Implement user account verification with LinkedIn during onboarding

Author: jankeromnes

components/dashboard/package.json

@@ -28,6 +28,7 @@
     "react-dom": "^17.0.1",
     "react-error-boundary": "^3.1.4",
     "react-intl-tel-input": "^8.2.0",
+    "react-linkedin-login-oauth2": "^2.0.1",
     "react-popper": "^2.3.0",
     "react-portal": "^4.2.2",
     "react-router-dom": "^5.2.0",

components/dashboard/src/images/sign-in-with-linkedin.svg

@@ -6,16 +6,20 @@
 
 import { User } from "@gitpod/gitpod-protocol";
 import { FC, useCallback, useState } from "react";
+import { useLinkedIn } from "react-linkedin-login-oauth2";
+import { LinkedInCallback } from "react-linkedin-login-oauth2";
 import { TextInputField } from "../components/forms/TextInputField";
 import { useUpdateCurrentUserMutation } from "../data/current-user/update-mutation";
 import { useOnBlurError } from "../hooks/use-onblur-error";
 import { OnboardingStep } from "./OnboardingStep";
+import SignInWithLinkedIn from "../images/sign-in-with-linkedin.svg";
 
 type Props = {
     user: User;
+    linkedInClientId: string;
     onComplete(user: User): void;
 };
-export const StepUserInfo: FC<Props> = ({ user, onComplete }) => {
+export const StepUserInfo: FC<Props> = ({ user, linkedInClientId, onComplete }) => {
     const updateUser = useUpdateCurrentUserMutation();
     // attempt to split provided name for default input values
     const { first, last } = getInitialNameParts(user);
@@ -25,6 +29,17 @@ export const StepUserInfo: FC<Props> = ({ user, onComplete }) => {
     // Email purposefully not pre-filled
     const [emailAddress, setEmailAddress] = useState("");
 
+    const { linkedInLogin } = useLinkedIn({
+        clientId: linkedInClientId,
+        redirectUri: `${window.location.origin}/linkedin`,
+        onSuccess: (code) => {
+            console.log("success", code);
+        },
+        onError: (error) => {
+            console.log("error", error);
+        },
+    });
+
     const handleSubmit = useCallback(async () => {
         const additionalData = user.additionalData || {};
         const profile = additionalData.profile || {};
@@ -56,6 +71,12 @@ export const StepUserInfo: FC<Props> = ({ user, onComplete }) => {
 
     const isValid = [firstNameError, lastNameError, emailError].every((e) => e.isValid);
 
+    // FIXME: might be cleaner to have this in a dedicated /linkedin route instead of relying on the onboarding to show up again
+    const params = new URLSearchParams(window.location.search);
+    if (params.get("code") && params.get("state")) {
+        return <LinkedInCallback />;
+    }
+
     return (
         <OnboardingStep
             title="Welcome to Gitpod"
@@ -102,6 +123,20 @@ export const StepUserInfo: FC<Props> = ({ user, onComplete }) => {
                 onChange={setEmailAddress}
                 required
             />
+
+            <div>
+                <p className="text-gray-500 text-sm mt-4">
+                    Verify your account by connecting with LinkedIn and receive 500 credits per month. 🎁
+                </p>
+                <button className="primary" onClick={linkedInLogin}>
+                    <img
+                        src={SignInWithLinkedIn}
+                        alt="Sign in with Linked In"
+                        style={{ maxWidth: "180px", cursor: "pointer" }}
+                    />
+                    Connect with LinkedIn
+                </button>
+            </div>
         </OnboardingStep>
     );
 };

components/dashboard/src/onboarding/StepUserInfo.tsx

@@ -5,7 +5,7 @@
  */
 
 import { User } from "@gitpod/gitpod-protocol";
-import { FunctionComponent, useCallback, useContext, useState } from "react";
+import { FunctionComponent, useCallback, useContext, useEffect, useState } from "react";
 import gitpodIcon from "../icons/gitpod.svg";
 import { Separator } from "../components/Separator";
 import { useHistory, useLocation } from "react-router";
@@ -40,6 +40,14 @@ const UserOnboarding: FunctionComponent<Props> = ({ user }) => {
 
     const [step, setStep] = useState(STEPS.ONE);
     const [completingError, setCompletingError] = useState("");
+    const [linkedInClientId, setLinkedInClientId] = useState("");
+
+    useEffect(() => {
+        (async () => {
+            const clientId = await getGitpodService().server.getLinkedInClientId();
+            setLinkedInClientId(clientId);
+        })();
+    }, []);
 
     // We track this state here so we can persist it at the end of the flow instead of when it's selected
     // This is because setting the ide is how we indicate a user has onboarded, and want to defer that until the end
@@ -134,6 +142,7 @@ const UserOnboarding: FunctionComponent<Props> = ({ user }) => {
                     {step === STEPS.ONE && (
                         <StepUserInfo
                             user={user}
+                            linkedInClientId={linkedInClientId}
                             onComplete={(updatedUser) => {
                                 setUser(updatedUser);
                                 setStep(STEPS.TWO);

components/dashboard/src/onboarding/UserOnboarding.tsx

@@ -0,0 +1,8 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+export const LinkedInTokenDB = Symbol("LinkedInTokenDB");
+export interface LinkedInTokenDB {}

components/gitpod-db/src/linked-in-token-db.ts

@@ -340,6 +340,11 @@ export class GitpodTableDescriptionProvider implements TableDescriptionProvider
             timeColumn: "_lastModified",
             deletionColumn: "deleted",
         },
+        {
+            name: "d_b_linked_in_token",
+            primaryKeys: ["id"],
+            timeColumn: "_lastModified",
+        },
     ];
 
     public getSortedTables(): TableDescription[] {

components/gitpod-db/src/tables.ts

@@ -0,0 +1,15 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { Entity, PrimaryColumn } from "typeorm";
+import { TypeORM } from "../typeorm";
+
+@Entity()
+// on DB but not Typeorm: @Index("ind_lastModified", ["_lastModified"])   // DBSync
+export class DBLinkedInToken {
+    @PrimaryColumn(TypeORM.UUID_COLUMN_TYPE)
+    id: string;
+}

components/gitpod-db/src/typeorm/entity/db-linked-in-token.ts

@@ -0,0 +1,24 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { inject, injectable } from "inversify";
+import { Repository } from "typeorm";
+import { LinkedInTokenDB } from "../linked-in-token-db";
+import { DBLinkedInToken } from "./entity/db-linked-in-token";
+import { TypeORM } from "./typeorm";
+
+@injectable()
+export class LinkedInTokenDBImpl implements LinkedInTokenDB {
+    @inject(TypeORM) typeORM: TypeORM;
+
+    protected async getEntityManager() {
+        return (await this.typeORM.getConnection()).manager;
+    }
+
+    protected async getRepo(): Promise<Repository<DBLinkedInToken>> {
+        return (await this.getEntityManager()).getRepository<DBLinkedInToken>(DBLinkedInToken);
+    }
+}

components/gitpod-db/src/typeorm/linked-in-token-db-impl.ts

@@ -0,0 +1,24 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { MigrationInterface, QueryRunner } from "typeorm";
+import { tableExists } from "./helper/helper";
+
+const TABLE_NAME = "d_b_linked_in_token";
+
+export class LinkedInToken1680096507296 implements MigrationInterface {
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(
+            `CREATE TABLE IF NOT EXISTS ${TABLE_NAME} (id char(36) NOT NULL, _lastModified timestamp(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6), PRIMARY KEY (id)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;`,
+        );
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        if (await tableExists(queryRunner, TABLE_NAME)) {
+            await queryRunner.query(`DROP TABLE ${TABLE_NAME}`);
+        }
+    }
+}

components/gitpod-db/src/typeorm/migration/1680096507296-LinkedInToken.ts

@@ -308,6 +308,9 @@ export interface GitpodServer extends JsonRpcServer<GitpodClient>, AdminServer,
     getBillingModeForUser(): Promise<BillingMode>;
     getBillingModeForTeam(teamId: string): Promise<BillingMode>;
 
