Separate environment configs (#6597)

* Separate environment configs * wip * wip * test * plugins * test * test * .sequelizerc, unfortunately can't go through /utils/environment due to not supporting TS * docker-compose -> docker compose * fix: .local wipes .development * Add custom validation message for invalid SECRET_KEY (often confused)
2024-02-27 09:24:23 -08:00
parent 415383a1c9
commit 60e52d0423
45 changed files with 489 additions and 409 deletions
--- a/plugins/oidc/plugin.json
+++ b/plugins/oidc/plugin.json
@@ -1,12 +1,5 @@
 {
  "name": "OIDC",
  "description": "Adds an OpenID compatible authentication provider.",
-  "requiredEnvVars": [
-    "OIDC_CLIENT_ID",
-    "OIDC_CLIENT_SECRET",
-    "OIDC_AUTH_URI",
-    "OIDC_TOKEN_URI",
-    "OIDC_USERINFO_URI",
-    "OIDC_DISPLAY_NAME"
-  ]
+  "requiredEnvVars": ["OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET", "OIDC_AUTH_URI", "OIDC_TOKEN_URI", "OIDC_USERINFO_URI"]
 }
--- a/plugins/oidc/server/auth/oidc.ts
+++ b/plugins/oidc/server/auth/oidc.ts
@@ -5,7 +5,6 @@ import get from "lodash/get";
 import { Strategy } from "passport-oauth2";
 import { slugifyDomain } from "@shared/utils/domains";
 import accountProvisioner from "@server/commands/accountProvisioner";
-import env from "@server/env";
 import {
  OIDCMalformedUserInfoError,
  AuthenticationError,
@@ -19,6 +18,7 @@ import {
  getTeamFromContext,
  getClientFromContext,
 } from "@server/utils/passport";
+import env from "../env";

 const router = new Router();
 const providerName = "oidc";
--- a/plugins/oidc/server/env.ts
+++ b/plugins/oidc/server/env.ts
@@ -0,0 +1,79 @@
+import { IsOptional, IsUrl, MaxLength } from "class-validator";
+import { Environment } from "@server/env";
+import environment from "@server/utils/environment";
+import { CannotUseWithout } from "@server/utils/validators";
+
+class OIDCPluginEnvironment extends Environment {
+  /**
+   * OIDC client credentials. To enable authentication with any
+   * compatible provider.
+   */
+  @IsOptional()
+  @CannotUseWithout("OIDC_CLIENT_SECRET")
+  @CannotUseWithout("OIDC_AUTH_URI")
+  @CannotUseWithout("OIDC_TOKEN_URI")
+  @CannotUseWithout("OIDC_USERINFO_URI")
+  @CannotUseWithout("OIDC_DISPLAY_NAME")
+  public OIDC_CLIENT_ID = this.toOptionalString(environment.OIDC_CLIENT_ID);
+
+  @IsOptional()
+  @CannotUseWithout("OIDC_CLIENT_ID")
+  public OIDC_CLIENT_SECRET = this.toOptionalString(
+    environment.OIDC_CLIENT_SECRET
+  );
+
+  /**
+   * The name of the OIDC provider, eg "GitLab" – this will be displayed on the
+   * sign-in button and other places in the UI. The default value is:
+   * "OpenID Connect".
+   */
+  @MaxLength(50)
+  public OIDC_DISPLAY_NAME = environment.OIDC_DISPLAY_NAME ?? "OpenID Connect";
+
+  /**
+   * The OIDC authorization endpoint.
+   */
+  @IsOptional()
+  @IsUrl({
+    require_tld: false,
+    allow_underscores: true,
+  })
+  public OIDC_AUTH_URI = this.toOptionalString(environment.OIDC_AUTH_URI);
+
+  /**
+   * The OIDC token endpoint.
+   */
+  @IsOptional()
+  @IsUrl({
+    require_tld: false,
+    allow_underscores: true,
+  })
+  public OIDC_TOKEN_URI = this.toOptionalString(environment.OIDC_TOKEN_URI);
+
+  /**
+   * The OIDC userinfo endpoint.
+   */
+  @IsOptional()
+  @IsUrl({
+    require_tld: false,
+    allow_underscores: true,
+  })
+  public OIDC_USERINFO_URI = this.toOptionalString(
+    environment.OIDC_USERINFO_URI
+  );
+
+  /**
+   * The OIDC profile field to use as the username. The default value is
+   * "preferred_username".
+   */
+  public OIDC_USERNAME_CLAIM =
+    environment.OIDC_USERNAME_CLAIM ?? "preferred_username";
+
+  /**
+   * A space separated list of OIDC scopes to request. Defaults to "openid
+   * profile email".
+   */
+  public OIDC_SCOPES = environment.OIDC_SCOPES ?? "openid profile email";
+}
+
+export default new OIDCPluginEnvironment();
--- a/plugins/oidc/server/oidc.ts
+++ b/plugins/oidc/server/oidc.ts
@@ -0,0 +1,18 @@
+import invariant from "invariant";
+import OAuthClient from "@server/utils/oauth";
+import env from "./env";
+
+export default class OIDCClient extends OAuthClient {
+  endpoints = {
+    authorize: env.OIDC_AUTH_URI || "",
+    token: env.OIDC_TOKEN_URI || "",
+    userinfo: env.OIDC_USERINFO_URI || "",
+  };
+
+  constructor() {
+    invariant(env.OIDC_CLIENT_ID, "OIDC_CLIENT_ID is required");
+    invariant(env.OIDC_CLIENT_SECRET, "OIDC_CLIENT_SECRET is required");
+
+    super(env.OIDC_CLIENT_ID, env.OIDC_CLIENT_SECRET);
+  }
+}