Fix crash when OAuth2 config parameters are missing

If the optional config options `config.oauth2.userProfileIdAttr` or `config.oauth2.rolesClaim` were not set, `String.split` was called on `undefined`, triggering a crash.

This commit adds handling of these cases and improves error logging in `checkAuthorization`.

Fixes #608

Signed-off-by: David Mehren <git@herrmehren.de>
David Mehren 2020-11-30 15:04:30 +01:00
parent 116fddd584
commit cc7fa947bf
GPG key ID: 185982BA4C42B7C3


@ -52,7 +52,8 @@ function extractProfileAttribute (data, path) {
} }
function parseProfile (data) { function parseProfile (data) {
const id = extractProfileAttribute(data, config.oauth2.userProfileIdAttr) // only try to parse the id if a claim is configured
const id = config.oauth2.userProfileIdAttr ? extractProfileAttribute(data, config.oauth2.userProfileIdAttr) : undefined
const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr) const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
const displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr) const displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr)
const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr) const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr)
@ -66,21 +67,27 @@ function parseProfile (data) {
} }
function checkAuthorization (data, done) { function checkAuthorization (data, done) {
const roles = extractProfileAttribute(data, config.oauth2.rolesClaim) // a role the user must have is set in the config
const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
if (config.oauth2.accessRole) { if (config.oauth2.accessRole) {
// check if we know which claim contains the list of groups a user is in
if (!config.oauth2.rolesClaim) {
// log error, but accept all logins
logger.error('oauth2: "accessRole" is configured, but "rolesClaim" is missing from the config. Can\'t check group membership!')
} else {
// parse and check role data
const roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
if (!roles) { if (!roles) {
logger.error('oauth2: "accessRole" configured, but user profile doesn\'t contain roles attribute. Permission denied') logger.error('oauth2: "accessRole" is configured, but user profile doesn\'t contain roles attribute. Permission denied')
return done('Permission denied', null) return done('Permission denied', null)
} }
if (!roles.includes(config.oauth2.accessRole)) { if (!roles.includes(config.oauth2.accessRole)) {
const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
logger.debug(`oauth2: user "${username}" doesn't have the required role. Permission denied`) logger.debug(`oauth2: user "${username}" doesn't have the required role. Permission denied`)
return done('Permission denied', null) return done('Permission denied', null)
} }
} }
} }
}
OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) { OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) { this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) {
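Review bot: The new `rolesClaim`-missing branch in `checkAuthorization` (the `logger.error` under `if (!config.oauth2.rolesClaim)`) fails open: with `accessRole` configured, a missing `rolesClaim` is logged once and then every login is accepted, so one config typo silently disables the authorization gate the operator explicitly asked for. The safer default is to deny and surface the misconfiguration at login time, e.g. `return done('Permission denied', null)` right after the error log, or to reject the configuration at startup rather than per request. Separately, in the new `else` branch `roles` is only checked for truthiness before `roles.includes(config.oauth2.accessRole)`; if the claim can arrive as a string rather than an array, `includes` degrades to a substring match, so a guard like `if (!Array.isArray(roles))` would be more robust — whether a string can occur depends on `extractProfileAttribute`, which is outside this hunk.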