+    getLinkedInClientId(): Promise<string>;
+    connectWithLinkedIn(code: string): Promise<void>;
+
     /**
      * Analytics
      */

components/gitpod-protocol/src/gitpod-service.ts

@@ -0,0 +1,42 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
+import { inject, injectable } from "inversify";
+import fetch from "node-fetch";
+import { ResponseError } from "vscode-jsonrpc";
+import { Config } from "../../../src/config";
+
+@injectable()
+export class LinkedInService {
+    @inject(Config) protected readonly config: Config;
+
+    async getAccessToken(code: string) {
+        const { clientId, clientSecret } = this.config.linkedInSecrets || {
+            clientId: "86lcfbj2vwm2ba", // FIXME(janx)
+            clientSecret: "zRctByb55dTZ9ss3", // FIXME(janx)
+        };
+        if (!clientId || !clientSecret) {
+            throw new ResponseError(
+                ErrorCodes.INTERNAL_SERVER_ERROR,
+                "LinkedIn is not properly configured (no Client ID or Client Secret)",
+            );
+        }
+        const redirectUri = this.config.hostUrl.with({ pathname: "/linkedin" }).toString();
+        const url = `https://www.linkedin.com/oauth/v2/accessToken?grant_type=authorization_code&code=${code}&redirect_uri=${redirectUri}&client_id=${clientId}&client_secret=${clientSecret}`;
+        const response = await fetch(url, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+            },
+        });
+        const data = await response.json();
+        if (data.error) {
+            throw new Error(data.error_description);
+        }
+        return data;
+    }
+}

components/server/ee/src/user/linkedin-service.ts

@@ -100,6 +100,7 @@ import { ChargebeeCouponComputer } from "../user/coupon-computer";
 import { ChargebeeService } from "../user/chargebee-service";
 import { Chargebee as chargebee } from "@gitpod/gitpod-payment-endpoint/lib/chargebee";
 import { StripeService } from "../user/stripe-service";
+import { LinkedInService } from "../user/linkedin-service";
 
 import { GitHubAppSupport } from "../github/github-app-support";
 import { GitLabAppSupport } from "../gitlab/gitlab-app-support";
@@ -161,6 +162,7 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
     @inject(UserCounter) protected readonly userCounter: UserCounter;
 
     @inject(UserService) protected readonly userService: UserService;
+    @inject(LinkedInService) protected readonly linkedInService: LinkedInService;
 
     @inject(UsageServiceDefinition.name)
     protected readonly usageService: UsageServiceClient;
@@ -2675,6 +2677,26 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
         return this.billingModes.getBillingModeForTeam(team, new Date());
     }
 
+    async getLinkedInClientId(ctx: TraceContextWithSpan): Promise<string> {
+        traceAPIParams(ctx, {});
+        this.checkAndBlockUser("getLinkedInClientID");
+        const clientId = this.config.linkedInSecrets?.clientId || "86lcfbj2vwm2ba"; // FIXME(janx)
+        if (!clientId) {
+            throw new ResponseError(
+                ErrorCodes.INTERNAL_SERVER_ERROR,
+                "LinkedIn is not properly configured (no Client ID)",
+            );
+        }
+        return clientId;
+    }
+
+    async connectWithLinkedIn(ctx: TraceContextWithSpan, code: string): Promise<void> {
+        traceAPIParams(ctx, { code });
+        const user = this.checkAndBlockUser("connectWithLinkedIn");
+        const { accessToken, expiresAt } = await this.linkedInService.getAccessToken(code);
+        await this.userService.setLinkedInAccessToken(user, accessToken, expiresAt);
+    }
+
     // (SaaS) – admin
     async adminGetAccountStatement(ctx: TraceContext, userId: string): Promise<AccountStatement> {
         traceAPIParams(ctx, { userId });

