Add sample

Katie Horne · Katie Horne · commit e02a57b9290a · 2017-03-30T12:18:17.000-07:00
diff --git a/.DS_Store b/.DS_Store
diff --git a/.env b/.env
@@ -0,0 +1,4 @@
+AUTH0_DOMAIN="YOUR_AUTH0_DOMAIN"
+SPA_PORT=3000
+CONTACTS_API_PORT=3001
+CALENDAR_API_PORT=3002
diff --git a/README.md b/README.md
@@ -0,0 +1,36 @@
+## Overview
+
+This is a sample application that demonstrates the usage of a single Resource Server with namespaced scoping representing multiple APIs. This sample consists of:
+
+- 2 Node.js APIs: `contacts` and `calendar` (you can think of them as microservices);
+- 1 Resource Server representing the 2 APIs;
+- 2 Namespaced scopes: `read:contacts` and `read:calendar`;
+- The Implicit Grant flow to obtain an `access_token` that works for both APIs
+
+## Setup
+
+You will need to create an API using the Auth0 Dashboard called `Organizer Service` with the unique identifier `organize` (this is later used in the `audience` parameter of your Authorization URL).
+
+The API needs two namespaced scopes:
+
+* `read:contacts`
+* `read:calendar`
+
+## Usage
+
+Prior to beginning, you may need to make some or all of the following changes so that the sample runs on your local environment:
+
+* `.env` (Please note that this file will, by default, be hidden):
+  * replace the placeholder with your Auth0 Domain
+  * update the ports you're using to serve your SPA and APIs
+* `calendar-api.js`: replace each of the two placeholders with your Auth0 Domain
+* `contacts-api.js`: replace each of the two placeholders with your Auth0 Domain
+* `index.html`:
+  * update the Authorization URL with your Auth0 Client ID and the port you're using to serve the SPA
+  * replace each of the two placeholders with the ports you're using to serve the `contacts` and `calendar` APIs
+
+### Run the Sample
+
+1. Navigate to the root of your sample folder.
+2. Run `npm install` to install the dependencies.
+3. Start the two Node.js APIs and the Node.js host for the SPA by running `npm run dev`
diff --git a/calendar-api.js b/calendar-api.js
@@ -0,0 +1,62 @@
+const express = require('express');
+const app = express();
+const jwt = require('express-jwt');
+const jwksRsa = require('jwks-rsa');
+const cors = require('cors');
+
+require('dotenv').config();
+
+const port = process.env.CALENDAR_API_PORT;
+const domain = process.env.AUTH0_DOMAIN;
+
+app.use(cors());
+
+// Validate the access token and enable the use of the jwtCheck middleware
+app.use(jwt({
+  // Dynamically provide a signing key based on the kid in the header
+  // and the singing keys provided by the JWKS endpoint
+  secret: jwksRsa.expressJwtSecret({
+    cache: true,
+    rateLimit: true,
+    jwksRequestsPerMinute: 5,
+    // Replace with your Auth0 Domain
+    jwksUri: `https://YOUR_AUTH0_DOMAIN/.well-known/jwks.json`
+  }),
+
+
+  // Validate the audience and the issuer
+  audience: 'organize',
+  // Replace with your Auth0 Domain
+  issuer: `https://YOUR_AUTH0_DOMAIN/`,
+  algorithms: [ 'RS256' ]
+}));
+
+//middleware to check scopes
+const checkPermissions = function(req, res, next){
+  switch(req.path){
+    case '/api/appointments':{
+      var permissions = ['read:calendar'];
+      for(var i = 0; i < permissions.length; i++){
+        if(req.user.scope.includes(permissions[i])){
+          next();
+        } else {
+          res.status(403).send({message:'Forbidden'});
+        }
+      }
+      break;
+    }
+  }
+}
+
+app.use(checkPermissions);
+
+app.get('/api/appointments', function (req, res) {
+  res.send({ appointments: [
+    { title: "1 on 1", time: "Mon Nov 14 2016 14:30:00 GMT-0500 (EST)" },
+    { title: "All Hands", time: "Thurs Nov 14 2016 14:23:20 GMT-0500 (EST)" }
+  ] });
+});
+
+app.listen(port, function () {
+  console.log('Calendar API started on port: ' + port);
+});
diff --git a/contacts-api.js b/contacts-api.js
@@ -0,0 +1,63 @@
+const express = require('express');
+const app = express();
+const jwt = require('express-jwt');
+const jwksRsa = require('jwks-rsa');
+const cors = require('cors');
+
+require('dotenv').config();
+
+const port = process.env.CONTACTS_API_PORT;
+const domain = process.env.AUTH0_DOMAIN;
+
+app.use(cors());
+
+// Validate the access token and enable the use of the jwtCheck middleware
+app.use(jwt({
+  // Dynamically provide a signing key based on the kid in the header and
+  // the singing keys provided by the JWKS endpoint
+  secret: jwksRsa.expressJwtSecret({
+    cache: true,
+    rateLimit: true,
+    jwksRequestsPerMinute: 5,
+    // Replace with your Auth0 Domain
+    jwksUri: `https://YOUR_AUTH0_DOMAIN/.well-known/jwks.json`
+  }),
+
+
+  // Validate the audience and the issuer
+  audience: 'organize',
+  // Replace with your Auth0 Domain
+  issuer: `https://YOUR_AUTH0_DOMAIN/`,
+  algorithms: [ 'RS256' ]
+}));
+
+// Middleware to check scopes
