Implement user account verification with LinkedIn during onboarding

Author: jankeromnes

components/dashboard/package.json

@@ -28,6 +28,7 @@
     "react-dom": "^17.0.1",
     "react-error-boundary": "^3.1.4",
     "react-intl-tel-input": "^8.2.0",
+    "react-linkedin-login-oauth2": "^2.0.1",
     "react-popper": "^2.3.0",
     "react-portal": "^4.2.2",
     "react-router-dom": "^5.2.0",

components/dashboard/src/images/sign-in-with-linkedin.svg

@@ -6,16 +6,19 @@
 
 import { User } from "@gitpod/gitpod-protocol";
 import { FC, useCallback, useState } from "react";
+import { useLinkedIn } from "react-linkedin-login-oauth2";
 import { TextInputField } from "../components/forms/TextInputField";
 import { useUpdateCurrentUserMutation } from "../data/current-user/update-mutation";
 import { useOnBlurError } from "../hooks/use-onblur-error";
 import { OnboardingStep } from "./OnboardingStep";
+import SignInWithLinkedIn from "../images/sign-in-with-linkedin.svg";
 
 type Props = {
     user: User;
+    linkedInClientId: string;
     onComplete(user: User): void;
 };
-export const StepUserInfo: FC<Props> = ({ user, onComplete }) => {
+export const StepUserInfo: FC<Props> = ({ user, linkedInClientId, onComplete }) => {
     const updateUser = useUpdateCurrentUserMutation();
     // attempt to split provided name for default input values
     const { first, last } = getInitialNameParts(user);
@@ -25,6 +28,17 @@ export const StepUserInfo: FC<Props> = ({ user, onComplete }) => {
     // Email purposefully not pre-filled
     const [emailAddress, setEmailAddress] = useState("");
 
+    const { linkedInLogin } = useLinkedIn({
+        clientId: linkedInClientId,
+        redirectUri: `${window.location.origin}/linkedin`,
+        onSuccess: (code) => {
+            console.log(code);
+        },
+        onError: (error) => {
+            console.log(error);
+        },
+    });
+
     const handleSubmit = useCallback(async () => {
         const additionalData = user.additionalData || {};
         const profile = additionalData.profile || {};
@@ -102,6 +116,13 @@ export const StepUserInfo: FC<Props> = ({ user, onComplete }) => {
                 onChange={setEmailAddress}
                 required
             />
+
+            <img
+                onClick={linkedInLogin}
+                src={SignInWithLinkedIn}
+                alt="Sign in with Linked In"
+                style={{ maxWidth: "180px", cursor: "pointer" }}
+            />
         </OnboardingStep>
     );
 };

components/dashboard/src/onboarding/StepUserInfo.tsx

@@ -5,7 +5,7 @@
  */
 
 import { User } from "@gitpod/gitpod-protocol";
-import { FunctionComponent, useCallback, useContext, useState } from "react";
+import { FunctionComponent, useCallback, useContext, useEffect, useState } from "react";
 import gitpodIcon from "../icons/gitpod.svg";
 import { Separator } from "../components/Separator";
 import { useHistory, useLocation } from "react-router";
@@ -40,6 +40,14 @@ const UserOnboarding: FunctionComponent<Props> = ({ user }) => {
 
     const [step, setStep] = useState(STEPS.ONE);
     const [completingError, setCompletingError] = useState("");
+    const [linkedInClientId, setLinkedInClientId] = useState("");
+
+    useEffect(() => {
+        (async () => {
+            const clientId = await getGitpodService().server.getLinkedInClientId();
+            setLinkedInClientId(clientId);
+        })();
+    }, []);
 
