exports.initialize = function()

in Website/Website/auth.js [289:379]


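/**
 * Wire authentication, session handling and API authorization onto the host's Express app.
 *
 * Reads `host.app`, `host.telemetryClient` and `host.conf.env.enableLocalOneBox`, and stores
 * the query helper created by `initialize(host)` on `host.query` as a side effect.
 *
 * @param {object} host - Application host (app, telemetryClient, conf).
 * @returns {void}
 */
exports.initialize = function(host) {
    const telemetryClient = host.telemetryClient;
    const app = host.app;
    const query = initialize(host);
    host.query = query;

    if (host.conf.env.enableLocalOneBox) {
        // OneBox mode: no identity provider is wired up, so every API role is reported
        // as enabled (mock role info).
        app.get('/api/functionenabled', function(req, res) {
            res.type('application/json').send(functionEnabled(Object.keys(webComposition.api), host.conf.env.enableLocalOneBox));
        });
    } else {
        // Not OneBox mode: authenticate through passport (azuread-openidconnect).
        query.preparePassport();
        app.use(passport.initialize());
        app.use(passport.session());

        const loginOptions = {
            failWithError: true
        };
        app.get('/login', passport.authenticate('azuread-openidconnect', loginOptions));
        app.post('/authReturn', passport.authenticate('azuread-openidconnect', loginOptions), function(req, res) {
            if (req.session) {
                // Read and clear the stored return path BEFORE sending the redirect: the
                // session is persisted when the response ends, so a `delete` placed after
                // res.redirect() may not be saved and the stale path could be reused later.
                const returnTo = req.session.returnTo || '/';
                delete req.session.returnTo;
                // NOTE(review): returnTo is presumably set server-side (e.g. by ensureAuthenticated);
                // if it can be influenced by the client it should be restricted to a same-origin path.
                res.redirect(returnTo);
            } else {
                res.redirect('/');
            }
        });

        // Every route registered from here on requires an authenticated user.
        app.all('*', ensureAuthenticated);
        app.get('/logout', function(req, res) {
            // NOTE(review): synchronous req.logout() matches passport < 0.6; newer versions
            // require a callback — confirm against the installed passport version.
            req.logout();
            res.redirect(logoutUrl);
        });
        app.get('/api/user/photo', (req, res) =>
            query
                .getProfilePhoto(req)
                .then(response => res.type(response.headers['content-type']).send(response.body))
                .catch(error => {
                    console.error(error);
                    res.status(500).json({ error: error.message });
                })
        );

        // https://www.npmjs.com/package/csurf
        // Node.js CSRF (Cross Site Request Forgery) protection middleware to add protection to POST API calls.
        // Start using CSRF protection for all POST APIs declared after this initialization.
        // You should never declare any POST handlers above this execution statement besides
        // the login handler or else they will not receive the CSRF protection.
        app.use(csrf());

        // Get user info and pass CSRF token back to client.
        // The cookie is set without httpOnly, presumably so client-side script can read the
        // token and echo it on POSTs; confirm before adding secure/sameSite flags.
        app.get('/api/user', function(req, res) {
            res.cookie('csrfToken', req.csrfToken());
            res.type('application/json').send({ id: req.user.email, name: req.user.displayName });
        });

        app.get('/api/functionenabled', function(req, res) {
            res.type('application/json').send(functionEnabled(req.user._json.roles, host.conf.env.enableLocalOneBox));
        });

        app.get('/api/isdatabrickssparktype', function(req, res) {
            res.type('application/json').send(isDatabricksSparkType(process.env.DATAX_SPARK_TYPE));
        });

        // Role-based authorization for the remaining /api/* routes. Express matches in
        // registration order, so the /api routes registered above are not subject to this check.
        app.all('/api/*', (req, res, next) => {
            const roles = req.user._json.roles;
            const errorResult = checkPermission(roles, webComposition.api, req);
            if (!errorResult) {
                return next();
            }
            // NOTE(review): errorResult (not a response object) is passed as `response` — confirm
            // this is what trackNodeHttpRequest expects.
            telemetryClient.trackNodeHttpRequest({ request: req, response: errorResult });
            // A denied request is a client error: answer 403 (same status and body shape as the
            // CSRF handler below) rather than 200, so status-based clients, proxies and logs
            // see the refusal.
            return res.status(403).json({ body: errorResult, error: errorResult });
        });

        // CSRF protection error handler: only EBADCSRFTOKEN is handled here, anything else
        // is passed on to the next error handler.
        app.use((err, req, res, next) => {
            if (err.code !== 'EBADCSRFTOKEN') {
                return next(err);
            }

            const message = 'The server understood the request but refuses to authorize it.';
            res.status(403).json({ body: message, error: message });
        });
    }

    // Registered after csrf() in non-OneBox mode, so it is CSRF-protected there.
    app.post('/api/apiservice', (req, res) => serviceResponder(req, res, query.queryService));
};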