371 lines
9.6 KiB
JavaScript
371 lines
9.6 KiB
JavaScript
const openidModule = require('openid-client')
|
|
const crypto = require('crypto')
|
|
|
|
const store = {
|
|
client: null,
|
|
userAuthenticated: null,
|
|
secretKey: null,
|
|
redirectUrl: null,
|
|
authDisplayName: 'OpenID Connect'
|
|
}
|
|
|
|
const encryptionOptions = {
|
|
algorithm: 'aes256',
|
|
inputEncoding: 'utf8',
|
|
outputEncoding: 'hex'
|
|
}
|
|
|
|
const cookieNamePrefix = 'plugin-auth-openid-code-verifier-'
|
|
|
|
async function register ({
|
|
registerExternalAuth,
|
|
unregisterExternalAuth,
|
|
registerSetting,
|
|
settingsManager,
|
|
peertubeHelpers,
|
|
getRouter
|
|
}) {
|
|
const { logger } = peertubeHelpers
|
|
|
|
registerSetting({
|
|
name: 'auth-display-name',
|
|
label: 'Auth display name',
|
|
type: 'input',
|
|
private: true,
|
|
default: 'OpenID Connect'
|
|
})
|
|
|
|
registerSetting({
|
|
name: 'discover-url',
|
|
label: 'Discover URL',
|
|
type: 'input',
|
|
private: true
|
|
})
|
|
|
|
registerSetting({
|
|
name: 'client-id',
|
|
label: 'Client ID',
|
|
type: 'input',
|
|
private: true
|
|
})
|
|
|
|
registerSetting({
|
|
name: 'client-secret',
|
|
label: 'Client secret',
|
|
type: 'input',
|
|
private: true
|
|
})
|
|
|
|
registerSetting({
|
|
name: 'scope',
|
|
label: 'Scope',
|
|
type: 'input',
|
|
private: true,
|
|
default: 'openid email profile'
|
|
})
|
|
|
|
registerSetting({
|
|
name: 'username-property',
|
|
label: 'Username property',
|
|
type: 'input',
|
|
private: true,
|
|
default: 'preferred_username'
|
|
})
|
|
|
|
registerSetting({
|
|
name: 'mail-property',
|
|
label: 'Email property',
|
|
type: 'input',
|
|
private: true,
|
|
default: 'email'
|
|
})
|
|
|
|
registerSetting({
|
|
name: 'display-name-property',
|
|
label: 'Display name property',
|
|
type: 'input',
|
|
private: true
|
|
})
|
|
|
|
registerSetting({
|
|
name: 'role-property',
|
|
label: 'Role property',
|
|
type: 'input',
|
|
private: true
|
|
})
|
|
|
|
registerSetting({
|
|
name: 'group-property',
|
|
label: 'Group property',
|
|
type: 'input',
|
|
private: true,
|
|
descriptionHTML: 'Property/claim that contains user groups (array)'
|
|
})
|
|
|
|
registerSetting({
|
|
name: 'allowed-group',
|
|
label: 'Allowed group',
|
|
type: 'input',
|
|
private: true,
|
|
descriptionHTML: 'Will only allow login for users whose group array contains this group'
|
|
})
|
|
|
|
registerSetting({
|
|
name: 'signature-algorithm',
|
|
label: 'Token signature algorithm',
|
|
type: 'input',
|
|
private: true,
|
|
default: 'RS256'
|
|
})
|
|
|
|
const router = getRouter()
|
|
router.use('/code-cb', (req, res) => handleCb(peertubeHelpers, settingsManager, req, res))
|
|
|
|
store.redirectUrl = peertubeHelpers.config.getWebserverUrl() + '/plugins/auth-openid-connect/router/code-cb'
|
|
|
|
const secretKeyBuf = await getRandomBytes(16)
|
|
store.secretKey = secretKeyBuf.toString('hex')
|
|
|
|
settingsManager.onSettingsChange(settings => {
|
|
loadSettingsAndCreateClient(registerExternalAuth, unregisterExternalAuth, peertubeHelpers, settingsManager)
|
|
.catch(err => logger.error('Cannot load settings and create client after settings changes.', { err }))
|
|
|
|
if (settings['auth-display-name']) store.authDisplayName = settings['auth-display-name']
|
|
})
|
|
|
|
try {
|
|
await loadSettingsAndCreateClient(registerExternalAuth, unregisterExternalAuth, peertubeHelpers, settingsManager)
|
|
} catch (err) {
|
|
logger.error('Cannot load settings and create open id client.', { err })
|
|
}
|
|
|
|
store.authDisplayName = await settingsManager.getSetting('auth-display-name')
|
|
}
|
|
|
|
async function unregister () {
|
|
return
|
|
}
|
|
|
|
module.exports = {
|
|
register,
|
|
unregister
|
|
}
|
|
|
|
// ############################################################################
|
|
|
|
async function loadSettingsAndCreateClient (registerExternalAuth, unregisterExternalAuth, peertubeHelpers, settingsManager) {
|
|
const { logger } = peertubeHelpers
|
|
|
|
if (store.client) {
|
|
unregisterExternalAuth('openid-connect')
|
|
}
|
|
|
|
store.client = null
|
|
store.userAuthenticated = null
|
|
|
|
const settings = await settingsManager.getSettings([
|
|
'scope',
|
|
'discover-url',
|
|
'client-id',
|
|
'client-secret',
|
|
'signature-algorithm'
|
|
])
|
|
|
|
if (!settings['discover-url']) {
|
|
logger.info('Do not register external openid auth because discover URL is not set.')
|
|
return
|
|
}
|
|
|
|
if (!settings['client-id']) {
|
|
logger.info('Do not register external openid auth because client ID is not set.')
|
|
return
|
|
}
|
|
|
|
const discoverUrl = settings['discover-url']
|
|
const issuer = await openidModule.Issuer.discover(discoverUrl)
|
|
|
|
logger.debug('Discovered issuer %s.', discoverUrl)
|
|
|
|
const clientOptions = {
|
|
client_id: settings['client-id'],
|
|
redirect_uris: [ store.redirectUrl ],
|
|
response_types: [ 'code' ],
|
|
id_token_signed_response_alg: settings['signature-algorithm'],
|
|
authorization_signed_response_alg: settings['signature-algorithm']
|
|
}
|
|
|
|
if (settings['client-secret']) {
|
|
clientOptions.client_secret = settings['client-secret']
|
|
} else {
|
|
clientOptions.token_endpoint_auth_method = 'none'
|
|
}
|
|
|
|
store.client = new issuer.Client(clientOptions)
|
|
|
|
const result = registerExternalAuth({
|
|
authName: 'openid-connect',
|
|
authDisplayName: () => store.authDisplayName,
|
|
onAuthRequest: async (req, res) => {
|
|
try {
|
|
const codeVerifier = openidModule.generators.codeVerifier()
|
|
const codeChallenge = openidModule.generators.codeChallenge(codeVerifier)
|
|
const state = openidModule.generators.state()
|
|
|
|
const redirectUrl = store.client.authorizationUrl({
|
|
scope: settings['scope'],
|
|
response_mode: 'form_post',
|
|
code_challenge: codeChallenge,
|
|
code_challenge_method: 'S256',
|
|
state,
|
|
})
|
|
|
|
const cookieOptions = {
|
|
secure: true,
|
|
httpOnly: true,
|
|
sameSite: 'none',
|
|
maxAge: 1000 * 60 * 10 // 10 minutes
|
|
}
|
|
|
|
const encryptedCodeVerifier = await encrypt(codeVerifier)
|
|
res.cookie(cookieNamePrefix + 'code-verifier', encryptedCodeVerifier, cookieOptions)
|
|
|
|
const encryptedState = await encrypt(state)
|
|
res.cookie(cookieNamePrefix + 'state', encryptedState, cookieOptions)
|
|
|
|
return res.redirect(redirectUrl)
|
|
} catch (err) {
|
|
logger.error('Cannot handle auth request.', { err })
|
|
}
|
|
}
|
|
})
|
|
|
|
store.userAuthenticated = result.userAuthenticated
|
|
}
|
|
|
|
async function handleCb (peertubeHelpers, settingsManager, req, res) {
|
|
const { logger } = peertubeHelpers
|
|
|
|
if (!store.userAuthenticated) {
|
|
logger.info('Received callback but cannot userAuthenticated function does not exist.')
