Commit Graph

107 Commits

Author SHA1 Message Date
mikiher
6d8720b404 Subfolder support for OIDC auth 2024-11-29 04:28:50 +02:00
mikiher
a382482173 Add in-memory user cache 2024-11-10 08:34:47 +02:00
mikiher
bf8407274e No auth for author images 2024-11-03 08:45:43 +02:00
advplyr
7a1623e6a1 Move cover path func to LibraryItem model 2024-11-02 12:56:40 -05:00
mikiher
4224b8a486 No auth and req.user for cover images 2024-11-02 15:17:11 +02:00
advplyr
5308fd8b46 Update:Create & update API endpoints to create with new data model 2024-08-17 17:18:40 -05:00
advplyr
1b914d5d4f Update:Log local auth login attempts for failed and successful #2533 #2579 2024-08-17 15:02:59 -05:00
advplyr
2472b86284 Update:Express middleware sets req.user to new data model, openid permissions functions moved to new data model 2024-08-11 16:07:29 -05:00
advplyr
9facf77ff1 Update remove old sync local sessions endpoint & update MeController routes to use new user model 2024-08-11 13:09:53 -05:00
advplyr
202ceb02b5 Update:Auth to use new user model
- Express requests include userNew to start migrating API controllers to new user model
2024-08-10 15:46:04 -05:00
advplyr
eca51457b7 Update jsdocs and auto-formatting 2024-08-04 16:13:40 -05:00
apocer
f75f0b8cc8 show dropdown if issuer has list of algorithms 2024-04-09 22:29:06 +02:00
basti
304d0f6d43 id_token_signed_respo... should be in new Client 2024-04-03 22:52:49 +02:00
basti
6c9a811472 Add ui and settings for OpenID Signing Algorithm 2024-04-03 16:18:13 +02:00
advplyr
a5d7a81519 Clean up formatting of advanced group/permission claims on authentication page 2024-03-30 14:17:34 -05:00
advplyr
7e8fd91fc5 Update OIDC advanced permissions check to only perform an update on changes
- Update permissions example to use UUIDv4 strings for allowedLibraries
- More validation on advanced permission JSON to ensure arrays are array of strings
- Only set allowedTags and allowedLibraries if the corresponding access all permission is false
2024-03-30 14:04:02 -05:00
Denis Arnst
90e1283058
OpenID: Allow email_verified null and also check username
Only disallow when email_verified explicitly false
Also check username besides preferred_username, even when its not included in OIDC checks (synology uses username)
2024-03-29 15:11:56 +01:00
Denis Arnst
8cd50d5684
OpenID: Don't downgrade root 2024-03-29 14:51:34 +01:00
Denis Arnst
1646f0ebc2
OpenID: Ignore admin for advanced permissions
Also removed some semicolons
2024-03-19 19:35:34 +01:00
Denis Arnst
f661e0835c
Auth: Simplify Code 2024-03-19 19:18:38 +01:00
Denis Arnst
56f1bfef50
Auth/OpenID: Implement Permissions via OpenID
* Ability to set group
* Ability to set more advanced permissions
* Modified TextInputWithLabel to provide an ability to specify a different placeholder then the name
2024-03-19 17:57:24 +01:00
Denis Arnst
2a722ab163
Auth: Fix crash on missing logout URL
When using OpenID
Also added debug information on openid errors
2024-03-12 18:07:13 +01:00
advplyr
def2988e12 Update:Passport openid-client request timeout set to 10s (default was 3.5s) #2669 2024-02-26 17:20:11 -06:00
advplyr
bf66e13377 Update jsdocs 2024-02-17 16:06:25 -06:00
Denis Arnst
c3ba7daa16 Auth: Remove is_rest cookie 2024-01-25 16:05:41 +01:00
Denis Arnst
82048cd4f3 SSO: Also save openid_id_token longer 2024-01-25 15:13:56 +01:00
Denis Arnst
edb5ff1e33 SSO: Remove pick function 2024-01-25 11:44:20 +01:00
Denis Arnst
d4ed6348ee Auth: Store auth_method longer
Its not unrealistic that someone keeps being logged into the app for more than a year
if not stored longer logout process might not work anymore
2024-01-25 11:20:44 +01:00
