Possibility to configure an OpenID Connect provider on the instance level WIP (#128).

2024-04-17 18:30:39 +02:00
parent 3a5f27e751
commit 6c13d2e377
9 changed files with 139 additions and 24 deletions
--- a/server/lib/routers/api/auth.ts
+++ b/server/lib/routers/api/auth.ts
@ -4,6 +4,7 @@ import { asyncMiddleware } from '../../middlewares/async'
 import { getProsodyDomain } from '../../prosody/config/domain'
 import { prosodyRegisterUser, prosodyCheckUserPassword, prosodyUserRegistered } from '../../prosody/auth'
 import { getUserNickname } from '../../helpers'
+import { ExternalAuthOIDC } from '../../external-auth/oidc'

 /**
 * Instanciate the authentication API.
@ -14,6 +15,31 @@ async function initAuthApiRouter (options: RegisterServerOptions, router: Router
  router.get('/auth', asyncMiddleware(
    async (req: Request, res: Response, _next: NextFunction) => {
      const user = await options.peertubeHelpers.user.getAuthUser(res)
+
+      if (!user) {
+        // No Peertube user, but perhaps an external authentication?
+        const token = req.header('X-Peertube-Plugin-Livechat-OIDC-Token')
+        if (token) {
+          try {
+            const oidc = ExternalAuthOIDC.singleton()
+            if (await oidc.isOk()) {
+              const unserializedToken = await oidc.unserializeToken(token)
+              if (unserializedToken) {
+                res.status(200).json({
+                  jid: unserializedToken.jid,
+                  password: unserializedToken.password,
+                  nickname: unserializedToken.nickname
+                })
+                return
+              }
+            }
+          } catch (err) {
+            options.peertubeHelpers.logger.error(err)
+            // Just continue with the normal flow.
+          }
+        }
+      }
+
      if (!user) {
        res.sendStatus(403)
        return
--- a/server/lib/routers/oidc.ts
+++ b/server/lib/routers/oidc.ts
@ -71,7 +71,8 @@ async function initOIDCRouter (options: RegisterServerOptions): Promise<Router>
            {},
            externalAccountInfos,
            {
-              password: '**removed**' // removing the password from logs!
+              password: '**removed**', // removing the password from logs!
+              token: '**removed**' // same as password
            }
          )
        ))
@ -85,8 +86,7 @@ async function initOIDCRouter (options: RegisterServerOptions): Promise<Router>

        res.send(popupResultHTML({
          ok: true,
-          jid: externalAccountInfos.jid,
-          password: externalAccountInfos.password
+          token: externalAccountInfos.token
        }))
      } catch (err) {
        logger.error('[oidc router] Failed to process the OIDC callback: ' + (err as string))