Add ODIC Back-Channel Logout (#304)
* prevent returning expired sessions * add issuer to ODIC creds * get id token in ODIC * make session signin return session * working backchannel logout? * require https for ODIC provider * handle wellknown not being https * find session api progress * fix windows build * return session token on session * switch OIDC to #searchSessions * update pnpm * switch to using message on error obj * move odic callback * fix type errors * redirect old oidc callback * make redirect url a URL * remove scheduled task downloadCleanup * fix session search for oidc * fix signin result * cleanup code * ignore data dir * fix lint error
This commit is contained in:
@@ -0,0 +1,70 @@
|
||||
import sessionHandler from "~/server/internal/session";
|
||||
import authManager from "~/server/internal/auth";
|
||||
import type { Session } from "~/server/internal/session/types";
|
||||
|
||||
defineRouteMeta({
|
||||
openAPI: {
|
||||
tags: ["Auth", "OIDC"],
|
||||
description: "OIDC Signin callback",
|
||||
parameters: [],
|
||||
},
|
||||
});
|
||||
|
||||
export default defineEventHandler(async (h3) => {
|
||||
// dont cache login responses
|
||||
setHeader(h3, "Cache-Control", "no-store");
|
||||
|
||||
const enabledAuthManagers = authManager.getAuthProviders();
|
||||
if (!enabledAuthManagers.OpenID) return sendRedirect(h3, "/auth/signin");
|
||||
|
||||
const manager = enabledAuthManagers.OpenID;
|
||||
|
||||
const query = getQuery(h3);
|
||||
const code = query.code?.toString();
|
||||
if (!code)
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: "No code in query params.",
|
||||
});
|
||||
|
||||
const state = query.state?.toString();
|
||||
if (!state)
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: "No state in query params.",
|
||||
});
|
||||
|
||||
const result = await manager.authorize(code, state);
|
||||
|
||||
if (typeof result === "string")
|
||||
throw createError({
|
||||
statusCode: 403,
|
||||
statusMessage: `Failed to sign in: "${result}". Please try again.`,
|
||||
});
|
||||
|
||||
// Attach OIDC session data
|
||||
const oidcData: Session["oidc"] = {
|
||||
iss: result.claims.iss,
|
||||
};
|
||||
if (result.claims.sub) oidcData.sub = result.claims.sub;
|
||||
if (result.claims.sid) oidcData.sid = result.claims.sid;
|
||||
|
||||
const sessionResult = await sessionHandler.signin(h3, result.user.id, {
|
||||
rememberMe: true,
|
||||
oidc: oidcData,
|
||||
});
|
||||
if (sessionResult == "fail")
|
||||
throw createError({ statusCode: 500, message: "Failed to set session" });
|
||||
else if (sessionResult == "2fa") {
|
||||
return sendRedirect(
|
||||
h3,
|
||||
`/auth/mfa?redirect=${result.options.redirect ? encodeURIComponent(result.options.redirect) : "/"}`,
|
||||
);
|
||||
}
|
||||
|
||||
if (result.options.redirect) {
|
||||
return sendRedirect(h3, result.options.redirect);
|
||||
}
|
||||
|
||||
return sendRedirect(h3, "/");
|
||||
});
|
||||
@@ -0,0 +1,46 @@
|
||||
// import sessionHandler from "~/server/internal/session";
|
||||
import authManager from "~/server/internal/auth";
|
||||
|
||||
defineRouteMeta({
|
||||
openAPI: {
|
||||
tags: ["Auth", "OIDC"],
|
||||
description: "OIDC logout back-channel",
|
||||
parameters: [],
|
||||
},
|
||||
});
|
||||
|
||||
export default defineEventHandler(async (h3) => {
|
||||
// dont cache logout responses
|
||||
setHeader(h3, "Cache-Control", "no-store");
|
||||
|
||||
const enabledAuthManagers = authManager.getAuthProviders();
|
||||
if (!enabledAuthManagers.OpenID)
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
message: "OIDC not enabled.",
|
||||
});
|
||||
|
||||
const logout_token = (await readFormData(h3)).get("logout_token");
|
||||
if (typeof logout_token !== "string")
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
message: "Invalid OIDC logout notification.",
|
||||
});
|
||||
const okay = await enabledAuthManagers.OpenID.handleLogout(logout_token);
|
||||
if (!okay) {
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
message: "Invalid OIDC logout notification.",
|
||||
});
|
||||
}
|
||||
|
||||
// const result = OIDCLogoutTokenV1(logout_token);
|
||||
|
||||
// const manager = enabledAuthManagers.OpenID;
|
||||
|
||||
// const query = getQuery(h3);
|
||||
|
||||
return {
|
||||
success: true,
|
||||
};
|
||||
});
|
||||
@@ -98,7 +98,9 @@ export default defineEventHandler(async (h3) => {
|
||||
},
|
||||
});
|
||||
|
||||
await sessionHandler.signin(h3, mfaMec.userId, true);
|
||||
await sessionHandler.signin(h3, mfaMec.userId, {
|
||||
rememberMe: true,
|
||||
});
|
||||
await sessionHandler.mfa(h3, 10);
|
||||
|
||||
return {};
|
||||
|
||||
@@ -84,17 +84,16 @@ export default defineEventHandler<{
|
||||
});
|
||||
|
||||
// TODO: send user to forgot password screen or something to force them to change their password to new system
|
||||
const result = await sessionHandler.signin(
|
||||
h3,
|
||||
authMek.userId,
|
||||
body.rememberMe,
|
||||
);
|
||||
const result = await sessionHandler.signin(h3, authMek.userId, {
|
||||
rememberMe: body.rememberMe ?? false,
|
||||
});
|
||||
if (result === "fail")
|
||||
throw createError({
|
||||
statusCode: 500,
|
||||
message: "Failed to create session",
|
||||
});
|
||||
return { userId: authMek.userId, result };
|
||||
|
||||
return { result: result, userId: authMek.userId };
|
||||
}
|
||||
|
||||
// V2: argon2
|
||||
@@ -111,11 +110,9 @@ export default defineEventHandler<{
|
||||
statusMessage: t("errors.auth.invalidUserOrPass"),
|
||||
});
|
||||
|
||||
const result = await sessionHandler.signin(
|
||||
h3,
|
||||
authMek.userId,
|
||||
body.rememberMe,
|
||||
);
|
||||
const result = await sessionHandler.signin(h3, authMek.userId, {
|
||||
rememberMe: body.rememberMe ?? false,
|
||||
});
|
||||
if (result == "fail")
|
||||
throw createError({ statusCode: 500, message: "Failed to create session" });
|
||||
return { userId: authMek.userId, result };
|
||||
|
||||
Reference in New Issue
Block a user