summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSheogorath2017-08-31 23:33:55 +0200
committerSheogorath2018-10-05 22:43:32 +0200
commit9f9c4089be2112bfd8a55dd2cb996c811afab898 (patch)
tree528fd1c47b3847955b97a39a22f7cc9eaa4376c6
parent32af96aa376576d060e16a2c0ff7ed5719d24e91 (diff)
Add OpenID to CodiMD
With OpenID every OpenID capable provider can provide authentication for users of a CodiMD instance. This means we have federated authentication. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
-rw-r--r--lib/config/default.js3
-rw-r--r--lib/config/environment.js3
-rw-r--r--lib/config/index.js1
-rw-r--r--lib/response.js4
-rw-r--r--lib/web/auth/index.js1
-rw-r--r--lib/web/auth/openid/index.js61
-rw-r--r--package.json1
-rw-r--r--public/views/shared/signin-modal.ejs21
8 files changed, 91 insertions, 4 deletions
diff --git a/lib/config/default.js b/lib/config/default.js
index cf7d2fc5..acfc2157 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -145,5 +145,6 @@ module.exports = {
email: true,
allowEmailRegister: true,
allowGravatar: true,
- allowPDFExport: true
+ allowPDFExport: true,
+ openID: true
}
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 6c4ce92f..65bacb4e 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -123,5 +123,6 @@ module.exports = {
email: toBooleanConfig(process.env.CMD_EMAIL),
allowEmailRegister: toBooleanConfig(process.env.CMD_ALLOW_EMAIL_REGISTER),
allowGravatar: toBooleanConfig(process.env.CMD_ALLOW_GRAVATAR),
- allowPDFExport: toBooleanConfig(process.env.CMD_ALLOW_PDF_EXPORT)
+ allowPDFExport: toBooleanConfig(process.env.CMD_ALLOW_PDF_EXPORT),
+ openID: toBooleanConfig(process.env.CMD_OPENID)
}
diff --git a/lib/config/index.js b/lib/config/index.js
index 7d059c5c..f8b68e30 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -96,6 +96,7 @@ config.isGoogleEnable = config.google.clientID && config.google.clientSecret
config.isDropboxEnable = config.dropbox.clientID && config.dropbox.clientSecret
config.isTwitterEnable = config.twitter.consumerKey && config.twitter.consumerSecret
config.isEmailEnable = config.email
+config.isOpenIDEnable = config.openID
config.isGitHubEnable = config.github.clientID && config.github.clientSecret
config.isGitLabEnable = config.gitlab.clientID && config.gitlab.clientSecret
config.isMattermostEnable = config.mattermost.clientID && config.mattermost.clientSecret
diff --git a/lib/response.js b/lib/response.js
index d30f2a8d..9f1740c8 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -88,6 +88,7 @@ function showIndex (req, res, next) {
email: config.isEmailEnable,
allowEmailRegister: config.allowEmailRegister,
allowPDFExport: config.allowPDFExport,
+ openID: config.isOpenIDEnable,
signin: authStatus,
infoMessage: req.flash('info'),
errorMessage: req.flash('error'),
@@ -142,7 +143,8 @@ function responseCodiMD (res, note) {
oauth2: config.isOAuth2Enable,
email: config.isEmailEnable,
allowEmailRegister: config.allowEmailRegister,
- allowPDFExport: config.allowPDFExport
+ allowPDFExport: config.allowPDFExport,
+ openID: config.isOpenIDEnable
})
}
diff --git a/lib/web/auth/index.js b/lib/web/auth/index.js
index 61e7c3f9..86ab4b28 100644
--- a/lib/web/auth/index.js
+++ b/lib/web/auth/index.js
@@ -45,6 +45,7 @@ if (config.isLDAPEnable) authRouter.use(require('./ldap'))
if (config.isSAMLEnable) authRouter.use(require('./saml'))
if (config.isOAuth2Enable) authRouter.use(require('./oauth2'))
if (config.isEmailEnable) authRouter.use(require('./email'))
+if (config.isOpenIDEnable) authRouter.use(require('./openid'))
