wekan/server/authentication.js

import Fiber from 'fibers';

Meteor.startup(() => {
  // Node Fibers 100% CPU usage issue
  // https://github.com/wekan/wekan-mongodb/issues/2#issuecomment-381453161
  // https://github.com/meteor/meteor/issues/9796#issuecomment-381676326
  // https://github.com/sandstorm-io/sandstorm/blob/0f1fec013fe7208ed0fd97eb88b31b77e3c61f42/shell/server/00-startup.js#L99-L129
  Fiber.poolSize = 1e9;

  Accounts.validateLoginAttempt(function(options) {
    const user = options.user || {};
    return !user.loginDisabled;
  });

  Authentication = {};

  Authentication.checkUserId = function(userId) {
    if (userId === undefined) {
      const error = new Meteor.Error('Unauthorized', 'Unauthorized');
      error.statusCode = 401;
      throw error;
    }
    const admin = Users.findOne({ _id: userId, isAdmin: true });

    if (admin === undefined) {
      const error = new Meteor.Error('Forbidden', 'Forbidden');
      error.statusCode = 403;
      throw error;
    }
  };

  // This will only check if the user is logged in.
  // The authorization checks for the user will have to be done inside each API endpoint
  Authentication.checkLoggedIn = function(userId) {
    if (userId === undefined) {
      const error = new Meteor.Error('Unauthorized', 'Unauthorized');
      error.statusCode = 401;
      throw error;
    }
  };

  // An admin should be authorized to access everything, so we use a separate check for admins
  // This throws an error if otherReq is false and the user is not an admin
  Authentication.checkAdminOrCondition = function(userId, otherReq) {
    if (otherReq) return;
    const admin = Users.findOne({ _id: userId, isAdmin: true });
    if (admin === undefined) {
      const error = new Meteor.Error('Forbidden', 'Forbidden');
      error.statusCode = 403;
      throw error;
    }
  };

  // Helper function. Will throw an error if the user does not have read only access to the given board
  Authentication.checkBoardAccess = function(userId, boardId) {
    Authentication.checkLoggedIn(userId);

    const board = Boards.findOne({ _id: boardId });
    const normalAccess =
      board.permission === 'public' ||
      board.members.some(e => e.userId === userId && e.isActive);
    Authentication.checkAdminOrCondition(userId, normalAccess);
  };