+const checkPermissions = function(req, res, next){
+  switch(req.path){
+    case '/api/contacts':{
+      var permissions = ['read:contacts'];
+      for(var i = 0; i < permissions.length; i++){
+        if(req.user.scope.includes(permissions[i])){
+          next();
+        } else {
+          res.status(403).send({message:'Forbidden'});
+        }
+      }
+      break;
+    }
+  }
+}
+
+app.use(checkPermissions);
+
+
+app.get('/api/contacts', function (req, res) {
+  res.send({ contacts: [
+    { name: "Jane", email: "jane@example.com" },
+    { name: "John", email: "john@example.com" }
+  ] });
+});
+
+app.listen(port, function () {
+  console.log('Contacts API started on port: ' + port);
+});
diff --git a/index.html b/index.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Single Page Application</title>
+  </head>
+  <body>
+    <!-- Edit this URL to reflect your Auth0 Client ID and the port you're using -->
+    <a href="https://auth0user.auth0.com/authorize?scope=read:contacts%20read:calendar&audience=organize&response_type=id_token%20token&client_id=YOUR_CLIENT_ID&redirect_uri=http://localhost:3000&nonce=NONCE">
+      Sign In
+    </a>
+
+    <div id="app" style="display:none;">
+      <button id="get-contacts">List Contacts</button>
+      <button id="get-appointments">List Appointments</button>
+      <div id="results"><pre></pre></div>
+    </div>
+
+    <script src="https://code.jquery.com/jquery-3.1.1.min.js"></script>
+    <script>
+    function getParameterByName(name) {
+      var match = RegExp('[#&]' + name + '=([^&]*)').exec(window.location.hash);
+      return match && decodeURIComponent(match[1].replace(/\+/g, ' '));
+    }
+
+    function getAccessToken() {
+      return getParameterByName('access_token');
+    }
+
+    function getIdToken() {
+      return getParameterByName('id_token');
+    }
+
+    $(function () {
+      var access_token = getAccessToken();
+      if (access_token) {
+        $('#app').show();
+      } else {
+        return
+      }
+
+      console.log('Your access token is ' + access_token)
+
+      // Use the access token to make API calls
+      $('#get-appointments').on('click', function(e) {
+        e.preventDefault();
+
+        // Change to the port you're using
+        $.ajax({
+          url: "http://localhost:3001/api/appointments",
+          method: "GET",
+          headers: { "Authorization": "Bearer " + access_token },
+          success: function (data) {
+            $('#results pre').text(JSON.stringify(data, null, 2))
+          }
+        });
+      });
+
+      $('#get-contacts').on('click', function(e) {
+        e.preventDefault();
+
+        // Change to the port you're using
+        $.ajax({
+          url: "http://localhost:3002/api/contacts",
+          method: "GET",
+          headers: { "Authorization": "Bearer " + access_token },
+          success: function (data) {
+            $('#results pre').text(JSON.stringify(data, null, 2))
+          }
+        });
+      });
+
+    });
+    </script>
+  </body>
+</html>
diff --git a/package.json b/package.json
@@ -0,0 +1,20 @@
+{
+  "name": "api-auth-implicit",
+  "version": "1.0.0",
+  "description": "A sample application to demonstrate the usage of multiple APIs in Auth0",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "dev": "node contacts-api.js | node calendar-api.js | node spa-host.js"
+  },
+  "author": "Fady Abdel Malik <fady@auth0.com>",
+  "license": "MIT",
+  "dependencies": {
+    "auth0-api-jwt-rsa-validation": "0.0.1",
+    "cors": "^2.8.1",
+    "dotenv": "^2.0.0",
+    "express": "^4.14.0",
+    "express-jwt": "^5.1.0",
+    "jwks-rsa": "^1.1.1"
+  }
+}
diff --git a/spa-host.js b/spa-host.js
@@ -0,0 +1,42 @@
+const express = require('express');
+const app = express();
+const path = require('path');
+const fs = require('fs');
+
+require('dotenv').config();
+
+const calendarApiPort = process.env.CALENDAR_API_PORT;
+const contactsApiPort = process.env.CONTACTS_API_PORT;
+const domain = process.env.AUTH0_DOMAIN;
+const port = process.env.SPA_PORT;
+
+app.get('/', function (req, res) {
+  let indexPath = path.join(__dirname + '/index.html');
+  replaceWithConfig(indexPath, (err, index) => {
+    if (err) { return res.send(404); }
+
+    res.send(index);
+  });
+  
+});
+
+app.listen(port, function () {
+  console.log('SPA being served on port: ' + port);
+});
+
+const replaceWithConfig = (filePath, cb) => {
+  let file = fs.readFile(filePath, (err, data) => {
+
+    data = data.toString();
+
+    if (err) { return cb(err) }
+
+    ['CALENDAR_API_PORT', 'CONTACTS_API_PORT', 'AUTH0_DOMAIN'].forEach((configParam) => {
+      let placeholder = '${' + configParam + '}'
+      data = data.replace(placeholder, process.env[configParam]);
+    });
+
+    return cb(null, data);
+
+  })
+}
