Commit graph

43 commits

Author SHA1 Message Date
David Mehren
cc7fa947bf
Fix crash when OAuth2 config parameters are missing
If the optional config options `config.oauth2.userProfileIdAttr` or `config.oauth2.rolesClaim` were not set, `String.split` was called on `undefined`, triggering a crash.

This commit adds handling of these cases and improves error logging in `checkAuthorization`.

Fixes #608

Signed-off-by: David Mehren <git@herrmehren.de>
2020-11-30 15:04:30 +01:00
Joachim Mathes
729b387536 Add oauth2 authorization
Signed-off-by: Joachim Mathes <joachim_mathes@web.de>
2020-11-25 19:23:55 +01:00
Dexter Chua
a88b4aff2a Generic OAuth2: Set state: true
The OAuth2 specification RECOMMENDS setting the state to protect against
CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to
authenticate without the state set.

This is a cherry-pick of 852868419d.

Signed-off-by: haslersn <sebastian.hasler@gmx.net>
2020-10-22 22:50:34 +02:00
Simeon Keske
a134aa3f35
saml: make logger print actual error message
Signed-off-by: Simeon Keske <git@n0emis.eu>
Signed-off-by: Leo Maroni <git@em0lar.de>
2020-07-11 21:21:01 +02:00
Simeon Keske
bab0409ed0
add error handling to saml-certs
Signed-off-by: Simeon Keske <git@n0emis.eu>
Signed-off-by: Leo Maroni <git@em0lar.de>
2020-07-11 21:21:00 +02:00
Simeon Keske
17f0067ab2
allow to set a saml client certificate
Signed-off-by: Simeon Keske <git@n0emis.eu>
2020-07-11 21:19:49 +02:00
Victor Berger
5f3a1b6266 Backport of #278 for 1.6.1
This is a backport of #278 with the default value of `scope` changed to
`undefined`. This is thus a fully backward-compatible change.

Signed-off-by: Victor Berger <victor.berger@m4x.org>
2020-06-20 16:48:25 +02:00
ike
197223dc81 Add Google oauth variable: hostedDomain
Which is part of `passport-google-oauth2`.
It could be used as whitelist to a domain supported by google oauth.
Ref: https://github.com/jaredhanson/passport-google-oauth2/issues/3

Signed-off-by: ike <developer@ikewat.com>
2020-02-08 15:57:22 +08:00
Ralph Krimmel
3fb3ca54e9 Removing returnTo setting from referer in all other authentication sources
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-28 12:25:59 +01:00
Ralph Krimmel
e0a8872742 Moving the storage of referrer information to main authorization check instead of doing it in the authentication source
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-28 10:59:59 +01:00
Ralph Krimmel
3e8cf5778f Fixing linting problems
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-27 15:17:00 +01:00
foobarable
1881775379 Fixing redirection after SAML login
Saving referer into session in SAML auth so passport can redirect correctly after SAML login.

Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-27 15:08:30 +01:00
David Mehren
f78540c3fb
Move note actions to their own file.
Because of circular import problems, this commit also moves the error messages from response.js to errors.js

Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 13:51:53 +01:00
Sheogorath
b5fc6db75d
Rework debug logging
We have various places with overly simple if statements that could be
handled by our logging library. Also a lot of those logs are not marked
as debug logs but as info logs, which can cause confusion during
debugging.

This patch removed unneeded if clauses around debug logging statements,
reworks debug log messages towards ECMA templates and add some new
logging statements which might be helpful in order to debug things like
image uploads.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-06-08 21:27:29 +02:00
Sheogorath
4da68597f7
Fix eslint warnings
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.

There should no functional change be introduced.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-31 00:30:29 +02:00
Claudius
1d403e183d asyncified setting and verifying the password
Signed-off-by: Claudius <opensource@amenthes.de>
2019-05-13 19:37:21 +02:00
Emmanuel Ormancey
df53f465c0
Added a configuration option for passport-saml:
disableRequestedAuthnContext: true|false

By default only Password authmethod is accepted, this option allows any other method.

Issue and option described here:
https://github.com/bergie/passport-saml/issues/226

Signed-off-by: Emmanuel Ormancey <emmanuel.ormancey@cern.ch>
2019-04-06 17:54:58 +02:00
Sheogorath
cda878d377
Add required change for Google+ API deprecation
Since Google+ is shutting down soon, we need to get the profile data
from another URL. Since the library already supports it, all we need to
do is adding a single line of code.

