mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-20 15:36:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

fix(oauth): add support for client_credentials flow
Some checks are pending
Backend tests / Linux without plugins (push) Waiting to run
Details
Backend tests / Linux with Plugins (push) Waiting to run
Details
Backend tests / Windows without plugins (push) Waiting to run
Details
Backend tests / Windows with Plugins (push) Waiting to run
Details
CodeQL / Analyze (push) Waiting to run
Details
Docker / docker (push) Waiting to run
Details
Frontend admin tests powered by Sauce Labs / with plugins (push) Waiting to run
Details
Frontend tests powered by Sauce Labs / Playwright Chrome (push) Waiting to run
Details
Frontend tests powered by Sauce Labs / Playwright Firefox (push) Waiting to run
Details
Frontend tests powered by Sauce Labs / Playwright Webkit (push) Waiting to run
Details
Loadtest / without plugins (push) Waiting to run
Details
Loadtest / with Plugins (push) Waiting to run
Details
Loadtest / long running (push) Waiting to run
Details
Perform type checks / perform type check (push) Waiting to run
Details
rate limit / test (push) Waiting to run
Details
Upgrade from latest release / Linux with Plugins (push) Waiting to run
Details
Windows Build / Build .zip (push) Waiting to run
Details

Browse source
This commit is contained in:
SamTV12345 2025-04-06 10:46:12 +02:00
parent 35ddea0c57
commit ab5b933fb3
4 changed files with 31 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

22
pnpm-lock.yaml generated
View file

@ -136,7 +136,7 @@ importers:
devDependencies: devDependencies:
vitepress: vitepress:
specifier: ^1.6.3 specifier: ^1.6.3
version: 1.6.3(@algolia/client-search@5.23.2)(@types/node@22.14.0)(axios@1.8.4)(postcss@8.5.3)(typescript@5.8.3) version: 1.6.3(@algolia/client-search@5.23.2)(@types/node@22.14.0)(axios@1.8.4)(jwt-decode@4.0.0)(postcss@8.5.3)(typescript@5.8.3)
src: src:
dependencies: dependencies:
@ -197,6 +197,9 @@ importers:
jsonwebtoken: jsonwebtoken:
specifier: ^9.0.2 specifier: ^9.0.2
version: 9.0.2 version: 9.0.2
jwt-decode:
specifier: ^4.0.0
version: 4.0.0
languages4translatewiki: languages4translatewiki:
specifier: 0.1.3 specifier: 0.1.3
version: 0.1.3 version: 0.1.3
@ -3515,6 +3518,10 @@ packages:
jws@3.2.2: jws@3.2.2:
resolution: {integrity: sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==} resolution: {integrity: sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==}
jwt-decode@4.0.0:
resolution: {integrity: sha512-+KJGIyHgkGuIq3IEBNftfhW/LfWhXUIY6OmyVWjliu5KH1y0fw7VQ8YndE2O4qZdMSd9SqbnC8GOcZEy0Om7sA==}
engines: {node: '>=18'}
kebab-case@1.0.2: kebab-case@1.0.2:
resolution: {integrity: sha512-7n6wXq4gNgBELfDCpzKc+mRrZFs7D+wgfF5WRFLNAr4DA/qtr9Js8uOAVAfHhuLMfAcQ0pRKqbpjx+TcJVdE1Q==} resolution: {integrity: sha512-7n6wXq4gNgBELfDCpzKc+mRrZFs7D+wgfF5WRFLNAr4DA/qtr9Js8uOAVAfHhuLMfAcQ0pRKqbpjx+TcJVdE1Q==}
@ -6713,7 +6720,7 @@ snapshots:
transitivePeerDependencies: transitivePeerDependencies:
- typescript - typescript
'@vueuse/integrations@12.8.2(axios@1.8.4)(focus-trap@7.6.4)(typescript@5.8.3)': '@vueuse/integrations@12.8.2(axios@1.8.4)(focus-trap@7.6.4)(jwt-decode@4.0.0)(typescript@5.8.3)':
dependencies: dependencies:
'@vueuse/core': 12.8.2(typescript@5.8.3) '@vueuse/core': 12.8.2(typescript@5.8.3)
'@vueuse/shared': 12.8.2(typescript@5.8.3) '@vueuse/shared': 12.8.2(typescript@5.8.3)
@ -6721,6 +6728,7 @@ snapshots:
optionalDependencies: optionalDependencies:
axios: 1.8.4 axios: 1.8.4
focus-trap: 7.6.4 focus-trap: 7.6.4
jwt-decode: 4.0.0
transitivePeerDependencies: transitivePeerDependencies:
- typescript - typescript
@ -7502,7 +7510,7 @@ snapshots:
transitivePeerDependencies: transitivePeerDependencies:
- supports-color - supports-color
eslint-module-utils@2.12.0(@typescript-eslint/parser@7.18.0(eslint@9.24.0)(typescript@5.8.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.10.0)(eslint@9.24.0): eslint-module-utils@2.12.0(@typescript-eslint/parser@7.18.0(eslint@9.24.0)(typescript@5.8.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.10.0(eslint-plugin-import@2.31.0)(eslint@9.24.0))(eslint@9.24.0):
dependencies: dependencies:
debug: 3.2.7 debug: 3.2.7
optionalDependencies: optionalDependencies:
@ -7542,7 +7550,7 @@ snapshots:
doctrine: 2.1.0 doctrine: 2.1.0
eslint: 9.24.0 eslint: 9.24.0
eslint-import-resolver-node: 0.3.9 eslint-import-resolver-node: 0.3.9
eslint-module-utils: 2.12.0(@typescript-eslint/parser@7.18.0(eslint@9.24.0)(typescript@5.8.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.10.0)(eslint@9.24.0) eslint-module-utils: 2.12.0(@typescript-eslint/parser@7.18.0(eslint@9.24.0)(typescript@5.8.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.10.0(eslint-plugin-import@2.31.0)(eslint@9.24.0))(eslint@9.24.0)
hasown: 2.0.2 hasown: 2.0.2
is-core-module: 2.16.1 is-core-module: 2.16.1
is-glob: 4.0.3 is-glob: 4.0.3
@ -8445,6 +8453,8 @@ snapshots:
jwa: 1.4.1 jwa: 1.4.1
safe-buffer: 5.2.1 safe-buffer: 5.2.1
jwt-decode@4.0.0: {}
kebab-case@1.0.2: {} kebab-case@1.0.2: {}
keygrip@1.1.0: keygrip@1.1.0:
@ -9964,7 +9974,7 @@ snapshots:
fsevents: 2.3.3 fsevents: 2.3.3
tsx: 4.19.3 tsx: 4.19.3
vitepress@1.6.3(@algolia/client-search@5.23.2)(@types/node@22.14.0)(axios@1.8.4)(postcss@8.5.3)(typescript@5.8.3): vitepress@1.6.3(@algolia/client-search@5.23.2)(@types/node@22.14.0)(axios@1.8.4)(jwt-decode@4.0.0)(postcss@8.5.3)(typescript@5.8.3):
dependencies: dependencies:
'@docsearch/css': 3.8.2 '@docsearch/css': 3.8.2
'@docsearch/js': 3.8.2(@algolia/client-search@5.23.2) '@docsearch/js': 3.8.2(@algolia/client-search@5.23.2)
@ -9977,7 +9987,7 @@ snapshots:
'@vue/devtools-api': 7.7.2 '@vue/devtools-api': 7.7.2
'@vue/shared': 3.5.13 '@vue/shared': 3.5.13
'@vueuse/core': 12.8.2(typescript@5.8.3) '@vueuse/core': 12.8.2(typescript@5.8.3)
'@vueuse/integrations': 12.8.2(axios@1.8.4)(focus-trap@7.6.4)(typescript@5.8.3) '@vueuse/integrations': 12.8.2(axios@1.8.4)(focus-trap@7.6.4)(jwt-decode@4.0.0)(typescript@5.8.3)
focus-trap: 7.6.4 focus-trap: 7.6.4
mark.js: 8.11.1 mark.js: 8.11.1
minisearch: 7.1.2 minisearch: 7.1.2

