🛠️ fix: Optionally add OpenID Sig. Algo. from Server Discovery (#5398)

* fix: Optionally add OpenID Sig. Algorithm from Server Discovery * chore: bump vite to 5.4.14 for CVE-2025-24010 * chore: remove deprecated code * fix: install missing undici * fix: Add @waylaidwanderer/fetch-event-source package
2025-12-21 10:50:14 +01:00 · 2025-01-21 21:49:27 -05:00 · 2025-01-21 21:49:27 -05:00 · 199e5e6eaf
commit 199e5e6eaf
parent fa9e778399
11 changed files with 101 additions and 2024 deletions
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@ -6,6 +6,7 @@ const { Issuer, Strategy: OpenIDStrategy, custom } = require('openid-client');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { findUser, createUser, updateUser } = require('~/models/userMethods');
 const { hashToken } = require('~/server/utils/crypto');
+const { isEnabled } = require('~/server/utils');
 const { logger } = require('~/config');

 let crypto;
@ -121,15 +122,16 @@ async function setupOpenId() {
      - introspection_signed_response_alg // not in v5
      - authorization_signed_response_alg // not in v5
    */
-    const supported_alg = {
-      id_token_signed_response_alg: issuer.id_token_signing_alg_values_supported?.[0] || 'RS256',
-    };
-    const client = new issuer.Client({
+    /** @type {import('openid-client').ClientMetadata} */
+    const clientMetadata = {
      client_id: process.env.OPENID_CLIENT_ID,
      client_secret: process.env.OPENID_CLIENT_SECRET,
      redirect_uris: [process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL],
-      ...supported_alg,
-    });
+    };
+    if (isEnabled(process.env.OPENID_SET_FIRST_SUPPORTED_ALGORITHM)) {
+      clientMetadata.id_token_signed_response_alg = issuer.id_token_signing_alg_values_supported?.[0] || 'RS256';
+    }
+    const client = new issuer.Client(clientMetadata);
    const requiredRole = process.env.OPENID_REQUIRED_ROLE;
    const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
    const requiredRoleTokenKind = process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND;