merge oidc branch

Zoey2936 · Zoey2936 · commit 166538647784 · 2025-03-28T09:38:05.000+01:00
Signed-off-by: Zoey &lt;zoey@z0ey.de&gt;
diff --git a/backend/internal/token.js b/backend/internal/token.js
@@ -87,7 +87,7 @@ module.exports = {
 	getTokenFromOAuthClaim: (data) => {
 		let Token = new TokenModel();
 
-		data.scope  = 'user';
+		data.scope = 'user';
 		data.expiry = '1d';
 
 		return userModel
@@ -109,13 +109,12 @@ module.exports = {
 
 				let iss = 'api',
 					attrs = { id: user.id },
-					scope = [ data.scope ],
+					scope = [data.scope],
 					expiresIn = data.expiry;
 
-				return Token.create({ iss, attrs, scope, expiresIn })
-					.then((signed) => {
-						return { token: signed.token, expires: expiry.toISOString() };
-					});
+				return Token.create({ iss, attrs, scope, expiresIn }).then((signed) => {
+					return { token: signed.token, expires: expiry.toISOString() };
+				});
 			});
 	},
 
diff --git a/backend/package.json b/backend/package.json
@@ -23,7 +23,7 @@
     "moment": "2.30.1",
     "mysql2": "3.14.0",
     "node-rsa": "1.1.1",
-    "openid-client": "5.4.0",
+    "openid-client": "5.7.1",
     "objection": "3.1.5",
     "path": "0.12.7",
     "pg": "8.14.1",
diff --git a/backend/routes/oidc.js b/backend/routes/oidc.js
@@ -1,16 +1,16 @@
-const crypto        = require('crypto');
-const error         = require('../lib/error');
-const express       = require('express');
-const jwtdecode     = require('../lib/express/jwt-decode');
-const logger        = require('../logger').oidc;
-const oidc          = require('openid-client');
-const settingModel  = require('../models/setting');
+const crypto = require('crypto');
+const error = require('../lib/error');
+const express = require('express');
+const jwtdecode = require('../lib/express/jwt-decode');
+const logger = require('../logger').oidc;
+const oidc = require('openid-client');
+const settingModel = require('../models/setting');
 const internalToken = require('../internal/token');
 
 let router = express.Router({
 	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
+	strict: true,
+	mergeParams: true,
 });
 
 router
@@ -29,14 +29,13 @@ router
 		logger.info('Initializing OAuth flow');
 		settingModel
 			.query()
-			.where({id: 'oidc-config'})
+			.where({ id: 'oidc-config' })
 			.first()
 			.then((row) => getInitParams(req, row))
 			.then((params) => redirectToAuthorizationURL(res, params))
 			.catch((err) => redirectWithError(res, err));
 	});
 
-
 router
 	.route('/callback')
 	.options((req, res) => {
@@ -53,7 +52,7 @@ router
 		logger.info('Processing callback');
 		settingModel
 			.query()
-			.where({id: 'oidc-config'})
+			.where({ id: 'oidc-config' })
 			.first()
 			.then((settings) => validateCallback(req, settings))
 			.then((token) => redirectWithJwtToken(res, token))
@@ -74,9 +73,9 @@ let getClient = async (row) => {
 	}
 
 	return new issuer.Client({
-		client_id:      row.meta.clientID,
-		client_secret:  row.meta.clientSecret,
-		redirect_uris:  [row.meta.redirectURL],
+		client_id: row.meta.clientID,
+		client_secret: row.meta.clientSecret,
+		redirect_uris: [row.meta.redirectURL],
 		response_types: ['code'],
 	});
 };
@@ -90,10 +89,10 @@ let getClient = async (row) => {
  * */
 let getInitParams = async (req, row) => {
 	let client = await getClient(row),
-		state  = crypto.randomUUID(),
-		nonce  = crypto.randomUUID(),
-		url    = client.authorizationUrl({
-			scope:    'openid email profile',
+		state = crypto.randomUUID(),
+		nonce = crypto.randomUUID(),
+		url = client.authorizationUrl({
+			scope: 'openid email profile',
 			resource: `${req.protocol}://${req.get('host')}${req.originalUrl}`,
 			state,
 			nonce,
@@ -109,14 +108,17 @@ let getInitParams = async (req, row) => {
  * @return { {String}, {String} } state and nonce
  * */
 let parseStateFromCookie = (req) => {
+	if (!req.headers || !req.headers.cookie) {
+		return { state: undefined, nonce: undefined };
+	}
 	let state, nonce;
 	let cookies = req.headers.cookie.split(';');
 	for (let cookie of cookies) {
-		if (cookie.split('=')[0].trim() === 'npm_oidc') {
+		if (cookie.split('=')[0].trim() === 'npmplus_oidc') {
 			let raw = cookie.split('=')[1],
 				val = raw.split('--');
-			state   = val[0].trim();
-			nonce   = val[1].trim();
+			state = val[0].trim();
+			nonce = val[1].trim();
 			break;
 		}
 	}
@@ -132,15 +134,15 @@ let parseStateFromCookie = (req) => {
  * @return {Promise} a promise resolving to a jwt token
  * */
 let validateCallback = async (req, settings) => {
-	let client 	         = await getClient(settings);
+	let client = await getClient(settings);
 	let { state, nonce } = parseStateFromCookie(req);
 
