ory · aeneasr · Jul 22, 2020 · Jun 20, 2020 · Jun 29, 2020 · Jul 1, 2020
diff --git a/README.md b/README.md
@@ -31,11 +31,16 @@ This application can be configured using two environment variables:
   GitHub pages this would be the path, e.g. `https://mywebsite.com/kratos-selfservice-ui-node/`.
   **Must be absolute!**
 
+  If you want to also use hydra and connect an app via OAuth2, set these env-variables:
+  - `HYDRA_ADMIN_URL` should point to hydra's admin port including scheme (e.g. https://hydra.example.com:445)
+
+  If you want to test hydra without the use of kratos for user-management, rather have a look at the [hydra-login-consent-node][https://github.com/ory/hydra-login-consent-node].
+
 ### Network Setup
 
 This application works in two set ups:
 
-- Standalone with ORY Kratos
+- Standalone with ORY Kratos (plus optionally ORY Hydra)
 - With the ORY Oathkeeper Reverse Proxy
 
 #### Standalone using cookies

diff --git a/src/config.ts b/src/config.ts
@@ -1,3 +1,17 @@
+import winston from `winston`
+
+// Replace this with how you think logging should look like
+export const logger = winston.createLogger({
+  format: winston.format.combine(
+    winston.format.colorize(),
+    winston.format.simple()
+  ),
+  transports: [
+    new winston.transports.Console(),
+    //new winston.transports.File({ filename: 'combined.log' })
+  ]
+});
+
 export const SECURITY_MODE_STANDALONE = 'cookie'
 export const SECURITY_MODE_JWT = 'jwt'
 

diff --git a/src/index.ts b/src/index.ts
@@ -8,7 +8,7 @@ import { getConsent, postConsent } from './routes/consent'
 import errorHandler from './routes/error'
 import dashboard from './routes/dashboard'
 import debug from './routes/debug'
-import config, { SECURITY_MODE_JWT, SECURITY_MODE_STANDALONE } from './config'
+import config, { SECURITY_MODE_JWT, SECURITY_MODE_STANDALONE, logger } from './config'
 import jwks from 'jwks-rsa'
 import jwt from 'express-jwt'
 import {
@@ -24,6 +24,7 @@ import recoveryHandler from './routes/recovery'
 import morgan from 'morgan'
 import bodyParser from 'body-parser'
 import csrf from 'csurf'
+import winston from 'winston'
 
 const csrfProtection = csrf({cookie: true})
 
@@ -165,5 +166,7 @@ app.use((err: Error, req: Request, res: Response, next: NextFunction) => {
 const port = Number(process.env.PORT) || 3000
 app.listen(port, () => {
   console.log(`Listening on http://0.0.0.0:${port}`)
+  logger.info(`Listening on http://0.0.0.0:${port}`)
   console.log(`Security mode: ${config.securityMode}`)
+  logger.info(`Security mode: ${config.securityMode}`)
 })
diff --git a/src/routes/auth.ts b/src/routes/auth.ts
@@ -1,5 +1,5 @@
 import {NextFunction, Request, Response} from 'express'
-import config from '../config'
+import config, {logger} from '../config'
 import {sortFormFields} from '../translations'
 import {
   AdminApi,
@@ -25,7 +25,7 @@ export const authHandler = (type: 'login' | 'registration') => (
   // The request is used to identify the login and registration request and
   // return data like the csrf_token and so on.
   if (!request) {
-    console.log('No request found in URL, initializing auth flow.')
+    logger.info('No request found in URL, initializing auth flow.')
     res.redirect(`${config.kratos.browser}/self-service/browser/flows/${type}`)
     return
   }
@@ -41,6 +41,7 @@ export const authHandler = (type: 'login' | 'registration') => (
   authRequest
     .then(({body, response}) => {
       if (response.statusCode == 404 || response.statusCode == 410 || response.statusCode == 403) {
+        logger.warn(`redirecting to /self-service/browser/flows/${type} due to statusCode ${response.statusCode}`)
         res.redirect(
           `${config.kratos.browser}/self-service/browser/flows/${type}`
         )

diff --git a/src/routes/consent.ts b/src/routes/consent.ts
@@ -1,6 +1,7 @@
 import { NextFunction, Request, Response } from 'express'
 import {AdminApi as HydraAdminApi, AcceptConsentRequest, RejectRequest} from '@oryd/hydra-client'
 import url from 'url';
+import {logger} from '../config'
 
 const hydraAdminEndpoint = new HydraAdminApi(process.env.HYDRA_ADMIN_URL)
 
