diff --git a/package-lock.json b/package-lock.json
index 6ff3917..a069bc5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11,6 +11,7 @@
 "dependencies": {
 "@passport-js/passport-twitter": "^1.0.8",
 "coffeescript": "^2.4.1",
+ "jwt-decode": "^4.0.0",
 "lodash": "^4.17.19",
 "passport": "^0.3.2",
 "passport-github2": "^0.1.12",
@@ -4329,6 +4330,14 @@
 "dev": true,
 "license": "ISC"
 },
+ "node_modules/jwt-decode": {
+ "version": "4.0.0",
+ "resolved": "https://registry.npmjs.org/jwt-decode/-/jwt-decode-4.0.0.tgz",
+ "integrity": "sha512-+KJGIyHgkGuIq3IEBNftfhW/LfWhXUIY6OmyVWjliu5KH1y0fw7VQ8YndE2O4qZdMSd9SqbnC8GOcZEy0Om7sA==",
+ "engines": {
+ "node": ">=18"
+ }
+ },
 "node_modules/lodash": {
 "version": "4.17.21",
 "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
diff --git a/package.json b/package.json
index 334696d..67aaad8 100644
--- a/package.json
+++ b/package.json
@@ -7,6 +7,7 @@
 "dependencies": {
 "@passport-js/passport-twitter": "^1.0.8",
 "coffeescript": "^2.4.1",
+ "jwt-decode": "^4.0.0",
 "lodash": "^4.17.19",
 "passport": "^0.3.2",
 "passport-github2": "^0.1.12",
diff --git a/server/social.coffee b/server/social.coffee
index e116632..622f9a7 100644
--- a/server/social.coffee
+++ b/server/social.coffee
@@ -17,6 +17,8 @@ url = require 'url'
 _ = require 'lodash'
 glob = require 'glob'
+{ jwtDecode } = require('jwt-decode');
+
 passport = require('passport')
 # Export a function that generates security handler
@@ -188,6 +190,8 @@ module.exports = exports = (log, loga, argv) ->
 userInfoURL: argv.oauth2_UserInfoURL
 }, (accessToken, refreshToken, params, profile, cb) ->
+ token = jwtDecode(accessToken)
+
 extractUserInfo = (uiParam, uiDef) ->
 uiPath = ''
 if typeof uiParam == 'undefined' then (uiPath = uiDef) else (uiPath = uiParam)
@@ -195,6 +199,8 @@ module.exports = exports = (log, loga, argv) ->
 sParts = uiPath.split('.')
 sFrom = sParts.shift()
 switch sFrom
+ when "token"
+ obj = token
 when "params"
 obj = params
 when "profile"
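Review bot: `token = jwtDecode(accessToken)` in the `@@ -188` hunk assumes every OAuth2 provider issues a JWT-formatted access token; jwt-decode only base64-decodes the payload and throws `InvalidTokenError` on an opaque or malformed token, so a provider that issues opaque access tokens would now make the verify callback throw before `extractUserInfo` runs, where previously login worked. Decode defensively and fall back to an empty object, so the `when "token"` source added in the `@@ -195` hunk yields `undefined` for a missing claim instead of breaking the login flow. Note also that decoding does not validate the signature; that is acceptable here only because the token arrives directly from the provider's token endpoint inside this callback, and the same call must not be applied to a token supplied by the browser. For OIDC providers the identity claims are carried in `params.id_token` rather than the access token, so that is presumably the more appropriate thing to decode when it is present. The verify callback continues outside the hunk.
```coffeescript
}, (accessToken, refreshToken, params, profile, cb) ->

  # Access tokens may be opaque; expose decoded claims only when the token is a JWT.
  try
    token = jwtDecode(accessToken)
  catch error
    token = {}

  # … unchanged: extractUserInfo …
```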
@@ -207,10 +213,6 @@ module.exports = exports = (log, loga, argv) ->
 obj = obj[sParts.shift()]
 return obj
- console.log("accessToken", accessToken)
- console.log("refreshToken", refreshToken)
- console.log("params", params)
- console.log("profile", profile)
 if argv.oauth2_UsernameField?
 username_query = argv.oauth2_UsernameField
 else
@@ -388,24 +390,31 @@ module.exports = exports = (log, loga, argv) ->
 # see http://ward.asia.wiki.org/login-to-view.html
 if argv.restricted?
- allowedToView = (req) ->
- allowed = []
 if argv.allowed_domains?
- if Array.isArray(argv.allowed_domains)
- allowed = argv.allowed_domains
- else
- # accommodate copy bug to be fixed soon
- # https://github.com/fedwiki/wiki/blob/4c6eee69e78c1ba3f3fc8d61f4450f70afb78f10/farm.coffee#L98-L103
- for k, v of argv.allowed_domains
- allowed.push v
- # emails = [ { value: 'ward.cunningham@gmail.com', type: 'account' } ]
- emails = req.session?.passport?.user?.google?.emails
- return false unless emails
- for entry in emails
- have = entry.value.split('@')[1]
- for want in allowed
- return true if want == have
+ try
+ allowed_domains = argv.allowed_domains
+ emails = req.session.passport.user.google.emails
+ for entry in emails
+ have = entry.value.split('@')[1]
+ for want in allowed_domains
+ return true if want == have
+ catch error
+ if emails?
+ console.log "argv.allowed_domains exists, but there was an error. Make sure it's value is an array in your config."
+ if argv.allowed_ids?
+ try
+ allowed_ids = argv.allowed_ids
+ idProvider = _.head(_.keys(req.session.passport.user))
+ switch idProvider
+ when 'github', 'twitter', 'oauth2'
+ id = req.session.passport.user[idProvider].id
+ return true if (allowed_ids.length == 1 and allowed_ids[0] == "*")
+ for want in allowed_ids
+ return true if want == id
+ catch error
+ if idProvider?
+ console.log "argv.allowed_ids exists, but there was an error. Make sure it's value is an array in your config."
 false
 app.all '*', (req, res, next) ->
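Review bot: The `allowed_ids` check in the `@@ -388` hunk compares a bare id against the list without binding it to the provider it came from: `id = req.session.passport.user[idProvider].id` is taken from whichever of `github`, `twitter` or `oauth2` happens to be the first key of the session user object, and `return true if want == id` then accepts that id regardless of provider, so an entry meant to admit one GitHub account also admits a Twitter or OAuth2 account that carries the same id value. Scope the entries to a provider, for example accept `provider:id` entries and compare with `return true if want == "#{idProvider}:#{id}"`, keeping the bare form only if existing configs must keep working. Separately, CoffeeScript's `==` compiles to `===`, so ids that the config loader parses as numbers will never match ids that the passport profiles carry as strings (as they appear to here); `String(want) == String(id)` removes that silent denial. Both `catch error` branches discard `error` and print a fixed config hint, so a genuine failure such as an unexpected session shape is indistinguishable from a bad config; logging `error.message` alongside the hint would help operators. The hunk removes `allowedToView = (req) ->` without a visible replacement, so the function whose body this is appears to begin outside the hunk.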