authorSheogorath2018-03-17 21:56:52 +0100
committerSheogorath2018-03-18 00:27:07 +0100
commit638eae0dfb2cf33d58eccca371a8dc98881cc5af (patch)
tree65d114d910cf52851ced9c5a3576b76715f5dfc8 /lib/web/auth
parent9cbe03d8a8eb503170b7b481e97c37d66447dd37 (diff)
Add check for undefined UUID
This check is needed as there are tons of LDAP implementations out there and none has at least one guaranteed unique field. Although we currently check three fields and added an option to select one yourself, there is still no guarantee that any of these fields is set. This will now create an error and fail the authentication instead of letting people possibly get access to other people's notes, which would be stored under the deterministic but wrong userid `LDAP-undefined`. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to 'lib/web/auth')
-rw-r--r--lib/web/auth/ldap/index.js9
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/web/auth/ldap/index.js b/lib/web/auth/ldap/index.js
index 1a5c9938..6aa9789f 100644
--- a/lib/web/auth/ldap/index.js
+++ b/lib/web/auth/ldap/index.js
@@ -23,11 +23,18 @@ passport.use(new LDAPStrategy({
tlsOptions: config.ldap.tlsOptions || null
}
}, function (user, done) {
- var uuid = user.uidNumber || user.uid || user.sAMAccountName
+ var uuid = user.uidNumber || user.uid || user.sAMAccountName || undefined
if (config.ldap.useridField && user[config.ldap.useridField]) {
uuid = user[config.ldap.useridField]
}
+ if (typeof uuid === 'undefined') {
+ throw new Error('Could not determine UUID for LDAP user. Check that ' +
+ 'either uidNumber, uid or sAMAccountName is set in your LDAP directory ' +
+ 'or use another unique attribute and configure it using the ' +
+ '"useridField" option in ldap settings.')
+ }
+
var username = uuid
if (config.ldap.usernameField && user[config.ldap.usernameField]) {
username = user[config.ldap.usernameField]