TeamCodeStream
diff --git a/‎api_server/lib/oauth/oauth_module.js‎
Lines changed: 5 additions & 0 deletions b/‎api_server/lib/oauth/oauth_module.js‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎api_server/modules/github_auth/github_auth.js‎
Lines changed: 13 additions & 2 deletions b/‎api_server/modules/github_auth/github_auth.js‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎api_server/modules/github_auth/github_authorizer.js‎
Lines changed: 83 additions & 0 deletions b/‎api_server/modules/github_auth/github_authorizer.js‎
Lines changed: 83 additions & 0 deletions
diff --git a/‎api_server/modules/github_enterprise_auth/github_enterprise_auth.js‎
Lines changed: 1 addition & 1 deletion b/‎api_server/modules/github_enterprise_auth/github_enterprise_auth.js‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api_server/modules/providers/provider_deauth_request.js‎
Lines changed: 39 additions & 18 deletions b/‎api_server/modules/providers/provider_deauth_request.js‎
Lines changed: 39 additions & 18 deletions
@@ -116,6 +116,11 @@ class OAuthModule extends APIServerModule {
 		return !!this.oauthConfig.tokenFromFragment;
 	}
 
+	// does this provider support signup?
+	supportsSignup () {
+		return this.oauthConfig.supportsSignup;
+	}
+	
 	// extract the access token from a fragment sent to the browser
 	extractTokenFromFragment (options) {
 		// special allowance for token in the fragment, which we can't access,
 
@@ -3,6 +3,7 @@
 'use strict';
 
 const OAuthModule = require(process.env.CS_API_TOP + '/lib/oauth/oauth_module.js');
+const GithubAuthorizer = require('./github_authorizer');
 
 const OAUTH_CONFIG = {
 	provider: 'github',
@@ -11,9 +12,10 @@ const OAUTH_CONFIG = {
 	authPath: 'login/oauth/authorize',
 	tokenPath: 'login/oauth/access_token',
 	exchangeFormat: 'query',
-	scopes: 'repo,read:user',
+	scopes: 'repo,read:user,user:email',
 	noGrantType: true,
-	hasIssues: true
+	hasIssues: true,
+	supportsSignup: true
 };
 
 class GithubAuth extends OAuthModule {
@@ -22,6 +24,15 @@ class GithubAuth extends OAuthModule {
 		super(config);
 		this.oauthConfig = OAUTH_CONFIG;
 	}
+
+	// match the given github identity to a CodeStream identity
+	async getUserIdentity (options) {
+		const authorizer = new GithubAuthorizer({ options });
+		return await authorizer.getGithubIdentity(
+			options.accessToken,
+			options.providerInfo
+		);
+	}
 }
 
 module.exports = GithubAuth;
@@ -0,0 +1,83 @@
+// provide a class to handle authorizing credentials for the github provider
+
+'use strict';
+
+const { Octokit } = require('@octokit/rest');
+const RandomString = require('randomstring');
+const ProviderErrors = require(process.env.CS_API_TOP + '/modules/providers/errors');
+
+class GithubAuthorizer {
+
+	constructor (options) {
+		Object.assign(this, options);
+		this.request = options.options.request;
+		this.request.errorHandler.add(ProviderErrors);
+	}
+
+	// return identifying information associated with the fetched access token
+	async getGithubIdentity (accessToken, providerInfo) {
+		this.accessToken = accessToken;
+		this.providerInfo = this.providerInfo || providerInfo;
+		this.octokit = new Octokit({ auth: accessToken });
+		const userData = await this.githubApiRequest('users', 'getAuthenticated');
+		let emailData = await this.githubApiRequest('users', 'listEmails');
+		this.request.log('user data: ' + JSON.stringify(userData, undefined, 5));
+		this.request.log('email data: ' + JSON.stringify(emailData, undefined, 5));
+		emailData = emailData instanceof Array ? emailData : null;
+		if (!userData || !emailData) {
+			throw this.request.errorHandler.error('noIdentityMatch');
+		}
+
+		const primaryEmail = emailData.find(e => e.primary);
+		return {
+			userId: userData.id,
+			accessToken,
+			username: userData.login,
+			fullName: userData.name,
+			email: primaryEmail.email
+		};
+	}
+
+	// make a github api request
+	async githubApiRequest(module, method) {
+		if (this.accessToken === 'invalid-token') {	// for testing
+			throw this.request.errorHandler.error('invalidProviderCredentials', { reason: 'invalid token' });
+		}
+		const mockCode = (
+			this.providerInfo &&
+			this.providerInfo.code && 
+			this.providerInfo.code.match(/^mock.*-(.+)-(.+)$/)
+		);
+		if (mockCode && mockCode.length >= 3) {
+			if (method === 'getAuthenticated') {
+				return this._mockIdentity(mockCode[1]);
+			}
+			else if (method === 'listEmails') {
+				return this._mockEmails();
+			}
+		}
+		try {
+			return (await this.octokit[module][method]()).data;
+		}
+		catch (error) {
+			throw this.request.errorHandler.error('invalidProviderCredentials', { reason: error.message });
+		}
+	}
+
+	_mockIdentity (mockUserId) {
+		return {
+			id: mockUserId,
+			login: RandomString.generate(8),
+			name: `${RandomString.generate(8)} ${RandomString.generate(8)}`
+		};
+	}
+
+	_mockEmails () {
+		return [{
+			primary: true,
+			email: this.providerInfo.mockEmail || `${RandomString.generate(8)}@${RandomString.generate(8)}.com`
+		}];
+	}
+}
+
+module.exports = GithubAuthorizer;
@@ -10,7 +10,7 @@ const OAUTH_CONFIG = {
 	authPath: 'login/oauth/authorize',
 	tokenPath: 'login/oauth/access_token',
 	exchangeFormat: 'query',
-	scopes: 'repo,read:user',
+	scopes: 'repo,read:user,user:email',
 	noGrantType: true,
 	hasIssues: true,
 	forEnterprise: true,
 
