yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
728790e38f490eb338493cf147f5796461943dd8
outline/server/routes/api/auth.ts
Tom Moor 728790e38f feat: Validate Google, Azure, OIDC SSO access (#3590) 
* chore: Store expiresAt on UserAuthentications. This represents the time that the accessToken is no longer valid and should be exchanged using the refreshToken

* feat: Check and expire Google SSO

* fix: Better handling of multiple auth methods
Added more docs

* fix: Retry access validation with network errors

* Small refactor, add Azure token validation support

* doc

* test

* lint

* OIDC refresh support

* CheckSSOAccessTask -> ValidateSSOAccessTask
Added lastValidatedAt column
Skip checks if validated within 5min
Some edge cases around encrypted columns
2022-06-05 13:18:51 -07:00

129 lines
3.3 KiB
TypeScript
Raw Blame History

import invariant from "invariant";
import Router from "koa-router";
import { find } from "lodash";
import { parseDomain } from "@shared/utils/domains";
import env from "@server/env";
import auth from "@server/middlewares/authentication";
import { Team, TeamDomain } from "@server/models";
import { presentUser, presentTeam, presentPolicies } from "@server/presenters";
import ValidateSSOAccessTask from "@server/queues/tasks/ValidateSSOAccessTask";
import providers from "../auth/providers";
const router = new Router();
function filterProviders(team?: Team) {
return providers
.sort((provider) => (provider.id === "email" ? 1 : -1))
.filter((provider) => {
// guest sign-in is an exception as it does not have an authentication
// provider using passport, instead it exists as a boolean option on the team
if (provider.id === "email") {
return team?.emailSigninEnabled;
}
return (
!team ||
env.DEPLOYMENT !== "hosted" ||
find(team.authenticationProviders, {
name: provider.id,
enabled: true,
})
);
})
.map((provider) => ({
id: provider.id,
name: provider.name,
authUrl: provider.authUrl,
}));
}
router.post("auth.config", async (ctx) => {
// If self hosted AND there is only one team then that team becomes the
// brand for the knowledge base and it's guest signin option is used for the
// root login page.
if (env.DEPLOYMENT !== "hosted") {
const team = await Team.scope("withAuthenticationProviders").findOne();
if (team) {
ctx.body = {
data: {
name: team.name,
providers: filterProviders(team),
},
};
return;
}
}
const domain = parseDomain(ctx.request.hostname);
if (domain.custom) {
const team = await Team.scope("withAuthenticationProviders").findOne({
where: {
domain: ctx.request.hostname,
},
});
if (team) {
ctx.body = {
data: {
name: team.name,
hostname: ctx.request.hostname,
providers: filterProviders(team),
},
};
return;
}
}
// If subdomain signin page then we return minimal team details to allow
// for a custom screen showing only relevant signin options for that team.
else if (env.SUBDOMAINS_ENABLED && domain.teamSubdomain) {
const team = await Team.scope("withAuthenticationProviders").findOne({
where: {
subdomain: domain.teamSubdomain,
},
});
if (team) {
ctx.body = {
data: {
name: team.name,
hostname: ctx.request.hostname,
providers: filterProviders(team),
},
};
return;
}
}
// Otherwise, we're requesting from the standard root signin page
ctx.body = {
data: {
providers: filterProviders(),
},
};
});
router.post("auth.info", auth(), async (ctx) => {
const { user } = ctx.state;
const team = await Team.findByPk(user.teamId, {
include: [{ model: TeamDomain }],
});
invariant(team, "Team not found");
await ValidateSSOAccessTask.schedule({ userId: user.id });
ctx.body = {
data: {
user: presentUser(user, {
includeDetails: true,
}),
team: presentTeam(team),
},
policies: presentPolicies(user, [team]),
};
});
export default router;
Reference in New Issue View Git Blame Copy Permalink