refactoring

Author: derisen

CHANGELOG.md

@@ -0,0 +1,8 @@
+# CHANGELOG
+
+## 3/04/2020
+
+* Dependencies updated.
+* Configuration parameters separated.
+* Readme improved.
+* ES6 conventions introduced.

CODE_OF_CONDUCT.md

@@ -0,0 +1,9 @@
+# Microsoft Open Source Code of Conduct
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+
+Resources:
+
+- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
+- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns

CONTRIBUTING.md

@@ -0,0 +1,18 @@
+# Contributing
+
+This project welcomes contributions and suggestions.  Most contributions require you to agree to a
+Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
+the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
+
+When you submit a pull request, a CLA bot will automatically determine whether you need to provide
+a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
+provided by the bot. You will only need to do this once across all repos using our CLA.
+
+## Instructions
+
+Follow these instructions to download and run the sample locally.
+
+1. Install [Node](https://nodejs.org/).
+2. Clone and download this repository.
+3. Navigate to the root of this repository, and install the dependencies: `npm install`
+4. Start the application: `npm start`

LICENSE copy

@@ -0,0 +1,21 @@
+    MIT License
+
+    Copyright (c) Microsoft Corporation. All rights reserved.
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE

README.md

@@ -1,57 +1,118 @@
 ---
 page_type: sample
-description: "This sample demonstrates how to protect a Node.js web API with Azure AD B2C using the Passport.js library."
 languages:
 - javascript
-- nodejs
+- node.js
 products:
-- azure
-- azure-active-directory
-urlFragment: nodejs-web-api-azure-ad
+- microsoft-identity-platform
+- azure-active-directory-b2c
+description: "A sample demonstrating how to protect a Node.js web API with Azure AD B2C using the Passport.js library."
+urlFragment: "active-directory-b2c-javascript-nodejs-webapi"
 ---
 
-
 # Node.js Web API with Azure AD B2C
 
 This sample demonstrates how to protect a Node.js web API with Azure AD B2C using the Passport.js library. The code here is pre-configured with a registered client ID. If you register your own app, you will need to replace the client ID.
 
-We have deployed this API to Azure to allow testing without running it locally. Checkout one of the apps in [Next Steps](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi/blob/master/README.md#next-steps) to use it!
+To see how to call this web API from a client application, refer to this [B2C Single Page Application sample](https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp).
+
+## Contents
+
+| File/folder       | Description                                |
+|-------------------|--------------------------------------------|
+| `process.json`   | Contains configuration parameters for logging via Morgan.  |
+| `index.js`   | Main application logic resides here.                     |
+| `apiConfig.js`   | Contains configuration parameters for the sample. |
+| `.gitignore`      | Defines what to ignore at commit time.      |
+| `CHANGELOG.md`    | List of changes to the sample.             |
+| `CODE_OF_CONDUCT.md` | Code of Conduct information.            |
+| `CONTRIBUTING.md` | Guidelines for contributing to the sample. |
+| `LICENSE`         | The license for the sample.                |
+| `package.json`    | Package manifest for npm.                   |
+| `README.md`       | This README file.                          |
+| `SECURITY.md`     | Security disclosures.                      |
+| `server.js`     | Implements a simple Node server to api endpoint(s).  |
 
 ## Steps to Run
 
 1. Clone the code.
 
-	```bash
-	git clone https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi
-	```
+```console
+git clone https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2
+```
+
+2. Make sure you've installed [Node.js](https://nodejs.org/en/download/).
+
+3. Install the node dependencies:
 
-2. Make sure you've [installed Node](https://nodejs.org/en/download/).
+```console
+npm install && npm update
+```
 
-4. Install the node dependencies: 
+4. Run the Web API! By default it will run on `http://localhost:5000`
 
-	```bash
-	npm install && npm update
-	```
-5. Run the Web API! By default it will run on `http://localhost:5000`.
-	```bash
-	node index.js
-	```
+```console
+npm start
+```
 
 ## Next Steps
-The `/hello` endpoint in this sample is protected so an authorized request to it requires an access token in the header. 
-You can make authorized requests to this web API using an [iOS App](https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal) or [Android App](https://github.com/Azure-Samples/active-directory-b2c-android-native-msal). Make sure to update the app configs if you want it to point to your local hello api. 
 
