more robust oauth

2026-04-26 07:36:00 +00:00 · 2022-11-27 10:43:25 +01:00
parent b1ae7d53b9
commit d84adcca5d
5 changed files with 51 additions and 10 deletions
--- a/packages/api/src/controllers/auth.js
+++ b/packages/api/src/controllers/auth.js
@@ -28,11 +28,13 @@ function authMiddleware(req, res, next) {
  if (!shouldAuthorizeApi()) {
    return next();
  }
-  if (SKIP_AUTH_PATHS.find(x => req.path == getExpressPath(x))) {
-    return next();
-  }
+  let skipAuth = !!SKIP_AUTH_PATHS.find(x => req.path == getExpressPath(x));
+
  const authHeader = req.headers.authorization;
  if (!authHeader) {
+    if (skipAuth) {
+      return next();
+    }
    return unauthorizedResponse(req, res, 'missing authorization header');
  }
  const token = authHeader.split(' ')[1];
@@ -41,6 +43,12 @@ function authMiddleware(req, res, next) {
    req.user = decoded;
    return next();
  } catch (err) {
+    if (skipAuth) {
+      return next();
+    }
+
+    console.log('Sending invalid token error', err.message);
+
    return unauthorizedResponse(req, res, 'invalid token');
  }
 }
@@ -63,6 +71,12 @@ module.exports = {

    const login = process.env.OAUTH_LOGIN_FIELD ? payload[process.env.OAUTH_LOGIN_FIELD] : 'oauth';

+    if (
+      process.env.OAUTH_ALLOWED_LOGINS &&
+      !process.env.OAUTH_ALLOWED_LOGINS.split(',').find(x => x.toLowerCase().trim() != login.toLowerCase().trim())
+    ) {
+      return { error: `Username ${login} not allowed to log in` };
+    }
    if (access_token) {
      return {
        accessToken: jwt.sign({ login }, tokenSecret, { expiresIn: '1m' }),
--- a/packages/api/src/controllers/config.js
+++ b/packages/api/src/controllers/config.js
@@ -28,7 +28,7 @@ module.exports = {
  get_meta: true,
  async get(_params, req) {
    const logins = getLogins();
-    const login = logins ? logins.find(x => x.login == (req.auth && req.auth.user)) : null;
+    const login = req.user ? req.user.login : logins ? logins.find(x => x.login == (req.auth && req.auth.user)) : null;
    const permissions = login ? login.permissions : process.env.PERMISSIONS;

    return {
@@ -41,6 +41,7 @@ module.exports = {
      permissions,
      login,
      oauth: process.env.OAUTH_AUTH,
+      oauthLogout: process.env.OAUTH_LOGOUT,
      isLoginForm: !!process.env.AD_URL || (!!logins && !process.env.BASIC_AUTH),
      ...currentVersion,
    };
--- a/packages/web/src/clientAuth.ts
+++ b/packages/web/src/clientAuth.ts
@@ -21,9 +21,16 @@ export function handleOauthCallback() {
      code: sentCode,
      redirectUri: location.origin + location.pathname,
    }).then(authResp => {
-      const { accessToken } = authResp;
-      localStorage.setItem('accessToken', accessToken);
-      internalRedirectTo('/');
+      const { accessToken, error, errorMessage } = authResp;
+
+      if (accessToken) {
+        console.log('Settings access token from OAUTH');
+        localStorage.setItem('accessToken', accessToken);
+        internalRedirectTo('/');
+      } else {
+        console.log('Error when processing OAUTH callback', error || errorMessage);
+        internalRedirectTo(`/?page=not-logged&error=${error || errorMessage}`);
+      }
    });

    return true;
--- a/packages/web/src/commands/stdCommands.ts
+++ b/packages/web/src/commands/stdCommands.ts
@@ -36,6 +36,7 @@ import runCommand from './runCommand';
 import { openWebLink } from '../utility/exportFileTools';
 import { getSettings } from '../utility/metadataLoaders';
 import { isMac } from '../utility/common';
+import { internalRedirectTo } from '../clientAuth';

 // function themeCommand(theme: ThemeDefinition) {
 //   return {
@@ -549,7 +550,20 @@ registerCommand({
  name: 'Logout',
  testEnabled: () => getCurrentConfig()?.login != null,
  onClick: () => {
-    window.location.href = 'config/logout';
+    const config = getCurrentConfig();
+    if (config.oauth) {
+      localStorage.removeItem('accessToken');
+      if (config.oauthLogout) {
+        window.location.href = config.oauthLogout;
+      } else {
+        internalRedirectTo('/?page=not-logged');
+      }
+    } else if (config.isLoginForm) {
+      localStorage.removeItem('accessToken');
+      internalRedirectTo('/?page=not-logged');
+    } else {
+      window.location.href = 'config/logout';
+    }
  },
 });

--- a/packages/web/src/utility/api.ts
+++ b/packages/web/src/utility/api.ts
@@ -71,10 +71,15 @@ export async function apiCall(route: string, args: {} = undefined) {
    });

    if (resp.status == 401 && !apiDisabled) {
+      const params = new URLSearchParams(location.search);
+
      disableApi();
      console.log('Disabling API', route);
-      // unauthorized
-      redirectToLogin();
+      if (params.get('page') != 'login' && params.get('page') != 'not-logged') {
+        // unauthorized
+        redirectToLogin();
+      }
+      return;
    }

    const json = await resp.json();