Dockery/Homarr
1
0
Fork 0
mirror of https://github.com/ajnart/homarr.git synced 2025-11-03 03:55:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: add environment variable to overwrite oidc scopes

Browse Source
This commit is contained in:
Meier Lukas
2024-02-18 11:51:26 +01:00
parent 46a57c1cf2
commit 34ef216f3f
2 changed files with 40 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
src/env.js
View File

@@ -1,13 +1,14 @@
const { z } = require('zod'); const { z } = require('zod');
const { createEnv } = require('@t3-oss/env-nextjs'); const { createEnv } = require('@t3-oss/env-nextjs');
const trueStrings = ["1", "t", "T", "TRUE", "true", "True"]; const trueStrings = ['1', 't', 'T', 'TRUE', 'true', 'True'];
const falseStrings = ["0", "f", "F", "FALSE", "false", "False"]; const falseStrings = ['0', 'f', 'F', 'FALSE', 'false', 'False'];
const zodParsedBoolean = () => z const zodParsedBoolean = () =>
.enum([...trueStrings, ...falseStrings]) z
.default("false") .enum([...trueStrings, ...falseStrings])
.transform((value) => trueStrings.includes(value)) .default('false')
.transform((value) => trueStrings.includes(value));
const portSchema = z const portSchema = z
.string() .string()
@@ -40,34 +41,38 @@ const env = createEnv({
HOSTNAME: z.string().optional(), HOSTNAME: z.string().optional(),
// Authentication // Authentication
AUTH_PROVIDER: z.string().default('credentials').transform(providers => providers.replaceAll(' ', '').split(',')), AUTH_PROVIDER: z
.string()
.default('credentials')
.transform((providers) => providers.replaceAll(' ', '').split(',')),
// LDAP // LDAP
...(authProviders.includes('ldap') ...(authProviders.includes('ldap')
? { ? {
AUTH_LDAP_URI: z.string().url(), AUTH_LDAP_URI: z.string().url(),
AUTH_LDAP_BIND_DN: z.string(), AUTH_LDAP_BIND_DN: z.string(),
AUTH_LDAP_BIND_PASSWORD: z.string(), AUTH_LDAP_BIND_PASSWORD: z.string(),
AUTH_LDAP_BASE: z.string(), AUTH_LDAP_BASE: z.string(),
AUTH_LDAP_USERNAME_ATTRIBUTE: z.string().default('uid'), AUTH_LDAP_USERNAME_ATTRIBUTE: z.string().default('uid'),
AUTH_LDAP_GROUP_CLASS: z.string().default('groupOfUniqueNames'), AUTH_LDAP_GROUP_CLASS: z.string().default('groupOfUniqueNames'),
AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE: z.string().default('member'), AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE: z.string().default('member'),
AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE: z.string().default('dn'), AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE: z.string().default('dn'),
AUTH_LDAP_ADMIN_GROUP: z.string().default('admin'), AUTH_LDAP_ADMIN_GROUP: z.string().default('admin'),
AUTH_LDAP_OWNER_GROUP: z.string().default('admin'), AUTH_LDAP_OWNER_GROUP: z.string().default('admin'),
} }
: {}), : {}),
// OIDC // OIDC
...(authProviders.includes('oidc') ...(authProviders.includes('oidc')
? { ? {
AUTH_OIDC_CLIENT_ID: z.string(), AUTH_OIDC_CLIENT_ID: z.string(),
AUTH_OIDC_CLIENT_SECRET: z.string(), AUTH_OIDC_CLIENT_SECRET: z.string(),
AUTH_OIDC_URI: z.string().url(), AUTH_OIDC_URI: z.string().url(),
// Custom Display name, defaults to OIDC // Custom Display name, defaults to OIDC
AUTH_OIDC_CLIENT_NAME: z.string().default('OIDC'), AUTH_OIDC_CLIENT_NAME: z.string().default('OIDC'),
AUTH_OIDC_ADMIN_GROUP: z.string().default('admin'), AUTH_OIDC_ADMIN_GROUP: z.string().default('admin'),
AUTH_OIDC_OWNER_GROUP: z.string().default('admin'), AUTH_OIDC_OWNER_GROUP: z.string().default('admin'),
AUTH_OIDC_AUTO_LOGIN: zodParsedBoolean() AUTH_OIDC_AUTO_LOGIN: zodParsedBoolean(),
} AUTH_OIDC_SCOPE_OVERWRITE: z.string().default('openid email profile groups'),
}
: {}), : {}),
}, },
@@ -124,6 +129,7 @@ const env = createEnv({
AUTH_OIDC_ADMIN_GROUP: process.env.AUTH_OIDC_ADMIN_GROUP, AUTH_OIDC_ADMIN_GROUP: process.env.AUTH_OIDC_ADMIN_GROUP,
AUTH_OIDC_OWNER_GROUP: process.env.AUTH_OIDC_OWNER_GROUP, AUTH_OIDC_OWNER_GROUP: process.env.AUTH_OIDC_OWNER_GROUP,
AUTH_OIDC_AUTO_LOGIN: process.env.AUTH_OIDC_AUTO_LOGIN, AUTH_OIDC_AUTO_LOGIN: process.env.AUTH_OIDC_AUTO_LOGIN,
AUTH_OIDC_SCOPE_OVERWRITE: process.env.AUTH_OIDC_SCOPE_OVERWRITE,
DEMO_MODE: process.env.DEMO_MODE, DEMO_MODE: process.env.DEMO_MODE,
}, },
skipValidation: !!process.env.SKIP_ENV_VALIDATION, skipValidation: !!process.env.SKIP_ENV_VALIDATION,

10
src/utils/auth/oidc.ts
View File

@@ -20,13 +20,17 @@ const provider: OAuthConfig<Profile> = {
clientId: env.AUTH_OIDC_CLIENT_ID, clientId: env.AUTH_OIDC_CLIENT_ID,
clientSecret: env.AUTH_OIDC_CLIENT_SECRET, clientSecret: env.AUTH_OIDC_CLIENT_SECRET,
wellKnown: `${env.AUTH_OIDC_URI}/.well-known/openid-configuration`, wellKnown: `${env.AUTH_OIDC_URI}/.well-known/openid-configuration`,
authorization: { params: { scope: 'openid email profile groups' } }, authorization: { params: { scope: env.AUTH_OIDC_SCOPE_OVERWRITE } },
idToken: true, idToken: true,
async profile(profile) { async profile(profile) {
const user = await adapter.getUserByEmail!(profile.email); const user = await adapter.getUserByEmail!(profile.email);
const isAdmin = profile.groups.includes(env.AUTH_OIDC_ADMIN_GROUP); if (!profile.groups) {
const isOwner = profile.groups.includes(env.AUTH_OIDC_OWNER_GROUP); Consola.warn('no groups found in profile of oidc user');
}
const isAdmin = profile.groups?.includes(env.AUTH_OIDC_ADMIN_GROUP);
const isOwner = profile.groups?.includes(env.AUTH_OIDC_OWNER_GROUP);
// check for role update // check for role update
if (user && (user.isAdmin != isAdmin || user.isOwner != isOwner)) { if (user && (user.isAdmin != isAdmin || user.isOwner != isOwner)) {