Update:/auth/openid/config API endpoint to require admin user and validate issuer URL

This commit is contained in:
advplyr 2023-12-17 10:41:39 -06:00
parent 4336714248
commit 728496010c

View File

@ -469,17 +469,38 @@ class Auth {
this.handleLoginSuccessBasedOnCookie.bind(this)) this.handleLoginSuccessBasedOnCookie.bind(this))
/** /**
* Used to auto-populate the openid URLs in config/authentication * Helper route used to auto-populate the openid URLs in config/authentication
* Takes an issuer URL as a query param and requests the config data at "/.well-known/openid-configuration"
*
* @example /auth/openid/config?issuer=http://192.168.1.66:9000/application/o/audiobookshelf/
*/ */
router.get('/auth/openid/config', async (req, res) => { router.get('/auth/openid/config', this.isAuthenticated, async (req, res) => {
if (!req.user.isAdminOrUp) {
Logger.error(`[Auth] Non-admin user "${req.user.username}" attempted to get issuer config`)
return res.sendStatus(403)
}
if (!req.query.issuer) { if (!req.query.issuer) {
return res.status(400).send('Invalid request. Query param \'issuer\' is required') return res.status(400).send('Invalid request. Query param \'issuer\' is required')
} }
// Strip trailing slash
let issuerUrl = req.query.issuer let issuerUrl = req.query.issuer
if (issuerUrl.endsWith('/')) issuerUrl = issuerUrl.slice(0, -1) if (issuerUrl.endsWith('/')) issuerUrl = issuerUrl.slice(0, -1)
const configUrl = `${issuerUrl}/.well-known/openid-configuration` // Append config pathname and validate URL
axios.get(configUrl).then(({ data }) => { let configUrl = null
try {
configUrl = new URL(`${issuerUrl}/.well-known/openid-configuration`)
if (!configUrl.pathname.endsWith('/.well-known/openid-configuration')) {
throw new Error('Invalid pathname')
}
} catch (error) {
Logger.error(`[Auth] Failed to get openid configuration. Invalid URL "${configUrl}"`, error)
return res.status(400).send('Invalid request. Query param \'issuer\' is invalid')
}
axios.get(configUrl.toString()).then(({ data }) => {
res.json({ res.json({
issuer: data.issuer, issuer: data.issuer,
authorization_endpoint: data.authorization_endpoint, authorization_endpoint: data.authorization_endpoint,