  if (Meteor.isServer) {
    if (
      process.env.ORACLE_OIM_ENABLED === 'true' ||
      process.env.ORACLE_OIM_ENABLED === true
    ) {
      ServiceConfiguration.configurations.upsert(
        // eslint-disable-line no-undef
        { service: 'oidc' },
        {
          $set: {
            loginStyle: process.env.OAUTH2_LOGIN_STYLE,
            clientId: process.env.OAUTH2_CLIENT_ID,
            secret: process.env.OAUTH2_SECRET,
            serverUrl: process.env.OAUTH2_SERVER_URL,
            authorizationEndpoint: process.env.OAUTH2_AUTH_ENDPOINT,
            userinfoEndpoint: process.env.OAUTH2_USERINFO_ENDPOINT,
            tokenEndpoint: process.env.OAUTH2_TOKEN_ENDPOINT,
            idTokenWhitelistFields:
              process.env.OAUTH2_ID_TOKEN_WHITELIST_FIELDS || [],
            requestPermissions: process.env.OAUTH2_REQUEST_PERMISSIONS,
          },
        },
      );
    } else if (
      process.env.OAUTH2_ENABLED === 'true' ||
      process.env.OAUTH2_ENABLED === true
    ) {
      ServiceConfiguration.configurations.upsert(
        // eslint-disable-line no-undef
        { service: 'oidc' },
        {
          $set: {
            loginStyle: process.env.OAUTH2_LOGIN_STYLE,
            clientId: process.env.OAUTH2_CLIENT_ID,
            secret: process.env.OAUTH2_SECRET,
            serverUrl: process.env.OAUTH2_SERVER_URL,
            authorizationEndpoint: process.env.OAUTH2_AUTH_ENDPOINT,
            userinfoEndpoint: process.env.OAUTH2_USERINFO_ENDPOINT,
            tokenEndpoint: process.env.OAUTH2_TOKEN_ENDPOINT,
            idTokenWhitelistFields:
              process.env.OAUTH2_ID_TOKEN_WHITELIST_FIELDS || [],
            requestPermissions: process.env.OAUTH2_REQUEST_PERMISSIONS,
          },
          // OAUTH2_ID_TOKEN_WHITELIST_FIELDS || [],
          // OAUTH2_REQUEST_PERMISSIONS || 'openid profile email',
        },
      );
    } else if (
      process.env.CAS_ENABLED === 'true' ||
      process.env.CAS_ENABLED === true
    ) {
      ServiceConfiguration.configurations.upsert(
        // eslint-disable-line no-undef
        { service: 'cas' },
        {
          $set: {
            baseUrl: process.env.CAS_BASE_URL,
            loginUrl: process.env.CAS_LOGIN_URL,
            serviceParam: 'service',
            popupWidth: 810,
            popupHeight: 610,
            popup: true,
            autoClose: true,
            validateUrl: process.env.CASE_VALIDATE_URL,
            casVersion: 3.0,
            attributes: {
              debug: process.env.DEBUG,
            },
          },
        },
      );
    } else if (
      process.env.SAML_ENABLED === 'true' ||
      process.env.SAML_ENABLED === true
    ) {
      ServiceConfiguration.configurations.upsert(
        // eslint-disable-line no-undef
        { service: 'saml' },
        {
          $set: {
            provider: process.env.SAML_PROVIDER,
            entryPoint: process.env.SAML_ENTRYPOINT,
            issuer: process.env.SAML_ISSUER,
            cert: process.env.SAML_CERT,
            idpSLORedirectURL: process.env.SAML_IDPSLO_REDIRECTURL,
            privateKeyFile: process.env.SAML_PRIVATE_KEYFILE,
            publicCertFile: process.env.SAML_PUBLIC_CERTFILE,
            identifierFormat: process.env.SAML_IDENTIFIER_FORMAT,
            localProfileMatchAttribute:
              process.env.SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE,
            attributesSAML: process.env.SAML_ATTRIBUTES || [
              'sn',
              'givenName',
              'mail',
            ],

            /*
            settings = {"saml":[{
              "provider":"openam",
              "entryPoint":"https://openam.idp.io/openam/SSORedirect/metaAlias/zimt/idp",
              "issuer": "https://sp.zimt.io/", //replace with url of your app
              "cert":"MIICizCCAfQCCQCY8tKaMc0 LOTS OF FUNNY CHARS ==",
              "idpSLORedirectURL": "http://openam.idp.io/openam/IDPSloRedirect/metaAlias/zimt/idp",
              "privateKeyFile": "certs/mykey.pem",  // path is relative to $METEOR-PROJECT/private
              "publicCertFile": "certs/mycert.pem",  // eg $METEOR-PROJECT/private/certs/mycert.pem
              "dynamicProfile": true // set to true if we want to create a user in Meteor.users dynamically if SAML assertion is valid
              "identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", // Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
              "localProfileMatchAttribute": "telephoneNumber" // CAUTION: this will be mapped to profile.<localProfileMatchAttribute> attribute in Mongo if identifierFormat (see above) differs from urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,
              "attributesSAML": [telephoneNumber, sn, givenName, mail], // attrs from SAML attr statement, which will be used for local Meteor profile creation. Currently no real attribute mapping. If required use mapping on IdP side.
            }]}
            */
          },
        },
      );
    }
  }
});
Fix lint error in Fibers size setting 2018-04-18 16:03:49 +03:00			`import Fiber from 'fibers';`

