🔐 feat: Enhance OpenID User Info Handling (#4561)

* oidc-changes Initial attempt at testing openidStrategy and adding OPENID_USERNAME_CLAIM setting * oidc-changes Add OPENID_NAME_CLAIM * oidc-changes cleanup oidc test code * oidc-changes using mongo memory server for test * oidc-changes Change tests to expect username all lowercase * oidc-changes Add more tests * chore: linting * refactor: Simplify OpenID full name retrieval logic * refactor: Simplify OpenID user info retrieval logic * refactor: move helper to openidStrategy.js --------- Co-authored-by: alihacks <alihacks@pm.me>
2025-12-17 00:40:14 +01:00 · 2024-10-27 11:41:48 -04:00 · 2024-10-27 11:41:48 -04:00 · a1647d76e0
commit a1647d76e0
parent 600d21780b
3 changed files with 219 additions and 13 deletions
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@ -14,6 +14,7 @@ try {
 } catch (err) {
  logger.error('[openidStrategy] crypto support is disabled!', err);
 }
+
 /**
 * Downloads an image from a URL using an access token.
 * @param {string} url
@ -53,6 +54,36 @@ const downloadImage = async (url, accessToken) => {
  }
 };

+/**
+ * Determines the full name of a user based on OpenID userinfo and environment configuration.
+ *
+ * @param {Object} userinfo - The user information object from OpenID Connect
+ * @param {string} [userinfo.given_name] - The user's first name
+ * @param {string} [userinfo.family_name] - The user's last name
+ * @param {string} [userinfo.username] - The user's username
+ * @param {string} [userinfo.email] - The user's email address
+ * @returns {string} The determined full name of the user
+ */
+function getFullName(userinfo) {
+  if (process.env.OPENID_NAME_CLAIM) {
+    return userinfo[process.env.OPENID_NAME_CLAIM];
+  }
+
+  if (userinfo.given_name && userinfo.family_name) {
+    return `${userinfo.given_name} ${userinfo.family_name}`;
+  }
+
+  if (userinfo.given_name) {
+    return userinfo.given_name;
+  }
+
+  if (userinfo.family_name) {
+    return userinfo.family_name;
+  }
+
+  return userinfo.username || userinfo.email;
+}
+
 /**
 * Converts an input into a string suitable for a username.
 * If the input is a string, it will be returned as is.
@ -117,16 +148,7 @@ async function setupOpenId() {
            );
          }

-          let fullName = '';
-          if (userinfo.given_name && userinfo.family_name) {
-            fullName = userinfo.given_name + ' ' + userinfo.family_name;
-          } else if (userinfo.given_name) {
-            fullName = userinfo.given_name;
-          } else if (userinfo.family_name) {
-            fullName = userinfo.family_name;
-          } else {
-            fullName = userinfo.username || userinfo.email;
-          }
+          const fullName = getFullName(userinfo);

          if (requiredRole) {
            let decodedToken = '';
@ -158,9 +180,14 @@ async function setupOpenId() {
            }
          }

-          const username = convertToUsername(
-            userinfo.username || userinfo.given_name || userinfo.email,
-          );
+          let username = '';
+          if (process.env.OPENID_USERNAME_CLAIM) {
+            username = userinfo[process.env.OPENID_USERNAME_CLAIM];
+          } else {
+            username = convertToUsername(
+              userinfo.username || userinfo.given_name || userinfo.email,
+            );
+          }

          if (!user) {
            user = {