-Alternatively, you can [register your own app](https://apps.dev.microsoft.com) and point to this web API.
+### Using your own Azure AD B2C Tenant
+
+To have a proper understanding of Azure AD B2C as a developer, follow the tutorials on Azure [AD B2C documentation](https://docs.microsoft.com/en-us/azure/active-directory-b2c/). In the rest of this guide, we summarize the steps you need to go through.
+
+#### Step 1: Get your own Azure AD B2C Tenant
+
+First, you'll need an Azure AD B2C tenant. If you don't have an existing Azure AD B2C tenant that you can use for testing purposes, you can create your own by following [these instructions](https://azure.microsoft.com/documentation/articles/active-directory-b2c-get-started).
+
+#### Step 2: Create your own policies
+
+This sample uses a unified sign-up/sign-in policy. You can create [your own unified sign-up/sign-in policy](https://azure.microsoft.com/documentation/articles/active-directory-b2c-reference-policies). You may choose to include as many or as few identity providers as you wish.
+
+If you already have existing policies in your Azure AD B2C tenant, feel free to re-use those policies in this sample.  
+
+#### Step 3: Register your own web API with Azure AD B2C
 
-Customize your user experience further by supporting more identity providers.  Checkout the docs belows to learn how to add additional providers: 
+Follow the instructions at [register a Web API with Azure AD B2C](https://docs.microsoft.com/en-us/azure/active-directory-b2c/add-web-application?tabs=applications) to register the Node.js Web API sample with your tenant. Registering your Web API allows you to define the scopes that your single page application will request access tokens for.
 
-- [Microsoft](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-msa-app)
-- [Facebook](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-fb-app)
-- [Google](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-goog-app)
-- [Amazon](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-amzn-app)
-- [LinkedIn](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-li-app)
+#### Step 4: Configure your application source code
 
+You can now fill in the variables in the `apiConfig.js` file of the Node.js Web API sample with the parameters you've obtained from the Azure Portal during the steps above.
+
+Configure the following variables:
+
+```javascript
+const clientID = "<Application ID for your Node.js Web API - found on Properties page in Azure portal e.g. 93733604-cc77-4a3c-a604-87084dd55348>";
+const b2cDomainHost = "<Domain of your B2C host eg. fabrikamb2c.b2clogin.com>";
+const tenantIdGuid = "<Application ID for your Node.js Web API - found on Properties page in Azure portal e.g. 775527ff-9a37-4307-8b3d-cc311f58d925>";
+const policyName = "<Name of your sign in / sign up policy, e.g. B2C_1_SUSI>";
+```
+
+> **NOTE**
+>
+>Developers using the [Azure China Environment](https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud), MUST use <your-tenant-name>.b2clogin.cn authority, instead of `login.chinacloudapi.cn`.
+>
+> In order to use <your-tenant-name>.b2clogin.*, you will need to configure you application and set `validateAuthority: false`. Learn more about using [b2clogin](https://docs.microsoft.com/en-us/azure/active-directory-b2c/b2clogin#set-the-validateauthority-property).
+
+Lastly, to run your Node.js Web API, run the following command from your shell or command line
+
+```bash
+npm install && npm update
+npm start
+```
+
+Your Node.js Web API sample is now running on Port 5000.
 
 ## Questions & Issues
 
-Please file any questions or problems with the sample as a GitHub issue.  You can also post on Stack Overflow with the tag `azure-ad-b2c`. For OAuth2.0 library issues, please see note below. 
+Please file any questions or problems with the sample as a GitHub issue.  You can also post on Stack Overflow with the tag `azure-ad-b2c`. For OAuth2.0 library issues, please see note below.
+
+## Contributing
+
+If you'd like to contribute to this sample, see [CONTRIBUTING.MD](./CONTRIBUTING.md).
+
+## Code of Conduct
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
+contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

SECURITY.md

@@ -0,0 +1,37 @@
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets Microsoft's [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)) of a security vulnerability, please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://msrc.microsoft.com/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://microsoft.com/msrc/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).

