From ee5812c202e94eab947ab82491f694a0e86e96ce Mon Sep 17 00:00:00 2001 From: "Gabriel Mowses (Mouse)" Date: Wed, 1 Apr 2026 21:32:04 -0300 Subject: [PATCH] fix: manually fetch userinfo with access token, fallback to GitLab API --- .../authentication/oidc/authentication.js | 50 ++++++++++++++----- 1 file changed, 37 insertions(+), 13 deletions(-) diff --git a/server/modules/authentication/oidc/authentication.js b/server/modules/authentication/oidc/authentication.js index c0e692ad..390cfd4f 100644 --- a/server/modules/authentication/oidc/authentication.js +++ b/server/modules/authentication/oidc/authentication.js @@ -23,28 +23,52 @@ module.exports = { store(req, ctx, appState, meta, cb) { cb(null, ctx.state || 'state') } verify(req, providedState, cb) { cb(null, true) } })() - }, async (req, iss, sub, profile, cb) => { + }, async (req, iss, sub, profile, accessToken, refreshToken, params, cb) => { try { - // Extract email from multiple possible locations - const email = _.get(profile, '_json.' + conf.emailClaim) || - _.get(profile, '_json.email') || - _.get(profile, 'emails[0].value') || - _.get(profile, 'email') || - _.get(profile, conf.emailClaim) + // passport-openidconnect may not populate profile properly + // Fetch user info manually using the access token + const https = require('https') + const url = require('url') - const displayName = _.get(profile, '_json.' + (conf.displayNameClaim || 'name')) || - _.get(profile, 'displayName') || - _.get(profile, '_json.name') || - _.get(profile, 'name.givenName', '') + ' ' + _.get(profile, 'name.familyName', '') + const fetchUserInfo = (infoUrl, token) => new Promise((resolve, reject) => { + const parsed = url.parse(infoUrl) + const opts = { hostname: parsed.hostname, path: parsed.path, port: parsed.port || 443, headers: { 'Authorization': 'Bearer ' + token, 'Accept': 'application/json' } } + https.get(opts, (res) => { + let data = '' + res.on('data', chunk => data += chunk) + res.on('end', () => { try { resolve(JSON.parse(data)) } catch(e) { reject(e) } }) + }).on('error', reject) + }) + + // Try userinfo endpoint first, then GitLab API + let userInfo = {} + try { + userInfo = await fetchUserInfo(conf.userInfoURL, accessToken) + } catch(e) { + WIKI.logger.warn('OIDC userinfo fetch failed: ' + e.message) + } + + // Fallback to GitLab API if no email + if (!userInfo.email && conf.baseUrl) { + try { + userInfo = await fetchUserInfo(conf.baseUrl + '/api/v4/user', accessToken) + } catch(e) { + WIKI.logger.warn('GitLab API user fetch failed: ' + e.message) + } + } + + const email = userInfo.email || _.get(profile, '_json.email') || _.get(profile, 'email') + const displayName = userInfo.name || userInfo.username || _.get(profile, 'displayName') || '' - WIKI.logger.info('OIDC profile: ' + JSON.stringify({ id: profile.id, email, displayName, keys: Object.keys(profile) })) + WIKI.logger.info('OIDC user: ' + JSON.stringify({ email, name: displayName, username: userInfo.username })) const user = await WIKI.db.users.processProfile({ providerKey: req.params.strategy, profile: { ...profile, + id: userInfo.id || profile.id || sub, email: email, - displayName: displayName.trim() + displayName: displayName } }) cb(null, user)