mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-05-25 04:24:43 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #609 from hedgedoc/fix/oauth2-auth

Browse source 
Fix crash when OAuth2 config parameters are missing
This commit is contained in:
David Mehren 2020-12-02 20:48:12 +01:00 committed by GitHub
commit 0989ae426e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

19
lib/web/auth/oauth2/index.js
View file

@ -52,7 +52,8 @@ function extractProfileAttribute (data, path) {
} }
function parseProfile (data) { function parseProfile (data) {
const id = extractProfileAttribute(data, config.oauth2.userProfileIdAttr) // only try to parse the id if a claim is configured
const id = config.oauth2.userProfileIdAttr ? extractProfileAttribute(data, config.oauth2.userProfileIdAttr) : undefined
const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr) const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
const displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr) const displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr)
const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr) const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr)
@ -66,21 +67,27 @@ function parseProfile (data) {
} }
function checkAuthorization (data, done) { function checkAuthorization (data, done) {
const roles = extractProfileAttribute(data, config.oauth2.rolesClaim) // a role the user must have is set in the config
const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
if (config.oauth2.accessRole) { if (config.oauth2.accessRole) {
// check if we know which claim contains the list of groups a user is in
if (!config.oauth2.rolesClaim) {
// log error, but accept all logins
logger.error('oauth2: "accessRole" is configured, but "rolesClaim" is missing from the config. Can\'t check group membership!')
} else {
// parse and check role data
const roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
if (!roles) { if (!roles) {
logger.error('oauth2: "accessRole" configured, but user profile doesn\'t contain roles attribute. Permission denied') logger.error('oauth2: "accessRole" is configured, but user profile doesn\'t contain roles attribute. Permission denied')
return done('Permission denied', null) return done('Permission denied', null)
} }
if (!roles.includes(config.oauth2.accessRole)) { if (!roles.includes(config.oauth2.accessRole)) {
const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
logger.debug(`oauth2: user "${username}" doesn't have the required role. Permission denied`) logger.debug(`oauth2: user "${username}" doesn't have the required role. Permission denied`)
return done('Permission denied', null) return done('Permission denied', null)
} }
} }
} }
}
OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) { OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) { this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) {