Support Authgear Once user provision #4937

ref DEV-2341

Author: tung2744

Makefile

@@ -1,16 +1,56 @@
+# The use of variables
+#
+# We use simply expanded variables in this Makefile.
+#
+# This means
+# 1. You use ::= instead of = because = defines a recursively expanded variable.
+#    See https://www.gnu.org/software/make/manual/html_node/Simple-Assignment.html
+# 2. You use ::= instead of := because ::= is a POSIX standard.
+#    See https://www.gnu.org/software/make/manual/html_node/Simple-Assignment.html
+# 3. You do not use ?= because it is shorthand to define a recursively expanded variable.
+#    See https://www.gnu.org/software/make/manual/html_node/Conditional-Assignment.html
+#    You should use the long form documented in the above link instead.
+# 4. When you override a variable in the command line, as documented in https://www.gnu.org/software/make/manual/html_node/Overriding.html
+#    you specify the variable with ::= instead of = or :=
+#    If you fail to do so, the variable becomes recursively expanded variable accidentally.
+#
 # GIT_NAME could be empty.
-GIT_NAME ?= $(shell git describe --exact-match 2>/dev/null)
-GIT_HASH ?= git-$(shell git rev-parse --short=12 HEAD)
+ifeq ($(origin GIT_NAME), undefined)
+	GIT_NAME ::= $(shell git describe --exact-match 2>/dev/null)
+endif
+ifeq ($(origin GIT_HASH), undefined)
+	GIT_HASH ::= git-$(shell git rev-parse --short=12 HEAD)
+endif
+ifeq ($(origin LDFLAGS), undefined)
+	LDFLAGS ::= "-X github.com/authgear/authgear-server/pkg/version.Version=${GIT_HASH}"
+endif
+
+# osusergo: https://godoc.org/github.com/golang/go/src/os/user
+# netgo: https://golang.org/doc/go1.5#net
+# static_build: https://github.com/golang/go/issues/26492#issuecomment-635563222
+#   The binary is static on Linux only. It is not static on macOS.
+# timetzdata: https://golang.org/doc/go1.15#time/tzdata
+GO_BUILD_TAGS ::= osusergo netgo static_build timetzdata
+GO_RUN_TAGS ::=
 
-LDFLAGS ?= "-X github.com/authgear/authgear-server/pkg/version.Version=${GIT_HASH}"
 
 .PHONY: start
 start:
-	go run -ldflags ${LDFLAGS} ./cmd/authgear start
+	go run -tags "$(GO_RUN_TAGS)" -ldflags ${LDFLAGS} ./cmd/authgear start
 
 .PHONY: start-portal
 start-portal:
-	go run -ldflags ${LDFLAGS} ./cmd/portal start
+	go run -tags "$(GO_RUN_TAGS)" -ldflags ${LDFLAGS} ./cmd/portal start
+
+.PHONY: authgearonce-start
+authgearonce-start: GO_RUN_TAGS += authgearonce
+authgearonce-start:
+	$(MAKE) start GO_RUN_TAGS::="$(GO_RUN_TAGS)"
+
+.PHONY: authgearonce-start-portal
+authgearonce-start-portal: GO_RUN_TAGS += authgearonce
+authgearonce-start-portal:
+	$(MAKE) start-portal GO_RUN_TAGS::="$(GO_RUN_TAGS)"
 
 .PHONY: vendor
 vendor:
@@ -88,21 +128,17 @@ fmt:
 govulncheck:
 	govulncheck -show traces,version,verbose ./...
 
-# osusergo: https://godoc.org/github.com/golang/go/src/os/user
-# netgo: https://golang.org/doc/go1.5#net
-# static_build: https://github.com/golang/go/issues/26492#issuecomment-635563222
-#   The binary is static on Linux only. It is not static on macOS.
-# timetzdata: https://golang.org/doc/go1.15#time/tzdata
 .PHONY: build
 build:
-	go build -o $(BIN_NAME) -tags "osusergo netgo static_build timetzdata $(GO_BUILD_TAGS)" -ldflags ${LDFLAGS} ./cmd/$(TARGET)
+	go build -o $(BIN_NAME) -tags "$(GO_BUILD_TAGS)" -ldflags ${LDFLAGS} ./cmd/$(TARGET)
 
