mirror of
https://github.com/advplyr/audiobookshelf.git
synced 2025-07-09 03:04:08 -04:00
- Implement /auth/openid/mobile-redirect this will redirect to an app-link like audiobookshelf://oauth - An app must provide an `redirect_uri` parameter with the app-link in the authorization request to /auth/openid - The user will have to whitelist possible URLs, or explicitly allow all - Also modified MultiSelect to allow to hide the menu/popup
This commit is contained in:
parent
84160b2f07
commit
80fd2a1a18
@ -50,7 +50,11 @@ export default {
|
|||||||
label: String,
|
label: String,
|
||||||
disabled: Boolean,
|
disabled: Boolean,
|
||||||
readonly: Boolean,
|
readonly: Boolean,
|
||||||
showEdit: Boolean
|
showEdit: Boolean,
|
||||||
|
menuDisabled: {
|
||||||
|
type: Boolean,
|
||||||
|
default: false
|
||||||
|
},
|
||||||
},
|
},
|
||||||
data() {
|
data() {
|
||||||
return {
|
return {
|
||||||
@ -77,7 +81,7 @@ export default {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
showMenu() {
|
showMenu() {
|
||||||
return this.isFocused
|
return this.isFocused && !this.menuDisabled
|
||||||
},
|
},
|
||||||
wrapperClass() {
|
wrapperClass() {
|
||||||
var classes = []
|
var classes = []
|
||||||
|
@ -46,6 +46,9 @@
|
|||||||
|
|
||||||
<ui-text-input-with-label ref="openidClientSecret" v-model="newAuthSettings.authOpenIDClientSecret" :disabled="savingSettings" :label="'Client Secret'" class="mb-2" />
|
<ui-text-input-with-label ref="openidClientSecret" v-model="newAuthSettings.authOpenIDClientSecret" :disabled="savingSettings" :label="'Client Secret'" class="mb-2" />
|
||||||
|
|
||||||
|
<ui-multi-select ref="redirectUris" v-model="newAuthSettings.authOpenIDMobileRedirectURIs" :items="newAuthSettings.authOpenIDMobileRedirectURIs" :label="$strings.LabelMobileRedirectURIs" class="mb-2" :menuDisabled="true" :disabled="savingSettings" />
|
||||||
|
<p class="pl-4 text-sm text-gray-300 mb-2" v-html="$strings.LabelMobileRedirectURIsDescription" />
|
||||||
|
|
||||||
<ui-text-input-with-label ref="buttonTextInput" v-model="newAuthSettings.authOpenIDButtonText" :disabled="savingSettings" :label="$strings.LabelButtonText" class="mb-2" />
|
<ui-text-input-with-label ref="buttonTextInput" v-model="newAuthSettings.authOpenIDButtonText" :disabled="savingSettings" :label="$strings.LabelButtonText" class="mb-2" />
|
||||||
|
|
||||||
<div class="flex items-center pt-1 mb-2">
|
<div class="flex items-center pt-1 mb-2">
|
||||||
@ -187,6 +190,25 @@ export default {
|
|||||||
this.$toast.error('Client Secret required')
|
this.$toast.error('Client Secret required')
|
||||||
isValid = false
|
isValid = false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function isValidRedirectURI(uri) {
|
||||||
|
// Check for somestring://someother/string
|
||||||
|
const pattern = new RegExp('^\\w+://[\\w\\.-]+$', 'i')
|
||||||
|
return pattern.test(uri)
|
||||||
|
}
|
||||||
|
|
||||||
|
const uris = this.newAuthSettings.authOpenIDMobileRedirectURIs
|
||||||
|
if (uris.includes('*') && uris.length > 1) {
|
||||||
|
this.$toast.error('Mobile Redirect URIs: Asterisk (*) must be the only entry if used')
|
||||||
|
isValid = false
|
||||||
|
} else {
|
||||||
|
uris.forEach(uri => {
|
||||||
|
if (uri !== '*' && !isValidRedirectURI(uri)) {
|
||||||
|
this.$toast.error(`Mobile Redirect URIs: Invalid URI ${uri}`)
|
||||||
|
isValid = false
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
return isValid
|
return isValid
|
||||||
},
|
},
|
||||||
async saveSettings() {
|
async saveSettings() {
|
||||||
|
@ -337,6 +337,8 @@
|
|||||||
"LabelMinute": "Minute",
|
"LabelMinute": "Minute",
|
||||||
"LabelMissing": "Fehlend",
|
"LabelMissing": "Fehlend",
|
||||||
"LabelMissingParts": "Fehlende Teile",
|
"LabelMissingParts": "Fehlende Teile",
|
||||||
|