14
src/node/handler/APIHandler.ts
View file

@ -20,9 +20,10 @@
*/ */
import {MapArrayType} from "../types/MapType"; import {MapArrayType} from "../types/MapType";
import { jwtDecode } from "jwt-decode";
const api = require('../db/API'); const api = require('../db/API');
const padManager = require('../db/PadManager'); const padManager = require('../db/PadManager');
const settings = require('../utils/Settings');
import createHTTPError from 'http-errors'; import createHTTPError from 'http-errors';
import {Http2ServerRequest} from "node:http2"; import {Http2ServerRequest} from "node:http2";
import {publicKeyExported} from "../security/OAuth2Provider"; import {publicKeyExported} from "../security/OAuth2Provider";
@ -182,8 +183,17 @@ exports.handle = async function (apiVersion: string, functionName: string, field
throw new createHTTPError.Unauthorized('no or wrong API Key'); throw new createHTTPError.Unauthorized('no or wrong API Key');
} }
try { try {
await jwtVerify(req.headers.authorization!.replace("Bearer ", ""), publicKeyExported!, {algorithms: ['RS256'], const clientIds: string[] = settings.sso.clients?.map((client: {client_id: string}) => client.client_id);
const jwtToCheck = req.headers.authorization.replace("Bearer ", "")
const payload = jwtDecode(jwtToCheck)
// client_credentials
if (clientIds.includes(<string>payload.sub)) {
await jwtVerify(jwtToCheck, publicKeyExported!, {algorithms: ['RS256']})
} else {
// authorization_code
await jwtVerify(jwtToCheck, publicKeyExported!, {algorithms: ['RS256'],
requiredClaims: ["admin"]}) requiredClaims: ["admin"]})
}
} catch (e) { } catch (e) {
throw new createHTTPError.Unauthorized('no or wrong OAuth token'); throw new createHTTPError.Unauthorized('no or wrong OAuth token');
} }

2
src/node/security/OAuth2Provider.ts
View file

@ -30,7 +30,7 @@ const configuration: Configuration = {
if(account === undefined) { if(account === undefined) {
return undefined return undefined
} }
if (account.is_admin) { if (account.is_admin ) {
return { return {
accountId: id, accountId: id,
claims: () => ({ claims: () => ({

1
src/package.json
View file

@ -70,6 +70,7 @@
"socket.io-client": "^4.8.1", "socket.io-client": "^4.8.1",
"superagent": "10.2.0", "superagent": "10.2.0",
"swagger-ui-express": "^5.0.1", "swagger-ui-express": "^5.0.1",
"jwt-decode": "^4.0.0",
"tinycon": "0.6.8", "tinycon": "0.6.8",
"tsx": "4.19.3", "tsx": "4.19.3",
"ueberdb2": "^5.0.6", "ueberdb2": "^5.0.6",