add conference options to the broadcasts; implement auth to microsoft

lib/azure_ad.rb

@@ -0,0 +1,124 @@
+require 'omniauth-oauth2'
+
+# This file is from omniauth-microsoft_graph lib (not installed)
+# It is modified to make auth work
+
+module OmniAuth
+  module Strategies
+    class AzureAd < OmniAuth::Strategies::OAuth2
+      BASE_SCOPE_URL = 'https://graph.microsoft.com/'
+      BASE_SCOPES = %w[offline_access openid email profile].freeze
+      DEFAULT_SCOPE = 'offline_access openid email profile User.Read'.freeze
+
+      option :name, :azure_ad
+
+      option :client_options,
+             site: 'https://login.microsoftonline.com/'
+
+      option :authorize_options, %i[state callback_url scope response_mode]
+
+      option :token_params, {}
+
+      option :scope, DEFAULT_SCOPE
+      option :authorized_client_ids, []
+
+      uid { raw_info["id"] }
+
+      info do
+        {
+            #   'email' => raw_info["mail"],
+            #   'first_name' => raw_info["givenName"],
+            #   'last_name' => raw_info["surname"],
+            #   'name' => [raw_info["givenName"], raw_info["surname"]].join(' '),
+            #   'nickname' => raw_info["displayName"],
+        }
+      end
+
+      extra do
+        {
+            #   'raw_info' => raw_info,
+            #   'params' => access_token.params,
+            #   'aud' => options.client_id
+        }
+      end
+
+      def authorize_params
+        super.tap do |params|
+          options[:authorize_options].each do |k|
+            params[k] = request.params[k.to_s] unless [nil, ''].include?(request.params[k.to_s])
+          end
+
+          params[:scope] = get_scope(params)
+
+          session['omniauth.state'] = params[:state] if params[:state]
+        end
+      end
+
+      def raw_info
+        @raw_info ||= access_token.get('https://graph.microsoft.com/v1.0/me').parsed
+      end
+
+      def callback_url
+        options[:callback_url] || full_host + script_name + callback_path
+      end
+
+      def custom_build_access_token
+        token_response = get_access_token(request)
+        session[:microsoft_graph_api_token] = token_response.token
+        token_response
+      end
+
+      alias build_access_token custom_build_access_token
+
+      private
+
+      def get_access_token(request)
+        verifier = request.params['code']
+        redirect_uri = request.params['redirect_uri'] || request.params['callback_url']
+        if verifier && request.xhr?
+          client_get_token(verifier, redirect_uri || '/auth/azure_ad/callback')
+        elsif verifier
+          client_get_token(verifier, redirect_uri || callback_url)
+        elsif verify_token(request.params['access_token'])
+          ::OAuth2::AccessToken.from_hash(client, request.params.dup)
+        elsif request.content_type =~ /json/i
+          begin
+            body = JSON.parse(request.body.read)
+            request.body.rewind # rewind request body for downstream middlewares
+            verifier = body && body['code']
+            client_get_token(verifier, '/auth/azure_ad/callback') if verifier
+          rescue JSON::ParserError => e
+            warn "[omniauth google-oauth2] JSON parse error=#{e}"
+          end
+        end
+      end
+
+      def client_get_token(verifier, redirect_uri)
+        client.auth_code.get_token(verifier, get_token_options(redirect_uri), get_token_params)
+      end
+
+      def get_token_params
+        deep_symbolize(options.auth_token_params || {})
+      end
+
+      def get_token_options(redirect_uri = '')
+        { redirect_uri: redirect_uri }.merge(token_params.to_hash(symbolize_keys: true))
+      end
+
+      def get_scope(params)
+        raw_scope = params[:scope] || DEFAULT_SCOPE
+        scope_list = raw_scope.split(' ').map { |item| item.split(',') }.flatten
+        scope_list.map! { |s| s =~ %r{^https?://} || BASE_SCOPES.include?(s) ? s : "#{BASE_SCOPE_URL}#{s}" }
+        scope_list.join(' ')
+      end
+
+      def verify_token(access_token)
+        return false unless access_token
+        # access_token.get('https://graph.microsoft.com/v1.0/me').parsed
+        raw_response = client.request(:get, 'https://graph.microsoft.com/v1.0/me',
+                                      params: { access_token: access_token }).parsed
+        (raw_response['aud'] == options.client_id) || options.authorized_client_ids.include?(raw_response['aud'])
+      end
+    end
+  end
+end

