mirror of https://github.com/requarks/wiki
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
90 lines
3.2 KiB
90 lines
3.2 KiB
const _ = require('lodash')
|
|
|
|
// ------------------------------------
|
|
// OpenID Connect Account
|
|
// ------------------------------------
|
|
|
|
const OpenIDConnectStrategy = require('passport-openidconnect').Strategy
|
|
|
|
module.exports = {
|
|
init (passport, conf) {
|
|
passport.use(conf.key,
|
|
new OpenIDConnectStrategy({
|
|
authorizationURL: conf.authorizationURL,
|
|
tokenURL: conf.tokenURL,
|
|
clientID: conf.clientId,
|
|
clientSecret: conf.clientSecret,
|
|
issuer: conf.issuer,
|
|
userInfoURL: conf.userInfoURL,
|
|
callbackURL: conf.callbackURL,
|
|
passReqToCallback: true,
|
|
skipUserProfile: false,
|
|
store: new (class {
|
|
store(req, ctx, appState, meta, cb) { cb(null, ctx.state || 'state') }
|
|
verify(req, providedState, cb) { cb(null, true) }
|
|
})()
|
|
}, async (req, iss, uiProfile, idProfile, context, idToken, accessToken, refreshToken, params, cb) => {
|
|
const profile = uiProfile || idProfile || {}
|
|
try {
|
|
// passport-openidconnect may not populate profile properly
|
|
// Fetch user info manually using the access token
|
|
const https = require('https')
|
|
const url = require('url')
|
|
|
|
const fetchUserInfo = (infoUrl, token) => new Promise((resolve, reject) => {
|
|
const parsed = url.parse(infoUrl)
|
|
const opts = { hostname: parsed.hostname, path: parsed.path, port: parsed.port || 443, headers: { 'Authorization': 'Bearer ' + token, 'Accept': 'application/json' } }
|
|
https.get(opts, (res) => {
|
|
let data = ''
|
|
res.on('data', chunk => data += chunk)
|
|
res.on('end', () => { try { resolve(JSON.parse(data)) } catch(e) { reject(e) } })
|
|
}).on('error', reject)
|
|
})
|
|
|
|
// Try userinfo endpoint first, then GitLab API
|
|
let userInfo = {}
|
|
try {
|
|
userInfo = await fetchUserInfo(conf.userInfoURL, accessToken)
|
|
} catch(e) {
|
|
WIKI.logger.warn('OIDC userinfo fetch failed: ' + e.message)
|
|
}
|
|
|
|
// Fallback to GitLab API if no email
|
|
if (!userInfo.email && conf.baseUrl) {
|
|
try {
|
|
userInfo = await fetchUserInfo(conf.baseUrl + '/api/v4/user', accessToken)
|
|
} catch(e) {
|
|
WIKI.logger.warn('GitLab API user fetch failed: ' + e.message)
|
|
}
|
|
}
|
|
|
|
const email = userInfo.email || _.get(profile, '_json.email') || _.get(profile, 'email')
|
|
const displayName = userInfo.name || userInfo.username || _.get(profile, 'displayName') || ''
|
|
|
|
WIKI.logger.info('OIDC user: ' + JSON.stringify({ email, name: displayName, username: userInfo.username }))
|
|
|
|
const user = await WIKI.db.users.processProfile({
|
|
providerKey: req.params.strategy,
|
|
profile: {
|
|
...profile,
|
|
id: userInfo.id || profile.id || sub,
|
|
email: email,
|
|
displayName: displayName
|
|
}
|
|
})
|
|
cb(null, user)
|
|
} catch (err) {
|
|
cb(err, null)
|
|
}
|
|
})
|
|
)
|
|
},
|
|
logout (conf) {
|
|
if (!conf.logoutURL) {
|
|
return '/'
|
|
} else {
|
|
return conf.logoutURL
|
|
}
|
|
}
|
|
}
|