server: remove deprecated client-side auth path

Remove the FirestoreAuthStrategy passport strategy, the /session
POST/DELETE endpoints, and associated dead code (VerifyDone,
VerifyFunction, StrategyOptions, toError). These existed for
client-side Firebase Auth where the browser obtained an ID token
and posted it to /session. The new server-side auth flow
(/auth/login, /auth/signup, OAuth) makes this path unnecessary.

Author: bpowers

src/server/app.ts

@@ -241,7 +241,7 @@ class App {
 
     this.app.use(favicon(path.join(staticDir, 'favicon.ico')));
 
-    authn(this.app, this.authn);
+    authn(this.app);
 
     // Server-side auth endpoints (email/password, OAuth)
     const firebaseRestClient = createFirebaseRestClient({

src/server/authn.ts

@@ -3,8 +3,6 @@
 // Version 2.0, that can be found in the LICENSE file.
 
 import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb';
-import { Request, Response } from 'express';
-import { Strategy as BaseStrategy } from 'passport-strategy';
 import passport from 'passport';
 import { v4 as uuidV4 } from 'uuid';
 import * as logger from 'winston';
@@ -24,34 +22,10 @@ export interface VerifiedUserInfo {
   providerUserId: string;
 }
 
-interface StrategyOptions {}
-
 interface SerializedSessionUser {
   id: string;
 }
 
-type VerifyDone = (error: Error | null, user?: unknown) => void;
-
-interface VerifyFunction {
-  (firestoreIdToken: string, done: VerifyDone): Promise<void>;
-}
-
-function toError(error: unknown): Error {
-  if (error instanceof Error) {
-    return error;
-  }
-  if (typeof error === 'string') {
-    return new Error(error);
-  }
-  if (typeof error === 'object' && error !== null) {
-    const message = (error as Record<string, unknown>).message;
-    if (typeof message === 'string') {
-      return new Error(message);
-    }
-  }
-  return new Error(String(error));
-}
-
 function isSerializedSessionUser(value: unknown): value is SerializedSessionUser {
   return (
     typeof value === 'object' &&
@@ -60,42 +34,6 @@ function isSerializedSessionUser(value: unknown): value is SerializedSessionUser
   );
 }
 
-class FirestoreAuthStrategy extends BaseStrategy implements passport.Strategy {
-  readonly name: 'firestore-auth';
-  private readonly verify: VerifyFunction;
-
-  constructor(options: StrategyOptions, verify: VerifyFunction) {
-    super();
-    this.name = 'firestore-auth';
-    this.verify = verify;
-  }
-
-  authenticate(req: Request, _options?: unknown): void {
-    if (!req.body || !req.body.idToken) {
-      this.error(new Error('no idToken in body'));
-      return;
-    }
-
-    const idToken = req.body.idToken as string;
-
-    const verified: VerifyDone = (error, user): void => {
-      if (error) {
-        return this.error(error);
-      }
-      if (!user) {
-        return this.fail(401);
-      }
-      this.success(user as User);
-    };
-
-    this.verify(idToken, verified)
-      .then(() => {})
-      .catch((err) => {
-        this.error(toError(err));
-      });
-  }
-}
-
 function getProviderFromFirebaseUser(fbUser: admin.auth.UserRecord): AuthProvider {
   if (!fbUser.providerData || fbUser.providerData.length === 0) {
     return 'password';
@@ -276,25 +214,7 @@ export async function getOrCreateUserFromVerifiedInfo(
   return [user, undefined];
 }
 
-export const authn = (app: Application, firebaseAuthn: admin.auth.Auth): void => {
-  // const config = app.get('authentication');
-
-  // DEPRECATED: Use /auth/login instead. This endpoint exists for backward
-  // compatibility with existing mobile apps and will be removed in a future release.
-  passport.use(
-    new FirestoreAuthStrategy({}, async (firestoreIdToken: string, done: VerifyDone) => {
-      const [user, err] = await getOrCreateUserFromIdToken(app.db.user, firebaseAuthn, firestoreIdToken);
-      if (err !== undefined) {
-        logger.error(err);
-        done(err);
-      } else if (user) {
-        done(null, user);
-      } else {
-        throw new Error('unreachable');
-      }
-    }),
-  );
-
+export const authn = (app: Application): void => {
   passport.serializeUser((rawUser, done) => {
     if (!(rawUser instanceof User)) {
       done(new Error('serializeUser expected a User instance'));
@@ -325,12 +245,4 @@ export const authn = (app: Application, firebaseAuthn: admin.auth.Auth): void =>
 
   app.use(passport.initialize());
   app.use(passport.session());
-
-  app.post('/session', passport.authenticate('firestore-auth', {}), (req: Request, res: Response): void => {
-    res.sendStatus(200);
-  });
-
-  app.delete('/session', (_req: Request, _res: Response): void => {
-    console.log(`TODO: unset cookie`);
-  });
 };