lookup.ts

#!/usr/bin/env -S deno run --allow-net --allow-read --allow-run
// ^- This is some Unix-magic to allow running this script as a stand alone
// program. On Windows and other non-Unix OSes, run this script as:
//
//    deno run --allow-net --allow-read --allow-run lookup.ts
//
// Deno is a tool that lets you run JavaScript locally. Installation
// instructions for Linux, macOS and Windows are at
// https://deno.land/manual@v1.15.3/getting_started/installation.
//
// This script demonstrates calling the Lookup API published at the API Gateway
// and authenticating as a normal user rather than as an Application. In order
// to demonstrate this, the script will print out the authenticated user"s
// profile on Lookup including any private fields.
//
// You must have already generated a client id (or "key") for an App on
// https://developer.api.apps.cam.ac.uk/ and enabled the "Lookup" API for your
// App. The "callback URL" for the App must be
// "http://localhost:4000/oauth2/callback". See the documentation linked to on
// https://developer.api.apps.cam.ac.uk/ for more information on this.

//// DEPENDENCIES ////

// "open" allows opening URLs in the user"s default browser.
import { open } from "https://deno.land/x/open/index.ts"

// "Server" is used to implement a small HTTP server which listens for the
// authentication response from the API Gateway.
import { Server } from "https://deno.land/std/http/server.ts"

// Import an implementation of the authentication protocol used by the API
// Gateway from the Microsoft Authentication Library (MSAL).
import { PublicClientApplication, ProtocolMode } from "https://deno.land/x/azure_msal_deno@v1.1.0/mod.ts"

// The API Gateway makes use of Proof Key for Code Exchange (PKCE) to increase
// security. Using PKCE is best practice for all clients.
//
// See: https://datatracker.ietf.org/doc/html/rfc7636)
import { create as createPKCEVerifierPair } from "https://deno.land/x/pkce_deno/mod.ts"

// The API Gateway will pass us back a random "state" token we give it. We use
// this to verify that the request we got back from the gateway matches the
// authorisation we triggered.
import { cryptoRandomString } from "https://deno.land/x/crypto_random_string@1.0.0/mod.ts"

//// CONSTANTS ////

// The client id registered for the App on the API Gateway developer portal.
// This is not a secret.
const clientId = "s7w86kczmWEUncn7oerwAt23BC4zaE9u"

// Create a new client application using the Microsoft Sign-in library.
console.log("Creating the client object to perform a sign in.")
const client = new PublicClientApplication({
  auth: {
    authorityMetadata: JSON.stringify({
      // These endpoints can be found at https://api.apps.cam.ac.uk/oauth2/v1/.well-known/openid-configuration
      // or at https://developer.api.apps.cam.ac.uk/docs/oauth2/1/overview.
      authorization_endpoint: "https://api.apps.cam.ac.uk/oauth2/v1/auth",
      token_endpoint: "https://api.apps.cam.ac.uk/oauth2/v1/token",
    }),
    clientId,
    knownAuthorities: ["api.apps.cam.ac.uk"],
    protocolMode: ProtocolMode.OIDC,
  }
})

//// LOGIC ////

// Some common parameters we need to pass to the API Gateway as part of the
// authentication dance.
//
// Passing "https://api.apps.cam.ac.uk/lookup" as the scope means we"ll ask the
// user for permission to use Lookup on their behalf.
//
// The App registered at https://developer.api.apps.cam.ac.uk/ _must_ have the
// callback URL set to "http://localhost:4000/oauth2/callback".
const authParams = {
  scopes: ["https://api.apps.cam.ac.uk/lookup"],
  redirectUri: "http://localhost:4000/oauth2/callback",
}

// Create some random tokens required for PKCE and security best practice.
const state = cryptoRandomString({ length: 64, type: "alphanumeric" })
const nonce = cryptoRandomString({ length: 64, type: "alphanumeric" })
const { codeVerifier, codeChallenge } = createPKCEVerifierPair()

// A handler function to handle requests received back from the API Gateway.
const handleRequests = async (request: Request) => {
  // Pull out the path (the part before "?") from the request URL.
  const url = new URL(request.url)
  const path = url.pathname

  if(path === "/oauth2/callback") {
    // Handle the response. (See below.)
    handleCodeResponse(url)

