Commit graph

13 commits

Author SHA1 Message Date
Sheogorath
1f1b2bd386 fix(oauth2): Fix crash in rolesClaim extraction
This patch adds a try-catch around the rolesClaim extraction to prevent
full crashes of HedgeDoc when a user profile is read, that doesn't
contain any such claim, which can happen with some IdPs, like Keycloak,
that omit the attribute when it's empty.

As a result an authorized user would crash the entire server, which is
definitely unintended behaviour. The simply try-catch should resolve the
issue and make sure that roles is always defined even if the
`extractProfileAttribute` call fails.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2023-10-19 19:34:44 +02:00
David Mehren
d26dcd04a1
Adapt code for eslint-config-standard 17
Signed-off-by: David Mehren <git@herrmehren.de>
2022-05-01 21:19:44 +02:00
Erik Michelson
6e983ba5dc
Use libravatar image if email address is defined
We use the attribute `emails` (plural) for email addresses with other auth providers like LDAP or SAML. In case of OAuth2 we used the attribute `email` (singular) which resulted in problems.
Furthermore the OAuth2 strategy fell into the default fallback of the provider switch statement. This statement did not check email addresses but did generate the letter-avatar instantly.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-01-07 14:01:32 +01:00
Philip Molares
136d895d15 Linter: Fix all lint errors
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 12:15:14 +01:00
David Mehren
cc7fa947bf
Fix crash when OAuth2 config parameters are missing
If the optional config options `config.oauth2.userProfileIdAttr` or `config.oauth2.rolesClaim` were not set, `String.split` was called on `undefined`, triggering a crash.

This commit adds handling of these cases and improves error logging in `checkAuthorization`.

Fixes #608

Signed-off-by: David Mehren <git@herrmehren.de>
2020-11-30 15:04:30 +01:00
Joachim Mathes
729b387536 Add oauth2 authorization
Signed-off-by: Joachim Mathes <joachim_mathes@web.de>
2020-11-25 19:23:55 +01:00
Dexter Chua
a88b4aff2a Generic OAuth2: Set state: true
The OAuth2 specification RECOMMENDS setting the state to protect against
CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to
authenticate without the state set.

This is a cherry-pick of 852868419d.

Signed-off-by: haslersn <sebastian.hasler@gmx.net>
2020-10-22 22:50:34 +02:00
Victor Berger
5f3a1b6266 Backport of #278 for 1.6.1
This is a backport of #278 with the default value of `scope` changed to
`undefined`. This is thus a fully backward-compatible change.

Signed-off-by: Victor Berger <victor.berger@m4x.org>
2020-06-20 16:48:25 +02:00
Ralph Krimmel
3fb3ca54e9 Removing returnTo setting from referer in all other authentication sources
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-28 12:25:59 +01:00
Sheogorath
4da68597f7
Fix eslint warnings
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.

There should no functional change be introduced.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-31 00:30:29 +02:00
CloudYu
35a9f72a06 Fix typo
Signed-off-by: CloudYu <cloudyu322@gmail.com>
2018-11-27 22:14:37 +08:00
Claudius Coenen
56c043424d InternalOAuthError is not part of passport, but of passport-oauth2
This fixes part of #1056: an error while obtaining the profile
would have `502`-crashed the server.

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2018-11-14 14:38:47 +01:00
Pedro Ferreira
40b3855702 Add support for generic OAuth2 providers
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-26 15:55:39 +02:00