diff options
Diffstat (limited to 'server/lib/auth.ts')
| -rw-r--r-- | server/lib/auth.ts | 29 |
1 files changed, 27 insertions, 2 deletions
diff --git a/server/lib/auth.ts b/server/lib/auth.ts index c47ec62d0..5a6dd9dec 100644 --- a/server/lib/auth.ts +++ b/server/lib/auth.ts | |||
| @@ -7,6 +7,7 @@ import { logger } from '@server/helpers/logger' | |||
| 7 | import { UserRole } from '@shared/models' | 7 | import { UserRole } from '@shared/models' |
| 8 | import { revokeToken } from '@server/lib/oauth-model' | 8 | import { revokeToken } from '@server/lib/oauth-model' |
| 9 | import { OAuthTokenModel } from '@server/models/oauth/oauth-token' | 9 | import { OAuthTokenModel } from '@server/models/oauth/oauth-token' |
| 10 | import { isUserUsernameValid, isUserRoleValid, isUserDisplayNameValid } from '@server/helpers/custom-validators/users' | ||
| 10 | 11 | ||
| 11 | const oAuthServer = new OAuthServer({ | 12 | const oAuthServer = new OAuthServer({ |
| 12 | useErrorHandler: true, | 13 | useErrorHandler: true, |
| @@ -120,10 +121,12 @@ async function proxifyPasswordGrant (req: express.Request, res: express.Response | |||
| 120 | 121 | ||
| 121 | for (const pluginAuth of pluginAuths) { | 122 | for (const pluginAuth of pluginAuths) { |
| 122 | const authOptions = pluginAuth.registerAuthOptions | 123 | const authOptions = pluginAuth.registerAuthOptions |
| 124 | const authName = authOptions.authName | ||
| 125 | const npmName = pluginAuth.npmName | ||
| 123 | 126 | ||
| 124 | logger.debug( | 127 | logger.debug( |
| 125 | 'Using auth method %s of plugin %s to login %s with weight %d.', | 128 | 'Using auth method %s of plugin %s to login %s with weight %d.', |
| 126 | authOptions.authName, pluginAuth.npmName, loginOptions.id, authOptions.getWeight() | 129 | authName, npmName, loginOptions.id, authOptions.getWeight() |
| 127 | ) | 130 | ) |
| 128 | 131 | ||
| 129 | try { | 132 | try { |
| @@ -131,9 +134,31 @@ async function proxifyPasswordGrant (req: express.Request, res: express.Response | |||
| 131 | if (loginResult) { | 134 | if (loginResult) { |
| 132 | logger.info( | 135 | logger.info( |
| 133 | 'Login success with auth method %s of plugin %s for %s.', | 136 | 'Login success with auth method %s of plugin %s for %s.', |
| 134 | authOptions.authName, pluginAuth.npmName, loginOptions.id | 137 | authName, npmName, loginOptions.id |
| 135 | ) | 138 | ) |
| 136 | 139 | ||
| 140 | if (!isUserUsernameValid(loginResult.username)) { | ||
| 141 | logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { loginResult }) | ||
| 142 | continue | ||
| 143 | } | ||
| 144 | |||
| 145 | if (!loginResult.email) { | ||
| 146 | logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { loginResult }) | ||
| 147 | continue | ||
| 148 | } | ||
| 149 | |||
| 150 | // role is optional | ||
| 151 | if (loginResult.role && !isUserRoleValid(loginResult.role)) { | ||
| 152 | logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { loginResult }) | ||
| 153 | continue | ||
| 154 | } | ||
| 155 | |||
| 156 | // display name is optional | ||
| 157 | if (loginResult.displayName && !isUserDisplayNameValid(loginResult.displayName)) { | ||
| 158 | logger.error('Auth method %s of plugin %s did not provide a valid display name.', authName, npmName, { loginResult }) | ||
| 159 | continue | ||
| 160 | } | ||
| 161 | |||
| 137 | res.locals.bypassLogin = { | 162 | res.locals.bypassLogin = { |
| 138 | bypass: true, | 163 | bypass: true, |
| 139 | pluginName: pluginAuth.npmName, | 164 | pluginName: pluginAuth.npmName, |