Add role checking support

2024-06-15 20:15:11 +02:00 · 2023-01-24 17:52:29 -05:00 · 2023-01-24 17:52:29 -05:00 · ab97c642e7
parent 61eaa1eb7e
commit ab97c642e7
1 changed files with 13 additions and 4 deletions
--- a/server/server.ts
+++ b/server/server.ts
@ -114,7 +114,7 @@ export default async function (
 		.use("/storage/", express.static(Config.getStoragePath(), staticOptions));

 	issuer = await Issuer.discover(Config.values.openid.issuerURL);
-	log.info("Discovered issuer", issuer.metadata.issuer);
+	log.info("Discovered OpenID issuer", issuer.metadata.issuer);
 	openidClient = new issuer.Client({
 		client_id: Config.values.openid.clientID,
 		client_secret: Config.values.openid.secret,
@ -126,7 +126,6 @@ export default async function (
 		code_challenge,
 		code_challenge_method: "S256",
 	});
-	log.info(redirectUrl);
 	issuerURL = redirectUrl;

 	if (Config.values.fileUpload.enable) {
@ -1045,17 +1044,27 @@ async function performAuthentication(this: Socket, data) {
 	}

 	if (Config.values.openid.enable) {
-		// TODO: OpenID handle error if data.password is invalid
 		try {
 			const tokenSet = await openidClient.callback(
 				Config.values.openid.baseURL,
 				openidClient.callbackParams(data.password),
 				{code_verifier}
 			);
-			// TODO: OpenID handle undefined better
 			// TODO: OpenID role check
 			const userinfo = await openidClient.userinfo(tokenSet);
+			log.info(JSON.stringify(userinfo));
 			data.user = userinfo[Config.values.openid.usernameClaim];
+			if (Config.values.openid.roleClaim !== "") {
+				const availabeRoles = _.get(userinfo, Config.values.openid.roleClaim) as string[];
+				const requiredRoles = Config.values.openid.requiredRoles;
+				const userAuthorized = requiredRoles.every((element) =>
+					availabeRoles.includes(element)
+				);
+				if (!userAuthorized) {
+					data.user = "";
+					data.password = "";
+				}
+			}
 		} catch (e) {
 			// Guaranteed to fail, probably
 			data.user = "";