"LabelMobileRedirectURIs": "Erlaubte Weiterleitungs-URIs für die mobile App",
|
||||||
|
"LabelMobileRedirectURIsDescription": "Dies ist eine Whitelist gültiger Umleitungs-URIs für mobile Apps. Der Standardwert ist <code>audiobookshelf://oauth</code>, den Sie entfernen oder durch zusätzliche URIs für die Integration von Drittanbieter-Apps ergänzen können. Die Verwendung eines Sternchens (<code>*</code>) als alleiniger Eintrag erlaubt jede URI.",
|
||||||
"LabelMore": "Mehr",
|
"LabelMore": "Mehr",
|
||||||
"LabelMoreInfo": "Mehr Info",
|
"LabelMoreInfo": "Mehr Info",
|
||||||
"LabelName": "Name",
|
"LabelName": "Name",
|
||||||
|
@ -343,6 +343,8 @@
|
|||||||
"LabelMinute": "Minute",
|
"LabelMinute": "Minute",
|
||||||
"LabelMissing": "Missing",
|
"LabelMissing": "Missing",
|
||||||
"LabelMissingParts": "Missing Parts",
|
"LabelMissingParts": "Missing Parts",
|
||||||
|
"LabelMobileRedirectURIs": "Allowed Mobile Redirect URIs",
|
||||||
|
"LabelMobileRedirectURIsDescription": "This is a whitelist of valid redirect URIs for mobile apps. The default one is <code>audiobookshelf://oauth</code>, which you can remove or supplement with additional URIs for third-party app integration. Using an asterisk (<code>*</code>) as the sole entry permits any URI.",
|
||||||
"LabelMore": "More",
|
"LabelMore": "More",
|
||||||
"LabelMoreInfo": "More Info",
|
"LabelMoreInfo": "More Info",
|
||||||
"LabelName": "Name",
|
"LabelName": "Name",
|
||||||
|
@ -8,6 +8,7 @@ const ExtractJwt = require('passport-jwt').ExtractJwt
|
|||||||
const OpenIDClient = require('openid-client')
|
const OpenIDClient = require('openid-client')
|
||||||
const Database = require('./Database')
|
const Database = require('./Database')
|
||||||
const Logger = require('./Logger')
|
const Logger = require('./Logger')
|
||||||
|
const e = require('express')
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @class Class for handling all the authentication related functionality.
|
* @class Class for handling all the authentication related functionality.
|
||||||
@ -15,6 +16,8 @@ const Logger = require('./Logger')
|
|||||||
class Auth {
|
class Auth {
|
||||||
|
|
||||||
constructor() {
|
constructor() {
|
||||||
|
// Map of openId sessions indexed by oauth2 state-variable
|
||||||
|
this.openIdAuthSession = new Map()
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -283,7 +286,26 @@ class Auth {
|
|||||||
// for API or mobile clients
|
// for API or mobile clients
|
||||||
const oidcStrategy = passport._strategy('openid-client')
|
const oidcStrategy = passport._strategy('openid-client')
|
||||||
const protocol = (req.secure || req.get('x-forwarded-proto') === 'https') ? 'https' : 'http'
|
const protocol = (req.secure || req.get('x-forwarded-proto') === 'https') ? 'https' : 'http'
|
||||||
oidcStrategy._params.redirect_uri = new URL(`${protocol}://${req.get('host')}/auth/openid/callback`).toString()
|
|
||||||
|
let redirect_uri = null
|
||||||
|
|
||||||
|
// The client wishes a different redirect_uri
|
||||||
|
// We will allow if it is in the whitelist, by saving it into this.openIdAuthSession and setting the redirect uri to /auth/openid/mobile-redirect
|
||||||
|
// where we will handle the redirect to it
|
||||||
|
if (req.query.redirect_uri) {
|
||||||
|
// Check if the redirect_uri is in the whitelist
|
||||||
|
if (Database.serverSettings.authOpenIDMobileRedirectURIs.includes(req.query.redirect_uri) ||
|
||||||
|
(Database.serverSettings.authOpenIDMobileRedirectURIs.length === 1 && Database.serverSettings.authOpenIDMobileRedirectURIs[0] === '*')) {
|
||||||
|
oidcStrategy._params.redirect_uri = new URL(`${protocol}://${req.get('host')}/auth/openid/mobile-redirect`).toString()
|
||||||
|
redirect_uri = req.query.redirect_uri
|
||||||
|
} else {
|
||||||
|
Logger.debug(`[Auth] Invalid redirect_uri=${req.query.redirect_uri} - not in whitelist`)
