Update:/auth/openid/config API endpoint to require admin user and validate issuer URL
This commit is contained in:
parent
4336714248
commit
728496010c
@ -469,17 +469,38 @@ class Auth {
|
||||
this.handleLoginSuccessBasedOnCookie.bind(this))
|
||||
|
||||
/**
|
||||
* Used to auto-populate the openid URLs in config/authentication
|
||||
* Helper route used to auto-populate the openid URLs in config/authentication
|
||||
* Takes an issuer URL as a query param and requests the config data at "/.well-known/openid-configuration"
|
||||
*
|
||||
* @example /auth/openid/config?issuer=http://192.168.1.66:9000/application/o/audiobookshelf/
|
||||
*/
|
||||
router.get('/auth/openid/config', async (req, res) => {
|
||||
router.get('/auth/openid/config', this.isAuthenticated, async (req, res) => {
|
||||
if (!req.user.isAdminOrUp) {
|
||||
Logger.error(`[Auth] Non-admin user "${req.user.username}" attempted to get issuer config`)
|
||||
return res.sendStatus(403)
|
||||
}
|
||||
|
||||
if (!req.query.issuer) {
|
||||
return res.status(400).send('Invalid request. Query param \'issuer\' is required')
|
||||
}
|
||||
|
||||
// Strip trailing slash
|
||||
let issuerUrl = req.query.issuer
|
||||
if (issuerUrl.endsWith('/')) issuerUrl = issuerUrl.slice(0, -1)
|
||||
|
||||
const configUrl = `${issuerUrl}/.well-known/openid-configuration`
|
||||
axios.get(configUrl).then(({ data }) => {
|
||||
// Append config pathname and validate URL
|
||||
let configUrl = null
|
||||
try {
|
||||
configUrl = new URL(`${issuerUrl}/.well-known/openid-configuration`)
|
||||
if (!configUrl.pathname.endsWith('/.well-known/openid-configuration')) {
|
||||
throw new Error('Invalid pathname')
|
||||
}
|
||||
} catch (error) {
|
||||
Logger.error(`[Auth] Failed to get openid configuration. Invalid URL "${configUrl}"`, error)
|
||||
return res.status(400).send('Invalid request. Query param \'issuer\' is invalid')
|
||||
}
|
||||
|
||||
axios.get(configUrl.toString()).then(({ data }) => {
|
||||
res.json({
|
||||
issuer: data.issuer,
|
||||
authorization_endpoint: data.authorization_endpoint,
|
||||
|