components/server/ee/src/workspace/gitpod-server-impl.ts

@@ -224,6 +224,8 @@ const defaultFunctions: FunctionsConfig = {
     listUsage: { group: "default", points: 1 },
     getBillingModeForTeam: { group: "default", points: 1 },
     getBillingModeForUser: { group: "default", points: 1 },
+    getLinkedInClientId: { group: "default", points: 1 },
+    connectWithLinkedIn: { group: "default", points: 1 },
     tsAddMembersToOrg: { group: "default", points: 1 },
 
     trackEvent: { group: "default", points: 1 },

components/server/src/auth/rate-limiter.ts

@@ -26,13 +26,15 @@ export type Config = Omit<
     | "chargebeeProviderOptionsFile"
     | "stripeSecretsFile"
     | "stripeConfigFile"
+    | "linkedInSecretsFile"
     | "licenseFile"
     | "patSigningKeyFile"
 > & {
     hostUrl: GitpodHostUrl;
     workspaceDefaults: WorkspaceDefaults;
     chargebeeProviderOptions?: ChargebeeProviderOptions;
     stripeSecrets?: { publishableKey: string; secretKey: string };
+    linkedInSecrets?: { clientId: string; clientSecret: string };
     builtinAuthProvidersConfigured: boolean;
     inactivityPeriodForReposInDays?: number;
 
@@ -206,6 +208,11 @@ export interface ConfigSerialized {
     stripeConfigFile?: string;
     enablePayment?: boolean;
 
+    /**
+     * LinkedIn OAuth2 configuration
+     */
+    linkedInSecretsFile?: string;
+
     /**
      * Number of prebuilds that can be started in a given time period.
      * Key '*' specifies the default rate limit for a cloneURL, unless overriden by a specific cloneURL.
@@ -291,6 +298,16 @@ export namespace ConfigFile {
                 log.error("Could not load Stripe secrets", error);
             }
         }
+        let linkedInSecrets: { clientId: string; clientSecret: string } | undefined;
+        if (config.linkedInSecretsFile) {
+            try {
+                linkedInSecrets = JSON.parse(
+                    fs.readFileSync(filePathTelepresenceAware(config.linkedInSecretsFile), "utf-8"),
+                );
+            } catch (error) {
+                log.error("Could not load LinkedIn secrets", error);
+            }
+        }
         let license = config.license;
         const licenseFile = config.licenseFile;
         if (licenseFile) {
@@ -336,6 +353,7 @@ export namespace ConfigFile {
             builtinAuthProvidersConfigured,
             chargebeeProviderOptions,
             stripeSecrets,
+            linkedInSecrets,
             twilioConfig,
             license,
             workspaceGarbageCollection: {

components/server/src/config.ts

@@ -563,4 +563,6 @@ export class UserService {
     async mayCreateOrJoinOrganization(user: User): Promise<boolean> {
         return !user.organizationId;
     }
+
+    async setLinkedInAccessToken(user: User, accessToken: string, expiresAt: string): Promise<void> {}
 }

components/server/src/user/user-service.ts

@@ -3576,6 +3576,14 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         return BillingMode.NONE;
     }
 
+    async getLinkedInClientId(ctx: TraceContextWithSpan): Promise<string> {
+        throw new ResponseError(ErrorCodes.SAAS_FEATURE, `Not implemented in this version`);
+    }
+
+    async connectWithLinkedIn(ctx: TraceContextWithSpan, code: string): Promise<void> {
+        throw new ResponseError(ErrorCodes.SAAS_FEATURE, `Not implemented in this version`);
+    }
+
     //
     //#endregion
 

components/server/src/workspace/gitpod-server-impl.ts

@@ -282,6 +282,7 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 		EnablePayment:                chargebeeSecret != "" || stripeSecret != "" || stripeConfig != "",
 		ChargebeeProviderOptionsFile: fmt.Sprintf("%s/providerOptions", chargebeeMountPath),
 		StripeSecretsFile:            fmt.Sprintf("%s/apikeys", stripeSecretMountPath),
+		LinkedInSecretsFile:          fmt.Sprintf("%s/linkedin", linkedInSecretMountPath),
 		InsecureNoDomain:             false,
 		PrebuildLimiter: PrebuildRateLimiters{
 			// default limit for all cloneURLs