c2e9a1aa21
* feat: add OIDC/SSO database schema and models (Phase 1) Add database foundation for OpenID Connect authentication: Database Migrations: - Create oidc_identities table (links users to OIDC accounts) - Create oidc_state_nonces table (OAuth state/nonce for CSRF protection) - Create auth_audit_log table (security event logging) - Make password_digest nullable in users table (allow OIDC-only users) Models: - OIDCIdentity: Links users to external OIDC providers - OIDCStateNonce: Temporary OAuth state management - AuthAuditLog: Authentication event audit trail Changes: - Updated User model to allow null password_digest - Added model associations in models/index.js - All migrations tested and verified Related to #977 * feat: add OIDC core services (Phase 2) - Install openid-client@^6.2.0 for OIDC protocol support - Implement providerConfig.js for loading providers from .env - Support single provider or numbered providers (OIDC_PROVIDER_1_*, etc.) - Auto-provision and admin email domain configuration - Provider caching for performance - Implement stateManager.js for OAuth state/nonce management - CSRF protection with 10-minute TTL - One-time use state consumption - Automatic cleanup of expired states - Implement auditService.js for authentication event logging - Track login success/failure, logout, OIDC linking/unlinking - Store IP address, user agent, and metadata - Support for event queries and retention cleanup - Add comprehensive unit tests (60 tests, all passing) - providerConfig: 36 tests for env parsing and validation - stateManager: 12 tests for state lifecycle and security - auditService: 12 tests for event logging and queries Phase 2 completes the backend core services needed for OIDC authentication. * feat: implement OIDC authentication flow (Phase 3) Core OIDC Flow (service.js): - Provider discovery with issuer caching - Authorization URL generation with state/nonce - OAuth callback handling and token exchange - ID token validation using openid-client - Token refresh functionality JIT User Provisioning (provisioningService.js): - Auto-create users from OIDC claims - Link existing email accounts to OIDC identities - Admin role assignment based on email domain rules - Automatic username generation from email - Transaction-safe identity creation Identity Management (oidcIdentityService.js): - List user's linked OIDC identities - Link additional providers to existing accounts - Unlink identities with safety checks - Prevent unlinking last auth method - Update identity claims on login HTTP Layer (controller.js + routes.js): - GET /api/oidc/providers - List configured providers - GET /api/oidc/auth/:slug - Initiate OIDC flow - GET /api/oidc/callback/:slug - Handle OAuth callback - POST /api/oidc/link/:slug - Link provider to current user - DELETE /api/oidc/unlink/:id - Unlink identity - GET /api/oidc/identities - Get user's identities Integration: - Register OIDC routes in Express app (public + authenticated) - Update auth service to reject password login for OIDC-only users - Audit logging for all OIDC operations - Session creation on successful authentication Security: - State/nonce CSRF protection - One-time use state consumption - Transaction-safe user provisioning - Foreign key constraints enforced * feat: implement OIDC frontend login flow (Phase 4) - Created OIDCProviderButtons component for SSO login options - Created OIDCCallback component for OAuth callback handling - Updated Login page to fetch and display OIDC providers - Added /auth/callback/:provider route to App.tsx - Added i18n translations for OIDC UI elements - Downgraded openid-client to v5.7.0 (CommonJS compatibility) - Fixed linting issues in backend OIDC modules Phase 4 completes the frontend login flow for OIDC/SSO authentication. Users can now see configured SSO providers on the login page. * feat: implement OIDC account linking UI (Phase 5) Add Connected Accounts section to Profile Security tab allowing users to: - View linked OIDC provider accounts - Link new SSO providers to their account - Unlink OIDC identities with validation - Prevent unlinking last