Create Automated Tests for Testing meiliNG/oAuth2 Endpoints.

Things to implement

• Basic Check of User Authentication
• Revoking User Application Authentication
• Deleting Application
• Authorized Permissions
• Redirect URI updates
• Add/Remove Allowed Permissions on Application
• Add/Remove Client Secret
• Creating Application

https://swagger.io/docs/specification/authentication/openid-connect-discovery/

https://[base-server-url]/.well-known/openid-configuration
https://[base-server-url]/.well-known/oauth-authorization-server

Prerequisites

#5, #6

[https://github.com/fastify/fastify-swagger]

Currently, Testing Full functionality of Meiling Gatekeeper requires a proper frontend:

Which is available as following:

• Stella IT's proprietary frontend (hosted on Stella IT Accounts)
• an open-source frontend based on React (https://github.com/stella-IT/meiling-dev.stella-it.com)
  -> development was ceased due to favor of new proprietary frontend based on vue + nuxt.js.

But testing requires proper frontend at the moment.
Therefore, We can host Stella IT's proprietary frontend (with removed some proprietary stuff that only works on Stella IT's internal fork. e.g. Stella IT Korean ID Verification System, E2E Session Exchange) on fe.staging.meili.ng for everyone to test it out.

Essential scopes such as openid, profile, email doesn't setup since table Permission is empty on clean installation.

Please refer OpenID Connect Spec for details.

Currently CORS Policy for /v1/meiling/* is enforced on /v1/oauth/*.
This seems to be a relatively easy fix.

CORS policy for /v1/oauth/* should be wildcard.
Since JavaScript Applications can access it.

Currently it is implemented by @kdhkr, but due to lack of API Docs, This seems to be a hard task.
This issue is for tracking any issues arise from implementing opensource frontend of meiliNG

If the client doesn't have registered client_secret, It will be considered as public application.

Public applications can NOT have proper client_secret, therefore PKCE as defined on #1 should be implemented beforehand.

• building schema using TypeBox
• fastify validation

• #42
  ex. throw new Meiling.V1.Error({ type: Meiling.V1.Error.ErrorType.INVALID_REQUEST })
• make sure error returned by implemenation of #38 to have backwards compatibility with previous errors.

Requested by @o0000ol

/auth and /token endpoints should implement PKCE (Proof Key for Code Exchange)

Video Reference

Things to do

• Add external notification api configuration point (currently, private repository)
• Create common function to call external notification api
• implement phone verification in session

https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint

• Implemented for access_token
• Implemented for refresh_token
• Implemented for id_token

Since there are several services that utilizes SAML 2.0 (e.g. Notion.so).
how about consider supporting one?

e.g. https://www.notion.so/help/saml-sso-configuration

Reference:
https://openapi.kftc.or.kr/main

https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

Since meiling is using Prisma 3.7.0. We can now utilize Database-side implementation of JSON filtering. Which significantly improves performance than current approach (getting all, run Array.prototype.filter() on meiling)

Docs: https://www.prisma.io/docs/concepts/components/prisma-client/working-with-fields/working-with-json-fields

Requested by @Baw-Appie

Grant Type

Minimum Requirements

• authorization_code
  • PKCE #1
• refresh_token

MVP Requirements

• device_code

Current Progress

meiling should able to define user data to collect (ex. firstname = optional).
This should be implemented in config.json

Feature to implement

User should able to reset password since a lot of user forgot their password, and very frequently.

Implement flow

• Requesting challenge
• Verify Challenge
• Change Password

Escalated from Stella IT Community Discord.
Reported by @RutsuKun

A publicly available test account is required for client unit testing.

This is an example that requires a publicly available test account.
@zeroday0619/httpx-oauth/commit/c1a27f281e1d906cd50d16de0e88bd568eff4f1c

How to reproduce

1. Use meiliNG v0.9.5 or later
2. Set FASTIFY_LISTEN to unix socket path
3. Start meiliNG with yarn start
4. See fastify logs reporting meiliNG has started up with wrong port.

The /v1/oauth/token endpoint should return JWT based id_token when it was requested with openid permission.