apiConfig.js

@@ -0,0 +1,18 @@
+// Update these four variables with your values from the B2C portal
+const clientID = "93733604-cc77-4a3c-a604-87084dd55348"; 
+const b2cDomainHost = "fabrikamb2c.b2clogin.com";
+const tenantIdGuid = "775527ff-9a37-4307-8b3d-cc311f58d925"; // alternatively, you can use your tenant name as well
+const policyName = "B2C_1_SUSI";
+
+const config = {
+    identityMetadata: "https://" + b2cDomainHost + "/" + tenantIdGuid + "/" + policyName + "/v2.0/.well-known/openid-configuration/",
+    clientID: clientID,
+    policyName: policyName,
+    isB2C: true,
+    validateIssuer: false,
+    loggingLevel: 'info',
+    loggingNoPII: false,
+    passReqToCallback: false
+}
+
+module.exports = config;

index.js

@@ -1,69 +1,55 @@
-// Authors:
-// Shane Oatman https://github.com/shoatman
-// Sunil Bandla https://github.com/sunilbandla
-// Daniel Dobalian https://github.com/danieldobalian
-
-var express = require("express");
-var morgan = require("morgan");
-var passport = require("passport");
-var BearerStrategy = require('passport-azure-ad').BearerStrategy;
-
-/* Update these four variables with your values from the B2C portal */
-var clientID = "93733604-cc77-4a3c-a604-87084dd55348"; 
-var b2cDomainHost = "fabrikamb2c.b2clogin.com";
-var tenantIdGuid = "775527ff-9a37-4307-8b3d-cc311f58d925";
-var policyName = "B2C_1_SUSI";
-
-
-var options = {
-    identityMetadata: "https://" + b2cDomainHost + "/" + tenantIdGuid + "/" + policyName + "/v2.0/.well-known/openid-configuration/",
-
-    clientID: clientID,
-    policyName: policyName,
-    isB2C: true,
-    validateIssuer: false,
-    loggingLevel: 'info',
-    loggingNoPII: false,
-    passReqToCallback: false
-};
-
-var bearerStrategy = new BearerStrategy(options,
+const express = require("express");
+const morgan = require("morgan");
+const passport = require("passport");
+const config = require('./apiConfig');
+const BearerStrategy = require('passport-azure-ad').BearerStrategy;
+
+// A simple check for clientID placeholder
+if (config.clientID === 'YOUR_CLIENT_ID') {
+    console.error("Please update 'options' with the client id (application id) of your application");
+    return;
+}
+
+const bearerStrategy = new BearerStrategy(config,
     function (token, done) {
         // Send user info using the second argument
         done(null, {}, token);
     }
 );
 
-var app = express();
-app.use(morgan('dev'));
+const app = express();
 
+app.use(morgan('dev'));
 app.use(passport.initialize());
+
 passport.use(bearerStrategy);
 
-app.use(function (req, res, next) {
+//enable CORS
+app.use((req, res, next) => {
     res.header("Access-Control-Allow-Origin", "*");
     res.header("Access-Control-Allow-Headers", "Authorization, Origin, X-Requested-With, Content-Type, Accept");
     next();
 });
 
+// API endpoint
 app.get("/hello",
     passport.authenticate('oauth-bearer', {session: false}),
-    function (req, res) {
-        var claims = req.authInfo;
+    (req, res) => {
         console.log('User info: ', req.user);
-        console.log('Validated claims: ', claims);
+        console.log('Validated claims: ', req.authInfo);
 
-        if (claims['scp'].split(" ").indexOf("demo.read") >= 0) {
+        if (req.authInfo['scp'].split(" ").indexOf("demo.read") >= 0) {
             // Service relies on the name claim.  
-            res.status(200).json({'name': claims['name']});
+            res.status(200).json({'name': req.authInfo['name']});
         } else {
             console.log("Invalid Scope, 403");
             res.status(403).json({'error': 'insufficient_scope'}); 
         }
     }
 );
 
-var port = process.env.PORT || 5000;
-app.listen(port, function () {
+const port = process.env.PORT || 5000;
+
+app.listen(port, () => {
     console.log("Listening on port " + port);
 });