    // Thank the user.
    return new Response(
      "Thanks, you can now close the browser tab and look for the result on the console."
    )
  } else {
    // Otherwise, return "not found"
    return new Response("Not found", { status: 404 })
  }
}

// Make a new web server to listen to requests from the Gateway.
const server = new Server({
  addr: "0.0.0.0:4000",
  handler: handleRequests
})

// This is a "Promise" which we can "await". The "await" will continue once the
// server stops.
const serverPromise = server.listenAndServe()

// We start the authentication by getting the user to visit a URL generated by
// the MSAL client.
const authUrl = await client.getAuthCodeUrl({
  ...authParams,
  codeChallenge,
  codeChallengeMethod: "S256",
  state,
  nonce,
})

// Tell the user to visit the URL.
console.log("Visit the following URL in your browser. I'll also try to open it")
console.log("for you in your default browser.\n")
console.log(`     ${authUrl}\n`)

// Also try opening the URL in the user"s preferred browser.
await open(authUrl, {
  wait: false, url: Deno.build.os === "windows"
})

// A handler function called when we"ve got a response back from the API
// gateway with a code.
const handleCodeResponse = async (url: URL) => {
  // We should have been redirected back to a URL of the form
  //
  //    http://localhost:4000/oauth2/callback?code={...}&state={...}
  //
  // Pull the code and state out of the URL.
  const code = url.searchParams.get("code")
  const receivedState = url.searchParams.get("state")

  // We should"ve got a code.
  if(!code) {
    throw new Error("No code returned from API Gateway.")
  }

  // The state should match the one we sent with the original authentication
  // request.
  if(receivedState !== state) {
    throw new Error("Incorrect state received from API Gateway.")
  }

  // Get an access token in exchange for the code.
  console.log("Exchanging the auth code from the Gateway for a token...")
  const authenticationResult = await client.acquireTokenByCode({
    ...authParams,
    code,
    codeVerifier,
  })

  // Check we got a response.
  if(!authenticationResult) {
    throw new Error("No response from API Gateway.")
  }

  // Extract claims about the user returned by the Gateway. The Microsoft
  // Authentication Library will already have verified these using the public
  // key associated with the API Gateway.
  const { idTokenClaims, accessToken } = authenticationResult
  console.log("Successfully got token from Gateway. ID token claims:\n")
  console.log(JSON.stringify(idTokenClaims, null, 2))
  console.log("\n")

  // The id token should contain the CRSid of the user.
  const [crsid, namespace] = (idTokenClaims as { sub: string; }).sub.split("@")

  // The API Gateway can authenticate a great number of identities. Make sure
  // this is a CRSid based one.
  if(namespace !== "v1.person.identifiers.cam.ac.uk") {
    throw new Error("Some user without a CRSid authenticated.")
  }

  // Fetch the profile of the authenticated user. Note that this can include
  // "private" attributes because we've authenticated as the user. To
  // demonstrate this we'll fetch the "@cam forwarding email", the tombstone
  // email address (for when the user leaves) and any emergency contact
  // information the user may have added.
  const fetchAttributes = [
    "all_identifiers",
    "departingEmail",
    "emergencyContact",
    "forwardingEmail",
  ]
  console.log(`Making a request to Lookup to get profile of ${crsid}...`)
  const personResponse = await fetch(
    `https://api.apps.cam.ac.uk/lookup/v1/person/crsid/${crsid}?fetch=${fetchAttributes.join(",")}`,
    {
      mode: "cors",
      credentials: "omit",
      headers: {
        Authorization: `Bearer ${accessToken}`,
        Accept: "application/json"
      },
    }
  )

  // Check response from Lookup.
  if(!personResponse.ok) {
    console.error("Error status:", personResponse.status)
    console.error("Error body:", await personResponse.text())
    throw new Error("Error received from Lookup")
  }

  // Log the received profile.
  console.log("Received user profile from Lookup:\n")
  console.log(JSON.stringify(await personResponse.json(), null, 2))

  // We want to stop the server now we"ve got a token.
  server.close()
}

// Wait for server to exit.
await serverPromise

// vim:sw=2:ts=2:et:sts