Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
77d203b2b0
|
|||
|
fcbf25e3ce
|
|||
|
084ec7bbc1
|
|||
|
6b3339a883
|
@@ -18,6 +18,11 @@ class CoreIDAdapter {
|
||||
expiresAt = new Date(Date.now() + (expiresIn * 1000))
|
||||
}
|
||||
|
||||
if ( payload.uid ) {
|
||||
payload.originalUid = payload.uid
|
||||
payload.uid = payload.uid.toLowerCase()
|
||||
}
|
||||
|
||||
await this.coll().updateOne(
|
||||
{ _id },
|
||||
{ $set: { payload, ...(expiresAt ? { expiresAt } : undefined) } },
|
||||
@@ -34,6 +39,11 @@ class CoreIDAdapter {
|
||||
).limit(1).next()
|
||||
|
||||
if (!result) return undefined
|
||||
|
||||
if ( result?.payload?.originalUid ) {
|
||||
result.payload.uid = result.payload.originalUid
|
||||
}
|
||||
|
||||
return result.payload
|
||||
}
|
||||
|
||||
@@ -49,11 +59,16 @@ class CoreIDAdapter {
|
||||
|
||||
async findByUid(uid) {
|
||||
const result = await this.coll().find(
|
||||
{ 'payload.uid': uid },
|
||||
{ 'payload.uid': uid.toLowerCase() },
|
||||
{ payload: 1 },
|
||||
).limit(1).next()
|
||||
|
||||
if (!result) return undefined
|
||||
|
||||
if ( result?.payload?.originalUid ) {
|
||||
result.payload.uid = result.payload.originalUid
|
||||
}
|
||||
|
||||
return result.payload
|
||||
}
|
||||
|
||||
|
||||
@@ -119,14 +119,12 @@ class OpenIDController extends Controller {
|
||||
uid, prompt, params, session,
|
||||
} = await this.openid_connect.provider.interactionDetails(req, res)
|
||||
|
||||
console.log({uid, prompt, params, session})
|
||||
|
||||
const name = prompt.name
|
||||
if ( typeof this[name] !== 'function' ) {
|
||||
return this.fail(res, 'Sorry, something has gone wrong.')
|
||||
}
|
||||
|
||||
return this[name](req, res, { uid: uid, prompt, params, session })
|
||||
return this[name](req, res, { uid: uid.toLowerCase(), prompt, params, session })
|
||||
}
|
||||
|
||||
async consent(req, res, { uid, prompt, params, session }) {
|
||||
@@ -172,7 +170,7 @@ class OpenIDController extends Controller {
|
||||
{
|
||||
text: req.T('common.grant'),
|
||||
action: 'redirect',
|
||||
next: `/openid/interaction/${uid}/grant`,
|
||||
next: `/openid/interaction/${uid.toLowerCase()}/grant`,
|
||||
},
|
||||
],
|
||||
})
|
||||
@@ -180,7 +178,7 @@ class OpenIDController extends Controller {
|
||||
}
|
||||
|
||||
async login(req, res, { uid, prompt, params, session }) {
|
||||
return res.redirect(`/openid/interaction/${uid}/start-session`)
|
||||
return res.redirect(`/openid/interaction/${uid.toLowerCase()}/start-session`)
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -8,7 +8,7 @@ const Oauth2Controller = require('flitter-auth/controllers/Oauth2')
|
||||
*/
|
||||
class Oauth2 extends Oauth2Controller {
|
||||
static get services() {
|
||||
return [...super.services, 'Vue', 'configs', 'models']
|
||||
return [...super.services, 'Vue', 'configs', 'models', 'output']
|
||||
}
|
||||
|
||||
async authorize_post(req, res, next) {
|
||||
@@ -18,6 +18,24 @@ class Oauth2 extends Oauth2Controller {
|
||||
const StarshipClient = this.models.get('oauth:Client')
|
||||
const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })
|
||||
|
||||
// Make sure the user has IAM access before proceeding
|
||||
const Application = this.models.get('Application')
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const application = await Application.findOne({ oauth_client_ids: starship_client.id })
|
||||
if ( !application ) {
|
||||
this.output.warning('IAM Denial!')
|
||||
return this.Vue.auth_message(res, {
|
||||
message: req.T('saml.no_access').replace('APP_NAME', application.name),
|
||||
next_destination: '/dash',
|
||||
})
|
||||
} else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
|
||||
this.output.warning('IAM Denial!')
|
||||
return this.Vue.auth_message(res, {
|
||||
message: req.T('saml.no_access').replace('APP_NAME', application.name),
|
||||
next_destination: '/dash',
|
||||
})
|
||||
}
|
||||
|
||||
req.user.authorize(starship_client)
|
||||
await req.user.save()
|
||||
return super.authorize_post(req, res, next)
|
||||
@@ -31,6 +49,24 @@ class Oauth2 extends Oauth2Controller {
|
||||
const StarshipClient = this.models.get('oauth:Client')
|
||||
const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })
|
||||
|
||||
// Make sure the user has IAM access before proceeding
|
||||
const Application = this.models.get('Application')
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const application = await Application.findOne({ oauth_client_ids: starship_client.id })
|
||||
if ( !application ) {
|
||||
this.output.warning('IAM Denial!')
|
||||
return this.Vue.auth_message(res, {
|
||||
message: req.T('saml.no_access').replace('APP_NAME', application.name),
|
||||
next_destination: '/dash',
|
||||
})
|
||||
} else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
|
||||
this.output.warning('IAM Denial!')
|
||||
return this.Vue.auth_message(res, {
|
||||
message: req.T('saml.no_access').replace('APP_NAME', application.name),
|
||||
next_destination: '/dash',
|
||||
})
|
||||
}
|
||||
|
||||
if ( req.user.has_authorized(starship_client) ) {
|
||||
return this.Vue.invoke_action(res, {
|
||||
text: 'Grant Access',
|
||||
|
||||
Reference in New Issue
Block a user