// logout
authRouter.get('/logout', function (req, res) {
diff --git a/lib/web/auth/openid/index.js b/lib/web/auth/openid/index.js
new file mode 100644
index 00000000..96f61807
--- /dev/null
+++ b/lib/web/auth/openid/index.js
@@ -0,0 +1,61 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const OpenIDStrategy = require('@passport-next/passport-openid').Strategy
+const config = require('../../../config')
+const models = require('../../../models')
+const logger = require('../../../logger')
+const {urlencodedParser} = require('../../utils')
+const {setReturnToFromReferer} = require('../utils')
+
+let openIDAuth = module.exports = Router()
+
+passport.use(new OpenIDStrategy({
+ returnURL: config.serverURL + '/auth/openid/callback',
+ realm: config.serverURL,
+ profile: true
+}, function (openid, profile, done) {
+ var stringifiedProfile = JSON.stringify(profile)
+ models.User.findOrCreate({
+ where: {
+ profileid: openid
+ },
+ defaults: {
+ profile: stringifiedProfile
+ }
+ }).spread(function (user, created) {
+ if (user) {
+ var needSave = false
+ if (user.profile !== stringifiedProfile) {
+ user.profile = stringifiedProfile
+ needSave = true
+ }
+ if (needSave) {
+ user.save().then(function () {
+ if (config.debug) { logger.info('user login: ' + user.id) }
+ return done(null, user)
+ })
+ } else {
+ if (config.debug) { logger.info('user login: ' + user.id) }
+ return done(null, user)
+ }
+ }
+ }).catch(function (err) {
+ logger.error('auth callback failed: ' + err)
+ return done(err, null)
+ })
+}))
+
+openIDAuth.post('/auth/openid', urlencodedParser, function (req, res, next) {
+ setReturnToFromReferer(req)
+ passport.authenticate('openid')(req, res, next)
+})
+
+// openID auth callback
+openIDAuth.get('/auth/openid/callback',
+ passport.authenticate('openid', {
+ successReturnToOrRedirect: config.serverurl + '/',
+ failureRedirect: config.serverurl + '/'
+ })
+)
diff --git a/package.json b/package.json
index 12172639..c260b65f 100644
--- a/package.json
+++ b/package.json
@@ -15,6 +15,7 @@
"doctoc": "doctoc --title='# Table of Contents' README.md"
},
"dependencies": {
+ "@passport-next/passport-openid": "^1.0.0",
"Idle.Js": "git+https://github.com/shawnmclean/Idle.js",
"archiver": "^2.1.1",
"async": "^2.1.4",
diff --git a/public/views/shared/signin-modal.ejs b/public/views/shared/signin-modal.ejs
index f0cffad9..b413511c 100644
--- a/public/views/shared/signin-modal.ejs
+++ b/public/views/shared/signin-modal.ejs
@@ -78,7 +78,26 @@
</div>
</form>
<% } %>
- <% if((facebook || twitter || github || gitlab || mattermost || dropbox || google || ldap || oauth2) && email) { %>
+ <% if((facebook || twitter || github || gitlab || mattermost || dropbox || google || ldap || oauth2) && openID) { %>
+ <hr>
+ <% }%>
+ <% if(openID) { %>
+ <h4>OpenID</h4>
+ <form data-toggle="validator" role="form" class="form-horizontal" method="post" enctype="application/x-www-form-urlencoded">
+ <div class="form-group">
+ <div class="col-sm-12">
+ <input type="text" class="form-control" name="openid_identifier" placeholder="OpenID" required>
+ <span class="help-block control-label with-errors" style="display: inline;"></span>
+ </div>
+ </div>
+ <div class="form-group">
+ <div class="col-sm-12">
+ <button type="submit" class="btn btn-primary" formaction="<%- url %>/auth/openid">Sign in</button>
+ </div>
+ </div>
+ </form>
+ <% } %>
+ <% if((facebook || twitter || github || gitlab || mattermost || dropbox || google || ldap || oauth2 || openID) && email) { %>
<hr>
<% }%>
<% if(email) { %>