Change callback style

defaults/config.js

@@ -477,6 +477,9 @@ module.exports = {
 		clientID: "clientId",
 		secret: "secret",
 		logout: true,
+		usernameClaim: "preferred_username",
+		roleClaim: "roles",
+		requiredRoles: ["thelounge"],
 	},
 
 	// ## Debugging settings

server/config.ts

@@ -76,6 +76,9 @@ type OpenID = {
 	clientID: string;
 	secret: string;
 	logout: boolean;
+	usernameClaim: string;
+	roleClaim: string;
+	requiredRoles: string[];
 };
 
 type TlsOptions = any;

server/plugins/auth/openid.ts

@@ -1,44 +1,23 @@
-import colors from "chalk";
-
 import log from "../../log";
 import Config from "../../config";
 import type {AuthHandler} from "../auth";
-import * as express from "express";
 
-function openidAuthCommon(
-	user: string,
-	bindDN: string,
-	password: string,
-	callback: (success: boolean) => void
-) {
-	const config = Config.values;
-}
-
-function openIDCheckSession(user: string, password: string, callback: (success: boolean) => void) {
-	if (!user || !password) {
+const openIDAuth: AuthHandler = (manager, client, user, _, callback) => {
+	if (user === "") {
+		log.error(
+			`Authentication failed using header auth: empty username. Have you selected the right header?`
+		);
 		return callback(false);
 	}
-	// If success
-	callback(true);
-}
 
-const openIDAuth: AuthHandler = (manager, client, user, password, callback) => {
-	function callbackWrapper(valid: boolean) {
-		if (valid && !client) {
-			manager.addUser(user, null, true);
-		}
-
-		callback(valid);
+	// If no user is found, create it
+	if (!client) {
+		manager.addUser(user, null, true);
 	}
 
-	//return auth(user, password, callbackWrapper);
-	return false;
+	return callback(true);
 };
 
-function openIDLoadUsers(users: string[], callbackLoadUser) {
-	return false;
-}
-
 function isOpenIDEnabled() {
 	return !Config.values.public && Config.values.openid.enable;
 }
@@ -47,5 +26,4 @@ export default {
 	moduleName: "openid",
 	auth: openIDAuth,
 	isEnabled: isOpenIDEnabled,
-	loadUsers: openIDLoadUsers,
 };

server/server.ts

@@ -67,7 +67,10 @@ export type ClientConfiguration = Pick<
 
 // A random number that will force clients to reload the page if it differs
 const serverHash = Math.floor(Date.now() * Math.random());
+
+// OpenID code generators and verifiers
 const code_verifier = generators.codeVerifier();
+const code_challenge = generators.codeChallenge(code_verifier);
 
 var issuer: Issuer;
 
@@ -102,7 +105,6 @@ export default async function (
 		.use(allRequests)
 		.use(addSecurityHeaders)
 		.get("/", indexRequest)
-		.get("/openid-redirect", openidRedirectRequest)
 		.get("/service-worker.js", forceNoCacheRequest)
 		.get("/js/bundle.js.map", forceNoCacheRequest)
 		.get("/css/style.css.map", forceNoCacheRequest)
@@ -114,10 +116,9 @@ export default async function (
 	openidClient = new issuer.Client({
 		client_id: Config.values.openid.clientID,
 		client_secret: Config.values.openid.secret,
-		redirect_uris: [Config.values.openid.baseURL + "/openid-redirect"],
+		redirect_uris: [Config.values.openid.baseURL],
 		response_types: ["code"],
 	});
-	const code_challenge = generators.codeChallenge(code_verifier);
 	var redirectUrl = openidClient.authorizationUrl({
 		scope: "openid email profile",
 		code_challenge,
@@ -435,25 +436,6 @@ function forceNoCacheRequest(req: Request, res: Response, next: NextFunction) {
 	return next();
 }
 
-async function openidRedirectRequest(req: Request, res: Response) {
-	openidClient = new issuer.Client({
-		client_id: Config.values.openid.clientID,
-		client_secret: Config.values.openid.secret,
-		redirect_uris: [Config.values.openid.baseURL + "/openid-redirect"],
-		response_types: ["code"],
-	});
-	const params = openidClient.callbackParams(req);
-	const tokenSet = await openidClient.callback(
-		Config.values.openid.baseURL + "/openid-redirect",
-		params,
-		{code_verifier}
-	);
-	log.info("received and validated tokens", JSON.stringify(tokenSet));
-	log.info("validated ID Token claims", JSON.stringify(tokenSet.claims()));
-	const userinfo = await openidClient.userinfo(tokenSet);
-	log.info("userinfo", JSON.stringify(userinfo));
-}
-
 function indexRequest(req: Request, res: Response) {
 	res.setHeader("Content-Type", "text/html");
 
@@ -958,7 +940,7 @@ function getServerConfiguration(): ServerConfiguration {
 	return {...Config.values, ...{stylesheets: packages.getStylesheets()}};
 }
 
-function performAuthentication(this: Socket, data) {
+async function performAuthentication(this: Socket, data) {
 	if (!_.isPlainObject(data)) {
 		return;
 	}
@@ -1061,13 +1043,17 @@ function performAuthentication(this: Socket, data) {
 		}
 	}
 
-	// FIXME: Get rid of this (debug use only)
-	log.info(JSON.stringify(socket.handshake));
-
 	if (Config.values.openid.enable) {
-		// TODO: OpenID values
-		// set data.user to openid preferred_username
-		// set data.password to openid token
+		const params = openidClient.callbackParams(data.password);
+		const tokenSet = await openidClient.callback(
+			Config.values.openid.baseURL + "/openid-redirect",
+			params,
+			{code_verifier}
+		);
+		// TODO: OpenID handle undefined better
+		// TODO: OpenID role check
+		const userinfo = await openidClient.userinfo(tokenSet);
+		data.user = userinfo[Config.values.openid.usernameClaim];
 	}
 
 	Auth.initialize().then(() => {