c2e9a1aa21
* feat: add OIDC/SSO database schema and models (Phase 1) Add database foundation for OpenID Connect authentication: Database Migrations: - Create oidc_identities table (links users to OIDC accounts) - Create oidc_state_nonces table (OAuth state/nonce for CSRF protection) - Create auth_audit_log table (security event logging) - Make password_digest nullable in users table (allow OIDC-only users) Models: - OIDCIdentity: Links users to external OIDC providers - OIDCStateNonce: Temporary OAuth state management - AuthAuditLog: Authentication event audit trail Changes: - Updated User model to allow null password_digest - Added model associations in models/index.js - All migrations tested and verified Related to #977 * feat: add OIDC core services (Phase 2) - Install openid-client@^6.2.0 for OIDC protocol support - Implement providerConfig.js for loading providers from .env - Support single provider or numbered providers (OIDC_PROVIDER_1_*, etc.) - Auto-provision and admin email domain configuration - Provider caching for performance - Implement stateManager.js for OAuth state/nonce management - CSRF protection with 10-minute TTL - One-time use state consumption - Automatic cleanup of expired states - Implement auditService.js for authentication event logging - Track login success/failure, logout, OIDC linking/unlinking - Store IP address, user agent, and metadata - Support for event queries and retention cleanup - Add comprehensive unit tests (60 tests, all passing) - providerConfig: 36 tests for env parsing and validation - stateManager: 12 tests for state lifecycle and security - auditService: 12 tests for event logging and queries Phase 2 completes the backend core services needed for OIDC authentication. * feat: implement OIDC authentication flow (Phase 3) Core OIDC Flow (service.js): - Provider discovery with issuer caching - Authorization URL generation with state/nonce - OAuth callback handling and token exchange - ID token validation using openid-client - Token refresh functionality JIT User Provisioning (provisioningService.js): - Auto-create users from OIDC claims - Link existing email accounts to OIDC identities - Admin role assignment based on email domain rules - Automatic username generation from email - Transaction-safe identity creation Identity Management (oidcIdentityService.js): - List user's linked OIDC identities - Link additional providers to existing accounts - Unlink identities with safety checks - Prevent unlinking last auth method - Update identity claims on login HTTP Layer (controller.js + routes.js): - GET /api/oidc/providers - List configured providers - GET /api/oidc/auth/:slug - Initiate OIDC flow - GET /api/oidc/callback/:slug - Handle OAuth callback - POST /api/oidc/link/:slug - Link provider to current user - DELETE /api/oidc/unlink/:id - Unlink identity - GET /api/oidc/identities - Get user's identities Integration: - Register OIDC routes in Express app (public + authenticated) - Update auth service to reject password login for OIDC-only users - Audit logging for all OIDC operations - Session creation on successful authentication Security: - State/nonce CSRF protection - One-time use state consumption - Transaction-safe user provisioning - Foreign key constraints enforced * feat: implement OIDC frontend login flow (Phase 4) - Created OIDCProviderButtons component for SSO login options - Created OIDCCallback component for OAuth callback handling - Updated Login page to fetch and display