more robust oauth

2026-04-26 13:16:00 +00:00 · 2022-11-27 10:43:25 +01:00
parent b1ae7d53b9
commit d84adcca5d
5 changed files with 51 additions and 10 deletions
--- a/packages/api/src/controllers/auth.js
+++ b/packages/api/src/controllers/auth.js
@@ -28,11 +28,13 @@ function authMiddleware(req, res, next) {
  if (!shouldAuthorizeApi()) {
    return next();
  }
-  if (SKIP_AUTH_PATHS.find(x => req.path == getExpressPath(x))) {
+  let skipAuth = !!SKIP_AUTH_PATHS.find(x => req.path == getExpressPath(x));
-    return next();
+
  }
  const authHeader = req.headers.authorization;
  if (!authHeader) {
    if (skipAuth) {
      return next();
    }
    return unauthorizedResponse(req, res, 'missing authorization header');
  }
  const token = authHeader.split(' ')[1];
@@ -41,6 +43,12 @@ function authMiddleware(req, res, next) {
    req.user = decoded;
    return next();
  } catch (err) {
    if (skipAuth) {
      return next();
    }
    console.log('Sending invalid token error', err.message);
    return unauthorizedResponse(req, res, 'invalid token');
  }
 }
@@ -63,6 +71,12 @@ module.exports = {
    const login = process.env.OAUTH_LOGIN_FIELD ? payload[process.env.OAUTH_LOGIN_FIELD] : 'oauth';
    if (
      process.env.OAUTH_ALLOWED_LOGINS &&
      !process.env.OAUTH_ALLOWED_LOGINS.split(',').find(x => x.toLowerCase().trim() != login.toLowerCase().trim())
    ) {
      return { error: `Username ${login} not allowed to log in` };
    }
    if (access_token) {
      return {
        accessToken: jwt.sign({ login }, tokenSecret, { expiresIn: '1m' }),
--- a/packages/api/src/controllers/config.js
+++ b/packages/api/src/controllers/config.js
@@ -28,7 +28,7 @@ module.exports = {
  get_meta: true,
  async get(_params, req) {
    const logins = getLogins();
-    const login = logins ? logins.find(x => x.login == (req.auth && req.auth.user)) : null;
+    const login = req.user ? req.user.login : logins ? logins.find(x => x.login == (req.auth && req.auth.user)) : null;
    const permissions = login ? login.permissions : process.env.PERMISSIONS;
    return {
@@ -41,6 +41,7 @@ module.exports = {
      permissions,
      login,
      oauth: process.env.OAUTH_AUTH,
      oauthLogout: process.env.OAUTH_LOGOUT,
      isLoginForm: !!process.env.AD_URL || (!!logins && !process.env.BASIC_AUTH),
      ...currentVersion,
    };
--- a/packages/web/src/clientAuth.ts
+++ b/packages/web/src/clientAuth.ts
@@ -21,9 +21,16 @@ export function handleOauthCallback() {
      code: sentCode,
      redirectUri: location.origin + location.pathname,
    }).then(authResp => {
-      const { accessToken } = authResp;
+      const { accessToken, error, errorMessage } = authResp;
-      localStorage.setItem('accessToken', accessToken);
+
-      internalRedirectTo('/');
+      if (accessToken) {
        console.log('Settings access token from OAUTH');
        localStorage.setItem('accessToken', accessToken);
        internalRedirectTo('/');
      } else {
        console.log('Error when processing OAUTH callback', error || errorMessage);
        internalRedirectTo(`/?page=not-logged&error=${error || errorMessage}`);
      }
    });
    return true;
--- a/packages/web/src/commands/stdCommands.ts
+++ b/packages/web/src/commands/stdCommands.ts
@@ -36,6 +36,7 @@ import runCommand from './runCommand';
 import { openWebLink } from '../utility/exportFileTools';
 import { getSettings } from '../utility/metadataLoaders';
 import { isMac } from '../utility/common';
 import { internalRedirectTo } from '../clientAuth';
 // function themeCommand(theme: ThemeDefinition) {
 //   return {
@@ -549,7 +550,20 @@ registerCommand({
  name: 'Logout',
  testEnabled: () => getCurrentConfig()?.login != null,
  onClick: () => {
-    window.location.href = 'config/logout';
+    const config = getCurrentConfig();
    if (config.oauth) {
      localStorage.removeItem('accessToken');
      if (config.oauthLogout) {
        window.location.href = config.oauthLogout;
      } else {
        internalRedirectTo('/?page=not-logged');
      }
    } else if (config.isLoginForm) {
      localStorage.removeItem('accessToken');
      internalRedirectTo('/?page=not-logged');
    } else {
      window.location.href = 'config/logout';
    }
  },
 });
--- a/packages/web/src/utility/api.ts
+++ b/packages/web/src/utility/api.ts
@@ -71,10 +71,15 @@ export async function apiCall(route: string, args: {} = undefined) {
    });
    if (resp.status == 401 && !apiDisabled) {
      const params = new URLSearchParams(location.search);
      disableApi();
      console.log('Disabling API', route);
-      // unauthorized
+      if (params.get('page') != 'login' && params.get('page') != 'not-logged') {
-      redirectToLogin();
+        // unauthorized
        redirectToLogin();
      }
      return;
    }
    const json = await resp.json();