-	const params   = client.callbackParams(req);
+	const params = client.callbackParams(req);
 	const tokenSet = await client.callback(settings.meta.redirectURL, params, { state, nonce });
-	let claims     = tokenSet.claims();
+	let claims = tokenSet.claims();
 
 	if (!claims.email) {
-		throw new error.AuthError('The Identity Provider didn\'t send the \'email\' claim');
+		throw new error.AuthError("The Identity Provider didn't send the 'email' claim");
 	} else {
 		logger.info('Successful authentication for email ' + claims.email);
 	}
@@ -150,18 +152,18 @@ let validateCallback = async (req, settings) => {
 
 let redirectToAuthorizationURL = (res, params) => {
 	logger.info('Authorization URL: ' + params.url);
-	res.cookie('npm_oidc', params.state + '--' + params.nonce);
+	res.cookie('npmplus_oidc', params.state + '--' + params.nonce);
 	res.redirect(params.url);
 };
 
 let redirectWithJwtToken = (res, token) => {
-	res.cookie('npm_oidc', token.token + '---' + token.expires);
+	res.cookie('npmplus_oidc', token.token + '---' + token.expires);
 	res.redirect('/login');
 };
 
 let redirectWithError = (res, error) => {
 	logger.error('Callback error: ' + error.message);
-	res.cookie('npm_oidc_error', error.message);
+	res.cookie('npmplus_oidc_error', error.message);
 	res.redirect('/login');
 };
 
diff --git a/backend/routes/settings.js b/backend/routes/settings.js
@@ -83,8 +83,8 @@ router
 					};
 
 					// Remove these temporary cookies used during oidc authentication
-					res.clearCookie('npm_oidc');
-					res.clearCookie('npm_oidc_error');
+					res.clearCookie('npmplus_oidc');
+					res.clearCookie('npmplus_oidc_error');
 				}
 				res.status(200).send(row);
 			})
diff --git a/backend/routes/tokens.js b/backend/routes/tokens.js
@@ -31,7 +31,7 @@ router
 			})
 			.then((data) => {
 				// clear this temporary cookie following a successful oidc authentication
-				res.clearCookie('npm_oidc');
+				res.clearCookie('npmplus_oidc');
 				res.status(200).send(data);
 			})
 			.catch(next);
diff --git a/backend/setup.js b/backend/setup.js
@@ -123,7 +123,7 @@ const setupDefaultSettings = () => {
 						.insert({
 							id: 'oidc-config',
 							name: 'Open ID Connect',
-							description: 'Sign in to Nginx Proxy Manager with an external Identity Provider',
+							description: 'Sign in to NPMplus with an external Identity Provider',
 							value: 'metadata',
 							meta: {},
 						})
diff --git a/backend/yarn.lock b/backend/yarn.lock
@@ -1490,6 +1490,11 @@ jackspeak@^3.1.2:
   optionalDependencies:
     "@pkgjs/parseargs" "^0.11.0"
 
+jose@^4.10.0:
+  version "4.15.9"
+  resolved "https://registry.yarnpkg.com/jose/-/jose-4.15.9.tgz#9b68eda29e9a0614c042fa29387196c7dd800100"
+  integrity sha512-1vUQX+IdDMVPj4k8kOxgUqlcK518yluMuGZwqlr44FS1ppZB/5GWh4rZG89erpOBOJjU/OBsnCVFfapsRz6nEA==
+
 js-yaml@^4.1.0:
   version "4.1.0"
   resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz#c1fb65f8f5017901cdd2c951864ba18458a10602"
@@ -1691,6 +1696,13 @@ lru-cache@^10.2.0:
   resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-10.4.3.tgz#410fc8a17b70e598013df257c2446b7f3383f119"
   integrity sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==
 
