Mirrors/audiobookshelf
Mirrors/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2025-03-24 00:16:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update /auth/openid endpoints for correct PKCE handling

Browse Source 
- Provide error handling for /auth/openid
- Add session.mobile inside /auth/openid
- Proper PKCE handling for /auth/openid/callback
- redirect_uri handling for the token url in /auth/openid/callback

Co-authored-by: Denis Arnst <git@sapd.eu>
This commit is contained in:
advplyr 2023-11-11 10:52:05 -06:00
parent 237fe84c54
commit 557ef2ef79
1 changed files with 90 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
server/Auth.js
View File

@ -306,6 +306,7 @@ class Auth {
// openid strategy login route (this redirects to the configured openid login provider) // openid strategy login route (this redirects to the configured openid login provider)
router.get('/auth/openid', (req, res, next) => { router.get('/auth/openid', (req, res, next) => {
try {
// helper function from openid-client // helper function from openid-client
function pick(object, ...paths) { function pick(object, ...paths) {
const obj = {} const obj = {}
@ -377,11 +378,36 @@ class Auth {
// Redirect the user agent (browser) to the authorization URL // Redirect the user agent (browser) to the authorization URL
res.redirect(authorizationUrl) res.redirect(authorizationUrl)
} catch (error) {
Logger.error(`[Auth] Error in /auth/openid route: ${error}`)
res.status(500).send('Internal Server Error')
}
}) })
// openid strategy callback route (this receives the token from the configured openid login provider) // openid strategy callback route (this receives the token from the configured openid login provider)
router.get('/auth/openid/callback', router.get('/auth/openid/callback', (req, res, next) => {
passport.authenticate('openid-client'), const oidcStrategy = passport._strategy('openid-client')
const sessionKey = oidcStrategy._key
if (!req.session[sessionKey]) {
return res.status(400).send('No session')
}
// If the client sends us a code_verifier, we will tell passport to use this to send this in the token request
// The code_verifier will be validated by the oauth2 provider by comparing it to the code_challenge in the first request
// Crucial for API/Mobile clients
if (req.query.code_verifier) {
req.session[sessionKey].code_verifier = req.query.code_verifier
}
// While not required by the standard, the passport plugin re-sends the original redirect_uri in the token request
// We need to set it correctly, as some SSO providers (e.g. keycloak) check that parameter when it is provided
if (req.session[sessionKey].mobile) {
return passport.authenticate('openid-client', { redirect_uri: 'audiobookshelf://oauth' })(req, res, next)
} else {
return passport.authenticate('openid-client')(req, res, next)
}
},
// on a successfull login: read the cookies and react like the client requested (callback or json) // on a successfull login: read the cookies and react like the client requested (callback or json)
this.handleLoginSuccessBasedOnCookie.bind(this)) this.handleLoginSuccessBasedOnCookie.bind(this))