Details:
https://github.com/hackmdio/codimd/issues/1160

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-09 14:42:06 +01:00
CloudYu
35a9f72a06 Fix typo
Signed-off-by: CloudYu <cloudyu322@gmail.com>
2018-11-27 22:14:37 +08:00
Claudius Coenen
56c043424d InternalOAuthError is not part of passport, but of passport-oauth2
This fixes part of #1056: an error while obtaining the profile
would have `502`-crashed the server.

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2018-11-14 14:38:47 +01:00
Sheogorath
9f9c4089be
Add OpenID to CodiMD
With OpenID every OpenID capable provider can provide authentication for
users of a CodiMD instance. This means we have federated
authentication.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-05 22:43:32 +02:00
Sheogorath
562985a115
Update passport-ldap
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-30 16:52:33 +02:00
Christoph (Sheogorath) Kern
551840ad57
Merge pull request #784 from pferreir/add-oauth2-support
Add "generic" OAuth2 support
2018-06-04 15:54:47 +02:00
Max Wu
e0629c7d27
Fix typo of "grouptAttribute" in saml auth module
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-04-27 21:52:05 +08:00
Pedro Ferreira
40b3855702 Add support for generic OAuth2 providers
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-26 15:55:39 +02:00
Sheogorath
2411dffa2c
Change config to camel case with backwards compatibility
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 19:08:14 +02:00
Sheogorath
638eae0dfb
Add check for undefined UUID
This check is needed at there are tons of LDAP implementations out there
and none has at least one guaranteed unique field. As we currently check
three fields and added an option to select one yourself, it's still not
said that any of these fields is set. This will now create an error
and fail the authentication instead of letting people may get access to
other people's notes which are stored under a this way deterministic
wrong userid named `LDAP-undefined`.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-18 00:27:07 +01:00
Felix Schäfer
12dae4465f Multiple emails from LDAP are already an Array
Signed-off-by: Felix Schäfer <felix@thegcat.net>
2018-03-09 14:39:08 +01:00
Dustin Frisch
d6ee10d176
Introduce ldap.useridField
Signed-off-by: Dustin Frisch <fooker@lab.sh>
2018-03-01 23:51:47 +01:00
Sheogorath
eddf8a3a33
Fix uncaught exception for non-existent user
Since we added user management it's possible to get non-existent users
which can cause a crash of the Backend server.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-30 21:53:36 +01:00
Lukas Kalbertodt
612b2d1811 Add setting ldap.usernameField
This determines which ldap field is used as the username on
HackMD. By default, the "id" is used as username, too. The id
is taken from the fields `uidNumber`, `uid` or
`sAMAccountName`. To give the user more flexibility, they can
now choose the field used for the username instead.
2017-12-09 12:30:48 +01:00
Norihito Nakae
2db2ff484f added guide for SAML settings 2017-12-04 20:13:15 +09:00
Norihito Nakae
a22be81feb fixed the SAML callback URL to unconfigurable. 2017-11-29 15:45:32 +09:00
Norihito Nakae
4a4ae9d332 Initial support for SAML authentication 2017-11-28 18:52:24 +09:00
Christoph Witzany
5cda55086a Add mattermost authentication 2017-10-31 10:34:51 +01:00
Sheogorath
881e800fd8 Merge pull request #562 from SISheogorath/fix/LDAP
Fix LDAP problem about missing uidNumber
2017-10-27 12:48:45 +02:00
Sheogorath
f93a14e3e1 Fix LDAP problem about missing uidNumber
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2017-10-12 14:52:28 +02:00
Kaiyu Shi
4ae8086301 Give google the correct name. 2017-09-04 16:04:20 +08:00
Max Wu
0a6793747c fix: export to gist occurred 404 not found 2017-05-17 02:42:44 +08:00
BoHong Li
ecb0533605 refactor(config.js): Extract config file
* Separate different config source to each files
* Freeze config object
2017-05-08 19:29:07 +08:00
BoHong Li
a7e3c4d535 refactor(auth.js): Remove base path 2017-05-08 19:29:06 +08:00
BoHong Li
d88502e331 refactor(app.js): Move passport serialize and deserialize to auth module 2017-05-08 19:29:06 +08:00
BoHong Li
69a9f7ca38 refactor(app.js, auth.js): Extract all auth method to individual modules 2017-05-08 19:24:38 +08:00