     // We track this state here so we can persist it at the end of the flow instead of when it's selected
     // This is because setting the ide is how we indicate a user has onboarded, and want to defer that until the end
@@ -134,6 +142,7 @@ const UserOnboarding: FunctionComponent<Props> = ({ user }) => {
                     {step === STEPS.ONE && (
                         <StepUserInfo
                             user={user}
+                            linkedInClientId={linkedInClientId}
                             onComplete={(updatedUser) => {
                                 setUser(updatedUser);
                                 setStep(STEPS.TWO);

components/dashboard/src/onboarding/UserOnboarding.tsx

@@ -0,0 +1,8 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+export const LinkedInTokenDB = Symbol("LinkedInTokenDB");
+export interface LinkedInTokenDB {}

components/gitpod-db/src/linked-in-token-db.ts

@@ -340,6 +340,11 @@ export class GitpodTableDescriptionProvider implements TableDescriptionProvider
             timeColumn: "_lastModified",
             deletionColumn: "deleted",
         },
+        {
+            name: "d_b_linked_in_token",
+            primaryKeys: ["id"],
+            timeColumn: "_lastModified",
+        },
     ];
 
     public getSortedTables(): TableDescription[] {

components/gitpod-db/src/tables.ts

@@ -0,0 +1,15 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { Entity, PrimaryColumn } from "typeorm";
+import { TypeORM } from "../typeorm";
+
+@Entity()
+// on DB but not Typeorm: @Index("ind_lastModified", ["_lastModified"])   // DBSync
+export class DBLinkedInToken {
+    @PrimaryColumn(TypeORM.UUID_COLUMN_TYPE)
+    id: string;
+}

components/gitpod-db/src/typeorm/entity/db-linked-in-token.ts

@@ -0,0 +1,24 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { inject, injectable } from "inversify";
+import { Repository } from "typeorm";
+import { LinkedInTokenDB } from "../linked-in-token-db";
+import { DBLinkedInToken } from "./entity/db-linked-in-token";
+import { TypeORM } from "./typeorm";
+
+@injectable()
+export class LinkedInTokenDBImpl implements LinkedInTokenDB {
+    @inject(TypeORM) typeORM: TypeORM;
+
+    protected async getEntityManager() {
+        return (await this.typeORM.getConnection()).manager;
+    }
+
+    protected async getRepo(): Promise<Repository<DBLinkedInToken>> {
+        return (await this.getEntityManager()).getRepository<DBLinkedInToken>(DBLinkedInToken);
+    }
+}

components/gitpod-db/src/typeorm/linked-in-token-db-impl.ts

@@ -0,0 +1,24 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { MigrationInterface, QueryRunner } from "typeorm";
+import { tableExists } from "./helper/helper";
+
+const TABLE_NAME = "d_b_linked_in_token";
+
+export class LinkedInToken1680096507296 implements MigrationInterface {
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(
+            `CREATE TABLE IF NOT EXISTS ${TABLE_NAME} (id char(36) NOT NULL, _lastModified timestamp(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6), PRIMARY KEY (id)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;`,
+        );
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        if (await tableExists(queryRunner, TABLE_NAME)) {
+            await queryRunner.query(`DROP TABLE ${TABLE_NAME}`);
+        }
+    }
+}

components/gitpod-db/src/typeorm/migration/1680096507296-LinkedInToken.ts

@@ -308,6 +308,8 @@ export interface GitpodServer extends JsonRpcServer<GitpodClient>, AdminServer,
     getBillingModeForUser(): Promise<BillingMode>;
     getBillingModeForTeam(teamId: string): Promise<BillingMode>;
 
+    getLinkedInClientId(): Promise<string>;
+
     /**
      * Analytics
      */

components/gitpod-protocol/src/gitpod-service.ts

@@ -2675,6 +2675,19 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
         return this.billingModes.getBillingModeForTeam(team, new Date());
     }
 
