Add native support for OpenSRP web

[moshthepitt]

Introduction

Currently the Reveal web app ships with a tiny nodejs server that is responsible for:

• handling OAuth via the authorization code flow
• persisting user sessions securely
• handling redirects upon logging in i.e. if a user wanted to visit example.com/plans when not logged in, they are redirected to the login page and once logged in are redirected back to example.com/plans
• exposes an API endpoint that returns OAuth credentials that the front end web app can use. This endpoint is a view managed by the nodejs server and is login protected
• a nodejs view that simply loads the compiled frontend assets (html + css + js)

I think the time is now for us to move this functionality to the OpenSRP server application, and remove the nodejs dependency.

What is needed?

• A way to handle OAuth via the authorization code flow and pass the OAuth credentials to the frontend web app
• A way to securely persist session using httponly cookies
• A way to load the frontend assets via a Spring "view" (during the frontend web app deployment, its assets will be copied to some directory that OpenSRP server would be aware of via configuration).

[githengi]

@moshthepitt

• For oauth we could configure opensrp to act as an oauth client so that it get tokens from keycloak. Please list how the webapp should extract the token from OpenSRP
• This should be possible and I think session cookies are being saved but they are only visible to OpenSRP domain only. Please list the cookies that needs to be saved
• This is possible if we load the static complied files and configure so that those are loaded via protected paths. Is the web app a single page application if not. Could the compilation ensure links point to the correct paths.

[moshthepitt]

A way to securely persist session using httponly cookies

This should be possible and I think session cookies are being saved but they are only visible to OpenSRP domain only. Please list the cookies that needs to be saved

The session cookies don't matter so much. What matters is that the protected pages are only accessible to logged in users using whatever cookies/mechanism that Spring uses. The intention is that the web app will be deployed on the OpenSRP server domain.

[moshthepitt]

For oauth we could configure opensrp to act as an oauth client so that it get tokens from keycloak. Please list how the webapp should extract the token from OpenSRP

The express app exposes a secured endpoint at /oauth/state e.g. https://web.reveal-stage.smartregister.org/oauth/state that the web app accesses to extract the OAuth credentials. This is the currently expected payload (when authenticated):

{
    "session": {
        "authenticated": true,
        "extraData": {
            "roles": [
                "ROLE_OPENMRS",
                "ROLE_ALL_EVENTS",
                "ROLE_offline_access",
                "ROLE_PLANS_FOR_USER",
                "ROLE_uma_authorization"
            ],
            "email": null,
            "username": "superset-user",
            "user_id": "301faf1d-6cfb-4ed1-997c-46b44146ab05",
            "preferred_name": "Superset User",
            "family_name": "User",
            "given_name": "Superset",
            "email_verified": false,
            "oAuth2Data": {
                "access_token": "secret",
                "expires_in": 3600,
                "refresh_expires_in": 2592000,
                "refresh_token": "secret",
                "token_type": "bearer",
                "not-before-policy": 1595266243,
                "session_state": "cfbf4c00-b9a1-4779-bf5d-4c5191df6e78",
                "scope": "profile email"
            }
        },
        "user": {
            "email": "",
            "gravatar": "",
            "name": "",
            "username": "superset-user"
        }
    }
}

[moshthepitt]

A way to load the frontend assets via a Spring "view" (during the frontend web app deployment, its assets will be copied to some directory that OpenSRP server would be aware of via configuration).

This is possible if we load the static complied files and configure so that those are loaded via protected paths. Is the web app a single page application if not. Could the compilation ensure links point to the correct paths.

The web app is currently a single page application so once we get it to load in some view, and give it the ability to handle URL paths then it takes care of the rest.

[moshthepitt]

@githengi @dubdabasoduba ^^