Add OpenID to CodiMD

With OpenID every OpenID capable provider can provide authentication for
users of a CodiMD instance. This means we have federated
authentication.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2017-08-31 23:33:55 +02:00
parent 32af96aa37
commit 9f9c4089be
No known key found for this signature in database
GPG key ID: 1F05CC3635CDDFFD
8 changed files with 91 additions and 4 deletions

View file

@ -145,5 +145,6 @@ module.exports = {
email: true, email: true,
allowEmailRegister: true, allowEmailRegister: true,
allowGravatar: true, allowGravatar: true,
allowPDFExport: true allowPDFExport: true,
openID: true
} }

View file

@ -123,5 +123,6 @@ module.exports = {
email: toBooleanConfig(process.env.CMD_EMAIL), email: toBooleanConfig(process.env.CMD_EMAIL),
allowEmailRegister: toBooleanConfig(process.env.CMD_ALLOW_EMAIL_REGISTER), allowEmailRegister: toBooleanConfig(process.env.CMD_ALLOW_EMAIL_REGISTER),
allowGravatar: toBooleanConfig(process.env.CMD_ALLOW_GRAVATAR), allowGravatar: toBooleanConfig(process.env.CMD_ALLOW_GRAVATAR),
allowPDFExport: toBooleanConfig(process.env.CMD_ALLOW_PDF_EXPORT) allowPDFExport: toBooleanConfig(process.env.CMD_ALLOW_PDF_EXPORT),
openID: toBooleanConfig(process.env.CMD_OPENID)
} }

View file

@ -96,6 +96,7 @@ config.isGoogleEnable = config.google.clientID && config.google.clientSecret
config.isDropboxEnable = config.dropbox.clientID && config.dropbox.clientSecret config.isDropboxEnable = config.dropbox.clientID && config.dropbox.clientSecret
config.isTwitterEnable = config.twitter.consumerKey && config.twitter.consumerSecret config.isTwitterEnable = config.twitter.consumerKey && config.twitter.consumerSecret
config.isEmailEnable = config.email config.isEmailEnable = config.email
config.isOpenIDEnable = config.openID
config.isGitHubEnable = config.github.clientID && config.github.clientSecret config.isGitHubEnable = config.github.clientID && config.github.clientSecret
config.isGitLabEnable = config.gitlab.clientID && config.gitlab.clientSecret config.isGitLabEnable = config.gitlab.clientID && config.gitlab.clientSecret
config.isMattermostEnable = config.mattermost.clientID && config.mattermost.clientSecret config.isMattermostEnable = config.mattermost.clientID && config.mattermost.clientSecret

View file

@ -88,6 +88,7 @@ function showIndex (req, res, next) {
email: config.isEmailEnable, email: config.isEmailEnable,
allowEmailRegister: config.allowEmailRegister, allowEmailRegister: config.allowEmailRegister,
allowPDFExport: config.allowPDFExport, allowPDFExport: config.allowPDFExport,
openID: config.isOpenIDEnable,
signin: authStatus, signin: authStatus,
infoMessage: req.flash('info'), infoMessage: req.flash('info'),
errorMessage: req.flash('error'), errorMessage: req.flash('error'),
@ -142,7 +143,8 @@ function responseCodiMD (res, note) {
oauth2: config.isOAuth2Enable, oauth2: config.isOAuth2Enable,
email: config.isEmailEnable, email: config.isEmailEnable,
allowEmailRegister: config.allowEmailRegister, allowEmailRegister: config.allowEmailRegister,
allowPDFExport: config.allowPDFExport allowPDFExport: config.allowPDFExport,
openID: config.isOpenIDEnable
}) })
} }

View file

@ -45,6 +45,7 @@ if (config.isLDAPEnable) authRouter.use(require('./ldap'))
if (config.isSAMLEnable) authRouter.use(require('./saml')) if (config.isSAMLEnable) authRouter.use(require('./saml'))
if (config.isOAuth2Enable) authRouter.use(require('./oauth2')) if (config.isOAuth2Enable) authRouter.use(require('./oauth2'))
if (config.isEmailEnable) authRouter.use(require('./email')) if (config.isEmailEnable) authRouter.use(require('./email'))
if (config.isOpenIDEnable) authRouter.use(require('./openid'))
// logout // logout
authRouter.get('/logout', function (req, res) { authRouter.get('/logout', function (req, res) {

View file

@ -0,0 +1,61 @@
'use strict'
const Router = require('express').Router
const passport = require('passport')
const OpenIDStrategy = require('@passport-next/passport-openid').Strategy
const config = require('../../../config')
const models = require('../../../models')
const logger = require('../../../logger')
const {urlencodedParser} = require('../../utils')
const {setReturnToFromReferer} = require('../utils')
let openIDAuth = module.exports = Router()
passport.use(new OpenIDStrategy({
returnURL: config.serverURL + '/auth/openid/callback',
realm: config.serverURL,
profile: true
}, function (openid, profile, done) {
var stringifiedProfile = JSON.stringify(profile)
models.User.findOrCreate({
where: {
profileid: openid
},
defaults: {
profile: stringifiedProfile
}
}).spread(function (user, created) {
if (user) {
var needSave = false
if (user.profile !== stringifiedProfile) {
user.profile = stringifiedProfile
needSave = true
}
if (needSave) {
user.save().then(function () {
if (config.debug) { logger.info('user login: ' + user.id) }
return done(null, user)
})
} else {
if (config.debug) { logger.info('user login: ' + user.id) }
return done(null, user)
}
}
}).catch(function (err) {
logger.error('auth callback failed: ' + err)
return done(err, null)
})
}))
openIDAuth.post('/auth/openid', urlencodedParser, function (req, res, next) {
setReturnToFromReferer(req)
passport.authenticate('openid')(req, res, next)
})
// openID auth callback
openIDAuth.get('/auth/openid/callback',
passport.authenticate('openid', {
successReturnToOrRedirect: config.serverurl + '/',
failureRedirect: config.serverurl + '/'
})
)

View file

@ -15,6 +15,7 @@
"doctoc": "doctoc --title='# Table of Contents' README.md" "doctoc": "doctoc --title='# Table of Contents' README.md"
}, },
"dependencies": { "dependencies": {
"@passport-next/passport-openid": "^1.0.0",
"Idle.Js": "git+https://github.com/shawnmclean/Idle.js", "Idle.Js": "git+https://github.com/shawnmclean/Idle.js",
"archiver": "^2.1.1", "archiver": "^2.1.1",
"async": "^2.1.4", "async": "^2.1.4",

View file

@ -78,7 +78,26 @@
</div> </div>
</form> </form>
<% } %> <% } %>
<% if((facebook || twitter || github || gitlab || mattermost || dropbox || google || ldap || oauth2) && email) { %> <% if((facebook || twitter || github || gitlab || mattermost || dropbox || google || ldap || oauth2) && openID) { %>
<hr>
<% }%>
<% if(openID) { %>
<h4>OpenID</h4>
<form data-toggle="validator" role="form" class="form-horizontal" method="post" enctype="application/x-www-form-urlencoded">
<div class="form-group">
<div class="col-sm-12">
<input type="text" class="form-control" name="openid_identifier" placeholder="OpenID" required>
<span class="help-block control-label with-errors" style="display: inline;"></span>
</div>
</div>
<div class="form-group">
<div class="col-sm-12">
<button type="submit" class="btn btn-primary" formaction="<%- url %>/auth/openid">Sign in</button>
</div>
</div>
</form>
<% } %>
<% if((facebook || twitter || github || gitlab || mattermost || dropbox || google || ldap || oauth2 || openID) && email) { %>
<hr> <hr>
<% }%> <% }%>
<% if(email) { %> <% if(email) { %>