 .PHONY: binary
+binary: GO_BUILD_TAGS += authgearlite
 binary:
 	rm -rf ./dist
 	mkdir ./dist
-	$(MAKE) build GO_BUILD_TAGS=authgearlite TARGET=authgear BIN_NAME=./dist/authgear-lite-"$(shell go env GOOS)"-"$(shell go env GOARCH)"-${GIT_HASH}
-	$(MAKE) build GO_BUILD_TAGS=authgearlite TARGET=portal BIN_NAME=./dist/authgear-portal-lite-"$(shell go env GOOS)"-"$(shell go env GOARCH)"-${GIT_HASH}
+	$(MAKE) build GO_BUILD_TAGS::="$(GO_BUILD_TAGS)" TARGET::=authgear BIN_NAME::=./dist/authgear-lite-"$(shell go env GOOS)"-"$(shell go env GOARCH)"-${GIT_HASH}
+	$(MAKE) build GO_BUILD_TAGS::="$(GO_BUILD_TAGS)" TARGET::=portal BIN_NAME::=./dist/authgear-portal-lite-"$(shell go env GOOS)"-"$(shell go env GOARCH)"-${GIT_HASH}
 
 .PHONY: check-tidy
 check-tidy:
@@ -130,14 +166,14 @@ build-image:
 	docker build --pull --file ./cmd/$(TARGET)/Dockerfile --tag $(IMAGE_NAME) --build-arg GIT_HASH=$(GIT_HASH) .
 
 .PHONY: tag-image
-tag-image: DOCKER_IMAGE = quay.io/theauthgear/$(IMAGE_NAME)
+tag-image: DOCKER_IMAGE ::= quay.io/theauthgear/$(IMAGE_NAME)
 tag-image:
 	docker tag $(IMAGE_NAME) $(DOCKER_IMAGE):latest
 	docker tag $(IMAGE_NAME) $(DOCKER_IMAGE):$(GIT_HASH)
 	if [ ! -z $(GIT_NAME) ]; then docker tag $(IMAGE_NAME) $(DOCKER_IMAGE):$(GIT_NAME); fi
 
 .PHONY: push-image
-push-image: DOCKER_IMAGE = quay.io/theauthgear/$(IMAGE_NAME)
+push-image: DOCKER_IMAGE ::= quay.io/theauthgear/$(IMAGE_NAME)
 push-image:
 	docker manifest inspect $(DOCKER_IMAGE):$(GIT_HASH) > /dev/null; if [ $$? -eq 0 ]; then \
 		echo "$(DOCKER_IMAGE):$(GIT_HASH) exists. Skip push"; \

custombuild/Makefile

@@ -1,20 +1,49 @@
+# The use of variables
+#
+# We use simply expanded variables in this Makefile.
+#
+# This means
+# 1. You use ::= instead of = because = defines a recursively expanded variable.
+#    See https://www.gnu.org/software/make/manual/html_node/Simple-Assignment.html
+# 2. You use ::= instead of := because ::= is a POSIX standard.
+#    See https://www.gnu.org/software/make/manual/html_node/Simple-Assignment.html
+# 3. You do not use ?= because it is shorthand to define a recursively expanded variable.
+#    See https://www.gnu.org/software/make/manual/html_node/Conditional-Assignment.html
+#    You should use the long form documented in the above link instead.
+# 4. When you override a variable in the command line, as documented in https://www.gnu.org/software/make/manual/html_node/Overriding.html
+#    you specify the variable with ::= instead of = or :=
+#    If you fail to do so, the variable becomes recursively expanded variable accidentally.
+#
 # GIT_NAME could be empty.
-GIT_NAME ?= $(shell git describe --exact-match 2>/dev/null)
-GIT_HASH ?= git-$(shell git rev-parse --short=12 HEAD)
+ifeq ($(origin GIT_NAME), undefined)
+	GIT_NAME ::= $(shell git describe --exact-match 2>/dev/null)
+endif
+ifeq ($(origin GIT_HASH), undefined)
+	GIT_HASH ::= git-$(shell git rev-parse --short=12 HEAD)
+endif
+ifeq ($(origin LDFLAGS), undefined)
+	LDFLAGS ::= "-X github.com/authgear/authgear-server/pkg/version.Version=${GIT_HASH}"
+endif
 
