From dad225ee9915347387a73af3e3eef20dd3c1f493 Mon Sep 17 00:00:00 2001
From: nicola
Date: Wed, 11 May 2016 15:16:48 -0400
Subject: [PATCH 1/2] Making authentication strategy an option
---
 bin/lib/options.js | 21 ++++++++++++++++-
 lib/create-app.js | 3 ++-
 lib/create-server.js | 7 ++++--
 lib/handlers/authentication.js | 43 ++++++++++++++++++++--------------
 lib/identity-provider.js | 5 +++-
 lib/ldp.js | 4 ++++
 6 files changed, 60 insertions(+), 23 deletions(-)
diff --git a/bin/lib/options.js b/bin/lib/options.js
index a74da1ab1..e9633397a 100644
--- a/bin/lib/options.js
+++ b/bin/lib/options.js
@@ -26,9 +26,28 @@ module.exports = [
 name: 'webid',
 help: 'Enable WebID+TLS authentication (use `--no-webid` for HTTP instead of HTTPS)',
 flag: true,
- question: 'Enable WebID-TLS authentication',
+ question: 'Enable WebID authentication',
 prompt: true
 },
+ {
+ name: 'auth',
+ help: 'Pick an authentication strategy `tls` or `oidc`',
+ question: 'What authentication strategy do you want to provide?',
+ type: 'list',
+ choices: [
+ 'TLS',
+ 'OpenID Connect'
+ ],
+ prompt: true,
+ default: 'TLS',
+ filter: (value) => {
+ if (value === 'TLS') return 'tls'
+ if (value === 'OpenID Connect') return 'oidc'
+ },
+ when: (answers) => {
+ return answers.webid
+ }
+ },
 {
 name: 'useOwner',
 question: 'Do you already have a WebID?',
diff --git a/lib/create-app.js b/lib/create-app.js
index b1517d14f..156bb3f4c 100644
--- a/lib/create-app.js
+++ b/lib/create-app.js
@@ -95,7 +95,8 @@ function createApp (argv = {}) {
 store: ldp,
 suffixAcl: ldp.suffixAcl,
 settings: 'settings',
- inbox: 'inbox'
+ inbox: 'inbox',
+ auth: ldp.auth
 })
 var needsOverwrite = function (req, res, next) {
 checkMasterAcl(req, function (found) {
diff --git a/lib/create-server.js b/lib/create-server.js
index 69db9259d..8ea28c8ec 100644
--- a/lib/create-server.js
+++ b/lib/create-server.js
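Review bot: The `filter` on the new `auth` option returns `undefined` for any value other than the two prompt labels, so unrecognised input is silently dropped and lib/ldp.js in this same patch then substitutes `'tls'`; whether the filter also runs on a value given as a command-line flag is not visible in this hunk. Ending the filter with `return value` keeps unknown input intact so the server can reject it instead of quietly replacing it with the default. The `help` text also offers `oidc` without saying that lib/handlers/authentication.js in this patch answers every request with a 500 once that strategy is selected; the second patch rewords the text but still leaves that out, e.g. `help: 'Pick an authentication strategy for WebID: tls or oidc (oidc is not implemented yet)'`.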
@@ -55,8 +55,11 @@ function createServer (argv) {
 var credentials = {
 key: key,
- cert: cert,
- requestCert: true
+ cert: cert
+ }
+
+ if (ldp.webid && ldp.auth === 'tls') {
+ credentials.requestCert = true
 }
 server = https.createServer(credentials, app)
diff --git a/lib/handlers/authentication.js b/lib/handlers/authentication.js
index 9ca7a476c..df9f003c6 100644
--- a/lib/handlers/authentication.js
+++ b/lib/handlers/authentication.js
@@ -2,6 +2,7 @@ module.exports = handler
 var webid = require('webid/tls')
 var debug = require('../debug').authentication
+var error = require('../http-error')
 function handler (req, res, next) {
 var ldp = req.app.locals.ldp
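Review bot: The new `if (ldp.webid && ldp.auth === 'tls')` guard around `credentials.requestCert = true` carries no comment explaining why only one strategy asks the client for a certificate, and the same `ldp.auth === 'tls'` predicate is repeated in lib/handlers/authentication.js and lib/identity-provider.js in this patch. A one-line comment would help the next reader, e.g. `// Only the WebID-TLS strategy needs a client certificate from the TLS handshake`. Consider also deciding the strategy once on the LDP object and having the three call sites read that, so the predicates cannot drift apart as more strategies are added. createServer continues outside the hunk.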
@@ -27,27 +28,33 @@ function handler (req, res, next) {
 return next()
 }
- var certificate = req.connection.getPeerCertificate()
- // Certificate is empty? skip
- if (certificate === null || Object.keys(certificate).length === 0) {
- debug('No client certificate found in the request. Did the user click on a cert?')
- setEmptySession(req)
- return next()
- }
-
- // Verify webid
- webid.verify(certificate, function (err, result) {
- if (err) {
- debug('Error processing certificate: ' + err.message)
+ if (ldp.auth === 'tls') {
+ var certificate = req.connection.getPeerCertificate()
+ // Certificate is empty? skip
+ if (certificate === null || Object.keys(certificate).length === 0) {
+ debug('No client certificate found in the request. Did the user click on a cert?')
 setEmptySession(req)
 return next()
 }
- req.session.userId = result
- req.session.identified = true
- debug('Identified user: ' + req.session.userId)
- res.set('User', req.session.userId)
- return next()
- })
+
+ // Verify webid
+ webid.verify(certificate, function (err, result) {
+ if (err) {
+ debug('Error processing certificate: ' + err.message)
+ setEmptySession(req)
+ return next()
+ }
+ req.session.userId = result
+ req.session.identified = true
+ debug('Identified user: ' + req.session.userId)
+ res.set('User', req.session.userId)
+ return next()
+ })
+ } else if (ldp.auth === 'oidc') {
+ return next(error(500, 'OIDC not implemented yet'))
+ } else {
+ return next(error(500, 'Authentication method not supported'))
+ }
 }
 function setEmptySession (req) {
diff --git a/lib/identity-provider.js b/lib/identity-provider.js
index a2d8d108e..66bca2b00 100644
--- a/lib/identity-provider.js
+++ b/lib/identity-provider.js
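Review bot: An unrecognised `ldp.auth` value is only discovered at request time, where the final `else` turns every request into a 500 with `'Authentication method not supported'`; the lib/ldp.js hunk in this patch only fills in a missing value and never rejects a wrong one, so a typo in the configured strategy yields a server that starts cleanly and then fails on each request. Validating the value once in the LDP constructor (throw if it is neither `'tls'` nor `'oidc'`) fails at boot with a clear message and lets this handler keep its `else` purely as a defensive fallback. The `tls` branch also declares `var certificate` inside the `if`, which is hoisted to function scope; consistent with the file's `var` style, but worth a short comment on the branch such as `// WebID-TLS: identify the user from the client certificate presented in the handshake`. handler begins before the hunk's first line.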
@@ -41,6 +41,7 @@ function IdentityProvider (options) {
 this.defaultContainers = options.defaultContainers || defaultContainers
 this.inbox = options.inbox
 this.settings = options.settings
+ this.auth = options.auth || 'tls'
 }
 // Generate the future webid from the options and the IdentityProvider Settings
@@ -580,7 +581,9 @@ IdentityProvider.prototype.middleware = function (corsSettings, firstUser) {
 }
 router.post('/new', parser, setFirstUser(firstUser), this.post.bind(this))
- router.post('/cert', parser, this.newCert.bind(this))
+ if (this.auth === 'tls') {
+ router.post('/cert', parser, this.newCert.bind(this))
+ }
 router.all('/*', function (req, res) {
 var host = uriAbs(req)
 // TODO replace the hardcoded link with an arg
diff --git a/lib/ldp.js b/lib/ldp.js
index e5f4bba44..401e63528 100644
--- a/lib/ldp.js
+++ b/lib/ldp.js
@@ -65,6 +65,10 @@ function LDP (argv) {
 this.skin = true
 }
+ if (this.webid && !this.auth) {
+ this.auth = 'tls'
+ }
+
 if (this.proxy && this.proxy[0] !== '/') {
 this.proxy = '/' + this.proxy
 }
From 31008dfb24723d510c25e9836c1ebf08e81b54fc Mon Sep 17 00:00:00 2001
From: nicola
Date: Wed, 11 May 2016 15:44:20 -0400
Subject: [PATCH 2/2] better cli ui
---
 bin/lib/options.js | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/bin/lib/options.js b/bin/lib/options.js
index e9633397a..ceeac3d54 100644
--- a/bin/lib/options.js
+++ b/bin/lib/options.js
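Review bot: `this.auth = options.auth || 'tls'` defaults the strategy unconditionally, whereas the lib/ldp.js hunk in this patch only defaults `auth` to `'tls'` when `this.webid` is set, so with WebID disabled `ldp.auth` can be undefined and IdentityProvider still registers the `/cert` route; whether that route is reachable without WebID depends on how the middleware is mounted, which is outside these hunks. If `/cert` is meant to exist only when WebID-TLS is the active strategy, pass the decision through unchanged (`this.auth = options.auth`) so the `router.post('/cert', ...)` guard treats a missing value as off, or document the fallback with a comment such as `// No strategy given: assume WebID-TLS so the certificate endpoint stays available`. Both IdentityProvider and middleware continue outside the hunks.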
@@ -31,18 +31,18 @@ module.exports = [
 },
 {
 name: 'auth',
- help: 'Pick an authentication strategy `tls` or `oidc`',
- question: 'What authentication strategy do you want to provide?',
+ help: 'Pick an authentication strategy for WebID: `tls` or `oidc`',
+ question: 'Select authentication strategy',
 type: 'list',
 choices: [
- 'TLS',
- 'OpenID Connect'
+ 'WebID-TLS',
+ 'WebID-OpenID Connect'
 ],
 prompt: true,
- default: 'TLS',
+ default: 'WebID-TLS',
 filter: (value) => {
- if (value === 'TLS') return 'tls'
- if (value === 'OpenID Connect') return 'oidc'
+ if (value === 'WebID-TLS') return 'tls'
+ if (value === 'WebID-OpenID Connect') return 'oidc'
 },
 when: (answers) => {
 return answers.webid