+    async getLinkedInClientId(ctx: TraceContextWithSpan): Promise<string> {
+        traceAPIParams(ctx, {});
+        this.checkAndBlockUser("getLinkedInClientID");
+        const clientId = this.config.linkedInSecrets?.clientId || "86lcfbj2vwm2ba"; // FIXME(janx)
+        if (!clientId) {
+            throw new ResponseError(
+                ErrorCodes.INTERNAL_SERVER_ERROR,
+                "LinkedIn is not properly configured (no Client ID)",
+            );
+        }
+        return clientId;
+    }
+
     // (SaaS) – admin
     async adminGetAccountStatement(ctx: TraceContext, userId: string): Promise<AccountStatement> {
         traceAPIParams(ctx, { userId });

components/server/ee/src/workspace/gitpod-server-impl.ts

@@ -224,6 +224,7 @@ const defaultFunctions: FunctionsConfig = {
     listUsage: { group: "default", points: 1 },
     getBillingModeForTeam: { group: "default", points: 1 },
     getBillingModeForUser: { group: "default", points: 1 },
+    getLinkedInClientId: { group: "default", points: 1 },
     tsAddMembersToOrg: { group: "default", points: 1 },
 
     trackEvent: { group: "default", points: 1 },

components/server/src/auth/rate-limiter.ts

@@ -26,13 +26,15 @@ export type Config = Omit<
     | "chargebeeProviderOptionsFile"
     | "stripeSecretsFile"
     | "stripeConfigFile"
+    | "linkedInSecretsFile"
     | "licenseFile"
     | "patSigningKeyFile"
 > & {
     hostUrl: GitpodHostUrl;
     workspaceDefaults: WorkspaceDefaults;
     chargebeeProviderOptions?: ChargebeeProviderOptions;
     stripeSecrets?: { publishableKey: string; secretKey: string };
+    linkedInSecrets?: { clientId: string; clientSecret: string };
     builtinAuthProvidersConfigured: boolean;
     inactivityPeriodForReposInDays?: number;
 
@@ -206,6 +208,11 @@ export interface ConfigSerialized {
     stripeConfigFile?: string;
     enablePayment?: boolean;
 
+    /**
+     * LinkedIn OAuth2 configuration
+     */
+    linkedInSecretsFile?: string;
+
     /**
      * Number of prebuilds that can be started in a given time period.
      * Key '*' specifies the default rate limit for a cloneURL, unless overriden by a specific cloneURL.
@@ -291,6 +298,16 @@ export namespace ConfigFile {
                 log.error("Could not load Stripe secrets", error);
             }
         }
+        let linkedInSecrets: { clientId: string; clientSecret: string } | undefined;
+        if (config.linkedInSecretsFile) {
+            try {
+                linkedInSecrets = JSON.parse(
+                    fs.readFileSync(filePathTelepresenceAware(config.linkedInSecretsFile), "utf-8"),
+                );
+            } catch (error) {
+                log.error("Could not load LinkedIn secrets", error);
+            }
+        }
         let license = config.license;
         const licenseFile = config.licenseFile;
         if (licenseFile) {
@@ -336,6 +353,7 @@ export namespace ConfigFile {
             builtinAuthProvidersConfigured,
             chargebeeProviderOptions,
             stripeSecrets,
+            linkedInSecrets,
             twilioConfig,
             license,
             workspaceGarbageCollection: {

components/server/src/config.ts

@@ -3576,6 +3576,10 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         return BillingMode.NONE;
     }
 
+    async getLinkedInClientId(ctx: TraceContextWithSpan): Promise<string> {
+        throw new ResponseError(ErrorCodes.SAAS_FEATURE, `Not implemented in this version`);
+    }
+
     //
     //#endregion
 

components/server/src/workspace/gitpod-server-impl.ts

@@ -282,6 +282,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 		EnablePayment:                chargebeeSecret != "" || stripeSecret != "" || stripeConfig != "",
 		ChargebeeProviderOptionsFile: fmt.Sprintf("%s/providerOptions", chargebeeMountPath),
 		StripeSecretsFile:            fmt.Sprintf("%s/apikeys", stripeSecretMountPath),
+		LinkedInSecretsFile:          fmt.Sprintf("%s/linkedin", linkedInSecretMountPath),
 		InsecureNoDomain:             false,
 		PrebuildLimiter: PrebuildRateLimiters{
 			// default limit for all cloneURLs

install/installer/pkg/components/server/configmap.go

@@ -16,6 +16,7 @@ const (
 	licenseFilePath                        = "/gitpod/license"
 	chargebeeMountPath                     = "/chargebee"
 	stripeSecretMountPath                  = "/stripe-secret"
+	linkedInSecretMountPath                = "/linkedin-secret"
 	githubAppCertSecret                    = "github-app-cert-secret"
 	IAMSessionPort                         = common.ServerIAMSessionPort
 	IAMSessionPortName                     = "session"

install/installer/pkg/components/server/constants.go

@@ -205,6 +205,29 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 		return nil
 	})
 
+	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
+		if cfg.WebApp != nil && cfg.WebApp.Server != nil && cfg.WebApp.Server.LinkedInSecret != "" {
+			linkedInSecret := cfg.WebApp.Server.LinkedInSecret
+
+			volumes = append(volumes,
+				corev1.Volume{
+					Name: "linkedin-secret",
+					VolumeSource: corev1.VolumeSource{
+						Secret: &corev1.SecretVolumeSource{
+							SecretName: linkedInSecret,
+						},
+					},
+				})
+
+			volumeMounts = append(volumeMounts, corev1.VolumeMount{
+				Name:      "linkedin-secret",
+				MountPath: linkedInSecretMountPath,
+				ReadOnly:  true,
+			})
+		}
+		return nil
+	})
+
 	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
 		if cfg.WebApp != nil && cfg.WebApp.Server != nil && cfg.WebApp.Server.GithubApp != nil {
 			volumes = append(volumes,

install/installer/pkg/components/server/deployment.go

@@ -36,6 +36,7 @@ type ConfigSerialized struct {
 	StripeSecretsFile                 string   `json:"stripeSecretsFile"`
 	StripeConfigFile                  string   `json:"stripeConfigFile"`
 	EnablePayment                     bool     `json:"enablePayment"`
+	LinkedInSecretsFile               string   `json:"linkedInSecretsFile"`
 	PATSigningKeyFile                 string   `json:"patSigningKeyFile"`
 	ShowSetupModal                    bool     `json:"showSetupModal"`
 

install/installer/pkg/components/server/types.go

@@ -259,6 +259,7 @@ type ServerConfig struct {
 	ChargebeeSecret                   string            `json:"chargebeeSecret"`
 	StripeSecret                      string            `json:"stripeSecret"`
 	StripeConfig                      string            `json:"stripeConfig"`
+	LinkedInSecret                    string            `json:"linkedInSecret"`
 	DisableDynamicAuthProviderLogin   bool              `json:"disableDynamicAuthProviderLogin"`
 	EnableLocalApp                    *bool             `json:"enableLocalApp"`
 	RunDbDeleter                      *bool             `json:"runDbDeleter"`

install/installer/pkg/config/v1/experimental/experimental.go

@@ -15162,6 +15162,11 @@ react-is@^17.0.1:
   resolved "https://registry.npmjs.org/react-is/-/react-is-17.0.2.tgz"
   integrity sha512-w2GsyukL62IJnlaff/nRegPQR94C/XXamvMWmSHRJ4y7Ts/4ocGRmTHvOs8PSE6pB3dWOrD/nueuU5sduBsQ4w==
 
+react-linkedin-login-oauth2@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/react-linkedin-login-oauth2/-/react-linkedin-login-oauth2-2.0.1.tgz#e322245b69f3248bf68273aa0a0deeed2ddf859d"
+  integrity sha512-vlmChbRhLjWZVU/A96I09GcpH3xLFTawQbT/05Dl3kuLVupdaVo7YZf2qrDQmrdfDm4Qj8svX1gkwHkybAMKDg==
+
 react-onclickoutside@^6.12.0:
   version "6.12.2"
   resolved "https://registry.yarnpkg.com/react-onclickoutside/-/react-onclickoutside-6.12.2.tgz#8e6cf80c7d17a79f2c908399918158a7b02dda01"