diff --git a/src/backend/database/routes/users.ts b/src/backend/database/routes/users.ts index 065ebc0b..3e776b7f 100644 --- a/src/backend/database/routes/users.ts +++ b/src/backend/database/routes/users.ts @@ -12,9 +12,19 @@ import type {Request, Response, NextFunction} from 'express'; async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: string): Promise { try { - let jwksUrl: string | null = null; - const normalizedIssuerUrl = issuerUrl.endsWith('/') ? issuerUrl.slice(0, -1) : issuerUrl; + const possibleIssuers = [ + issuerUrl, + normalizedIssuerUrl, + issuerUrl.replace(/\/application\/o\/[^\/]+$/, ''), + normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '') + ]; + + const jwksUrls = [ + `${normalizedIssuerUrl}/.well-known/jwks.json`, + `${normalizedIssuerUrl}/jwks/`, + `${normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '')}/.well-known/jwks.json` + ]; try { const discoveryUrl = `${normalizedIssuerUrl}/.well-known/openid-configuration`; @@ -22,53 +32,33 @@ async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: str if (discoveryResponse.ok) { const discovery = await discoveryResponse.json() as any; if (discovery.jwks_uri) { - jwksUrl = discovery.jwks_uri; - } else { - logger.warn('OIDC discovery document does not contain jwks_uri'); + jwksUrls.unshift(discovery.jwks_uri); } - } else { - logger.warn(`OIDC discovery failed with status: ${discoveryResponse.status}`); } } catch (discoveryError) { - logger.warn(`OIDC discovery failed: ${discoveryError}`); + logger.error(`OIDC discovery failed: ${discoveryError}`); } - if (!jwksUrl) { - jwksUrl = `${normalizedIssuerUrl}/.well-known/jwks.json`; - } + let jwks: any = null; + let jwksUrl: string | null = null; - if (!jwksUrl) { - const authentikJwksUrl = `${normalizedIssuerUrl}/jwks/`; + for (const url of jwksUrls) { try { - const jwksTestResponse = await fetch(authentikJwksUrl); - if (jwksTestResponse.ok) { - jwksUrl = authentikJwksUrl; + const response = await fetch(url); + if (response.ok) { + jwks = await response.json(); + jwksUrl = url; + break; } } catch (error) { - logger.warn(`Authentik JWKS URL also failed: ${error}`); + continue; } } - if (!jwksUrl) { - const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, ''); - const rootJwksUrl = `${baseUrl}/.well-known/jwks.json`; - try { - const jwksTestResponse = await fetch(rootJwksUrl); - if (jwksTestResponse.ok) { - jwksUrl = rootJwksUrl; - } - } catch (error) { - logger.warn(`Authentik root JWKS URL also failed: ${error}`); - } + if (!jwks) { + throw new Error('Failed to fetch JWKS from any URL'); } - const jwksResponse = await fetch(jwksUrl); - if (!jwksResponse.ok) { - throw new Error(`Failed to fetch JWKS from ${jwksUrl}: ${jwksResponse.status}`); - } - - const jwks = await jwksResponse.json() as any; - const header = JSON.parse(Buffer.from(idToken.split('.')[0], 'base64').toString()); const keyId = header.kid; @@ -81,12 +71,7 @@ async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: str const key = await importJWK(publicKey); const {payload} = await jwtVerify(idToken, key, { - issuer: [ - issuerUrl, - normalizedIssuerUrl, - issuerUrl.replace(/\/application\/o\/[^\/]+$/, ''), - normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '') - ], + issuer: possibleIssuers, audience: clientId, }); @@ -376,54 +361,64 @@ router.get('/oidc/callback', async (req, res) => { const tokenData = await tokenResponse.json() as any; - let userInfo; + let userInfo: any = null; + const userInfoUrls = []; + + const normalizedIssuerUrl = config.issuer_url.endsWith('/') ? config.issuer_url.slice(0, -1) : config.issuer_url; + const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, ''); + + userInfoUrls.push(`${baseUrl}/userinfo/`); + userInfoUrls.push(`${normalizedIssuerUrl}/userinfo/`); + userInfoUrls.push(`${normalizedIssuerUrl}/userinfo`); + if (tokenData.id_token) { try { userInfo = await verifyOIDCToken(tokenData.id_token, config.issuer_url, config.client_id); } catch (error) { - logger.error('OIDC token verification failed, falling back to userinfo endpoint', error); - if (tokenData.access_token) { - const normalizedIssuerUrl = config.issuer_url.endsWith('/') ? config.issuer_url.slice(0, -1) : config.issuer_url; - const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, ''); - const userInfoUrl = `${baseUrl}/userinfo/`; + logger.error('OIDC token verification failed, trying userinfo endpoints', error); + } + } + if (!userInfo && tokenData.access_token) { + for (const userInfoUrl of userInfoUrls) { + try { const userInfoResponse = await fetch(userInfoUrl, { headers: { 'Authorization': `Bearer ${tokenData.access_token}`, - }, + } }); if (userInfoResponse.ok) { userInfo = await userInfoResponse.json(); - } else { - logger.error(`Userinfo endpoint failed with status: ${userInfoResponse.status}`); + break; } + } catch (error) { + continue; } } - } else if (tokenData.access_token) { - const normalizedIssuerUrl = config.issuer_url.endsWith('/') ? config.issuer_url.slice(0, -1) : config.issuer_url; - const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, ''); - const userInfoUrl = `${baseUrl}/userinfo/`; - - const userInfoResponse = await fetch(userInfoUrl, { - headers: { - 'Authorization': `Bearer ${tokenData.access_token}`, - }, - }); - - if (userInfoResponse.ok) { - userInfo = await userInfoResponse.json(); - } else { - logger.error(`Userinfo endpoint failed with status: ${userInfoResponse.status}`); - } } if (!userInfo) { + logger.error('Failed to get user information from all sources'); return res.status(400).json({error: 'Failed to get user information'}); } - const identifier = userInfo[config.identifier_path]; - const name = userInfo[config.name_path] || identifier; + const getNestedValue = (obj: any, path: string): any => { + if (!path || !obj) return null; + return path.split('.').reduce((current, key) => current?.[key], obj); + }; + + const identifier = getNestedValue(userInfo, config.identifier_path) || + userInfo[config.identifier_path] || + userInfo.sub || + userInfo.email || + userInfo.preferred_username; + + const name = getNestedValue(userInfo, config.name_path) || + userInfo[config.name_path] || + userInfo.name || + userInfo.given_name || + identifier; if (!identifier) { logger.error(`Identifier not found at path: ${config.identifier_path}`); diff --git a/src/ui/Navigation/LeftSidebar.tsx b/src/ui/Navigation/LeftSidebar.tsx index 9ddcec72..9c769e95 100644 --- a/src/ui/Navigation/LeftSidebar.tsx +++ b/src/ui/Navigation/LeftSidebar.tsx @@ -355,7 +355,7 @@ export function LeftSidebar({ } }; - const makeUserAdmin = async (e: React.FormEvent) => { + const handleMakeUserAdmin = async (e: React.FormEvent) => { e.preventDefault(); if (!newAdminUsername.trim()) return; @@ -380,7 +380,7 @@ export function LeftSidebar({ } }; - const removeAdminStatus = async (username: string) => { + const handleRemoveAdminStatus = async (username: string) => { if (!confirm(`Are you sure you want to remove admin status from ${username}?`)) return; if (!isAdmin) { @@ -392,10 +392,11 @@ export function LeftSidebar({ await removeAdminStatus(username); fetchUsers(); } catch (err: any) { + console.error('Failed to remove admin status:', err); } }; - const deleteUser = async (username: string) => { + const handleDeleteUser = async (username: string) => { if (!confirm(`Are you sure you want to delete user ${username}? This action cannot be undone.`)) return; if (!isAdmin) { @@ -407,6 +408,7 @@ export function LeftSidebar({ await deleteUser(username); fetchUsers(); } catch (err: any) { + console.error('Failed to delete user:', err); } };