@@ -37,6 +38,7 @@ export const getConsent = (
           // This data will be available in the ID token.
           // id_token: { baz: 'bar' },
         //}
+        logger.info('Accepting ConsentReuqest')
         return hydraAdminEndpoint.acceptConsentRequest(String(challenge), acceptConsentRequest).then(function (response:any) {
           // All we need to do now is to redirect the user back to hydra!
           res.redirect(response.body.redirectTo);
@@ -56,6 +58,7 @@ export const getConsent = (
     })
     // This will handle any error that happens when making HTTP calls to hydra
     .catch(function (error:any) {
+      logger.error(error)
       next(error);
     });
 };
@@ -81,6 +84,7 @@ export const postConsent = (
       })
       // This will handle any error that happens when making HTTP calls to hydra
       .catch(function (error:any) {
+        logger.error(error)
         next(error);
       });
   }
@@ -123,6 +127,7 @@ export const postConsent = (
     })
     // This will handle any error that happens when making HTTP calls to hydra
     .catch(function (error:any) {
+      logger.error(error)
       next(error);
     });
 };
diff --git a/src/routes/hydra.ts b/src/routes/hydra.ts
@@ -1,6 +1,6 @@
 import {NextFunction, Request, Response} from 'express'
-import config from '../config'
-import {PublicApi} from '@oryd/kratos-client'
+import config, {logger} from '../config'
+import {PublicApi, Session} from '@oryd/kratos-client'
 import {AdminApi as HydraAdminApi, AcceptLoginRequest} from '@oryd/hydra-client'
 import url from 'url';
 
@@ -19,13 +19,13 @@ export default (
   const currentLocation = `${req.protocol}://${req.headers.host}${req.url}`;
 
   const query = url.parse(req.url, true).query;
-  // TODO FIGURE OUT HOW TO DO LOGIN AND REGISTRATION PAGES WITHOUT COOKIE FOR KEEPING THE CHALLENGE
+
   let challenge = query.login_challenge || req.cookies.login_challenge;
   if (challenge != null && challenge != "undefined") {
-    console.log("Writing the login_challenge cookie from hydra: " + challenge);
-    res.cookie("login_challenge", challenge);
+    logger.debug("Writing the login_challenge cookie from hydra: " + challenge);
+    logger.debug("login_challenge", challenge);
   } else {
-    console.log("challenge exists: "+challenge)
+    logger.debug("challenge exists: "+challenge)
   } 
   // ToDo Need to check more specific here!
   const kratos_session = req.cookies.ory_kratos_session
@@ -35,21 +35,20 @@ export default (
       // 3. Initiate login flow with Kratos
       // prompt=login forces a new login from kratos regardless of browser sessions - this is important because we are letting Hydra handle sessions
       // redirect_to ensures that when we redirect back to this url, we will have both the initial hydra challenge and the kratos request id in query params
-      console.log("    --> no request, not authenticated. Redirecting to kratos");
+      logger.info("no request, not authenticated. Redirecting to kratos");
       let return_to_address = encodeURI(currentLocation);
       res.redirect(`${config.kratos.browser}/self-service/browser/flows/login?prompt=login&return_to=${return_to_address}`);
       return
     }
     if (!challenge) {
-      console.log("No request but also no challenge, Invalid request!");
+      logger.error("No request, no challenge, Invalid request!");
       next()
       return
     } else {
       // 1. Parse Hydra challenge from query params
       // The challenge is used to fetch information about the login request from ORY Hydra.
       // Means we have just been redirected from Hydra, and are on the login page
       // We must check the hydra session to see if we can skip login
-      console.log("Checking Hydra Sessions");
       // 2. Call Hydra and check the session of this user
 
       return hydraAdminEndpoint.getLoginRequest(challenge)
@@ -63,7 +62,7 @@ export default (
             let acceptLoginRequest = new AcceptLoginRequest()
 
             acceptLoginRequest.subject = String(body.subject)
-            console.log("acceptLoginRequest "+acceptLoginRequest)
+            logger.info("acceptLoginRequest "+acceptLoginRequest)
             return hydraAdminEndpoint.acceptLoginRequest(challenge, acceptLoginRequest
               // All we need to do is to confirm that we indeed want to log in the user.
 