+lru-cache@^6.0.0:
+  version "6.0.0"
+  resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-6.0.0.tgz#6d6fe6570ebd96aaf90fcad1dafa3b2566db3a94"
+  integrity sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==
+  dependencies:
+    yallist "^4.0.0"
+
 lru-cache@^7.14.1:
   version "7.18.3"
   resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-7.18.3.tgz#f793896e0fd0e954a59dfdd82f0773808df6aa89"
@@ -1738,17 +1750,17 @@ mime-db@1.52.0:
   resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.52.0.tgz#bbabcdc02859f4987301c856e3387ce5ec43bf70"
   integrity sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==
 
-"mime-db@>= 1.43.0 < 2", mime-db@^1.53.0:
+"mime-db@>= 1.43.0 < 2", mime-db@^1.54.0:
   version "1.54.0"
   resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.54.0.tgz#cddb3ee4f9c64530dff640236661d42cb6a314f5"
   integrity sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==
 
 mime-types@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-3.0.0.tgz#148453a900475522d095a445355c074cca4f5217"
-  integrity sha512-XqoSHeCGjVClAmoGFG3lVFqQFRIrTVw2OH3axRqAcfaw+gHWIfnASS92AV+Rl/mk0MupgZTRHQOjxY6YVnzK5w==
+  version "3.0.1"
+  resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-3.0.1.tgz#b1d94d6997a9b32fd69ebaed0db73de8acb519ce"
+  integrity sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA==
   dependencies:
-    mime-db "^1.53.0"
+    mime-db "^1.54.0"
 
 mime-types@~2.1.24, mime-types@~2.1.34:
   version "2.1.35"
@@ -1943,6 +1955,11 @@ object-assign@^4.1.1:
   resolved "https://registry.yarnpkg.com/object-assign/-/object-assign-4.1.1.tgz#2109adc7965887cfc05cbbd442cac8bfbb360863"
   integrity sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==
 
+object-hash@^2.0.1:
+  version "2.2.0"
+  resolved "https://registry.yarnpkg.com/object-hash/-/object-hash-2.2.0.tgz#5ad518581eefc443bd763472b8ff2e9c2c0d54a5"
+  integrity sha512-gScRMn0bS5fH+IuwyIFgnh9zBdo4DV+6GhygmWM9HyNJSgS0hScp1f5vjtm7oIIOiT9trXrShAkLFSc2IqKNgw==
+
 object-inspect@^1.13.3:
   version "1.13.4"
   resolved "https://registry.yarnpkg.com/object-inspect/-/object-inspect-1.13.4.tgz#8375265e21bc20d0fa582c22e1b13485d6e00213"
@@ -1957,6 +1974,11 @@ objection@3.1.5:
     ajv-formats "^2.1.1"
     db-errors "^0.2.3"
 
+oidc-token-hash@^5.0.1:
+  version "5.1.0"
+  resolved "https://registry.yarnpkg.com/oidc-token-hash/-/oidc-token-hash-5.1.0.tgz#74bda0c35dd9f71ea9ce0db72ce8dabf5f90ef79"
+  integrity sha512-y0W+X7Ppo7oZX6eovsRkuzcSM40Bicg2JEJkDJ4irIt1wsYAP5MLSNv+QAogO8xivMffw/9OvV3um1pxXgt1uA==
+
 on-finished@2.4.1, on-finished@^2.4.1:
   version "2.4.1"
   resolved "https://registry.yarnpkg.com/on-finished/-/on-finished-2.4.1.tgz#58c8c44116e54845ad57f14ab10b03533184ac3f"
@@ -1976,6 +1998,16 @@ once@^1.3.0, once@^1.3.1, once@^1.4.0:
   dependencies:
     wrappy "1"
 
+openid-client@5.4.0:
+  version "5.4.0"
+  resolved "https://registry.yarnpkg.com/openid-client/-/openid-client-5.4.0.tgz#77f1cda14e2911446f16ea3f455fc7c405103eac"
+  integrity sha512-hgJa2aQKcM2hn3eyVtN12tEA45ECjTJPXCgUh5YzTzy9qwapCvmDTVPWOcWVL0d34zeQoQ/hbG9lJhl3AYxJlQ==
+  dependencies:
+    jose "^4.10.0"
+    lru-cache "^6.0.0"
+    object-hash "^2.0.1"
+    oidc-token-hash "^5.0.1"
+
 optionator@^0.9.3:
   version "0.9.4"
   resolved "https://registry.yarnpkg.com/optionator/-/optionator-0.9.4.tgz#7ea1c1a5d91d764fb282139c88fe11e182a3a734"
@@ -2792,9 +2824,9 @@ type-check@^0.4.0, type-check@~0.4.0:
     prelude-ls "^1.2.1"
 
 type-is@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/type-is/-/type-is-2.0.0.tgz#7d249c2e2af716665cc149575dadb8b3858653af"
-  integrity sha512-gd0sGezQYCbWSbkZr75mln4YBidWUN60+devscpLF5mtRDUpiaTvKpBNrdaCvel1NdR2k6vclXybU5fBd2i+nw==
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/type-is/-/type-is-2.0.1.tgz#64f6cf03f92fce4015c2b224793f6bdd4b068c97"
+  integrity sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==
   dependencies:
     content-type "^1.0.5"
     media-typer "^1.1.0"
diff --git a/frontend/js/i18n/de-lang.json b/frontend/js/i18n/de-lang.json
@@ -82,7 +82,7 @@
     "form-title": "Hinzufügen {provider, select, letsencrypt{Certbot} other{Custom}} Zertifikat",
     "help-content": "TLS-Zertifikate (früher bekannt als SSL-Zertifikate) sind eine Art Verschlüsselungsschlüssel, mit dem Ihre Website für die:den Endbenutzer:in verschlüsselt werden kann.\nNPMplus verwendet standardmäßig einen Dienst namens Let's Encrypt, um kostenlos TLS-Zertifikate auszustellen.\nWenn Sie persönliche Informationen, Passwörter oder sensible Daten hinter NPM haben, ist es wahrscheinlich eine gute Idee, ein Zertifikat zu verwenden.\nNPMplus unterstützt auch die DNS-Authentifizierung, wenn Sie Ihre Website nicht mit dem Internet verbinden oder wenn Sie nur ein Platzhalterzertifikat benötigen.",
     "help-title": "TLS-Zertifikate",
-    "in-use"  : "In Verwendung",
+    "in-use": "In Verwendung",
     "inactive": "Inaktiv",
     "other-certificate": "Zertifikat",
     "other-certificate-key": "Zertifikat Schlüssel",
@@ -116,7 +116,7 @@
     "title": "Dead Hosts"
   },
   "footer": {
-    "text": " - MIT-Lizenz von <a href=\"{url1}\" target=\"_blank\">jc21.com</a> NPM, <a href=\"{url2}\" target=\"_blank\">ZoeyVid</a> NPMplus und Mitwirkende - Thema <a href=\"{url3}\" target=\"_blank\">Tabler v0.0.31</a>",
+    "text": " - MIT-Lizenz von <a href=\"{url1}\" target=\"_blank\">jc21.com</a> NPMplus, <a href=\"{url2}\" target=\"_blank\">ZoeyVid</a> NPMplus und Mitwirkende - Thema <a href=\"{url3}\" target=\"_blank\">Tabler v0.0.31</a>",
     "repo": "Repository auf GitHub",
     "toggle-dark": "Dark Modus ein-/ausschalten"
   },
@@ -187,6 +187,11 @@
     "default-site-description": "Was angezeigt werden soll, wenn Nginx einen unbekannten Host antrifft",
     "default-site-html": "Individuelle Seite",
     "default-site-redirect": "Weiterleitung",
+    "oidc-config": "Open ID Conncect Einstellungen",
+    "oidc-config-description": "Bei NPMplus mit einem externen Identitäts Anbieter anmelden (IdP)",
+    "oidc-not-configured": "Nicht konfiguriert",
+    "oidc-config-hint-1": "Setze die Konfiguration für einen IdP welcher Open ID Connect Discovery unerstützt.",
+    "oidc-config-hint-2": "Die 'Weiterleitungs URL' muss auf '[NPMplus basis URL]/api/oidc/callback' eingestellt sein, der IdP muss die 'email' senden and ein:e Nutzer:in mit dieser E-Mail-Adresse muss in NPMplus existieren.",
     "title": "Einstellungen"
   },
   "str": {
diff --git a/frontend/js/i18n/en-lang.json b/frontend/js/i18n/en-lang.json
@@ -80,7 +80,7 @@
     "empty": "There are no TLS Certificates",
     "force-renew": "Renew Now",
     "form-title": "Add {provider, select, letsencrypt{Certbot} other{Custom}} Certificate",
-    "help-content": "TLS certificates (previously known as SSL Certificates) are a form of encryption key which allows your site to be encrypted for the end user.\nNPMplus uses by default a service called Let's Encrypt to issue TLS certificates for free.\nIf you have any sort of personal information, passwords, or sensitive data behind NPM, it's probably a good idea to use a certificate.\nNPMplus also supports DNS authentication for if you're not running your site facing the internet, or if you just want a wildcard certificate.",