|
||||||
|
return res.status(400).send('Invalid redirect_uri')
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
oidcStrategy._params.redirect_uri = new URL(`${protocol}://${req.get('host')}/auth/openid/callback`).toString()
|
||||||
|
}
|
||||||
|
|
||||||
Logger.debug(`[Auth] Set oidc redirect_uri=${oidcStrategy._params.redirect_uri}`)
|
Logger.debug(`[Auth] Set oidc redirect_uri=${oidcStrategy._params.redirect_uri}`)
|
||||||
const client = oidcStrategy._client
|
const client = oidcStrategy._client
|
||||||
const sessionKey = oidcStrategy._key
|
const sessionKey = oidcStrategy._key
|
||||||
@ -327,6 +349,10 @@ class Auth {
|
|||||||
mobile: req.query.isRest?.toLowerCase() === 'true' // Used in the abs callback later
|
mobile: req.query.isRest?.toLowerCase() === 'true' // Used in the abs callback later
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// We cannot save redirect_uri in the session, because it the mobile client uses browser instead of the API
|
||||||
|
// for the request to mobile-redirect and as such the session is not shared
|
||||||
|
this.openIdAuthSession.set(params.state, { redirect_uri: redirect_uri })
|
||||||
|
|
||||||
// Now get the URL to direct to
|
// Now get the URL to direct to
|
||||||
const authorizationUrl = client.authorizationUrl({
|
const authorizationUrl = client.authorizationUrl({
|
||||||
...params,
|
...params,
|
||||||
@ -347,6 +373,37 @@ class Auth {
|
|||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
|
// This will be the oauth2 callback route for mobile clients
|
||||||
|
// It will redirect to an app-link like audiobookshelf://oauth
|
||||||
|
router.get('/auth/openid/mobile-redirect', (req, res) => {
|
||||||
|
try {
|
||||||
|
// Extract the state parameter from the request
|
||||||
|
const { state, code } = req.query
|
||||||
|
|
||||||
|
// Check if the state provided is in our list
|
||||||
|
if (!state || !this.openIdAuthSession.has(state)) {
|
||||||
|
Logger.error('[Auth] /auth/openid/mobile-redirect route: State parameter mismatch')
|
||||||
|
return res.status(400).send('State parameter mismatch')
|
||||||
|
}
|
||||||
|
|
||||||
|
let redirect_uri = this.openIdAuthSession.get(state).redirect_uri
|
||||||
|
|
||||||
|
if (!redirect_uri) {
|
||||||
|
Logger.error('[Auth] No redirect URI')
|
||||||
|
return res.status(400).send('No redirect URI')
|
||||||
|
}
|
||||||
|
|
||||||
|
this.openIdAuthSession.delete(state)
|
||||||
|
|
||||||
|
const redirectUri = `${redirect_uri}?code=${encodeURIComponent(code)}&state=${encodeURIComponent(state)}`
|
||||||
|
// Redirect to the overwrite URI saved in the map
|
||||||
|
res.redirect(redirectUri)
|
||||||
|
} catch (error) {
|
||||||
|
Logger.error(`[Auth] Error in /auth/openid/mobile-redirect route: ${error}`)
|
||||||
|
res.status(500).send('Internal Server Error')
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
// openid strategy callback route (this receives the token from the configured openid login provider)
|
// openid strategy callback route (this receives the token from the configured openid login provider)
|
||||||
router.get('/auth/openid/callback', (req, res, next) => {
|
router.get('/auth/openid/callback', (req, res, next) => {
|
||||||
const oidcStrategy = passport._strategy('openid-client')
|
const oidcStrategy = passport._strategy('openid-client')
|
||||||
|
@ -629,6 +629,23 @@ class MiscController {
|
|||||||
} else {
|
} else {
|
||||||
Logger.warn(`[MiscController] Invalid value for authActiveAuthMethods`)
|
Logger.warn(`[MiscController] Invalid value for authActiveAuthMethods`)
|
||||||
}
|
}
|
||||||
|
} else if (key === 'authOpenIDMobileRedirectURIs') {
|
||||||
|
function isValidRedirectURI(uri) {
|
||||||
|
const pattern = new RegExp('^\\w+://[\\w.-]+$', 'i');
|
||||||
|
