Use a short-time cookie to remember where to callback to

This commit is contained in:
lukeIam 2023-09-14 18:49:19 +01:00
parent 405c954b65
commit af4c35069b
5 changed files with 2212 additions and 14 deletions


@ -39,10 +39,10 @@
</form> </form>
<hr /> <hr />
<div class="w-full flex py-3"> <div class="w-full flex py-3">
<a href="http://localhost:3333/auth/google"> <a :href="`http://localhost:3333/auth/google?callback=${currentUrl}`">
<ui-btn color="primary" class="leading-none">Login with Google</ui-btn> <ui-btn color="primary" class="leading-none">Login with Google</ui-btn>
</a> </a>
<a href="http://localhost:3333/auth/openid"> <a :href="`http://localhost:3333/auth/openid?callback=${currentUrl}`">
<ui-btn color="primary" class="leading-none">Login with OpenId</ui-btn> <ui-btn color="primary" class="leading-none">Login with OpenId</ui-btn>
</a> </a>
</div> </div>
@ -69,7 +69,8 @@ export default {
}, },
confirmPassword: '', confirmPassword: '',
ConfigPath: '', ConfigPath: '',
MetadataPath: '' MetadataPath: '',
currentUrl: location.toString()
} }
}, },
watch: { watch: {
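Review bot: `currentUrl` is interpolated into the href query string unencoded in both `:href` bindings, so any `?`, `&` or `#` in `location.toString()` (a login page reached with a query string, for example) splits or truncates the `callback` parameter on the server side. Use `encodeURIComponent(currentUrl)` in both bindings, or build the link with `new URL(...)` and `searchParams.set('callback', currentUrl)`. Because `currentUrl` is the full current location, a second login after a completed one will presumably also carry the `?setToken=` query appended by the server's redirect unless the app strips it — worth confirming that the bare login path is what is wanted here. The enclosing component definition starts and ends outside these hunks.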

2160
package-lock.json generated



@ -31,16 +31,17 @@
"license": "GPL-3.0", "license": "GPL-3.0",
"dependencies": { "dependencies": {
"axios": "^0.27.2", "axios": "^0.27.2",
"cookie-parser": "^1.4.6",
"express": "^4.17.1", "express": "^4.17.1",
"express-session": "^1.17.3", "express-session": "^1.17.3",
"graceful-fs": "^4.2.10", "graceful-fs": "^4.2.10",
"htmlparser2": "^8.0.1", "htmlparser2": "^8.0.1",
"node-tone": "^1.0.1", "node-tone": "^1.0.1",
"nodemailer": "^6.9.2",
"passport": "^0.6.0", "passport": "^0.6.0",
"passport-google-oauth20": "^2.0.0", "passport-google-oauth20": "^2.0.0",
"passport-jwt": "^4.0.1", "passport-jwt": "^4.0.1",
"passport-openidconnect": "^0.1.1", "passport-openidconnect": "^0.1.1",
"nodemailer": "^6.9.2",
"sequelize": "^6.32.1", "sequelize": "^6.32.1",
"socket.io": "^4.5.4", "socket.io": "^4.5.4",
"sqlite3": "^5.1.6", "sqlite3": "^5.1.6",


@ -32,7 +32,6 @@ class Auth {
clientSecret: global.ServerSettings.authGoogleOauth20ClientSecret, clientSecret: global.ServerSettings.authGoogleOauth20ClientSecret,
callbackURL: global.ServerSettings.authGoogleOauth20CallbackURL callbackURL: global.ServerSettings.authGoogleOauth20CallbackURL
}, (async function (accessToken, refreshToken, profile, done) { }, (async function (accessToken, refreshToken, profile, done) {
// TODO: what to use as username
// TODO: do we want to create the users which does not exist? // TODO: do we want to create the users which does not exist?
const user = await Database.userModel.getUserByEmail(profile.emails[0].value.toLowerCase()) const user = await Database.userModel.getUserByEmail(profile.emails[0].value.toLowerCase())
@ -59,7 +58,6 @@ class Auth {
skipUserProfile: false skipUserProfile: false
}, },
(function (issuer, profile, done) { (function (issuer, profile, done) {
// TODO: what to use as username
// TODO: do we want to create the users which does not exist? // TODO: do we want to create the users which does not exist?
var user = Database.userModel.getUserByEmail(profile.emails[0].value.toLowerCase()) var user = Database.userModel.getUserByEmail(profile.emails[0].value.toLowerCase())
@ -116,7 +114,20 @@ class Auth {
) )
// google-oauth20 strategy login route (this redirects to the google login) // google-oauth20 strategy login route (this redirects to the google login)
router.get('/auth/google', passport.authenticate('google', { scope: ['email'] })) router.get('/auth/google', (req, res, next) => {
const auth_func = passport.authenticate('google', { scope: ['email'] })
if (!req.query.callback || req.query.callback === "") {
res.status(400).send({
message: 'No callback parameter'
})
return
}
res.cookie('auth_cb', req.query.callback, {
maxAge: 120000 * 120, // Hack - this semms to be in UTC??
httpOnly: true
})
auth_func(req, res, next);
})
// google-oauth20 strategy callback route (this receives the token from google) // google-oauth20 strategy callback route (this receives the token from google)
router.get('/auth/google/callback', router.get('/auth/google/callback',
@ -125,13 +136,31 @@ class Auth {
// return the user login response json if the login was successfull // return the user login response json if the login was successfull
var data_json = await this.getUserLoginResponsePayload(req.user) var data_json = await this.getUserLoginResponsePayload(req.user)
// res.json(data_json) // res.json(data_json)
// TODO: figure out how to redirect back to the app page // TODO: do we want to somehow limit the values for auth_cb?
res.redirect(301, `http://localhost:3000/login?setToken=${data_json.user.token}`) if (req.cookies.auth_cb) {
res.redirect(302, `${req.cookies.auth_cb}?setToken=${data_json.user.token}`)
}
else {
res.status(400).send("No callback or already expired")
}
}).bind(this) }).bind(this)
) )
// openid strategy login route (this redirects to the configured openid login provider) // openid strategy login route (this redirects to the configured openid login provider)
router.get('/auth/openid', passport.authenticate('openidconnect')) router.get('/auth/openid', (req, res, next) => {
const auth_func = passport.authenticate('openidconnect')
if (!req.query.callback || req.query.callback === "") {
res.status(400).send({
message: 'No callback parameter'
})
return
}
res.cookie('auth_cb', req.query.callback, {
maxAge: 120000 * 120, // Hack - this semms to be in UTC??
httpOnly: true
})
auth_func(req, res, next);
})
// openid strategy callback route (this receives the token from the configured openid login provider) // openid strategy callback route (this receives the token from the configured openid login provider)
router.get('/auth/openid/callback', router.get('/auth/openid/callback',
@ -140,8 +169,12 @@ class Auth {
// return the user login response json if the login was successfull // return the user login response json if the login was successfull
var data_json = await this.getUserLoginResponsePayload(req.user) var data_json = await this.getUserLoginResponsePayload(req.user)
// res.json(data_json) // res.json(data_json)
// TODO: figure out how to redirect back to the app page if (req.cookies.auth_cb) {
res.redirect(301, `http://localhost:3000/login?setToken=${data_json.user.token}`) res.redirect(302, `${req.cookies.auth_cb}?setToken=${data_json.user.token}`)
}
else {
res.status(400).send("No callback or already expired")
}
}).bind(this) }).bind(this)
) )
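Review bot: The `callback` query value written to the `auth_cb` cookie in the `router.get('/auth/google'` hunk (and identically for `/auth/openid`) is later used unchecked in `res.redirect(302, `${req.cookies.auth_cb}?setToken=${data_json.user.token}`)`, so the freshly issued login token is sent to whatever URL was supplied when the flow started — an open redirect that leaks the token, which the new TODO on the callback route already hints at. The two login routes and the two callback routes are copy-pasted, so the check belongs in one helper that validates the callback against a configured origin allowlist before the cookie is set, as sketched below. `maxAge` is milliseconds in Express, so `120000 * 120` is four hours rather than a short-lived cookie and has nothing to do with UTC; `maxAge: 2 * 60 * 1000` matches the commit's stated intent. At redirect time, build the target with `new URL(req.cookies.auth_cb)` and `url.searchParams.set('setToken', ...)` so a callback that already carries a query string does not get a second `?`, and call `res.clearCookie('auth_cb')` first so the value is single-use; `req.query.callback` should also be checked with `typeof === 'string'`, since Express's query parser can yield an array. The enclosing `class Auth` method starts and ends outside these hunks.
```javascript
// Origins the post-login redirect may target. PLACEHOLDER: load from server settings
// (e.g. the web app's own origin); an empty list rejects every callback.
const ALLOWED_CALLBACK_ORIGINS = []

// Validate the `callback` query parameter and remember it in a short-lived cookie.
// Returns false (and has already sent a 400) when the request must not proceed.
const rememberCallback = (req, res) => {
  const callback = req.query.callback
  if (typeof callback !== 'string' || callback === '') {
    res.status(400).send({ message: 'No callback parameter' })
    return false
  }
  let parsed
  try {
    parsed = new URL(callback)
  } catch {
    res.status(400).send({ message: 'Invalid callback parameter' })
    return false
  }
  if (!ALLOWED_CALLBACK_ORIGINS.includes(parsed.origin)) {
    res.status(400).send({ message: 'Callback origin not allowed' })
    return false
  }
  res.cookie('auth_cb', parsed.toString(), {
    maxAge: 2 * 60 * 1000, // milliseconds: long enough for the provider round-trip
    httpOnly: true,
    sameSite: 'lax', // still sent on the top-level GET back from the provider
    secure: req.secure // requires `trust proxy` when TLS terminates upstream
  })
  return true
}
router.get('/auth/google', (req, res, next) => {
  if (!rememberCallback(req, res)) return
  passport.authenticate('google', { scope: ['email'] })(req, res, next)
})
// … unchanged: google callback route; openid login route uses rememberCallback the same way …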


@ -5,6 +5,7 @@ const http = require('http')
const fs = require('./libs/fsExtra') const fs = require('./libs/fsExtra')
const fileUpload = require('./libs/expressFileupload') const fileUpload = require('./libs/expressFileupload')
const rateLimit = require('./libs/expressRateLimit') const rateLimit = require('./libs/expressRateLimit')
const cookieParser = require("cookie-parser");
const { version } = require('../package.json') const { version } = require('../package.json')
@ -136,6 +137,8 @@ class Server {
const app = express() const app = express()
// parse cookies in requests
app.use(cookieParser());
// enable express-session // enable express-session
app.use(expressSession({ app.use(expressSession({
secret: global.ServerSettings.tokenSecret, secret: global.ServerSettings.tokenSecret,
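Review bot: The added `const cookieParser = require("cookie-parser");` uses double quotes and a trailing semicolon while every neighbouring require in the hunk uses single quotes and no semicolon; `const cookieParser = require('cookie-parser')` keeps the file consistent. Mounting `cookieParser()` before `expressSession` is the right order, and without a secret the parser only exposes unsigned cookies via `req.cookies`, which is fine for `auth_cb` as long as the consumer treats the value as client-controlled input rather than trusted state — worth a one-line comment such as `// cookies are unsigned: req.cookies values are client-supplied`. The enclosing `class Server` method continues outside the hunk.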