🛂 feat: Required OpenID Role (#2279)

* feat: add possibility to filter by roles for OpenID provider --------- Co-authored-by: Sirius <siriusfrk@gmail.com>
2025-12-17 00:40:14 +01:00 · 2024-04-02 03:08:17 -04:00 · 2024-04-02 03:08:17 -04:00 · 1bafe80e78
commit 1bafe80e78
parent 49753a35e5
11 changed files with 599 additions and 441 deletions
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@ -2,6 +2,7 @@ const fs = require('fs');
 const path = require('path');
 const axios = require('axios');
 const passport = require('passport');
+const jwtDecode = require('jsonwebtoken/decode');
 const { Issuer, Strategy: OpenIDStrategy } = require('openid-client');
 const { logger } = require('~/config');
 const User = require('~/models/User');
@ -44,7 +45,9 @@ async function setupOpenId() {
      client_secret: process.env.OPENID_CLIENT_SECRET,
      redirect_uris: [process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL],
    });
-
+    const requiredRole = process.env.OPENID_REQUIRED_ROLE;
+    const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
+    const requiredRoleTokenKind = process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND;
    const openidLogin = new OpenIDStrategy(
      {
        client,
@ -71,6 +74,36 @@ async function setupOpenId() {
            fullName = userinfo.username || userinfo.email;
          }

+          if (requiredRole) {
+            let decodedToken = '';
+            if (requiredRoleTokenKind === 'access') {
+              decodedToken = jwtDecode(tokenset.access_token);
+            } else if (requiredRoleTokenKind === 'id') {
+              decodedToken = jwtDecode(tokenset.id_token);
+            }
+            const pathParts = requiredRoleParameterPath.split('.');
+            let found = true;
+            let roles = pathParts.reduce((o, key) => {
+              if (o === null || o === undefined || !(key in o)) {
+                found = false;
+                return [];
+              }
+              return o[key];
+            }, decodedToken);
+
+            if (!found) {
+              console.error(
+                `Key '${requiredRoleParameterPath}' not found in ${requiredRoleTokenKind} token!`,
+              );
+            }
+
+            if (!roles.includes(requiredRole)) {
+              return done(null, false, {
+                message: `You must have the "${requiredRole}" role to log in.`,
+              });
+            }
+          }
+
          if (!user) {
            user = new User({
              provider: 'openid',