+    "help-content": "TLS certificates (previously known as SSL Certificates) are a form of encryption key which allows your site to be encrypted for the end user.\nNPMplus uses by default a service called Let's Encrypt to issue TLS certificates for free.\nIf you have any sort of personal information, passwords, or sensitive data behind NPMplus, it's probably a good idea to use a certificate.\nNPMplus also supports DNS authentication for if you're not running your site facing the internet, or if you just want a wildcard certificate.",
     "help-title": "TLS Certificates",
     "in-use"  : "In use",
     "inactive": "Inactive",
@@ -187,6 +187,11 @@
     "default-site-description": "What to show when Nginx is hit with an unknown Host",
     "default-site-html": "Custom Page",
     "default-site-redirect": "Redirect",
+    "oidc-config": "Configurazione di Open ID Connect",
+    "oidc-config-description": "Accedere a NPMplus con un Identity Provider (IdP)",
+    "oidc-not-configured": "Not configured",
+    "oidc-config-hint-1": "Provide configuration for an IdP that supports Open ID Connect Discovery.",
+    "oidc-config-hint-2": "The 'Redirect URL' must be set to '[NPMplus base URL]/api/oidc/callback', the IdP must send the 'email' claim and a user with matching email address must exist in NPMplus.",
     "title": "Settings"
   },
   "str": {
diff --git a/frontend/js/i18n/it-lang.json b/frontend/js/i18n/it-lang.json
@@ -80,7 +80,7 @@
     "empty": "Non ci sono certificati TLS",
     "force-renew": "Rinnova ora",
     "form-title": "Aggiungi un certificato {provider, select, letsencrypt{Certbot} other{Custom}}",
-    "help-content": "I certificati TLS (noti precedentemente come certificati SSL) sono una forma di chiave di crittografia che consente la crittografia del tuo sito per l'utente finale.\nNPMplus utilizza di default un servizio chiamato Let's Encrypt per rilasciare gratuitamente certificati TLS.\nSe NPM protegge informazioni personali, password o dati sensibili, probabilmente è una buona idea utilizzare un certificato.\nNPMplus supporta anche l'autenticazione DNS nel caso in cui il tuo sito non sia accessibile da Internet o se desideri semplicemente un certificato wildcard.",
+    "help-content": "I certificati TLS (noti precedentemente come certificati SSL) sono una forma di chiave di crittografia che consente la crittografia del tuo sito per l'utente finale.\nNPMplus utilizza di default un servizio chiamato Let's Encrypt per rilasciare gratuitamente certificati TLS.\nSe NPMplus protegge informazioni personali, password o dati sensibili, probabilmente è una buona idea utilizzare un certificato.\nNPMplus supporta anche l'autenticazione DNS nel caso in cui il tuo sito non sia accessibile da Internet o se desideri semplicemente un certificato wildcard.",
     "help-title": "Certificati TLS",
     "in-use"  : "In uso",
     "inactive": "Inattivo",
@@ -187,6 +187,11 @@
     "default-site-description": "Cosa mostrare quando Nginx viene raggiunto da un host sconosciuto",
     "default-site-html": "Pagina personalizzata",
     "default-site-redirect": "Reindirizzamento",
+    "oidc-config": "Open ID Conncect Configuration",
+    "oidc-config-description": "Accedere a NPMplus con un Identity Provider esterno (IdP)",
+    "oidc-not-configured": "Non configurato",
+    "oidc-config-hint-1": "Fornire la configurazione di un IdP che supporta Open ID Connect Discovery.",
+    "oidc-config-hint-2": "L'URL di reindirizzamento' deve essere impostato su '[URL di base NPMplus]/api/oidc/callback', l'IdP deve inviare la richiesta 'email' e deve esistere in NPMplus un utente con un indirizzo email corrispondente.",
     "title": "Impostazioni"
   },
   "str": {
diff --git a/frontend/js/login/ui/login.js b/frontend/js/login/ui/login.js
diff --git a/frontend/yarn.lock b/frontend/yarn.lock
diff --git a/test/cypress/e2e/ui/Login.cy.js b/test/cypress/e2e/ui/Login.cy.js
diff --git a/test/cypress/support/constants.js b/test/cypress/support/constants.js
