chore(deps): merge Wiki.js v2.5.312

2 months ago · dd386bbdde
parent 2e7e835382 d14b0a5509
commit dd386bbdde
9 changed files with 96 additions and 23 deletions
--- a/client/client-app.js
+++ b/client/client-app.js
@ -114,7 +114,11 @@ const graphQLWSLink = new WebSocketLink({
  uri: graphQLWSEndpoint,
  options: {
    reconnect: true,
-    lazy: true
+    lazy: true,
+    connectionParams: () => {
+      const token = Cookies.get('jwt')
+      return token ? { token } : {}
+    }
  }
 })

--- a/client/components/login.vue
+++ b/client/components/login.vue
@ -644,16 +644,22 @@ export default {
        Cookies.set('jwt', respObj.jwt, { expires: 365, secure: window.location.protocol === 'https:' })
        _.delay(() => {
          const loginRedirect = Cookies.get('loginRedirect')
+          const isValidRedirect = loginRedirect && loginRedirect.startsWith('/') && !loginRedirect.startsWith('//') && !loginRedirect.includes('://')
          if (loginRedirect === '/' && respObj.redirect) {
            Cookies.remove('loginRedirect')
            window.location.replace(respObj.redirect)
-          } else if (loginRedirect) {
+          } else if (isValidRedirect) {
            Cookies.remove('loginRedirect')
            window.location.replace(loginRedirect)
-          } else if (respObj.redirect) {
-            window.location.replace(respObj.redirect)
          } else {
-            window.location.replace('/')
+            if (loginRedirect) {
+              Cookies.remove('loginRedirect')
+            }
+            if (respObj.redirect) {
+              window.location.replace(respObj.redirect)
+            } else {
+              window.location.replace('/')
+            }
          }
        }, 1000)
      }
--- a/client/themes/default/scss/app.scss
+++ b/client/themes/default/scss/app.scss
@ -764,8 +764,17 @@
  .diagram {
    margin-top: 1rem;
    overflow: auto;
-    svg:first-child {
-      direction: ltr;
+
+    svg {
+      color-scheme: light !important;
+
+      &:first-child {
+        direction: ltr;
+      }
+
+      @at-root .theme--dark & {
+        color-scheme: dark !important;
+      }
    }
  }

--- a/server/controllers/auth.js
+++ b/server/controllers/auth.js
@ -73,16 +73,22 @@ router.all('/login/:strategy/callback', async (req, res, next) => {
    res.cookie('jwt', authResult.jwt, commonHelper.getCookieOpts())

    const loginRedirect = req.cookies['loginRedirect']
+    const isValidRedirect = loginRedirect && loginRedirect.startsWith('/') && !loginRedirect.startsWith('//') && !loginRedirect.includes('://')
    if (loginRedirect === '/' && authResult.redirect) {
      res.clearCookie('loginRedirect')
      res.redirect(authResult.redirect)
-    } else if (loginRedirect) {
+    } else if (isValidRedirect) {
      res.clearCookie('loginRedirect')
      res.redirect(loginRedirect)
-    } else if (authResult.redirect) {
-      res.redirect(authResult.redirect)
    } else {
-      res.redirect('/')
+      if (loginRedirect) {
+        res.clearCookie('loginRedirect')
+      }
+      if (authResult.redirect) {
+        res.redirect(authResult.redirect)
+      } else {
+        res.redirect('/')
+      }
    }
  } catch (err) {
    next(err)
--- a/server/core/servers.js
+++ b/server/core/servers.js
@ -4,6 +4,8 @@ const https = require('https')
 const { ApolloServer } = require('apollo-server-express')
 const Promise = require('bluebird')
 const _ = require('lodash')
+const jwt = require('jsonwebtoken')
+const cookie = require('cookie')

 /* global WIKI */

@ -125,7 +127,35 @@ module.exports = {
      context: ({ req, res }) => ({ req, res }),
      subscriptions: {
        onConnect: (connectionParams, webSocket) => {
+          let token = _.get(connectionParams, 'token', null)

+          if (!token) {
+            const cookieHeader = _.get(webSocket, 'upgradeReq.headers.cookie', '')
+            if (cookieHeader) {
+              const cookies = cookie.parse(cookieHeader)
+              token = cookies.jwt || null
+            }
+          }
+
+          if (!token) {
+            throw new Error('Unauthorized')
+          }
+
+          try {
+            const user = jwt.verify(token, WIKI.config.certs.public, {
+              audience: WIKI.config.auth.audience,
+              issuer: 'urn:wiki.js',
+              algorithms: ['RS256']
+            })
+
+            if (!_.includes(user.permissions, 'manage:system')) {
+              throw new Error('Forbidden')
+            }
+
+            return { user }
+          } catch (err) {
+            throw new Error('Unauthorized')
+          }
        },
        path: '/graphql-subscriptions'
      }
--- a/server/modules/authentication/oauth2/authentication.js
+++ b/server/modules/authentication/oauth2/authentication.js
@ -22,13 +22,15 @@ module.exports = {
      state: conf.enableCSRFProtection
    }, async (req, accessToken, refreshToken, profile, cb) => {
      try {
+        const picture = _.get(profile, conf.pictureClaim, '')
        const user = await WIKI.models.users.processProfile({
          providerKey: req.params.strategy,
          profile: {
            ...profile,
            id: _.get(profile, conf.userIdClaim),
            displayName: _.get(profile, conf.displayNameClaim, '???'),
-            email: _.get(profile, conf.emailClaim)
+            email: _.get(profile, conf.emailClaim),
+            picture: picture
          }
        })
        if (conf.mapGroups) {
--- a/server/modules/authentication/oauth2/definition.yml
+++ b/server/modules/authentication/oauth2/definition.yml
@ -54,38 +54,45 @@ props:
    default: email
    maxWidth: 500
    order: 8
+  pictureClaim:
+    type: String
+    title: Picture Claim
+    hint: Field containing the user avatar URL
+    default: picture
+    maxWidth: 500
+    order: 9
  mapGroups:
    type: Boolean
    title: Map Groups
    hint: Map groups matching names from the groups claim value
    default: false
-    order: 9
+    order: 10
  groupsClaim:
    type: String
    title: Groups Claim
    hint: Field containing the group names
    default: groups
    maxWidth: 500
-    order: 10
+    order: 11
  logoutURL:
    type: String
    title: Logout URL
    hint: (optional) Logout URL on the OAuth2 provider where the user will be redirected to complete the logout process.
-    order: 11
+    order: 12
  scope:
    type: String
    title: Scope
    hint: (optional) Application Client permission scopes.
-    order: 12
+    order: 13
  useQueryStringForAccessToken:
    type: Boolean
    default: false
    title: Pass access token via GET query string to User Info Endpoint
    hint: (optional) Pass the access token in an `access_token` parameter attached to the GET query string of the User Info Endpoint URL. Otherwise the access token will be passed in the Authorization header.
-    order: 13
+    order: 14
  enableCSRFProtection:
    type: Boolean
    default: true
    title: Enable CSRF protection
    hint: Pass a nonce state parameter during authentication to protect against CSRF attacks.
-    order: 14
+    order: 15
--- a/server/modules/authentication/oidc/authentication.js
+++ b/server/modules/authentication/oidc/authentication.js
@ -24,6 +24,7 @@ module.exports = {
        acrValues: conf.acrValues
      }, async (req, iss, uiProfile, idProfile, context, idToken, accessToken, refreshToken, params, cb) => {
        const profile = Object.assign({}, idProfile, uiProfile)
+        const picture = _.get(profile, '_json.' + conf.pictureClaim, '')

        try {
          const user = await WIKI.models.users.processProfile({
@ -31,7 +32,8 @@ module.exports = {
            profile: {
              ...profile,
              email: _.get(profile, '_json.' + conf.emailClaim),
-              displayName: _.get(profile, '_json.' + conf.displayNameClaim, '')
+              displayName: _.get(profile, '_json.' + conf.displayNameClaim, ''),
+              picture: picture
            }
          })
          if (conf.mapGroups) {
--- a/server/modules/authentication/oidc/definition.yml
+++ b/server/modules/authentication/oidc/definition.yml
@ -62,26 +62,33 @@ props:
    default: displayName
    maxWidth: 500
    order: 9
+  pictureClaim:
+    type: String
+    title: Picture Claim
+    hint: Field containing the user avatar URL
+    default: picture
+    maxWidth: 500
+    order: 10
  mapGroups:
    type: Boolean
    title: Map Groups
    hint: Map groups matching names from the groups claim value
    default: false
-    order: 10
+    order: 11
  groupsClaim:
    type: String
    title: Groups Claim
    hint: Field containing the group names
    default: groups
    maxWidth: 500
-    order: 11
+    order: 12
  logoutURL:
    type: String
    title: Logout URL
    hint: (optional) Logout URL on the OAuth2 provider where the user will be redirected to complete the logout process.
-    order: 12
+    order: 13
  acrValues:
    type: String
    title: ACR Values
    hint: (optional) Authentication Context Class Reference
-    order: 13
+    order: 14