add token authentication, only admin can use api 2017-05-11 12:15:02 +02:00			`Meteor.startup(() => {`
Fix Node Fibers 100% CPU issue. Thanks to kentonv ! Related wekan/wekan-mongodb#2, related meteor/meteor#9796 2018-04-16 21:18:09 +03:00			`// Node Fibers 100% CPU usage issue`
			`// https://github.com/wekan/wekan-mongodb/issues/2#issuecomment-381453161`
			`// https://github.com/meteor/meteor/issues/9796#issuecomment-381676326`
			`// https://github.com/sandstorm-io/sandstorm/blob/0f1fec013fe7208ed0fd97eb88b31b77e3c61f42/shell/server/00-startup.js#L99-L129`
			`Fiber.poolSize = 1e9;`

Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`Accounts.validateLoginAttempt(function(options) {`
Fix: Error after sending invitation and joining board: Exception while invoking method 'login' TypeError: Cannot read property 'loginDisabled' of undefined. Thanks to nztqa ! Closes #1331 2017-11-19 17:51:26 +02:00			`const user = options.user \|\| {};`
			`return !user.loginDisabled;`
Add the ability for the admin : - disabling a login for a user (not himself) - enabling a login for a user - transfering the ownership of all user's boards to himself 2017-10-13 08:15:19 +02:00			`});`

add token authentication, only admin can use api 2017-05-11 12:15:02 +02:00			`Authentication = {};`

Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`Authentication.checkUserId = function(userId) {`
add token authentication, only admin can use api 2017-05-11 12:15:02 +02:00			`if (userId === undefined) {`
			`const error = new Meteor.Error('Unauthorized', 'Unauthorized');`
			`error.statusCode = 401;`
			`throw error;`
			`}`
			`const admin = Users.findOne({ _id: userId, isAdmin: true });`

			`if (admin === undefined) {`
			`const error = new Meteor.Error('Forbidden', 'Forbidden');`
			`error.statusCode = 403;`
			`throw error;`
			`}`
			`};`

Added a non restrictive authentication function 2017-05-15 18:40:45 +02:00			`// This will only check if the user is logged in.`
			`// The authorization checks for the user will have to be done inside each API endpoint`
			`Authentication.checkLoggedIn = function(userId) {`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`if (userId === undefined) {`
Added a non restrictive authentication function 2017-05-15 18:40:45 +02:00			`const error = new Meteor.Error('Unauthorized', 'Unauthorized');`
			`error.statusCode = 401;`
			`throw error;`
			`}`
			`};`

Added a simple authorization function 2017-05-15 19:43:15 +02:00			`// An admin should be authorized to access everything, so we use a separate check for admins`
			`// This throws an error if otherReq is false and the user is not an admin`
			`Authentication.checkAdminOrCondition = function(userId, otherReq) {`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`if (otherReq) return;`
Added a simple authorization function 2017-05-15 19:43:15 +02:00			`const admin = Users.findOne({ _id: userId, isAdmin: true });`
			`if (admin === undefined) {`
			`const error = new Meteor.Error('Forbidden', 'Forbidden');`
			`error.statusCode = 403;`
			`throw error;`
			`}`
Fixed eslint errors 2017-05-15 22:10:46 +02:00			`};`
Added a simple authorization function 2017-05-15 19:43:15 +02:00
Extracted board access check function 2017-05-15 21:02:31 +02:00			`// Helper function. Will throw an error if the user does not have read only access to the given board`
			`Authentication.checkBoardAccess = function(userId, boardId) {`
			`Authentication.checkLoggedIn(userId);`