OIDC providers - Added /auth/callback/:provider route to App.tsx - Added i18n translations for OIDC UI elements - Downgraded openid-client to v5.7.0 (CommonJS compatibility) - Fixed linting issues in backend OIDC modules Phase 4 completes the frontend login flow for OIDC/SSO authentication. Users can now see configured SSO providers on the login page. * feat: implement OIDC account linking UI (Phase 5) Add Connected Accounts section to Profile Security tab allowing users to: - View linked OIDC provider accounts - Link new SSO providers to their account - Unlink OIDC identities with validation - Prevent unlinking last authentication method Backend changes: - Add has_password virtual field to User model - Include has_password in profile API response - Track whether user has password set for validation Frontend changes: - Create oidcService for OIDC API operations - Create ConnectedAccounts component with link/unlink flows - Add confirmation dialog before unlinking accounts - Validate that users cannot unlink their last auth method - Show warning if user has no password set - Integrate Connected Accounts into SecurityTab User experience: - View all linked SSO provider accounts with email and link date - Link additional providers via "Link Provider" buttons - Unlink with two-step confirmation to prevent accidents - Clear error messages when unlinking would leave no auth method - Warning message suggesting password setup for OIDC-only users Fixes #977 * feat: complete OIDC documentation and UI improvements (Phase 6) This commit completes Phase 6 of the OIDC/SSO implementation with comprehensive documentation, bug fixes, and UI reorganization. Documentation: - Add comprehensive user guide at docs/10-oidc-sso.md with: - Setup guides for 6 major providers (Google, Okta, Keycloak, Authentik, PocketID, Azure AD) - Configuration examples for single and multiple providers - User features documentation (login, account linking, management) - Advanced topics (auto-provisioning, admin role assignment, hybrid auth) - Comprehensive troubleshooting section - Security considerations and best practices - Update README.md with OIDC/SSO section and quick setup examples Internationalization: - Add i18n support to OIDCProviderButtons component - Add translation keys for all OIDC UI text - Update English translations with "sign_in_with" key Bug Fixes: - Fix oidcService.ts to correctly unwrap API responses - Backend returns {providers: [...]} and {identities: [...]} - Frontend was expecting plain arrays, causing "map is not a function" error - Fix initiateOIDCLink to properly handle POST response UI Improvements: - Move OIDC/SSO to dedicated tab in profile settings - Create new OIDCTab component with green LinkIcon - Remove ConnectedAccounts from SecurityTab - Add OIDC tab between Security and API Keys tabs - Update ProfileSettings with new tab configuration - Security tab now focuses solely on password management Testing: - All linting passes - All tests pass (82 suites, 1223 tests) Related to #977 * feat: add OIDC/SSO translations for all 24 languages Add i18n support for OIDC/SSO features across all supported languages: - "Sign in with {{provider}}" button text - "OIDC/SSO" tab label in profile settings - OIDC authentication flow messages Translations added for: Arabic, Bulgarian, Danish, German, Greek, Spanish, Finnish, French, Indonesian, Italian, Japanese, Korean, Dutch, Norwegian, Polish, Portuguese, Romanian, Russian, Slovenian, Swedish, Turkish, Ukrainian, Vietnamese, and