Merge branch 'main' into feat/Multitenant-login-OIDC

2026-01-18 16:35:31 +01:00 · 2025-03-21 21:08:32 +01:00 · 2025-03-21 21:08:32 +01:00 · c14751cef5
commit c14751cef5
parent b9b0c03a63 cbba914290
417 changed files with 28394 additions and 9012 deletions
--- a/api/server/routes/tests/config.spec.js
+++ b/api/server/routes/tests/config.spec.js
@ -18,6 +18,7 @@ afterEach(() => {
  delete process.env.OPENID_ISSUER;
  delete process.env.OPENID_SESSION_SECRET;
  delete process.env.OPENID_BUTTON_LABEL;
+  delete process.env.OPENID_AUTO_REDIRECT;
  delete process.env.OPENID_AUTH_URL;
  delete process.env.GITHUB_CLIENT_ID;
  delete process.env.GITHUB_CLIENT_SECRET;
--- a/api/server/routes/auth.js
+++ b/api/server/routes/auth.js
@ -7,8 +7,17 @@ const {
 } = require('~/server/controllers/AuthController');
 const { loginController } = require('~/server/controllers/auth/LoginController');
 const { logoutController } = require('~/server/controllers/auth/LogoutController');
+const { verify2FAWithTempToken } = require('~/server/controllers/auth/TwoFactorAuthController');
+const {
+  enable2FA,
+  verify2FA,
+  disable2FA,
+  regenerateBackupCodes,
+  confirm2FA,
+} = require('~/server/controllers/TwoFactorController');
 const {
  checkBan,
+  logHeaders,
  loginLimiter,
  requireJwtAuth,
  checkInviteUser,
@ -27,6 +36,7 @@ const ldapAuth = !!process.env.LDAP_URL && !!process.env.LDAP_USER_SEARCH_BASE;
 router.post('/logout', requireJwtAuth, logoutController);
 router.post(
  '/login',
+  logHeaders,
  loginLimiter,
  checkBan,
  ldapAuth ? requireLdapAuth : requireLocalAuth,
@ -50,4 +60,11 @@ router.post(
 );
 router.post('/resetPassword', checkBan, validatePasswordReset, resetPasswordController);

+router.get('/2fa/enable', requireJwtAuth, enable2FA);
+router.post('/2fa/verify', requireJwtAuth, verify2FA);
+router.post('/2fa/verify-temp', checkBan, verify2FAWithTempToken);
+router.post('/2fa/confirm', requireJwtAuth, confirm2FA);
+router.post('/2fa/disable', requireJwtAuth, disable2FA);
+router.post('/2fa/backup/regenerate', requireJwtAuth, regenerateBackupCodes);
+
 module.exports = router;
--- a/api/server/routes/config.js
+++ b/api/server/routes/config.js
@ -47,16 +47,17 @@ router.get('/', async function (req, res) {
      githubLoginEnabled: !!process.env.GITHUB_CLIENT_ID && !!process.env.GITHUB_CLIENT_SECRET,
      googleLoginEnabled: !!process.env.GOOGLE_CLIENT_ID && !!process.env.GOOGLE_CLIENT_SECRET,
      appleLoginEnabled:
-          !!process.env.APPLE_CLIENT_ID &&
-          !!process.env.APPLE_TEAM_ID &&
-          !!process.env.APPLE_KEY_ID &&
-          !!process.env.APPLE_PRIVATE_KEY_PATH,
+        !!process.env.APPLE_CLIENT_ID &&
+        !!process.env.APPLE_TEAM_ID &&
+        !!process.env.APPLE_KEY_ID &&
+        !!process.env.APPLE_PRIVATE_KEY_PATH,
      openidLoginEnabled:
        !!process.env.OPENID_ENABLED &&
        !!process.env.OPENID_SESSION_SECRET,
      openidMultiTenantEnabled: !!process.env.OPENID_MULTI_TENANT,
      openidLabel: process.env.OPENID_BUTTON_LABEL || 'Continue with OpenID',
      openidImageUrl: process.env.OPENID_IMAGE_URL,
+      openidAutoRedirect: isEnabled(process.env.OPENID_AUTO_REDIRECT),
      serverDomain: process.env.DOMAIN_SERVER || 'http://localhost:3080',
      emailLoginEnabled,
      registrationEnabled: !ldap?.enabled && isEnabled(process.env.ALLOW_REGISTRATION),
@ -79,6 +80,7 @@ router.get('/', async function (req, res) {
      publicSharedLinksEnabled,
      analyticsGtmId: process.env.ANALYTICS_GTM_ID,
      instanceProjectId: instanceProject._id.toString(),
+      bundlerURL: process.env.SANDPACK_BUNDLER_URL,
    };

    if (ldap) {
--- a/api/server/routes/files/files.js
+++ b/api/server/routes/files/files.js
@ -16,7 +16,7 @@ const {
 } = require('~/server/services/Files/process');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { getOpenAIClient } = require('~/server/controllers/assistants/helpers');
-const { loadAuthValues } = require('~/app/clients/tools/util');
+const { loadAuthValues } = require('~/server/services/Tools/credentials');
 const { getAgent } = require('~/models/Agent');
 const { getFiles } = require('~/models/File');
 const { logger } = require('~/config');
--- a/api/server/routes/oauth.js
+++ b/api/server/routes/oauth.js
@ -1,7 +1,7 @@
 // file deepcode ignore NoRateLimitingForLogin: Rate limiting is handled by the `loginLimiter` middleware
 const express = require('express');
 const passport = require('passport');
-const { loginLimiter, checkBan, checkDomainAllowed } = require('~/server/middleware');
+const { loginLimiter, logHeaders, checkBan, checkDomainAllowed } = require('~/server/middleware');
 const { setAuthTokens } = require('~/server/services/AuthService');
 const { logger } = require('~/config');
 const { chooseOpenIdStrategy } = require('~/server/utils/openidHelper');
@ -13,6 +13,7 @@ const domains = {
  server: process.env.DOMAIN_SERVER,
 };

+router.use(logHeaders);
 router.use(loginLimiter);

 const oauthHandler = async (req, res) => {
@ -31,8 +32,10 @@ const oauthHandler = async (req, res) => {

 router.get('/error', (req, res) => {
  // A single error message is pushed by passport when authentication fails.
-  logger.error('Error in OAuth authentication:', { message: req.session?.messages?.pop() });
-  res.redirect(`${domains.client}/login`);
+  logger.error('Error in OAuth authentication:', { message: req.session.messages.pop() });
+
+  // Redirect to login page with auth_failed parameter to prevent infinite redirect loops
+  res.redirect(`${domains.client}/login?redirect=false`);
 });

 /**