			`const board = Boards.findOne({ _id: boardId });`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`const normalAccess =`
			`board.permission === 'public' \|\|`
Fix checkBoardAccess authentication check 2019-12-16 18:10:48 +01:00			`board.members.some(e => e.userId === userId && e.isActive);`
Extracted board access check function 2017-05-15 21:02:31 +02:00			`Authentication.checkAdminOrCondition(userId, normalAccess);`
Fixed eslint errors 2017-05-15 22:10:46 +02:00			`};`
Extracted board access check function 2017-05-15 21:02:31 +02:00
authentification oauth2 2018-04-09 16:49:07 +02:00			`if (Meteor.isServer) {`
Added some CAS and SAML settings. Not tested. Please test and send pull requests if it does not work. See https://github.com/wekan/wekan/wiki/SAML and https://github.com/wekan/wekan/wiki/CAS Thanks to xet7 ! Related #3204, related #708 2020-09-14 19:57:50 +03:00			`if (`
Login with OIDC OAuth2 Oracle on premise identity manager OIM, with setting ORACLE_OIM_ENABLED=true. Thanks to xet7 ! 2020-10-02 23:15:39 +03:00			`process.env.ORACLE_OIM_ENABLED === 'true' \|\|`
			`process.env.ORACLE_OIM_ENABLED === true`
			`) {`
			`ServiceConfiguration.configurations.upsert(`
			`// eslint-disable-line no-undef`
			`{ service: 'oidc' },`
			`{`
			`$set: {`
			`loginStyle: process.env.OAUTH2_LOGIN_STYLE,`
			`clientId: process.env.OAUTH2_CLIENT_ID,`
			`secret: process.env.OAUTH2_SECRET,`
			`serverUrl: process.env.OAUTH2_SERVER_URL,`
			`authorizationEndpoint: process.env.OAUTH2_AUTH_ENDPOINT,`
			`userinfoEndpoint: process.env.OAUTH2_USERINFO_ENDPOINT,`
			`tokenEndpoint: process.env.OAUTH2_TOKEN_ENDPOINT,`
			`idTokenWhitelistFields:`
			`process.env.OAUTH2_ID_TOKEN_WHITELIST_FIELDS \|\| [],`
Fixed: With ORACLE_OIM_ENABLED, allow setting OAUTH2_REQUEST_PERMISSIONS with environment variable. Thanks to xet7 ! 2020-10-21 19:20:48 +03:00			`requestPermissions: process.env.OAUTH2_REQUEST_PERMISSIONS,`
Login with OIDC OAuth2 Oracle on premise identity manager OIM, with setting ORACLE_OIM_ENABLED=true. Thanks to xet7 ! 2020-10-02 23:15:39 +03:00			`},`
			`},`
			`);`
			`} else if (`
Added some CAS and SAML settings. Not tested. Please test and send pull requests if it does not work. See https://github.com/wekan/wekan/wiki/SAML and https://github.com/wekan/wekan/wiki/CAS Thanks to xet7 ! Related #3204, related #708 2020-09-14 19:57:50 +03:00			`process.env.OAUTH2_ENABLED === 'true' \|\|`
			`process.env.OAUTH2_ENABLED === true`
			`) {`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`ServiceConfiguration.configurations.upsert(`
			`// eslint-disable-line no-undef`
- [OAuth2 Login on Standalone Wekan](https://github.com/wekan/wekan/wiki/OAuth2). For example, Rocket.Chat can provide OAuth2 login to Wekan. Also, if you have Rocket.Chat using LDAP/SAML/Google/etc for logging into Rocket.Chat, then same users can login to Wekan when Rocket.Chat is providing OAuth2 login to Wekan. Thanks to salleman33 and xet7 ! Closes #234 2018-08-25 00:49:02 +03:00			`{ service: 'oidc' },`
			`{`
			`$set: {`
- OAUTH2_LOGIN_STYLE popup or redirect, part 2. Thanks to xet7 ! 2019-03-21 21:37:38 +02:00			`loginStyle: process.env.OAUTH2_LOGIN_STYLE,`