@@ -46,42 +46,63 @@ class ProviderDeauthRequest extends RestfulRequest {
 		const teamId = this.request.body.teamId.toLowerCase();
 		const provider = this.request.params.provider.toLowerCase();
 		let { host, subId } = this.request.body;
-		let key = `providerInfo.${teamId}.${provider}`;
+		let userKey = `providerInfo.${provider}`;
+		let teamKey = `providerInfo.${teamId}.${provider}`;
 		if (host) {
 			host = host.toLowerCase().replace(/\./g, '*');
-			key += `.hosts.${host}`;
+			userKey += `.hosts.${host}`;
+			teamKey += `.hosts.${host}`;
 		}
 		if (subId) {
-			key += `.multiple.${subId}`;
+			userKey += `.multiple.${subId}`;
+			teamKey += `.multiple.${subId}`;
 		}
-		const existingProviderInfo = this.user.getProviderInfo(provider, teamId);
+
+		const existingUserProviderInfo = this.user.getProviderInfo(provider);
 		if (
 			!host &&
-			existingProviderInfo &&
-			existingProviderInfo.hosts &&
-			Object.keys(existingProviderInfo.hosts).length > 0
+			existingUserProviderInfo &&
+			existingUserProviderInfo.hosts &&
+			Object.keys(existingUserProviderInfo.hosts).length > 0
 		) {
 			// if we have enterprise hosts for this provider, don't stomp on them
-			key += '.accessToken';
+			userKey += '.accessToken';
 		}
+
+		const existingTeamProviderInfo = this.user.getProviderInfo(provider, teamId);
+		if (
+			!host &&
+			existingTeamProviderInfo &&
+			existingTeamProviderInfo.hosts &&
+			Object.keys(existingTeamProviderInfo.hosts).length > 0
+		) {
+			// if we have enterprise hosts for this provider, don't stomp on them
+			teamKey += '.accessToken';
+		}
+
 		const op = {
 			$unset: {
-				[key]: true
+				[userKey]: true,
+				[teamKey]: true
 			},
 			$set: {
 				modifiedAt: Date.now()
 			}
 		};
+
 		// this is really only for "sharing model" chat providers, which will provide a subId
-		if (subId && existingProviderInfo && existingProviderInfo.multiple) {
-			const serviceAuth = this.api.services[`${provider}Auth`];
-			if (serviceAuth) {
-				const providerUserId = await serviceAuth.getUserId(existingProviderInfo.multiple[subId]);
-				if (providerUserId) {
-					const identity = `${provider}::${providerUserId}`;
-					if ((this.user.get('providerIdentities') || []).find(id => id === identity)) {
-						op.$pull = { providerIdentities: identity };
-					}
+		const serviceAuth = this.api.services[`${provider}Auth`];
+		if (
+			serviceAuth &&
+			subId &&
+			existingTeamProviderInfo &&
+			existingTeamProviderInfo.multiple
+		) {
+			const providerUserId = await serviceAuth.getUserId(existingTeamProviderInfo.multiple[subId]);
+			if (providerUserId) {
+				const identity = `${provider}::${providerUserId}`;
+				if ((this.user.get('providerIdentities') || []).find(id => id === identity)) {
+					op.$pull = { providerIdentities: identity };
 				}
 			}
 		}