Archives/gristlabs_grist-core
1
0
Fork 0
mirror of https://github.com/gristlabs/grist-core.git synced 2024-10-27 20:44:07 +00:00
Code Issues Projects Releases Wiki Activity

OIDC: allow configuring the request timeout (#1177)

Browse Source 
Add IdP timeout, controlled by env var GRIST_OIDC_SP_HTTP_TIMEOUT

---------

Co-authored-by: atropos <sv7n@pm.me>
This commit is contained in:
Florent 2024-09-03 23:10:18 +02:00 committed by GitHub
parent 16d246094b
commit b1a9e5f0da
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 60 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
app/server/lib/OIDCConfig.ts
View File

@ -47,7 +47,9 @@
* A JSON object with extra client metadata to pass to openid-client. Optional. * A JSON object with extra client metadata to pass to openid-client. Optional.
* Be aware that setting this object may override any other values passed to the openid client. * Be aware that setting this object may override any other values passed to the openid client.
* More info: https://github.com/panva/node-openid-client/tree/main/docs#new-clientmetadata-jwks-options * More info: https://github.com/panva/node-openid-client/tree/main/docs#new-clientmetadata-jwks-options
* * env GRIST_OIDC_SP_HTTP_TIMEOUT
* The timeout in milliseconds for HTTP requests to the IdP. The default value is set to 3500 by the
* openid-client library. See: https://github.com/panva/node-openid-client/blob/main/docs/README.md#customizing-http-requests
* *
* This version of OIDCConfig has been tested with Keycloak OIDC IdP following the instructions * This version of OIDCConfig has been tested with Keycloak OIDC IdP following the instructions
* at: * at:
@ -66,7 +68,7 @@
import * as express from 'express'; import * as express from 'express';
import { GristLoginSystem, GristServer } from './GristServer'; import { GristLoginSystem, GristServer } from './GristServer';
import { import {
Client, ClientMetadata, Issuer, errors as OIDCError, TokenSet, UserinfoResponse Client, ClientMetadata, custom, Issuer, errors as OIDCError, TokenSet, UserinfoResponse
} from 'openid-client'; } from 'openid-client';
import { Sessions } from './Sessions'; import { Sessions } from './Sessions';
import log from 'app/server/lib/log'; import log from 'app/server/lib/log';
@ -137,6 +139,9 @@ export class OIDCConfig {
envVar: 'GRIST_OIDC_IDP_CLIENT_SECRET', envVar: 'GRIST_OIDC_IDP_CLIENT_SECRET',
censor: true, censor: true,
}); });
const httpTimeout = section.flag('httpTimeout').readInt({
envVar: 'GRIST_OIDC_SP_HTTP_TIMEOUT',
});
this._namePropertyKey = section.flag('namePropertyKey').readString({ this._namePropertyKey = section.flag('namePropertyKey').readString({
envVar: 'GRIST_OIDC_SP_PROFILE_NAME_ATTR', envVar: 'GRIST_OIDC_SP_PROFILE_NAME_ATTR',
}); });
@ -173,6 +178,9 @@ export class OIDCConfig {
this._protectionManager = new ProtectionsManager(enabledProtections); this._protectionManager = new ProtectionsManager(enabledProtections);
this._redirectUrl = new URL(CALLBACK_URL, spHost).href; this._redirectUrl = new URL(CALLBACK_URL, spHost).href;
custom.setHttpOptionsDefaults({
...(httpTimeout !== undefined ? {timeout: httpTimeout} : {}),
});
await this._initClient({ issuerUrl, clientId, clientSecret, extraMetadata }); await this._initClient({ issuerUrl, clientId, clientSecret, extraMetadata });
if (this._client.issuer.metadata.end_session_endpoint === undefined && if (this._client.issuer.metadata.end_session_endpoint === undefined &&

51
test/server/lib/OIDCConfig.ts
View File

@ -5,7 +5,7 @@ import {Sessions} from "app/server/lib/Sessions";
import log from "app/server/lib/log"; import log from "app/server/lib/log";
import {assert} from "chai"; import {assert} from "chai";
import Sinon from "sinon"; import Sinon from "sinon";
import {Client, generators, errors as OIDCError} from "openid-client"; import {Client, custom, generators, errors as OIDCError} from "openid-client";
import express from "express"; import express from "express";
import _ from "lodash"; import _ from "lodash";
import {RequestWithLogin} from "app/server/lib/Authorizer"; import {RequestWithLogin} from "app/server/lib/Authorizer";
@ -192,6 +192,55 @@ describe('OIDCConfig', () => {
}); });
}); });
}); });
describe('GRIST_OIDC_SP_HTTP_TIMEOUT', function () {
[
{
itMsg: 'when omitted should not override openid-client default value',
expectedUserDefinedHttpOptions: {}
},
{
itMsg: 'should reject when the provided value is not a number',
env: {
GRIST_OIDC_SP_HTTP_TIMEOUT: '__NOT_A_NUMBER__',
},
expectedErrorMsg: /__NOT_A_NUMBER__ does not look like a number/,
},
{
itMsg: 'should override openid-client timeout accordingly to the provided value',
env: {
GRIST_OIDC_SP_HTTP_TIMEOUT: '10000',
},
shouldSetTimeout: true,
expectedUserDefinedHttpOptions: {
timeout: 10000
}
},
{
itMsg: 'should allow disabling the timeout by having its value set to 0',
env: {
GRIST_OIDC_SP_HTTP_TIMEOUT: '0',
},
expectedUserDefinedHttpOptions: {
timeout: 0
}
}
].forEach(ctx => {
it(ctx.itMsg, async () => {
const setHttpOptionsDefaultsStub = sandbox.stub(custom, 'setHttpOptionsDefaults');
setEnvVars();
Object.assign(process.env, ctx.env);
const promise = OIDCConfigStubbed.buildWithStub();
if (ctx.expectedErrorMsg) {
await assert.isRejected(promise, ctx.expectedErrorMsg);
} else {
await assert.isFulfilled(promise, 'initOIDC should have been fulfilled');
assert.isTrue(setHttpOptionsDefaultsStub.calledOnce, 'Should have called custom.setHttpOptionsDefaults');
assert.deepEqual(setHttpOptionsDefaultsStub.firstCall.args[0], ctx.expectedUserDefinedHttpOptions);
}
});
});
});
}); });
describe('GRIST_OIDC_IDP_ENABLED_PROTECTIONS', () => { describe('GRIST_OIDC_IDP_ENABLED_PROTECTIONS', () => {