-LDFLAGS ?= "-X github.com/authgear/authgear-server/pkg/version.Version=${GIT_HASH}"
+# osusergo: https://godoc.org/github.com/golang/go/src/os/user
+# netgo: https://golang.org/doc/go1.5#net
+# static_build: https://github.com/golang/go/issues/26492#issuecomment-635563222
+#   The binary is static on Linux only. It is not static on macOS.
+# timetzdata: https://golang.org/doc/go1.15#time/tzdata
+GO_BUILD_TAGS ::= osusergo netgo static_build timetzdata
+GO_RUN_TAGS ::=
 
 .PHONY: start
 start:
-	go run -ldflags ${LDFLAGS} ./cmd/authgearx start
+	go run -tags "$(GO_RUN_TAGS)" -ldflags ${LDFLAGS} ./cmd/authgearx start
 
 .PHONY: start-portal
 start-portal:
-	go run -ldflags ${LDFLAGS} ./cmd/portalx start
+	go run -tags "$(GO_RUN_TAGS)" -ldflags ${LDFLAGS} ./cmd/portalx start
 
 .PHONY: build
 build:
-	go build -o $(BIN_NAME) -tags "osusergo netgo static_build timetzdata $(GO_BUILD_TAGS)" -ldflags ${LDFLAGS} ./cmd/$(TARGET)
+	go build -o $(BIN_NAME) -tags "$(GO_BUILD_TAGS)" -ldflags ${LDFLAGS} ./cmd/$(TARGET)
 
 .PHONY: build-image
 build-image:

pkg/portal/service/collaborator.go

@@ -465,11 +465,10 @@ func (s *CollaboratorService) SendInvitation(
 		return nil, err
 	}
 
-	// TODO(collaborator): Ideally we should prevent sending invitation to existing collaborator.
+	// Ideally we should prevent sending invitation to existing collaborator.
 	// However, this is not harmful to not have it.
 	// The collaborator will receive the invitation and they cannot accept it because
 	// we have database constraint to enforce this invariant.
-	// If Admin API have getUserByClaim, then we can detect this condition here.
 
 	// Check if the invitee has a pending invitation already.
 	invitations, err := s.ListInvitations(ctx, appID)
@@ -482,6 +481,20 @@ func (s *CollaboratorService) SendInvitation(
 		}
 	}
 
+	if AUTHGEARONCE {
+		inviteeExists, err := s.checkInviteeExistenceByEmail(ctx, invitedBy, inviteeEmail)
+		if err != nil {
+			return nil, err
+		}
+
+		if !inviteeExists {
+			err = s.createAccountForInvitee(ctx, invitedBy, inviteeEmail)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
 	code := generateCollaboratorInvitationCode()
 	now := s.Clock.NowUTC()
 	// Expire in 3 days.
@@ -748,22 +761,19 @@ func (s *CollaboratorService) CheckInviteeEmail(ctx context.Context, i *model.Co
 	id := relay.ToGlobalID("User", actorID)
 
 	params := graphqlutil.DoParams{
-		OperationName: "getUserNodes",
+		OperationName: "getUserNode",
 		Query: `
-		query getUserNodes($ids: [ID!]!) {
-			nodes(ids: $ids) {
+		query getUserNode($id: ID!) {
+			node(id: $id) {
 				... on User {
 					id
-					verifiedClaims {
-						name
-						value
-					}
+					standardAttributes
 				}
 			}
 		}
 		`,
 		Variables: map[string]interface{}{
-			"ids": []interface{}{id},
+			"id": id,
 		},
 	}
 
@@ -788,45 +798,121 @@ func (s *CollaboratorService) CheckInviteeEmail(ctx context.Context, i *model.Co
 		return fmt.Errorf("unexpected graphql errors: %v", result.Errors)
 	}
 