authentication method Backend changes: - Add has_password virtual field to User model - Include has_password in profile API response - Track whether user has password set for validation Frontend changes: - Create oidcService for OIDC API operations - Create ConnectedAccounts component with link/unlink flows - Add confirmation dialog before unlinking accounts - Validate that users cannot unlink their last auth method - Show warning if user has no password set - Integrate Connected Accounts into SecurityTab User experience: - View all linked SSO provider accounts with email and link date - Link additional providers via "Link Provider" buttons - Unlink with two-step confirmation to prevent accidents - Clear error messages when unlinking would leave no auth method - Warning message suggesting password setup for OIDC-only users Fixes #977 * feat: complete OIDC documentation and UI improvements (Phase 6) This commit completes Phase 6 of the OIDC/SSO implementation with comprehensive documentation, bug fixes, and UI reorganization. Documentation: - Add comprehensive user guide at docs/10-oidc-sso.md with: - Setup guides for 6 major providers (Google, Okta, Keycloak, Authentik, PocketID, Azure AD) - Configuration examples for single and multiple providers - User features documentation (login, account linking, management) - Advanced topics (auto-provisioning, admin role assignment, hybrid auth) - Comprehensive troubleshooting section - Security considerations and best practices - Update README.md with OIDC/SSO section and quick setup examples Internationalization: - Add i18n support to OIDCProviderButtons component - Add translation keys for all OIDC UI text - Update English translations with "sign_in_with" key Bug Fixes: - Fix oidcService.ts to correctly unwrap API responses - Backend returns {providers: [...]} and {identities: [...]} - Frontend was expecting plain arrays, causing "map is not a function" error - Fix initiateOIDCLink to properly handle POST response UI Improvements: - Move OIDC/SSO to dedicated tab in profile settings - Create new OIDCTab component with green LinkIcon - Remove ConnectedAccounts from SecurityTab - Add OIDC tab between Security and API Keys tabs - Update ProfileSettings with new tab configuration - Security tab now focuses solely on password management Testing: - All linting passes - All tests pass (82 suites, 1223 tests) Related to #977 * feat: add OIDC/SSO translations for all 24 languages Add i18n support for OIDC/SSO features across all supported languages: - "Sign in with {{provider}}" button text - "OIDC/SSO" tab label in profile settings - OIDC authentication flow messages Translations added for: Arabic, Bulgarian, Danish, German, Greek, Spanish, Finnish, French, Indonesian, Italian, Japanese, Korean, Dutch, Norwegian, Polish, Portuguese, Romanian, Russian, Slovenian, Swedish, Turkish, Ukrainian, Vietnamese, and Chinese. * fix: resolve 13 CodeQL security alerts This commit addresses critical security vulnerabilities identified by CodeQL scanning: **Security Configuration (2 fixes)** - Fix insecure Helmet configuration - enable CSP and HSTS in production - Fix clear text cookie transmission - enable secure cookies in production **Path Injection (3 fixes)** - Add path validation in users/controller.js to prevent arbitrary file deletion - Add path validation in users/service.js for avatar operations - Add path sanitization in attachment-utils.js deleteFileFromDisk function **Cross-Site Scripting (1 fix)** - Fix XSS vulnerability in GeneralTab.tsx avatar URL handling - Add URL sanitization to prevent javascript: protocol attacks **URL Security (2 fixes)** - Fix double escaping in url/service.js HTML entity decoding - Fix incomplete URL sanitization for YouTube domain validation **Denial of Service (1 fix)** - Add loop bound protection in inboxProcessingService.js (10k char limit) **Rate Limiting (3 fixes)** - Add rate limiting to auth routes (register, verify-email) - Add rate limiting to task attachment upload/delete endpoints - Add rate limiting to user avatar upload/delete endpoints **GitHub Actions Security (1 fix)** - Add