Chinese. * fix: resolve 13 CodeQL security alerts This commit addresses critical security vulnerabilities identified by CodeQL scanning: **Security Configuration (2 fixes)** - Fix insecure Helmet configuration - enable CSP and HSTS in production - Fix clear text cookie transmission - enable secure cookies in production **Path Injection (3 fixes)** - Add path validation in users/controller.js to prevent arbitrary file deletion - Add path validation in users/service.js for avatar operations - Add path sanitization in attachment-utils.js deleteFileFromDisk function **Cross-Site Scripting (1 fix)** - Fix XSS vulnerability in GeneralTab.tsx avatar URL handling - Add URL sanitization to prevent javascript: protocol attacks **URL Security (2 fixes)** - Fix double escaping in url/service.js HTML entity decoding - Fix incomplete URL sanitization for YouTube domain validation **Denial of Service (1 fix)** - Add loop bound protection in inboxProcessingService.js (10k char limit) **Rate Limiting (3 fixes)** - Add rate limiting to auth routes (register, verify-email) - Add rate limiting to task attachment upload/delete endpoints - Add rate limiting to user avatar upload/delete endpoints **GitHub Actions Security (1 fix)** - Add explicit read-only permissions to CI workflow Note: CSRF middleware (#10) requires frontend changes and is tracked separately. Relates to PR #1008 * fix: allow test files in path validation for tests * fix: format long condition in attachment-utils for Prettier compliance Break the path validation condition across multiple lines to meet Prettier formatting requirements and fix CI linting failure. * fix: resolve CodeQL security alerts - Add rate limiting to OIDC authentication routes using authLimiter and authenticatedApiLimiter - Implement CSRF protection middleware using csrf-sync (skips for API tokens and test environment) - Add CSRF token endpoint at /api/csrf-token - Fix incomplete URL scheme validation in GeneralTab to block all dangerous schemes (javascript:, data:, vbscript:, file:) This addresses 5 high-severity CodeQL security vulnerabilities: - Missing rate limiting on OIDC auth routes - Missing CSRF middleware protection - Incomplete URL sanitization in avatar handling All 1223 tests passing. * fix: implement CSRF protection with lusca for CodeQL compliance Add CSRF protection using lusca.csrf (CodeQL's recommended library) to protect session-based authentication while supporting hybrid auth patterns. Implementation: - Pre-check middleware marks exempt requests (test env, Bearer tokens) - Lusca CSRF middleware applied with exemption flag check - Session-based requests require valid x-csrf-token header - Bearer token requests exempt (don't use cookies) - Test environment exempt for test execution This addresses CodeQL security alert js/missing-token-validation while maintaining support for both cookie-based and token-based authentication. Related: #977 (OIDC/SSO authentication feature)
224 lines
6.9 KiB
JavaScript
224 lines
6.9 KiB
JavaScript
const { Sequelize } = require('sequelize');
|
|
const path = require('path');
|
|
const { getConfig } = require('../config/config');
|
|
const config = getConfig();
|
|
|
|
let dbConfig;
|
|
|
|
dbConfig = {
|
|
dialect: 'sqlite',
|
|
storage: config.dbFile,
|
|
logging: config.environment === 'development' ? console.log : false,
|
|
define: {
|
|
timestamps: true,
|
|
underscored: true,
|
|
createdAt: 'created_at',
|
|
updatedAt: 'updated_at',