-	var userModels []*model.User
+	var email string
 	data := result.Data.(map[string]interface{})
-	nodes := data["nodes"].([]interface{})
-	for _, iface := range nodes {
-		// It could be null.
-		userNode, ok := iface.(map[string]interface{})
-		if !ok {
-			userModels = append(userModels, nil)
-		} else {
-			userModel := &model.User{}
-			globalID := userNode["id"].(string)
-			userModel.ID = globalID
-
-			// Use the last email claim.
-			verifiedClaims := userNode["verifiedClaims"].([]interface{})
-			for _, iface := range verifiedClaims {
-				claim := iface.(map[string]interface{})
-				name := claim["name"].(string)
-				value := claim["value"].(string)
-				if name == "email" {
-					userModel.Email = value
-				}
+	if userNode, ok := data["node"].(map[string]interface{}); ok {
+		if standardAttributes, ok := userNode["standardAttributes"].(map[string]interface{}); ok {
+			if e, ok := standardAttributes["email"].(string); ok {
+				email = e
 			}
+		}
+	}
+
+	if email != i.InviteeEmail {
+		return ErrCollaboratorInvitationInvalidEmail
+	}
+
+	return nil
+}
 
-			userModels = append(userModels, userModel)
+// checkInviteeExistenceByEmail calls HTTP request.
+func (s *CollaboratorService) checkInviteeExistenceByEmail(ctx context.Context, actorUserID string, inviteeEmail string) (inviteeExists bool, err error) {
+	params := graphqlutil.DoParams{
+		OperationName: "getUsersByStandardAttribute",
+		Query: `
+		query getUsersByStandardAttribute($name: String!, $value: String!) {
+			users: getUsersByStandardAttribute(attributeName: $name, attributeValue: $value) {
+				id
+			}
 		}
+		`,
+		Variables: map[string]interface{}{
+			"name":  "email",
+			"value": inviteeEmail,
+		},
 	}
 
-	if len(userModels) != 1 {
-		return fmt.Errorf("expected exact one user")
+	r, err := http.NewRequestWithContext(ctx, "POST", "/graphql", nil)
+	if err != nil {
+		return
 	}
 
-	user := userModels[0]
+	director, err := s.AdminAPI.SelfDirector(ctx, actorUserID, UsageInternal)
+	if err != nil {
+		return
+	}
 
-	if user.Email != i.InviteeEmail {
-		return ErrCollaboratorInvitationInvalidEmail
+	director(r)
+
+	result, err := graphqlutil.HTTPDo(s.HTTPClient.Client, r, params)
+	if err != nil {
+		return
 	}
 
-	return nil
+	if result.HasErrors() {
+		err = fmt.Errorf("unexpected graphql errors: %v", result.Errors)
+		return
+	}
+
+	data := result.Data.(map[string]interface{})
+	users := data["users"].([]interface{})
+	if len(users) > 0 {
+		inviteeExists = true
+		return
+	}
+
+	return
+}
+
+// createAccountForInvitee calls HTTP request.
+func (s *CollaboratorService) createAccountForInvitee(ctx context.Context, actorUserID string, inviteeEmail string) (err error) {
+	params := graphqlutil.DoParams{
+		OperationName: "createAccount",
+		Query: `
+		mutation createAccount($email: String!) {
+			createUser(input: {
+				definition: {
+					loginID: {
+						key: "email"
+						value: $email
+					}
+				}
+				sendPassword: true
+				setPasswordExpired: true
+			}) {
+				user {
+					id
+				}
+			}
+		}
+		`,
+		Variables: map[string]interface{}{
+			"email": inviteeEmail,
+		},
+	}
+
+	r, err := http.NewRequestWithContext(ctx, "POST", "/graphql", nil)
+	if err != nil {
+		return err
+	}
+
+	director, err := s.AdminAPI.SelfDirector(ctx, actorUserID, UsageInternal)
+	if err != nil {
+		return err
+	}
+
+	director(r)
+
+	result, err := graphqlutil.HTTPDo(s.HTTPClient.Client, r, params)
+	if err != nil {
+		return err
+	}
+
+	if result.HasErrors() {
+		return fmt.Errorf("unexpected graphql errors: %v", result.Errors)
+	}
+
+	return
 }
 
 func (s *CollaboratorService) checkQuotaInSend(ctx context.Context, appID string) error {

pkg/portal/service/collaborator_authgearonce.go

@@ -0,0 +1,6 @@
+//go:build authgearonce
+// +build authgearonce
+
+package service
+
+const AUTHGEARONCE = true

pkg/portal/service/collaborator_noauthgearonce.go

@@ -0,0 +1,6 @@
+//go:build !authgearonce
+// +build !authgearonce
+
+package service
+
+const AUTHGEARONCE = false