dennii/Termix
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases 22 Wiki Activity

Handle OIDC users during database import (#424)

Browse Source 
* Update Docker image name for GitHub registry

* Fix image name casing in Docker workflow

* Remove untagged image cleanup step from workflow

Removed the step to delete untagged image versions from the workflow.

* Change Docker login to use GHCR credentials

Updated Docker login credentials for GitHub Container Registry.

* Remove cache moving step from Docker workflow

Removed the step to move the build cache in the Docker workflow.

* Refactor Docker image workflow for versioning and builds

* Update docker-image.yml

* Allow OIDC users to import database without password

* Skip import password prompt for OIDC users

* docs: clarify OIDC import unlocking flow

* docs: explain admin import password logic

---------

Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com>
Co-authored-by: Nikola Novoselec <nikolanovoselec@users.noreply.github.com>
This commit was merged in pull request #424.
This commit is contained in:
Nikola Novoselec
2025-10-21 23:24:57 +02:00
committed by GitHub
parent 19ab2011d9
commit 232d6fe6ea
2 changed files with 81 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
src/backend/database/database.ts
View File

@@ -901,17 +901,40 @@ app.post(
const userId = (req as AuthenticatedRequest).userId; const userId = (req as AuthenticatedRequest).userId;
const { password } = req.body; const { password } = req.body;
const mainDb = getDb();
if (!password) { const userRecords = await mainDb
return res.status(400).json({ .select()
error: "Password required for import", .from(users)
code: "PASSWORD_REQUIRED", .where(eq(users.id, userId));
});
if (!userRecords || userRecords.length === 0) {
return res.status(404).json({ error: "User not found" });
} }
const unlocked = await authManager.authenticateUser(userId, password); const isOidcUser = !!userRecords[0].is_oidc;
if (!unlocked) {
return res.status(401).json({ error: "Invalid password" }); if (!isOidcUser) {
// Local accounts still prove knowledge of the password so their DEK can be derived again.
if (!password) {
return res.status(400).json({
error: "Password required for import",
code: "PASSWORD_REQUIRED",
});
}
const unlocked = await authManager.authenticateUser(userId, password);
if (!unlocked) {
return res.status(401).json({ error: "Invalid password" });
}
} else if (!DataCrypto.getUserDataKey(userId)) {
// OIDC users skip the password prompt; make sure their DEK is unlocked via the OIDC session.
const oidcUnlocked = await authManager.authenticateOIDCUser(userId);
if (!oidcUnlocked) {
return res.status(403).json({
error: "Failed to unlock user data with SSO credentials",
});
}
} }
apiLogger.info("Importing SQLite data", { apiLogger.info("Importing SQLite data", {
@@ -922,7 +945,14 @@ app.post(
mimetype: req.file.mimetype, mimetype: req.file.mimetype,
}); });
const userDataKey = DataCrypto.getUserDataKey(userId); let userDataKey = DataCrypto.getUserDataKey(userId);
if (!userDataKey && isOidcUser) {
// authenticateOIDCUser lazily provisions the session key; retry the fetch when it succeeds.
const oidcUnlocked = await authManager.authenticateOIDCUser(userId);
if (oidcUnlocked) {
userDataKey = DataCrypto.getUserDataKey(userId);
}
}
if (!userDataKey) { if (!userDataKey) {
throw new Error("User data not unlocked"); throw new Error("User data not unlocked");
} }
@@ -976,7 +1006,6 @@ app.post(
}; };
try { try {
const mainDb = getDb();
try { try {
const importedHosts = importDb const importedHosts = importDb

46
src/ui/Desktop/Admin/AdminSettings.tsx
View File

@@ -45,6 +45,8 @@ import {
makeUserAdmin, makeUserAdmin,
removeAdminStatus, removeAdminStatus,
deleteUser, deleteUser,
getUserInfo,
getCookie,
isElectron, isElectron,
} from "@/ui/main-axios.ts"; } from "@/ui/main-axios.ts";
@@ -94,6 +96,14 @@ export function AdminSettings({
null, null,
); );
const [securityInitialized, setSecurityInitialized] = React.useState(true);
const [currentUser, setCurrentUser] = React.useState<{
id: string;
username: string;
is_admin: boolean;
is_oidc: boolean;
} | null>(null);
const [exportLoading, setExportLoading] = React.useState(false); const [exportLoading, setExportLoading] = React.useState(false);
const [importLoading, setImportLoading] = React.useState(false); const [importLoading, setImportLoading] = React.useState(false);
const [importFile, setImportFile] = React.useState<File | null>(null); const [importFile, setImportFile] = React.useState<File | null>(null);
@@ -101,6 +111,11 @@ export function AdminSettings({
const [showPasswordInput, setShowPasswordInput] = React.useState(false); const [showPasswordInput, setShowPasswordInput] = React.useState(false);
const [importPassword, setImportPassword] = React.useState(""); const [importPassword, setImportPassword] = React.useState("");
const requiresImportPassword = React.useMemo(
() => !currentUser?.is_oidc,
[currentUser?.is_oidc],
);
React.useEffect(() => { React.useEffect(() => {
if (isElectron()) { if (isElectron()) {
const serverUrl = (window as { configuredServerUrl?: string }) const serverUrl = (window as { configuredServerUrl?: string })
@@ -119,6 +134,23 @@ export function AdminSettings({
toast.error(t("admin.failedToFetchOidcConfig")); toast.error(t("admin.failedToFetchOidcConfig"));
} }
}); });
// Capture the current session so we know whether to ask for a password later.
getUserInfo()
.then((info) => {
if (info) {
setCurrentUser({
id: info.userId,
username: info.username,
is_admin: info.is_admin,
is_oidc: info.is_oidc,
});
}
})
.catch((err) => {
if (!err?.message?.includes("No server configured")) {
console.warn("Failed to fetch current user info", err);
}
});
fetchUsers(); fetchUsers();
}, []); }, []);
@@ -372,7 +404,7 @@ export function AdminSettings({
return; return;
} }
if (!importPassword.trim()) { if (requiresImportPassword && !importPassword.trim()) {
toast.error(t("admin.passwordRequired")); toast.error(t("admin.passwordRequired"));
return; return;
} }
@@ -395,7 +427,10 @@ export function AdminSettings({
const formData = new FormData(); const formData = new FormData();
formData.append("file", importFile); formData.append("file", importFile);
formData.append("password", importPassword); if (requiresImportPassword) {
// Preserve the existing password flow for non-OIDC accounts.
formData.append("password", importPassword);
}
const response = await fetch(apiUrl, { const response = await fetch(apiUrl, {
method: "POST", method: "POST",
@@ -1016,7 +1051,8 @@ export function AdminSettings({
</span> </span>
</Button> </Button>
</div> </div>
{importFile && ( {/* Only render the password field when a local account is performing the import. */}
{importFile && requiresImportPassword && (
<div className="space-y-2"> <div className="space-y-2">
<Label htmlFor="import-password">Password</Label> <Label htmlFor="import-password">Password</Label>
<PasswordInput <PasswordInput
@@ -1035,7 +1071,9 @@ export function AdminSettings({
<Button <Button
onClick={handleImportDatabase} onClick={handleImportDatabase}
disabled={ disabled={
importLoading || !importFile || !importPassword.trim() importLoading ||
!importFile ||
(requiresImportPassword && !importPassword.trim())
} }
className="w-full" className="w-full"
> >