|
|
return onCBError(res)
|
|
}
|
|
|
|
const encryptedCodeVerifier = req.cookies[cookieNamePrefix + 'code-verifier']
|
|
if (!encryptedCodeVerifier) {
|
|
logger.error('Received callback but code verifier not found in request cookies.')
|
|
return onCBError(res)
|
|
}
|
|
|
|
const encryptedState = req.cookies[cookieNamePrefix + 'state']
|
|
if (!encryptedState) {
|
|
logger.error('Received callback but state not found in request cookies.')
|
|
return onCBError(res)
|
|
}
|
|
|
|
try {
|
|
const codeVerifier = await decrypt(encryptedCodeVerifier)
|
|
const state = await decrypt(encryptedState)
|
|
|
|
const params = store.client.callbackParams(req)
|
|
const tokenSet = await store.client.callback(store.redirectUrl, params, {
|
|
code_verifier: codeVerifier,
|
|
state,
|
|
})
|
|
|
|
const accessToken = tokenSet.access_token
|
|
const userInfo = await store.client.userinfo(accessToken)
|
|
|
|
const settings = await settingsManager.getSettings([
|
|
'mail-property',
|
|
'username-property',
|
|
'display-name-property',
|
|
'role-property',
|
|
'group-property',
|
|
'allowed-group'
|
|
])
|
|
|
|
logger.debug('Got userinfo from openid auth.', { userInfo, settings })
|
|
|
|
let role
|
|
if (settings['role-property']) {
|
|
let roleToParse = userInfo[settings['role-property']]
|
|
if (Array.isArray(roleToParse)) roleToParse = roleToParse[0]
|
|
|
|
role = parseInt('' + roleToParse, 10)
|
|
|
|
if (isNaN(role)) {
|
|
logger.error('Cannot load role ' + roleToParse + ' from OpenID: not a number.')
|
|
role = null
|
|
}
|
|
}
|
|
|
|
if (settings['group-property'] && settings['allowed-group']) {
|
|
const groups = userInfo[settings['group-property']]
|
|
|
|
if (!groups.includes(settings['allowed-group'])) {
|
|
throw {
|
|
name: "AllowedGroupNotFound",
|
|
message: "User is not in allowed group"
|
|
}
|
|
}
|
|
}
|
|
|
|
let displayName
|
|
if (settings['display-name-property']) {
|
|
displayName = userInfo[settings['display-name-property']]
|
|
}
|
|
|
|
let username = userInfo[settings['username-property']] || ''
|
|
username = username.replace(/[^a-z0-9._]/g, '_')
|
|
|
|
store.userAuthenticated({
|
|
res,
|
|
req,
|
|
username,
|
|
email: userInfo[settings['mail-property']],
|
|
displayName,
|
|
role
|
|
})
|
|
} catch (err) {
|
|
logger.error('Error in handle callback.', { err })
|
|
onCBError(res)
|
|
}
|
|
}
|
|
|
|
function onCBError (res) {
|
|
res.redirect('/login?externalAuthError=true')
|
|
}
|
|
|
|
async function encrypt (data) {
|
|
const { algorithm, inputEncoding, outputEncoding } = encryptionOptions
|
|
|
|
const iv = await getRandomBytes(16)
|
|
|
|
const cipher = crypto.createCipheriv(algorithm, store.secretKey, iv)
|
|
let encrypted = cipher.update(data, inputEncoding, outputEncoding)
|
|
encrypted += cipher.final(outputEncoding)
|
|
|
|
return iv.toString(outputEncoding) + ':' + encrypted
|
|
}
|
|
|
|
async function decrypt (data) {
|
|
const { algorithm, inputEncoding, outputEncoding } = encryptionOptions
|
|
|
|
const encryptedArray = data.split(':')
|
|
const iv = Buffer.from(encryptedArray[0], outputEncoding)
|
|
const encrypted = Buffer.from(encryptedArray[1], outputEncoding)
|
|
const decipher = crypto.createDecipheriv(algorithm, store.secretKey, iv)
|
|
|
|
return decipher.update(encrypted, outputEncoding, inputEncoding) + decipher.final(inputEncoding)
|
|
}
|
|
|
|
function getRandomBytes (size) {
|
|
return new Promise((res, rej) => {
|
|
crypto.randomBytes(size, (err, buf) => {
|
|
if (err) return rej(err)
|
|
|
|
return res(buf)
|
|
})
|
|
})
|
|
}
|