explicit read-only permissions to CI workflow Note: CSRF middleware (#10) requires frontend changes and is tracked separately. Relates to PR #1008 * fix: allow test files in path validation for tests * fix: format long condition in attachment-utils for Prettier compliance Break the path validation condition across multiple lines to meet Prettier formatting requirements and fix CI linting failure. * fix: resolve CodeQL security alerts - Add rate limiting to OIDC authentication routes using authLimiter and authenticatedApiLimiter - Implement CSRF protection middleware using csrf-sync (skips for API tokens and test environment) - Add CSRF token endpoint at /api/csrf-token - Fix incomplete URL scheme validation in GeneralTab to block all dangerous schemes (javascript:, data:, vbscript:, file:) This addresses 5 high-severity CodeQL security vulnerabilities: - Missing rate limiting on OIDC auth routes - Missing CSRF middleware protection - Incomplete URL sanitization in avatar handling All 1223 tests passing. * fix: implement CSRF protection with lusca for CodeQL compliance Add CSRF protection using lusca.csrf (CodeQL's recommended library) to protect session-based authentication while supporting hybrid auth patterns. Implementation: - Pre-check middleware marks exempt requests (test env, Bearer tokens) - Lusca CSRF middleware applied with exemption flag check - Session-based requests require valid x-csrf-token header - Bearer token requests exempt (don't use cookies) - Test environment exempt for test execution This addresses CodeQL security alert js/missing-token-validation while maintaining support for both cookie-based and token-based authentication. Related: #977 (OIDC/SSO authentication feature)
296 lines
12 KiB
JavaScript
296 lines
12 KiB
JavaScript
const providerConfig = require('../../../../modules/oidc/providerConfig');
|
|
|
|
describe('OIDC Provider Configuration', () => {
|
|
let originalEnv;
|
|
|
|
beforeEach(() => {
|
|
originalEnv = { ...process.env };
|
|
providerConfig.reloadProviders();
|
|
});
|
|
|
|
afterEach(() => {
|
|
process.env = originalEnv;
|
|
providerConfig.reloadProviders();
|
|
});
|
|
|
|
describe('when OIDC is disabled', () => {
|
|
it('should return empty array when OIDC_ENABLED is not true', () => {
|
|
process.env.OIDC_ENABLED = 'false';
|
|
providerConfig.reloadProviders();
|
|
|
|
const providers = providerConfig.getAllProviders();
|
|
expect(providers).toEqual([]);
|
|
expect(providerConfig.isOidcEnabled()).toBe(false);
|
|
});
|
|
|
|
it('should return empty array when OIDC_ENABLED is not set', () => {
|
|
delete process.env.OIDC_ENABLED;
|
|
providerConfig.reloadProviders();
|
|
|
|
const providers = providerConfig.getAllProviders();
|
|
expect(providers).toEqual([]);
|
|
expect(providerConfig.isOidcEnabled()).toBe(false);
|
|
});
|
|
});
|
|
|
|
describe('single provider configuration', () => {
|
|
it('should load single provider from .env', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
process.env.OIDC_PROVIDER_NAME = 'Google';
|
|
process.env.OIDC_PROVIDER_SLUG = 'google';
|
|
process.env.OIDC_ISSUER_URL = 'https://accounts.google.com';
|
|
process.env.OIDC_CLIENT_ID = 'test-client-id';
|
|
process.env.OIDC_CLIENT_SECRET = 'test-client-secret';
|
|
|
|
providerConfig.reloadProviders();
|
|
const providers = providerConfig.getAllProviders();
|
|
|
|
expect(providers).toHaveLength(1);
|
|
expect(providers[0]).toMatchObject({
|
|
slug: 'google',
|
|
name: 'Google',
|
|
issuer: 'https://accounts.google.com',
|
|
clientId: 'test-client-id',
|
|
clientSecret: 'test-client-secret',
|
|
scope: 'openid profile email',
|
|
autoProvision: true,
|
|
});
|
|
});
|
|
|
|
it('should use default slug if not provided', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
process.env.OIDC_PROVIDER_NAME = 'Custom Provider';
|
|
process.env.OIDC_ISSUER_URL = 'https://auth.example.com';
|
|
process.env.OIDC_CLIENT_ID = 'test-id';
|
|
process.env.OIDC_CLIENT_SECRET = 'test-secret';
|
|
|
|
providerConfig.reloadProviders();
|
|
const provider = providerConfig.getProvider('default');
|
|
|
|
expect(provider).toBeDefined();