@@ -76,36 +75,33 @@ export default (
             kratosPublicEndpoint
               // We need to know who the user is for hydra
               .whoami(req as { headers: { [name: string]: string } })
-              .then( ({ body, response }) => {
+              .then( ({body, response} ) => {
                 // User is authenticated, accept the LoginRequest and tell Hydra
-                let acceptLoginRequest = new AcceptLoginRequest()
+                let acceptLoginRequest : AcceptLoginRequest = new AcceptLoginRequest()
+                // We should probably use "id" here but the gitlab-scenario only works via "email"
                 //acceptLoginRequest.subject = body.identity.id
-                acceptLoginRequest.subject = body.identity.traits.email
+                acceptLoginRequest.subject = (body.identity.traits as { email: string }).email || "[email protected]"
+
                 return hydraAdminEndpoint.acceptLoginRequest(challenge, acceptLoginRequest
                 ).then((hydraResponse: any) => {
                   // All we need to do now is to redirect the user back to hydra!
                   res.redirect(hydraResponse.body.redirectTo)
-                })                
-                .catch((err:any) => {
-                  // Something went wrong with validating the whoami answer
-                  console.log(err)
-                  next(err)
-                });
+                })
               })
               .catch((err:any) => {
                 // Something went wrong with the whoami call
-                console.log(err)
+                logger.error(err)
                 next(err)
               });
           } else {
-            console.log("Request and challenge are bot set but user is not authenticated. Unknown state!")
+            logger.error("Request and challenge are both set but user is not authenticated. Unknown state!")
             res.status(400).send('Request and challenge are bot set but user is not authenticated. Please try again!');
             next()
           }
         })
         .catch((err:any) => {
           // Something went wrong with validating hydra's challenge getting the LoginRequest
-          console.log(err)
+          logger.error(err)
           next()
         });
     }

diff --git a/src/routes/recovery.ts b/src/routes/recovery.ts
@@ -1,5 +1,5 @@
 import {NextFunction, Request, Response} from 'express'
-import config from '../config'
+import config, {logger} from '../config'
 import {CommonApi} from '@oryd/kratos-client'
 import {IncomingMessage} from 'http'
 
@@ -11,7 +11,7 @@ export default (req: Request, res: Response, next: NextFunction) => {
   // The request is used to identify the login and registration request and
   // return data like the csrf_token and so on.
   if (!request) {
-    console.log('No request found in URL, initializing recovery flow.')
+    logger.info('No request found in URL, initializing recovery flow.')
     res.redirect(`${config.kratos.browser}/self-service/browser/flows/recovery`)
     return
   }

diff --git a/src/routes/settings.ts b/src/routes/settings.ts
@@ -1,5 +1,5 @@
 import {NextFunction, Request, Response} from 'express'
-import config from '../config'
+import config, { logger } from '../config'
 import {CommonApi} from '@oryd/kratos-client'
 
 const commonApi = new CommonApi(config.kratos.admin)
@@ -9,7 +9,7 @@ const settingsHandler = (req: Request, res: Response, next: NextFunction) => {
   // The request is used to identify the login and registraion request and
   // return data like the csrf_token and so on.
   if (!request) {
-    console.log('No request found in URL, initializing flow.')
+    logger.info('No request found in URL, initializing settings flow.')
     res.redirect(`${config.kratos.browser}/self-service/browser/flows/settings`)
     return
   }

diff --git a/src/routes/verification.ts b/src/routes/verification.ts
@@ -1,5 +1,5 @@
 import {NextFunction, Request, Response} from 'express'
-import config from '../config'
+import config, {logger} from '../config'
 import {CommonApi} from '@oryd/kratos-client'
 import {IncomingMessage} from 'http'
 
@@ -11,7 +11,7 @@ export default (req: Request, res: Response, next: NextFunction) => {
   // The request is used to identify the login and registration request and
   // return data like the csrf_token and so on.
   if (!request) {
-    console.log('No request found in URL, initializing verify flow.')
+    logger.info('No request found in URL, initializing verify flow.')
     res.redirect(`${config.kratos.browser}/self-service/browser/flows/verification/email`)
     return
   }