- [OAuth2 Login on Standalone Wekan](https://github.com/wekan/wekan/wiki/OAuth2). For example, Rocket.Chat can provide OAuth2 login to Wekan. Also, if you have Rocket.Chat using LDAP/SAML/Google/etc for logging into Rocket.Chat, then same users can login to Wekan when Rocket.Chat is providing OAuth2 login to Wekan. Thanks to salleman33 and xet7 ! Closes #234 2018-08-25 00:49:02 +03:00			`clientId: process.env.OAUTH2_CLIENT_ID,`
			`secret: process.env.OAUTH2_SECRET,`
			`serverUrl: process.env.OAUTH2_SERVER_URL,`
			`authorizationEndpoint: process.env.OAUTH2_AUTH_ENDPOINT,`
			`userinfoEndpoint: process.env.OAUTH2_USERINFO_ENDPOINT,`
			`tokenEndpoint: process.env.OAUTH2_TOKEN_ENDPOINT,`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`idTokenWhitelistFields:`
			`process.env.OAUTH2_ID_TOKEN_WHITELIST_FIELDS \|\| [],`
Try to fix OIDC login. Thanks to xet7 ! 2019-06-12 06:29:57 +03:00			`requestPermissions: process.env.OAUTH2_REQUEST_PERMISSIONS,`
- [OAuth2 Login on Standalone Wekan](https://github.com/wekan/wekan/wiki/OAuth2). For example, Rocket.Chat can provide OAuth2 login to Wekan. Also, if you have Rocket.Chat using LDAP/SAML/Google/etc for logging into Rocket.Chat, then same users can login to Wekan when Rocket.Chat is providing OAuth2 login to Wekan. Thanks to salleman33 and xet7 ! Closes #234 2018-08-25 00:49:02 +03:00			`},`
Try to fix OIDC login. Thanks to xet7 ! 2019-06-12 06:29:57 +03:00			`// OAUTH2_ID_TOKEN_WHITELIST_FIELDS \|\| [],`
			`// OAUTH2_REQUEST_PERMISSIONS \|\| 'openid profile email',`
Prettier & eslint project style update 2019-06-28 12:52:09 -05:00			`},`
Revert autologin, because it broke OIDC login with Keycloak. Thanks to wb9688 and xet7 ! Fixes #4660, related https://github.com/wekan/wekan/pull/4588 2022-08-30 23:12:23 +03:00			`);`
Login with OIDC OAuth2 Oracle on premise identity manager OIM, with setting ORACLE_OIM_ENABLED=true. Thanks to xet7 ! 2020-10-02 23:15:39 +03:00			`} else if (`
			`process.env.CAS_ENABLED === 'true' \|\|`
			`process.env.CAS_ENABLED === true`
			`) {`
			`ServiceConfiguration.configurations.upsert(`
			`// eslint-disable-line no-undef`
			`{ service: 'cas' },`
			`{`
			`$set: {`
			`baseUrl: process.env.CAS_BASE_URL,`
			`loginUrl: process.env.CAS_LOGIN_URL,`
			`serviceParam: 'service',`
			`popupWidth: 810,`
			`popupHeight: 610,`
			`popup: true,`
			`autoClose: true,`
			`validateUrl: process.env.CASE_VALIDATE_URL,`
			`casVersion: 3.0,`
			`attributes: {`
			`debug: process.env.DEBUG,`
			`},`
Added some CAS and SAML settings. Not tested. Please test and send pull requests if it does not work. See https://github.com/wekan/wekan/wiki/SAML and https://github.com/wekan/wekan/wiki/CAS Thanks to xet7 ! Related #3204, related #708 2020-09-14 19:57:50 +03:00			`},`
			`},`
Login with OIDC OAuth2 Oracle on premise identity manager OIM, with setting ORACLE_OIM_ENABLED=true. Thanks to xet7 ! 2020-10-02 23:15:39 +03:00			`);`
			`} else if (`
			`process.env.SAML_ENABLED === 'true' \|\|`
			`process.env.SAML_ENABLED === true`
			`) {`
			`ServiceConfiguration.configurations.upsert(`
			`// eslint-disable-line no-undef`
			`{ service: 'saml' },`
			`{`
			`$set: {`