|
|
expect(provider.slug).toBe('default');
|
|
});
|
|
|
|
it('should parse custom scope', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
process.env.OIDC_PROVIDER_NAME = 'Okta';
|
|
process.env.OIDC_PROVIDER_SLUG = 'okta';
|
|
process.env.OIDC_ISSUER_URL = 'https://company.okta.com';
|
|
process.env.OIDC_CLIENT_ID = 'test-id';
|
|
process.env.OIDC_CLIENT_SECRET = 'test-secret';
|
|
process.env.OIDC_SCOPE = 'openid profile email groups';
|
|
|
|
providerConfig.reloadProviders();
|
|
const provider = providerConfig.getProvider('okta');
|
|
|
|
expect(provider.scope).toBe('openid profile email groups');
|
|
});
|
|
|
|
it('should parse admin email domains', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
process.env.OIDC_PROVIDER_NAME = 'Google';
|
|
process.env.OIDC_PROVIDER_SLUG = 'google';
|
|
process.env.OIDC_ISSUER_URL = 'https://accounts.google.com';
|
|
process.env.OIDC_CLIENT_ID = 'test-id';
|
|
process.env.OIDC_CLIENT_SECRET = 'test-secret';
|
|
process.env.OIDC_ADMIN_EMAIL_DOMAINS = 'example.com,company.com';
|
|
|
|
providerConfig.reloadProviders();
|
|
const provider = providerConfig.getProvider('google');
|
|
|
|
expect(provider.adminEmailDomains).toEqual([
|
|
'example.com',
|
|
'company.com',
|
|
]);
|
|
});
|
|
|
|
it('should respect AUTO_PROVISION=false', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
process.env.OIDC_PROVIDER_NAME = 'Okta';
|
|
process.env.OIDC_PROVIDER_SLUG = 'okta';
|
|
process.env.OIDC_ISSUER_URL = 'https://company.okta.com';
|
|
process.env.OIDC_CLIENT_ID = 'test-id';
|
|
process.env.OIDC_CLIENT_SECRET = 'test-secret';
|
|
process.env.OIDC_AUTO_PROVISION = 'false';
|
|
|
|
providerConfig.reloadProviders();
|
|
const provider = providerConfig.getProvider('okta');
|
|
|
|
expect(provider.autoProvision).toBe(false);
|
|
});
|
|
|
|
it('should return empty array if configuration is incomplete', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
process.env.OIDC_PROVIDER_NAME = 'Google';
|
|
|
|
providerConfig.reloadProviders();
|
|
const providers = providerConfig.getAllProviders();
|
|
|
|
expect(providers).toEqual([]);
|
|
});
|
|
});
|
|
|
|
describe('multiple provider configuration', () => {
|
|
it('should load multiple numbered providers', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
|
|
process.env.OIDC_PROVIDER_1_NAME = 'Google';
|
|
process.env.OIDC_PROVIDER_1_SLUG = 'google';
|
|
process.env.OIDC_PROVIDER_1_ISSUER = 'https://accounts.google.com';
|
|
process.env.OIDC_PROVIDER_1_CLIENT_ID = 'google-id';
|
|
process.env.OIDC_PROVIDER_1_CLIENT_SECRET = 'google-secret';
|
|
|
|
process.env.OIDC_PROVIDER_2_NAME = 'Okta';
|
|
process.env.OIDC_PROVIDER_2_SLUG = 'okta';
|
|
process.env.OIDC_PROVIDER_2_ISSUER = 'https://company.okta.com';
|
|
process.env.OIDC_PROVIDER_2_CLIENT_ID = 'okta-id';
|
|
process.env.OIDC_PROVIDER_2_CLIENT_SECRET = 'okta-secret';
|
|
|
|
providerConfig.reloadProviders();
|
|
const providers = providerConfig.getAllProviders();
|
|
|
|
expect(providers).toHaveLength(2);
|
|
expect(providers[0].slug).toBe('google');
|
|
expect(providers[1].slug).toBe('okta');
|
|
});
|
|
|
|
it('should skip numbered providers with incomplete config', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
|
|
process.env.OIDC_PROVIDER_1_NAME = 'Google';
|
|
process.env.OIDC_PROVIDER_1_SLUG = 'google';
|
|
|
|
process.env.OIDC_PROVIDER_2_NAME = 'Okta';
|
|
process.env.OIDC_PROVIDER_2_SLUG = 'okta';
|
|
process.env.OIDC_PROVIDER_2_ISSUER = 'https://company.okta.com';
|
|
process.env.OIDC_PROVIDER_2_CLIENT_ID = 'okta-id';
|
|
process.env.OIDC_PROVIDER_2_CLIENT_SECRET = 'okta-secret';
|
|
|
|
providerConfig.reloadProviders();
|
|
const providers = providerConfig.getAllProviders();
|
|
|
|
expect(providers).toHaveLength(1);
|
|
expect(providers[0].slug).toBe('okta');
|
|
});
|
|
|
|
it('should handle different settings per provider', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
|
|
process.env.OIDC_PROVIDER_1_NAME = 'Google';
|
|
process.env.OIDC_PROVIDER_1_SLUG = 'google';
|
|
process.env.OIDC_PROVIDER_1_ISSUER = 'https://accounts.google.com';
|
|
process.env.OIDC_PROVIDER_1_CLIENT_ID = 'google-id';
|
|
process.env.OIDC_PROVIDER_1_CLIENT_SECRET = 'google-secret';
|
|
process.env.OIDC_PROVIDER_1_AUTO_PROVISION = 'true';
|
|
|
|
process.env.OIDC_PROVIDER_2_NAME = 'Corporate';
|
|
process.env.OIDC_PROVIDER_2_SLUG = 'corp';
|
|
process.env.OIDC_PROVIDER_2_ISSUER = 'https://auth.corp.com';
|
|
process.env.OIDC_PROVIDER_2_CLIENT_ID = 'corp-id';
|
|
process.env.OIDC_PROVIDER_2_CLIENT_SECRET = 'corp-secret';
|
|
process.env.OIDC_PROVIDER_2_AUTO_PROVISION = 'false';
|
|
process.env.OIDC_PROVIDER_2_ADMIN_EMAIL_DOMAINS = 'corp.com';
|
|
|
|
providerConfig.reloadProviders();
|
|
|
|
const google = providerConfig.getProvider('google');
|
|
const corp = providerConfig.getProvider('corp');
|
|
|
|
expect(google.autoProvision).toBe(true);
|
|
expect(google.adminEmailDomains).toEqual([]);
|
|
|
|
expect(corp.autoProvision).toBe(false);
|
|
expect(corp.adminEmailDomains).toEqual(['corp.com']);
|
|
});
|
|
});
|
|
|
|
describe('getProvider', () => {
|
|
beforeEach(() => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
process.env.OIDC_PROVIDER_NAME = 'Google';
|
|
process.env.OIDC_PROVIDER_SLUG = 'google';
|
|
process.env.OIDC_ISSUER_URL = 'https://accounts.google.com';
|
|
process.env.OIDC_CLIENT_ID = 'test-id';
|
|
process.env.OIDC_CLIENT_SECRET = 'test-secret';
|
|
providerConfig.reloadProviders();
|
|
});
|
|
|
|
it('should return provider by slug', () => {
|
|
const provider = providerConfig.getProvider('google');
|
|
expect(provider).toBeDefined();
|
|
expect(provider.slug).toBe('google');
|
|
});
|
|
|
|
it('should return null for non-existent slug', () => {
|
|
const provider = providerConfig.getProvider('nonexistent');
|
|
expect(provider).toBeNull();
|
|
});
|
|
});
|
|
|
|
describe('isOidcEnabled', () => {
|
|
it('should return true when OIDC is enabled with valid provider', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
process.env.OIDC_PROVIDER_NAME = 'Google';
|
|
process.env.OIDC_PROVIDER_SLUG = 'google';
|
|
process.env.OIDC_ISSUER_URL = 'https://accounts.google.com';
|
|
process.env.OIDC_CLIENT_ID = 'test-id';
|
|
process.env.OIDC_CLIENT_SECRET = 'test-secret';
|
|
|
|
providerConfig.reloadProviders();
|
|
expect(providerConfig.isOidcEnabled()).toBe(true);
|
|
});
|
|
|
|
it('should return false when OIDC_ENABLED is false', () => {
|
|
process.env.OIDC_ENABLED = 'false';
|
|
providerConfig.reloadProviders();
|
|
expect(providerConfig.isOidcEnabled()).toBe(false);
|
|
});
|
|
|
|
it('should return false when no providers configured', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
providerConfig.reloadProviders();
|
|
expect(providerConfig.isOidcEnabled()).toBe(false);
|
|
});
|
|
});
|
|
|
|
describe('provider caching', () => {
|
|
it('should cache providers after first load', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
process.env.OIDC_PROVIDER_NAME = 'Google';
|
|
process.env.OIDC_PROVIDER_SLUG = 'google';
|
|
process.env.OIDC_ISSUER_URL = 'https://accounts.google.com';
|
|
process.env.OIDC_CLIENT_ID = 'test-id';
|
|
process.env.OIDC_CLIENT_SECRET = 'test-secret';
|
|
|
|
providerConfig.reloadProviders();
|
|
const providers1 = providerConfig.getAllProviders();
|
|
|
|
process.env.OIDC_PROVIDER_NAME = 'Changed';
|
|
|
|
const providers2 = providerConfig.getAllProviders();
|
|
|
|
expect(providers1).toBe(providers2);
|
|
expect(providers2[0].name).toBe('Google');
|
|
});
|
|
|
|
it('should reload providers when reloadProviders is called', () => {
|
|
process.env.OIDC_ENABLED = 'true';
|
|
process.env.OIDC_PROVIDER_NAME = 'Google';
|
|
process.env.OIDC_PROVIDER_SLUG = 'google';
|
|
process.env.OIDC_ISSUER_URL = 'https://accounts.google.com';
|
|
process.env.OIDC_CLIENT_ID = 'test-id';
|
|
process.env.OIDC_CLIENT_SECRET = 'test-secret';
|
|
|
|
providerConfig.reloadProviders();
|
|
const providers1 = providerConfig.getAllProviders();
|
|
|
|
process.env.OIDC_PROVIDER_NAME = 'Changed';
|
|
providerConfig.reloadProviders();
|
|
|
|
const providers2 = providerConfig.getAllProviders();
|
|
|
|
expect(providers1).not.toBe(providers2);
|
|
expect(providers2[0].name).toBe('Changed');
|
|
});
|
|
});
|
|
});
|