mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-05-13 22:54:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add oauth2 authorization

Browse source 
Signed-off-by: Joachim Mathes <joachim_mathes@web.de>
This commit is contained in:
Joachim Mathes 2020-11-21 20:26:12 +01:00 committed by Joachim Mathes
parent c59d4c7c5c
commit 729b387536
3 changed files with 29 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

23
lib/web/auth/oauth2/index.js
View file

@ -4,6 +4,7 @@ const Router = require('express').Router
const passport = require('passport')
const { Strategy, InternalOAuthError } = require('passport-oauth2')
const config = require('../../../config')
const logger = require('../../../logger')
const { passportGeneralCallback } = require('../utils')
let oauth2Auth = module.exports = Router()
@ -31,6 +32,7 @@ class OAuth2CustomStrategy extends Strategy {
return done(new Error('Failed to parse user profile'))
}
checkAuthorization(json, done)
let profile = parseProfile(json)
profile.provider = 'oauth2'
@ -50,18 +52,36 @@ function extractProfileAttribute (data, path) {
}
function parseProfile (data) {
const id = extractProfileAttribute(data, config.oauth2.userProfileIdAttr)
const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
const displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr)
const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr)
return {
id: username,
id: id || username,
username: username,
displayName: displayName,
email: email
}
}
function checkAuthorization (data, done) {
const roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
if (config.oauth2.accessRole) {
if (!roles) {
logger.error('oauth2: "accessRole" configured, but user profile doesn\'t contain roles attribute. Permission denied')
return done('Permission denied', null)
}
if (!roles.includes(config.oauth2.accessRole)) {
logger.debug(`oauth2: user "${username}" doesn't have the required role. Permission denied`)
return done('Permission denied', null)
}
}
}
OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) {
var json
@ -76,6 +96,7 @@ OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
return done(new Error('Failed to parse user profile'))
}
checkAuthorization(json, done)
let profile = parseProfile(json)
profile.provider = 'oauth2'