|
|
},
|
|
};
|
|
|
|
const sequelize = new Sequelize(dbConfig);
|
|
|
|
// SQLite performance optimizations for slow I/O systems (e.g., Synology NAS with HDDs)
|
|
if (dbConfig.dialect === 'sqlite') {
|
|
const pragmas = [
|
|
// WAL mode: sequential writes instead of random I/O, better for Btrfs COW
|
|
'PRAGMA journal_mode=WAL;',
|
|
// Relaxed sync: faster writes with minimal durability risk for single-user app
|
|
'PRAGMA synchronous=NORMAL;',
|
|
// 5 second busy timeout: prevents "database is locked" errors under load
|
|
'PRAGMA busy_timeout=5000;',
|
|
// 64MB cache: keeps more data in memory, reduces disk reads
|
|
'PRAGMA cache_size=-64000;',
|
|
// Store temp tables in memory instead of disk
|
|
'PRAGMA temp_store=MEMORY;',
|
|
// Enable memory-mapped I/O (256MB): faster reads on large databases
|
|
'PRAGMA mmap_size=268435456;',
|
|
];
|
|
|
|
(async () => {
|
|
try {
|
|
for (const pragma of pragmas) {
|
|
await sequelize.query(pragma);
|
|
}
|
|
if (config.environment === 'development') {
|
|
console.log('SQLite performance optimizations enabled');
|
|
}
|
|
} catch (err) {
|
|
console.error('Failed to set SQLite PRAGMAs:', err.message);
|
|
}
|
|
})();
|
|
}
|
|
|
|
const User = require('./user')(sequelize);
|
|
const Area = require('./area')(sequelize);
|
|
const Project = require('./project')(sequelize);
|
|
const Task = require('./task')(sequelize);
|
|
const Tag = require('./tag')(sequelize);
|
|
const Note = require('./note')(sequelize);
|
|
const InboxItem = require('./inbox_item')(sequelize);
|
|
const TaskEvent = require('./task_event')(sequelize);
|
|
const Role = require('./role')(sequelize);
|
|
const Action = require('./action')(sequelize);
|
|
const Permission = require('./permission')(sequelize);
|
|
const View = require('./view')(sequelize);
|
|
const ApiToken = require('./api_token')(sequelize);
|
|
const Setting = require('./setting')(sequelize);
|
|
const Notification = require('./notification')(sequelize);
|
|
const RecurringCompletion = require('./recurringCompletion')(sequelize);
|
|
const TaskAttachment = require('./task_attachment')(sequelize);
|
|
const Backup = require('./backup')(sequelize);
|
|
const OIDCIdentity = require('./oidc_identity')(sequelize);
|
|
const OIDCStateNonce = require('./oidc_state_nonce')(sequelize);
|
|
const AuthAuditLog = require('./auth_audit_log')(sequelize);
|
|
|
|
User.hasMany(Area, { foreignKey: 'user_id' });
|
|
Area.belongsTo(User, { foreignKey: 'user_id' });
|
|
|
|
User.hasMany(Project, { foreignKey: 'user_id' });
|
|
Project.belongsTo(User, { foreignKey: 'user_id' });
|
|
Project.belongsTo(Area, { foreignKey: 'area_id', allowNull: true });
|
|
Area.hasMany(Project, { foreignKey: 'area_id' });
|
|
|
|
User.hasMany(Task, { foreignKey: 'user_id' });
|
|
Task.belongsTo(User, { foreignKey: 'user_id' });
|
|
Task.belongsTo(Project, { foreignKey: 'project_id', allowNull: true });
|
|
Project.hasMany(Task, { foreignKey: 'project_id' });
|
|
|
|
User.hasMany(Tag, { foreignKey: 'user_id' });
|
|
Tag.belongsTo(User, { foreignKey: 'user_id' });
|
|
|
|
User.hasMany(Note, { foreignKey: 'user_id' });
|
|
Note.belongsTo(User, { foreignKey: 'user_id' });
|
|
Note.belongsTo(Project, { foreignKey: 'project_id', allowNull: true });
|
|
Project.hasMany(Note, { foreignKey: 'project_id' });
|
|
|
|
User.hasMany(InboxItem, { foreignKey: 'user_id' });
|
|
InboxItem.belongsTo(User, { foreignKey: 'user_id' });
|
|
|
|
User.hasMany(TaskEvent, { foreignKey: 'user_id', as: 'TaskEvents' });