return pattern.test(uri);
|
||||||
|
}
|
||||||
|
|
||||||
|
const uris = settingsUpdate[key]
|
||||||
|
if (!Array.isArray(uris) ||
|
||||||
|
(uris.includes('*') && uris.length > 1) ||
|
||||||
|
uris.some(uri => uri !== '*' && !isValidRedirectURI(uri))) {
|
||||||
|
Logger.warn(`[MiscController] Invalid value for authOpenIDMobileRedirectURIs`)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// Update the URIs
|
||||||
|
Database.serverSettings[key] = uris
|
||||||
|
hasUpdates = true
|
||||||
} else {
|
} else {
|
||||||
const updatedValueType = typeof settingsUpdate[key]
|
const updatedValueType = typeof settingsUpdate[key]
|
||||||
if (['authOpenIDAutoLaunch', 'authOpenIDAutoRegister'].includes(key)) {
|
if (['authOpenIDAutoLaunch', 'authOpenIDAutoRegister'].includes(key)) {
|
||||||
|
@ -71,6 +71,7 @@ class ServerSettings {
|
|||||||
this.authOpenIDAutoLaunch = false
|
this.authOpenIDAutoLaunch = false
|
||||||
this.authOpenIDAutoRegister = false
|
this.authOpenIDAutoRegister = false
|
||||||
this.authOpenIDMatchExistingBy = null
|
this.authOpenIDMatchExistingBy = null
|
||||||
|
this.authOpenIDMobileRedirectURIs = ['audiobookshelf://oauth']
|
||||||
|
|
||||||
if (settings) {
|
if (settings) {
|
||||||
this.construct(settings)
|
this.construct(settings)
|
||||||
@ -126,6 +127,7 @@ class ServerSettings {
|
|||||||
this.authOpenIDAutoLaunch = !!settings.authOpenIDAutoLaunch
|
this.authOpenIDAutoLaunch = !!settings.authOpenIDAutoLaunch
|
||||||
this.authOpenIDAutoRegister = !!settings.authOpenIDAutoRegister
|
this.authOpenIDAutoRegister = !!settings.authOpenIDAutoRegister
|
||||||
this.authOpenIDMatchExistingBy = settings.authOpenIDMatchExistingBy || null
|
this.authOpenIDMatchExistingBy = settings.authOpenIDMatchExistingBy || null
|
||||||
|
this.authOpenIDMobileRedirectURIs = settings.authOpenIDMobileRedirectURIs || ['audiobookshelf://oauth']
|
||||||
|
|
||||||
if (!Array.isArray(this.authActiveAuthMethods)) {
|
if (!Array.isArray(this.authActiveAuthMethods)) {
|
||||||
this.authActiveAuthMethods = ['local']
|
this.authActiveAuthMethods = ['local']
|
||||||
@ -211,7 +213,8 @@ class ServerSettings {
|
|||||||
authOpenIDButtonText: this.authOpenIDButtonText,
|
authOpenIDButtonText: this.authOpenIDButtonText,
|
||||||
authOpenIDAutoLaunch: this.authOpenIDAutoLaunch,
|
authOpenIDAutoLaunch: this.authOpenIDAutoLaunch,
|
||||||
authOpenIDAutoRegister: this.authOpenIDAutoRegister,
|
authOpenIDAutoRegister: this.authOpenIDAutoRegister,
|
||||||
authOpenIDMatchExistingBy: this.authOpenIDMatchExistingBy
|
authOpenIDMatchExistingBy: this.authOpenIDMatchExistingBy,
|
||||||
|
authOpenIDMobileRedirectURIs: this.authOpenIDMobileRedirectURIs // Do not return to client
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -220,6 +223,7 @@ class ServerSettings {
|
|||||||
delete json.tokenSecret
|
delete json.tokenSecret
|
||||||
delete json.authOpenIDClientID
|
delete json.authOpenIDClientID
|
||||||
delete json.authOpenIDClientSecret
|
delete json.authOpenIDClientSecret
|
||||||
|
delete json.authOpenIDMobileRedirectURIs
|
||||||
return json
|
return json
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -254,7 +258,8 @@ class ServerSettings {
|
|||||||
authOpenIDButtonText: this.authOpenIDButtonText,
|
authOpenIDButtonText: this.authOpenIDButtonText,
|
||||||
authOpenIDAutoLaunch: this.authOpenIDAutoLaunch,
|
authOpenIDAutoLaunch: this.authOpenIDAutoLaunch,
|
||||||
authOpenIDAutoRegister: this.authOpenIDAutoRegister,
|
authOpenIDAutoRegister: this.authOpenIDAutoRegister,
|
||||||
authOpenIDMatchExistingBy: this.authOpenIDMatchExistingBy
|
authOpenIDMatchExistingBy: this.authOpenIDMatchExistingBy,
|
||||||
|
authOpenIDMobileRedirectURIs: this.authOpenIDMobileRedirectURIs // Do not return to client
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user