MGough/discourse-connect-auth0-action.js

## discourse-connect-auth0-action.js
// Based on: https://blog.leog.me/discourse-sso-with-auth0-e49486d0294a
// This must be the last action in the flow, as it potentially redirects the user to discourse and doesn't have a `onContinuePostLogin` hook as we're not expecting Discourse to return them

const DISCOURSE_AUTH0_CLIENT_ID = "<Your client ID>";
const DISCOURSE_DOMAIN = "<Your Discourse Domain>";
// We use this to avoid sending users to Discourse with unverified emails
// As we want Auth0 to handle email verification by default, not Discourse.
// If they're sent to discourse then they'll receive an email from discourse as well as Auth0 asking to independently verify their emails.
const DISCOURSE_NON_VERIFIED_EMAIL_REDIRECT_URL = "<A URL for users with unverified emails>";

/**
* Handler that will be called during the execution of a PostLogin flow.
*
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
*/
exports.onExecutePostLogin = async (event, api) => {
  // Check whether the Auth0 client is the one we want to apply this rule to
  if (event.client.client_id === DISCOURSE_AUTH0_CLIENT_ID) {
    // If they're verified it's safe to send them through to discourse
    if (event.user.email_verified) {
      // Check out Discourse's SSO implementation requirements already in discourse-sso package
      // at https://meta.discourse.org/t/official-single-sign-on-for-discourse-sso/13045#heading--implement
      const DiscourseSSO = require('discourse-sso');

      // Setup sso_secret variable on your client variables on Auth0 so you don't need to have it inline in your code
      const sso = new DiscourseSSO(event.secrets.sso_secret);

      // Validate the query payload with its signature (it uses the sso_secret passed to the DiscourseSSO instance)
      if (sso.validate(event.request.query.sso, event.request.query.sig)) {

        // Extract nonce information
        const nonce = sso.getNonce(event.request.query.sso);

        const userparams = {
          // Required, will throw exception otherwise
          "nonce": nonce,
          "external_id": event.user.user_id,
          "email": event.user.email,
          // Optional
          "username": event.user.nickname,
          // Just in case we somehow make a mistake one day...
          // If we send a user that doesn't have a verified email then we tell Discourse to use its own email verification flow
          "require_activation": !event.user.email_verified,
          "suppress_welcome_message": false
        };

        const query = sso.buildLoginString(userparams);

        api.redirect.sendUserTo(`https://${DISCOURSE_DOMAIN}/session/sso_login?${query}`);
        return;
      }
    }
    // They're trying to login to the forum, but their email isn't verified!
    api.redirect.sendUserTo(DISCOURSE_NON_VERIFIED_EMAIL_REDIRECT_URL);
  }
};
	// Based on: https://blog.leog.me/discourse-sso-with-auth0-e49486d0294a
	// This must be the last action in the flow, as it potentially redirects the user to discourse and doesn't have a `onContinuePostLogin` hook as we're not expecting Discourse to return them

	const DISCOURSE_AUTH0_CLIENT_ID = "<Your client ID>";
	const DISCOURSE_DOMAIN = "<Your Discourse Domain>";
	// We use this to avoid sending users to Discourse with unverified emails
	// As we want Auth0 to handle email verification by default, not Discourse.
	// If they're sent to discourse then they'll receive an email from discourse as well as Auth0 asking to independently verify their emails.
	const DISCOURSE_NON_VERIFIED_EMAIL_REDIRECT_URL = "<A URL for users with unverified emails>";

	/**
	* Handler that will be called during the execution of a PostLogin flow.
	*
	* @param {Event} event - Details about the user and the context in which they are logging in.
	* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
	*/
	exports.onExecutePostLogin = async (event, api) => {
	// Check whether the Auth0 client is the one we want to apply this rule to
	if (event.client.client_id === DISCOURSE_AUTH0_CLIENT_ID) {
	// If they're verified it's safe to send them through to discourse
	if (event.user.email_verified) {
	// Check out Discourse's SSO implementation requirements already in discourse-sso package
	// at https://meta.discourse.org/t/official-single-sign-on-for-discourse-sso/13045#heading--implement
	const DiscourseSSO = require('discourse-sso');

	// Setup sso_secret variable on your client variables on Auth0 so you don't need to have it inline in your code
	const sso = new DiscourseSSO(event.secrets.sso_secret);

	// Validate the query payload with its signature (it uses the sso_secret passed to the DiscourseSSO instance)
	if (sso.validate(event.request.query.sso, event.request.query.sig)) {

	// Extract nonce information
	const nonce = sso.getNonce(event.request.query.sso);

	const userparams = {
	// Required, will throw exception otherwise
	"nonce": nonce,
	"external_id": event.user.user_id,
	"email": event.user.email,
	// Optional
	"username": event.user.nickname,
	// Just in case we somehow make a mistake one day...
	// If we send a user that doesn't have a verified email then we tell Discourse to use its own email verification flow
	"require_activation": !event.user.email_verified,
	"suppress_welcome_message": false
	};

	const query = sso.buildLoginString(userparams);

	api.redirect.sendUserTo(`https://${DISCOURSE_DOMAIN}/session/sso_login?${query}`);
	return;
	}
	}
	// They're trying to login to the forum, but their email isn't verified!
	api.redirect.sendUserTo(DISCOURSE_NON_VERIFIED_EMAIL_REDIRECT_URL);
	}
	};