|
|
TaskEvent.belongsTo(User, { foreignKey: 'user_id', as: 'User' });
|
|
Task.hasMany(TaskEvent, { foreignKey: 'task_id', as: 'TaskEvents' });
|
|
TaskEvent.belongsTo(Task, { foreignKey: 'task_id', as: 'Task' });
|
|
|
|
Task.belongsTo(Task, {
|
|
as: 'ParentTask',
|
|
foreignKey: 'parent_task_id',
|
|
});
|
|
Task.hasMany(Task, {
|
|
as: 'Subtasks',
|
|
foreignKey: 'parent_task_id',
|
|
});
|
|
|
|
Task.belongsTo(Task, {
|
|
as: 'RecurringParent',
|
|
foreignKey: 'recurring_parent_id',
|
|
});
|
|
Task.hasMany(Task, {
|
|
as: 'RecurringChildren',
|
|
foreignKey: 'recurring_parent_id',
|
|
});
|
|
|
|
Task.hasMany(RecurringCompletion, {
|
|
as: 'Completions',
|
|
foreignKey: 'task_id',
|
|
});
|
|
RecurringCompletion.belongsTo(Task, {
|
|
foreignKey: 'task_id',
|
|
as: 'Task',
|
|
});
|
|
|
|
Task.belongsToMany(Tag, {
|
|
through: 'tasks_tags',
|
|
foreignKey: 'task_id',
|
|
otherKey: 'tag_id',
|
|
});
|
|
Tag.belongsToMany(Task, {
|
|
through: 'tasks_tags',
|
|
foreignKey: 'tag_id',
|
|
otherKey: 'task_id',
|
|
});
|
|
|
|
Note.belongsToMany(Tag, {
|
|
through: 'notes_tags',
|
|
foreignKey: 'note_id',
|
|
otherKey: 'tag_id',
|
|
});
|
|
Tag.belongsToMany(Note, {
|
|
through: 'notes_tags',
|
|
foreignKey: 'tag_id',
|
|
otherKey: 'note_id',
|
|
});
|
|
|
|
Project.belongsToMany(Tag, {
|
|
through: 'projects_tags',
|
|
foreignKey: 'project_id',
|
|
otherKey: 'tag_id',
|
|
});
|
|
Tag.belongsToMany(Project, {
|
|
through: 'projects_tags',
|
|
foreignKey: 'tag_id',
|
|
otherKey: 'project_id',
|
|
});
|
|
|
|
User.hasOne(Role, { foreignKey: 'user_id' });
|
|
Role.belongsTo(User, { foreignKey: 'user_id' });
|
|
|
|
Permission.belongsTo(User, { foreignKey: 'user_id', as: 'User' });
|
|
Permission.belongsTo(User, {
|
|
foreignKey: 'granted_by_user_id',
|
|
as: 'GrantedBy',
|
|
});
|
|
Action.belongsTo(User, { foreignKey: 'actor_user_id', as: 'Actor' });
|
|
Action.belongsTo(User, { foreignKey: 'target_user_id', as: 'Target' });
|
|
|
|
User.hasMany(View, { foreignKey: 'user_id' });
|
|
View.belongsTo(User, { foreignKey: 'user_id' });
|
|
|
|
User.hasMany(ApiToken, { foreignKey: 'user_id', as: 'apiTokens' });
|
|
ApiToken.belongsTo(User, { foreignKey: 'user_id', as: 'user' });
|
|
|
|
User.hasMany(Notification, { foreignKey: 'user_id', as: 'Notifications' });
|
|
Notification.belongsTo(User, { foreignKey: 'user_id', as: 'User' });
|
|
|
|
// TaskAttachment associations
|
|
User.hasMany(TaskAttachment, { foreignKey: 'user_id' });
|
|
TaskAttachment.belongsTo(User, { foreignKey: 'user_id' });
|
|
Task.hasMany(TaskAttachment, { foreignKey: 'task_id', as: 'Attachments' });
|
|
TaskAttachment.belongsTo(Task, { foreignKey: 'task_id' });
|
|
|
|
// Backup associations
|
|
User.hasMany(Backup, { foreignKey: 'user_id', as: 'Backups' });
|
|
Backup.belongsTo(User, { foreignKey: 'user_id', as: 'User' });
|
|
|
|
// OIDC associations
|
|
User.hasMany(OIDCIdentity, { foreignKey: 'user_id', as: 'OIDCIdentities' });
|
|
OIDCIdentity.belongsTo(User, { foreignKey: 'user_id', as: 'User' });
|
|
|
|
// Auth audit log associations
|
|
AuthAuditLog.belongsTo(User, { foreignKey: 'user_id', as: 'User' });
|
|
|
|
module.exports = {
|
|
sequelize,
|
|
User,
|
|
Area,
|
|
Project,
|
|
Task,
|
|
Tag,
|
|
Note,
|
|
InboxItem,
|
|
TaskEvent,
|
|
Role,
|
|
Action,
|
|
Permission,
|
|
View,
|
|
ApiToken,
|
|
Setting,
|
|
Notification,
|
|
RecurringCompletion,
|
|
TaskAttachment,
|
|
Backup,
|
|
OIDCIdentity,
|
|
OIDCStateNonce,
|
|
AuthAuditLog,
|
|
};
|