			`provider: process.env.SAML_PROVIDER,`
			`entryPoint: process.env.SAML_ENTRYPOINT,`
			`issuer: process.env.SAML_ISSUER,`
			`cert: process.env.SAML_CERT,`
			`idpSLORedirectURL: process.env.SAML_IDPSLO_REDIRECTURL,`
			`privateKeyFile: process.env.SAML_PRIVATE_KEYFILE,`
			`publicCertFile: process.env.SAML_PUBLIC_CERTFILE,`
			`identifierFormat: process.env.SAML_IDENTIFIER_FORMAT,`
			`localProfileMatchAttribute:`
			`process.env.SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE,`
			`attributesSAML: process.env.SAML_ATTRIBUTES \|\| [`
			`'sn',`
			`'givenName',`
			`'mail',`
			`],`
Added some CAS and SAML settings. Not tested. Please test and send pull requests if it does not work. See https://github.com/wekan/wekan/wiki/SAML and https://github.com/wekan/wekan/wiki/CAS Thanks to xet7 ! Related #3204, related #708 2020-09-14 19:57:50 +03:00
Login with OIDC OAuth2 Oracle on premise identity manager OIM, with setting ORACLE_OIM_ENABLED=true. Thanks to xet7 ! 2020-10-02 23:15:39 +03:00			`/*`
			`settings = {"saml":[{`
			`"provider":"openam",`
			`"entryPoint":"https://openam.idp.io/openam/SSORedirect/metaAlias/zimt/idp",`
			`"issuer": "https://sp.zimt.io/", //replace with url of your app`
			`"cert":"MIICizCCAfQCCQCY8tKaMc0 LOTS OF FUNNY CHARS ==",`
			`"idpSLORedirectURL": "http://openam.idp.io/openam/IDPSloRedirect/metaAlias/zimt/idp",`
			`"privateKeyFile": "certs/mykey.pem", // path is relative to $METEOR-PROJECT/private`
			`"publicCertFile": "certs/mycert.pem", // eg $METEOR-PROJECT/private/certs/mycert.pem`
			`"dynamicProfile": true // set to true if we want to create a user in Meteor.users dynamically if SAML assertion is valid`
			`"identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", // Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`
			`"localProfileMatchAttribute": "telephoneNumber" // CAUTION: this will be mapped to profile.<localProfileMatchAttribute> attribute in Mongo if identifierFormat (see above) differs from urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,`
			`"attributesSAML": [telephoneNumber, sn, givenName, mail], // attrs from SAML attr statement, which will be used for local Meteor profile creation. Currently no real attribute mapping. If required use mapping on IdP side.`
			`}]}`
			`*/`
			`},`
Added some CAS and SAML settings. Not tested. Please test and send pull requests if it does not work. See https://github.com/wekan/wekan/wiki/SAML and https://github.com/wekan/wekan/wiki/CAS Thanks to xet7 ! Related #3204, related #708 2020-09-14 19:57:50 +03:00			`},`
Login with OIDC OAuth2 Oracle on premise identity manager OIM, with setting ORACLE_OIM_ENABLED=true. Thanks to xet7 ! 2020-10-02 23:15:39 +03:00			`);`
			`}`
- [OAuth2 Login on Standalone Wekan](https://github.com/wekan/wekan/wiki/OAuth2). For example, Rocket.Chat can provide OAuth2 login to Wekan. Also, if you have Rocket.Chat using LDAP/SAML/Google/etc for logging into Rocket.Chat, then same users can login to Wekan when Rocket.Chat is providing OAuth2 login to Wekan. Thanks to salleman33 and xet7 ! Closes #234 2018-08-25 00:49:02 +03:00			`}`
add token authentication, only admin can use api 2017-05-11 12:15:02 +02:00			`});`