mirror of
https://github.com/advplyr/audiobookshelf.git
synced 2025-01-22 00:07:52 +01:00
Update:/auth/openid/config API endpoint to require admin user and validate issuer URL
This commit is contained in:
parent
4336714248
commit
728496010c
@ -296,7 +296,7 @@ class Auth {
|
|||||||
if (req.query.redirect_uri) {
|
if (req.query.redirect_uri) {
|
||||||
// Check if the redirect_uri is in the whitelist
|
// Check if the redirect_uri is in the whitelist
|
||||||
if (Database.serverSettings.authOpenIDMobileRedirectURIs.includes(req.query.redirect_uri) ||
|
if (Database.serverSettings.authOpenIDMobileRedirectURIs.includes(req.query.redirect_uri) ||
|
||||||
(Database.serverSettings.authOpenIDMobileRedirectURIs.length === 1 && Database.serverSettings.authOpenIDMobileRedirectURIs[0] === '*')) {
|
(Database.serverSettings.authOpenIDMobileRedirectURIs.length === 1 && Database.serverSettings.authOpenIDMobileRedirectURIs[0] === '*')) {
|
||||||
oidcStrategy._params.redirect_uri = new URL(`${protocol}://${req.get('host')}/auth/openid/mobile-redirect`).toString()
|
oidcStrategy._params.redirect_uri = new URL(`${protocol}://${req.get('host')}/auth/openid/mobile-redirect`).toString()
|
||||||
mobile_redirect_uri = req.query.redirect_uri
|
mobile_redirect_uri = req.query.redirect_uri
|
||||||
} else {
|
} else {
|
||||||
@ -381,7 +381,7 @@ class Auth {
|
|||||||
try {
|
try {
|
||||||
// Extract the state parameter from the request
|
// Extract the state parameter from the request
|
||||||
const { state, code } = req.query
|
const { state, code } = req.query
|
||||||
|
|
||||||
// Check if the state provided is in our list
|
// Check if the state provided is in our list
|
||||||
if (!state || !this.openIdAuthSession.has(state)) {
|
if (!state || !this.openIdAuthSession.has(state)) {
|
||||||
Logger.error('[Auth] /auth/openid/mobile-redirect route: State parameter mismatch')
|
Logger.error('[Auth] /auth/openid/mobile-redirect route: State parameter mismatch')
|
||||||
@ -469,17 +469,38 @@ class Auth {
|
|||||||
this.handleLoginSuccessBasedOnCookie.bind(this))
|
this.handleLoginSuccessBasedOnCookie.bind(this))
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Used to auto-populate the openid URLs in config/authentication
|
* Helper route used to auto-populate the openid URLs in config/authentication
|
||||||
|
* Takes an issuer URL as a query param and requests the config data at "/.well-known/openid-configuration"
|
||||||
|
*
|
||||||
|
* @example /auth/openid/config?issuer=http://192.168.1.66:9000/application/o/audiobookshelf/
|
||||||
*/
|
*/
|
||||||
router.get('/auth/openid/config', async (req, res) => {
|
router.get('/auth/openid/config', this.isAuthenticated, async (req, res) => {
|
||||||
|
if (!req.user.isAdminOrUp) {
|
||||||
|
Logger.error(`[Auth] Non-admin user "${req.user.username}" attempted to get issuer config`)
|
||||||
|
return res.sendStatus(403)
|
||||||
|
}
|
||||||
|
|
||||||
if (!req.query.issuer) {
|
if (!req.query.issuer) {
|
||||||
return res.status(400).send('Invalid request. Query param \'issuer\' is required')
|
return res.status(400).send('Invalid request. Query param \'issuer\' is required')
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Strip trailing slash
|
||||||
let issuerUrl = req.query.issuer
|
let issuerUrl = req.query.issuer
|
||||||
if (issuerUrl.endsWith('/')) issuerUrl = issuerUrl.slice(0, -1)
|
if (issuerUrl.endsWith('/')) issuerUrl = issuerUrl.slice(0, -1)
|
||||||
|
|
||||||
const configUrl = `${issuerUrl}/.well-known/openid-configuration`
|
// Append config pathname and validate URL
|
||||||
axios.get(configUrl).then(({ data }) => {
|
let configUrl = null
|
||||||
|
try {
|
||||||
|
configUrl = new URL(`${issuerUrl}/.well-known/openid-configuration`)
|
||||||
|
if (!configUrl.pathname.endsWith('/.well-known/openid-configuration')) {
|
||||||
|
throw new Error('Invalid pathname')
|
||||||
|
}
|
||||||
|
} catch (error) {
|
||||||
|
Logger.error(`[Auth] Failed to get openid configuration. Invalid URL "${configUrl}"`, error)
|
||||||
|
return res.status(400).send('Invalid request. Query param \'issuer\' is invalid')
|
||||||
|
}
|
||||||
|
|
||||||
|
axios.get(configUrl.toString()).then(({ data }) => {
|
||||||
res.json({
|
res.json({
|
||||||
issuer: data.issuer,
|
issuer: data.issuer,
|
||||||
authorization_endpoint: data.authorization_endpoint,
|
authorization_endpoint: data.authorization_endpoint,
|
||||||
|
Loading…
Reference in New Issue
Block a user