Merge pull request #1626 from joachimmathes/oauth2_authorization

hackmdio · Jun 5, 2023 · be1f4cf · be1f4cf
2 parents ae38fd3 + 0ec949d
commit be1f4cf
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/lib/auth/oauth2/strategy.js b/lib/auth/oauth2/strategy.js
@@ -4,6 +4,7 @@ const { Strategy, InternalOAuthError } = require('passport-oauth2')
 const config = require('../../config')
 
 function parseProfile (data) {
+  const id = extractProfileAttribute(data, config.oauth2.userProfileIdAttr)
   const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
   const displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr)
   const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr)
@@ -14,7 +15,7 @@ function parseProfile (data) {
   }
 
   return {
-    id: username,
+    id: id || username,
     username: username,
     displayName: displayName,
     email: email,
@@ -41,6 +42,16 @@ function extractProfileAttribute (data, path) {
   return data
 }
 
+function checkAuthorization (data, done) {
+  const roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
+
+  if (config.oauth2.accessRole && roles) {
+    if (!roles.includes(config.oauth2.accessRole)) {
+      return done('Permission denied', null)
+    }
+  }
+}
+
 class OAuth2CustomStrategy extends Strategy {
   constructor (options, verify) {
     options.customHeaders = options.customHeaders || {}
@@ -59,6 +70,7 @@ class OAuth2CustomStrategy extends Strategy {
       let profile, json
       try {
         json = JSON.parse(body)
+        checkAuthorization(json, done)
         profile = parseProfile(json)
       } catch (ex) {
         return done(new InternalOAuthError('Failed to parse user profile' + ex.toString()))

diff --git a/lib/config/environment.js b/lib/config/environment.js
@@ -98,6 +98,9 @@ module.exports = {
     userProfileURL: process.env.CMD_OAUTH2_USER_PROFILE_URL,
     scope: process.env.CMD_OAUTH2_SCOPE,
     state: process.env.CMD_OAUTH2_STATE,
+    rolesClaim: process.env.CMD_OAUTH2_ROLES_CLAIM,
+    accessRole: process.env.CMD_OAUTH2_ACCESS_ROLE,
+    userProfileIdAttr: process.env.CMD_OAUTH2_USER_PROFILE_ID_ATTR,
     userProfileUsernameAttr: process.env.CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR,
     userProfileDisplayNameAttr: process.env.CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR,
     userProfileEmailAttr: process.env.CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR,