k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-20 22:01:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a8f63b82e2da3859e8c5f8fd210dc6a381cf1642
TREK/server/src/routes/oidc.ts
T
jubnl bfd2553d1e feat(auth): split OIDC_ONLY into granular auth toggles 
Replaces the coarse oidc_only + allow_registration settings with four
independent toggles: password_login, password_registration, oidc_login,
oidc_registration. Each can be enabled/disabled individually in
Admin > Settings without affecting the others.

- Add resolveAuthToggles() in authService.ts as the central resolver;
  falls back to legacy oidc_only/allow_registration keys when new keys
  are absent (backward compat)
- OIDC_ONLY env var still works and overrides DB toggles for password_*,
  with a visual lock in the admin UI when active
- Server enforces lockout prevention: cannot disable all login methods
- oidc_login gate added to OIDC /login and /callback routes
- Remove oidc_only toggle from OIDC settings panel; replaced by the
  granular toggles in the Settings tab
- Add 6 new resolveAuthToggles() unit tests; fix AUTH-DB-033 error
  message assertion
- Update OIDC_ONLY descriptions in README, docker-compose, Helm values,
  Unraid template, and .env.example to clarify override semantics

Closes #492
2026-04-11 20:21:36 +02:00

134 lines
4.5 KiB
TypeScript
Raw Blame History

import express, { Request, Response } from 'express';
import { setAuthCookie } from '../services/cookie';
import {
getOidcConfig,
discover,
createState,
consumeState,
createAuthCode,
consumeAuthCode,
exchangeCodeForToken,
getUserInfo,
findOrCreateUser,
touchLastLogin,
generateToken,
frontendUrl,
getAppUrl,
} from '../services/oidcService';
import { resolveAuthToggles } from '../services/authService';
const router = express.Router();
// ---- GET /login ----------------------------------------------------------
router.get('/login', async (req: Request, res: Response) => {
if (!resolveAuthToggles().oidc_login) {
return res.status(403).json({ error: 'SSO login is disabled.' });
}
const config = getOidcConfig();
if (!config) return res.status(400).json({ error: 'OIDC not configured' });
if (config.issuer && !config.issuer.startsWith('https://') && process.env.NODE_ENV === 'production') {
return res.status(400).json({ error: 'OIDC issuer must use HTTPS in production' });
}
try {
const doc = await discover(config.issuer, config.discoveryUrl);
const appUrl = getAppUrl();
if (!appUrl) {
return res.status(500).json({ error: 'APP_URL is not configured. OIDC cannot be used.' });
}
const redirectUri = `${appUrl.replace(/\/+$/, '')}/api/auth/oidc/callback`;
const inviteToken = req.query.invite as string | undefined;
const state = createState(redirectUri, inviteToken);
const params = new URLSearchParams({
response_type: 'code',
client_id: config.clientId,
redirect_uri: redirectUri,
scope: process.env.OIDC_SCOPE || 'openid email profile',
state,
});
res.redirect(`${doc.authorization_endpoint}?${params}`);
} catch (err: unknown) {
console.error('[OIDC] Login error:', err instanceof Error ? err.message : err);
res.status(500).json({ error: 'OIDC login failed' });
}
});
// ---- GET /callback -------------------------------------------------------
router.get('/callback', async (req: Request, res: Response) => {
if (!resolveAuthToggles().oidc_login) {
return res.redirect(frontendUrl('/login?oidc_error=sso_disabled'));
}
const { code, state, error: oidcError } = req.query as { code?: string; state?: string; error?: string };
if (oidcError) {
console.error('[OIDC] Provider error:', oidcError);
return res.redirect(frontendUrl('/login?oidc_error=' + encodeURIComponent(oidcError)));
}
if (!code || !state) {
return res.redirect(frontendUrl('/login?oidc_error=missing_params'));
}
const pending = consumeState(state);
if (!pending) {
return res.redirect(frontendUrl('/login?oidc_error=invalid_state'));
}
const config = getOidcConfig();
if (!config) return res.redirect(frontendUrl('/login?oidc_error=not_configured'));
if (config.issuer && !config.issuer.startsWith('https://') && process.env.NODE_ENV === 'production') {
return res.redirect(frontendUrl('/login?oidc_error=issuer_not_https'));
}
try {
const doc = await discover(config.issuer, config.discoveryUrl);
const tokenData = await exchangeCodeForToken(doc, code, pending.redirectUri, config.clientId, config.clientSecret);
if (!tokenData._ok || !tokenData.access_token) {
console.error('[OIDC] Token exchange failed: status', tokenData._status);
return res.redirect(frontendUrl('/login?oidc_error=token_failed'));
}
const userInfo = await getUserInfo(doc.userinfo_endpoint, tokenData.access_token);
if (!userInfo.email) {
return res.redirect(frontendUrl('/login?oidc_error=no_email'));
}
const result = findOrCreateUser(userInfo, config, pending.inviteToken);
if ('error' in result) {
return res.redirect(frontendUrl('/login?oidc_error=' + result.error));
}
touchLastLogin(result.user.id);
const jwtToken = generateToken(result.user);
const authCode = createAuthCode(jwtToken);
res.redirect(frontendUrl('/login?oidc_code=' + authCode));
} catch (err: unknown) {
console.error('[OIDC] Callback error:', err);
res.redirect(frontendUrl('/login?oidc_error=server_error'));
}
});
// ---- GET /exchange -------------------------------------------------------
router.get('/exchange', (req: Request, res: Response) => {
const { code } = req.query as { code?: string };
if (!code) return res.status(400).json({ error: 'Code required' });
const result = consumeAuthCode(code);
if ('error' in result) return res.status(400).json({ error: result.error });
setAuthCookie(res, result.token);
res.json({ token: result.token });
});
export default router;
Reference in New Issue View Git Blame Copy Permalink