lib/microsoft_graph.rb

@@ -0,0 +1,107 @@
+require 'httparty'
+
+class MicrosoftGraph
+  BASE_URL = 'https://graph.microsoft.com/v1.0'.freeze
+
+  def initialize(current_user, client_id, client_secret, tenant_id, scopes)
+    @current_user = current_user
+    @uid = current_user.microsoft_user_id
+    @token = current_user.microsoft_access_token
+    @refresh_token = current_user.microsoft_refresh_token
+    @token_expires_at = current_user.microsoft_token_expires_at
+
+    @client_id = client_id
+    @client_secret = client_secret
+    @tenant_id = tenant_id
+    @scopes = scopes
+  end
+
+  def create_teams_meeting(subject)
+    if @refresh_token.nil? || @token_expires_at.nil?
+      raise ActionController::InvalidAuthenticityToken, 'Missing refresh token / token expiration'
+      return
+    end
+
+    # Obtain new token if token is expired or will expire in less than 5 minutes
+    if 5.minutes.from_now.to_i > @token_expires_at.seconds
+      refresh_access_token
+    end
+
+    if @token.nil?
+      raise ActionController::InvalidAuthenticityToken, 'Missing access token'
+      return
+    end
+
+    response = HTTParty.post(
+        "#{BASE_URL}/me/onlineMeetings",
+        body: {
+            subject: subject,
+            participants: {
+                organizer: {
+                    identity: {
+                        user: {
+                            id: @uid
+                        }
+                    }
+                }
+            }
+        }.to_json,
+        headers: {
+            Authorization: "Bearer #{@token}",
+            'Content-Type': 'application/json'
+        }
+    )
+
+    raise StandardError, 'Authenticated user does not have a permission to create Teams Online Meeting' if response.code == 403
+
+    if response.code != 201
+      Rails.logger.error('[Microsoft Graph Error]')
+      Rails.logger.error(response.inspect)
+      raise StandardError, "Failed to create teams meeting [#{response.code}]"
+    else
+      JSON.parse(response.body)
+    end
+  end
+
+  private
+
+  def refresh_token_url
+    "https://login.microsoftonline.com/#{@tenant_id}/oauth2/v2.0/token"
+  end
+
+  def refresh_access_token
+    response = HTTParty.post(refresh_token_url,
+                             headers: {
+                                 'Content-Type': 'application/x-www-form-urlencoded'
+                             },
+                             body: {
+                                 client_id: @client_id,
+                                 client_secret: @client_secret,
+                                 refresh_token: @refresh_token,
+                                 grant_type: 'refresh_token',
+                                 scope: @scopes
+                             })
+
+    if response.code != 200
+      Rails.logger.error '[Microsoft Graph Error] Failed to obtain new access token using refresh token'
+      Rails.logger.error(response.inspect)
+      raise StandardError, 'Failed to obtain new access token'
+    end
+
+    parsed_response = JSON.parse(response.body)
+
+    new_access_token = parsed_response['access_token']
+    new_refresh_token = parsed_response['refresh_token']
+    token_expires_in = parsed_response['expires_in'] # For how long access token is valid (in seconds)
+    token_new_expiration_time = Time.now.to_i + token_expires_in
+
+    @current_user.microsoft_access_token = new_access_token
+    @current_user.microsoft_refresh_token = new_refresh_token
+    @current_user.microsoft_token_expires_at = token_new_expiration_time
+    @current_user.save!
+
+    @token = new_access_token
+    @refresh_token = new_refresh_token
+    @token_expires_at = token_new_expiration_time
+  end
+end