Denis Arnst
f12ac685e8 /auth/openid: Restructure
- Distingush more explictly between mobile and web flow and simplify logic
- Allow state parameter to be passed in mobile flow
- Additional checks for correct parameters
- Remove unused id_token code
- Enforce S256 and don't allow plain PKCE
2024-01-25 11:13:34 +01:00
Denis Arnst
87ebf4722b OpenID/SSO: Implement Logout functionality 2024-01-24 22:47:50 +01:00
advplyr
19e1803633 Remove unused import 2024-01-22 17:56:41 -06:00
advplyr
728496010c Update:/auth/openid/config API endpoint to require admin user and validate issuer URL 2023-12-17 10:41:39 -06:00
Denis Arnst
cf00650c6d SSO/OpenID: Also fix possible race condition
- We need to define redirect_uri in the callback again, because the global params of passport can change between calls to the first route (ie. if multiple users log in at same time)
- Removed is_rest parameter as requirement for mobile flow (to maximise compatibility with possible oauth libraries)
- Also renamed some variables for clarity
2023-12-05 09:43:06 +01:00
Denis Arnst
e6ab28365f SSO/OpenID: Remove modifying redirect_uri in the callback
The redirect URI will be now correctly set to either /callback or /mobile-redirect in the /auth/openid route
2023-12-05 00:18:58 +01:00
Denis Arnst
80fd2a1a18 SSO/OpenID: Use a mobile-redirect route (Fixes #2379 and #2381)
- Implement /auth/openid/mobile-redirect this will redirect to an app-link like audiobookshelf://oauth
- An app must provide an `redirect_uri` parameter with the app-link in the authorization request to /auth/openid
- The user will have to whitelist possible URLs, or explicitly allow all
- Also modified MultiSelect to allow to hide the menu/popup
2023-12-04 22:36:34 +01:00
advplyr
84160b2f07 Fix:Server crash when user without a password attempts to login with a password #2378 2023-12-02 16:17:52 -06:00
advplyr
a719065b8d Auto formatting 2023-11-28 16:37:19 -06:00
Denis Arnst
36599a2984 SSO/OpenID: Rename probably misleading message 2023-11-28 21:16:39 +01:00
Denis Arnst
618028503b SSO/OpenID: Also Log token header 2023-11-28 20:07:49 +01:00
Denis Arnst
ad53894ea1 SSO/OpenID: Provide detailed error messages 2023-11-28 17:29:22 +01:00
advplyr
9beee3ed65 Fix:Change password api endpoint 2023-11-23 15:14:49 -06:00
advplyr
048e27f03f Update:Openid auth endpoint sets the mobile flag on session to be used in the callback
Co-authored-by: Denis Arnst <git@sapd.eu>
2023-11-20 15:41:38 -06:00
advplyr
aa933df525 Update oidc redirect_uri to check x-forwarded-proto header for proxies 2023-11-19 14:00:39 -06:00
advplyr
dcbfc963c1 Update protocol for redirect_uri in openid strategy to work for reverse proxies 2023-11-19 13:38:09 -06:00
advplyr
89eb857c14 Fix initialize openid auth strategy 2023-11-19 12:57:17 -06:00
advplyr
4c2c320b9d Remove global CORS for api endpoints and setup temp CORS check for ebook endpoint 2023-11-19 11:32:48 -06:00
advplyr
fb48636510 Openid auth failures redirect to login page with error message.
Remove remaining google oauth server settings
2023-11-11 13:10:24 -06:00
advplyr
1ad6722e6d Remove google-oauth passport strategy 2023-11-11 11:29:59 -06:00
advplyr
557ef2ef79 Update /auth/openid endpoints for correct PKCE handling
- Provide error handling for /auth/openid
- Add session.mobile inside /auth/openid
- Proper PKCE handling for /auth/openid/callback
- redirect_uri handling for the token url in /auth/openid/callback

Co-authored-by: Denis Arnst <git@sapd.eu>
2023-11-11 10:52:05 -06:00
advplyr
237fe84c54 Add new API endpoint for updating auth-settings and update passport auth strategies 2023-11-10 16:11:51 -06:00