feat: support for OIDC authentication

.example.env

@@ -58,6 +58,7 @@ DISALLOW_REGISTRATION=true
 # Optional - Disable anonymous link creation. Default is true.
 DISALLOW_ANONYMOUS_LINKS=true
 
+
 # Optional - This would be shown to the user on the settings page
 # It's only for display purposes and has no other use
 SERVER_IP_ADDRESS=
@@ -87,3 +88,15 @@ REPORT_EMAIL=
 
 # Optional - Support email to show on the app
 CONTACT_EMAIL=
+
+# Optional - Login with OIDC
+OIDC_ENABLED=false
+OIDC_ISSUER=
+OIDC_CLIENT_ID=
+OIDC_CLIENT_SECRET=
+OIDC_SCOPE=
+OIDC_EMAIL_CLAIM=
+OIDC_APP_URL=
+
+# Optional - Disable form-based login. Only makes sense when OIDC_ENABLED=true.
+DISALLOW_FORM_LOGIN=false

docker-compose.oidc.yml

@@ -0,0 +1,77 @@
+services:
+  server:
+    build:
+      context: .
+    volumes:
+       - db_data_sqlite:/var/lib/kutt
+       - custom:/kutt/custom
+    env_file: .env
+    environment:
+      DB_FILENAME: "/var/lib/kutt/data.sqlite"
+      DISALLOW_REGISTRATION: "false"
+      OIDC_ENABLED: "true"
+      OIDC_ISSUER: http://7f000101.nip.io:8080
+      OIDC_CLIENT_ID: mock-client-id
+      OIDC_CLIENT_SECRET: some-client-Secret
+      OIDC_SCOPE: openid profile email
+      OIDC_APP_URL: http://localhost:3000
+    ports:
+      - 3000:3000
+    links:
+      - oidc-server-mock:7f000101.nip.io
+  oidc-server-mock:
+    container_name: oidc-server-mock
+    image: ghcr.io/soluto/oidc-server-mock:0.11.0
+    ports:
+      - 8080:8080
+    domainname: 7f000101.nip.io
+    environment:
+      SERVER_OPTIONS_INLINE: |
+        {
+          "AccessTokenJwtType": "JWT",
+          "Discovery": {
+            "ShowKeySet": true
+          },
+          "Authentication": {
+            "CookieSameSiteMode": "Lax",
+            "CheckSessionCookieSameSiteMode": "Lax"
+          }
+        }
+      CLIENTS_CONFIGURATION_INLINE: |
+        [
+          {
+            "ClientId": "mock-client-id",
+            "ClientSecrets": ["some-client-Secret"],
+            "Description": "Mock OIDC",
+            "AllowedGrantTypes": ["authorization_code"],
+            "AllowAccessTokensViaBrowser": true,
+            "RedirectUris": ["http://localhost:3000/*"],
+            "AllowedScopes": ["openid", "profile", "email"],
+            "IdentityTokenLifetime": 3600,
+            "AccessTokenLifetime": 3600
+          }
+        ]
+      USERS_CONFIGURATION_INLINE: |
+        [
+          {
+            "SubjectId":"1",
+            "Username":"user01",
+            "Password":"pwd",
+            "Claims": [
+              { "Type": "name", "Value": "User 01", "ValueType": "string" },
+              { "Type": "email", "Value": "[email protected]", "ValueType": "string" }
+            ],
+          },
+          {
+            "SubjectId":"2",
+            "Username":"user02",
+            "Password":"pwd",
+            "Claims": [
+              { "Type": "name", "Value": "User 02", "ValueType": "string" },
+              { "Type": "email", "Value": "[email protected]", "ValueType": "string" }
+            ],
+          }
+        ]
+volumes:
+  db_data_sqlite:
+  custom:

package.json

@@ -28,6 +28,7 @@
     "better-sqlite3": "11.8.1",
     "bull": "4.16.5",
     "cookie-parser": "1.4.7",
+    "cookie-session": "^2.1.0",
     "cors": "2.8.5",
     "date-fns": "2.30.0",
     "dotenv": "16.4.7",
@@ -46,6 +47,7 @@
     "mysql2": "3.12.0",
     "nanoid": "3.3.8",
     "nodemailer": "6.9.16",
+    "openid-client": "^5.7.0",
     "passport": "0.7.0",
     "passport-jwt": "4.0.1",
     "passport-local": "1.0.0",

server/env.js

@@ -50,6 +50,7 @@ const spec = {
   REDIS_DB: num({ default: 0 }),
   DISALLOW_ANONYMOUS_LINKS: bool({ default: true }),
   DISALLOW_REGISTRATION: bool({ default: true }),
+  DISALLOW_FORM_LOGIN: bool({ default: false }),
   SERVER_IP_ADDRESS: str({ default: "" }),
   SERVER_CNAME_ADDRESS: str({ default: "" }),
   CUSTOM_DOMAIN_USE_HTTPS: bool({ default: false }),
@@ -61,6 +62,13 @@ const spec = {
   MAIL_USER: str({ default: "" }),
   MAIL_FROM: str({ default: "", example: "Kutt <[email protected]>" }),
   MAIL_PASSWORD: str({ default: "" }),
+  OIDC_ENABLED: bool({ default: false }),
+  OIDC_ISSUER: str({ default: "" }),
+  OIDC_CLIENT_ID: str({ default: "" }),
+  OIDC_CLIENT_SECRET: str({ default: "" }),
+  OIDC_SCOPE: str({ default: "openid profile email" }),
+  OIDC_EMAIL_CLAIM: str({ default: "email" }),
+  OIDC_APP_URL: str({ default: "" }),
   ENABLE_RATE_LIMIT: bool({ default: false }),
   REPORT_EMAIL: str({ default: "" }),
   CONTACT_EMAIL: str({ default: "" }),

server/handlers/auth.handler.js

@@ -16,9 +16,10 @@ const CustomError = utils.CustomError;
 function authenticate(type, error, isStrict, redirect) {
   return function auth(req, res, next) {
     if (req.user) return next();
-    
+
     passport.authenticate(type, (err, user, info) => {
       if (err) return next(err);
+      if (type === 'oidc' && info instanceof Error) return next(info);
 
       if (
         req.isHTML &&
@@ -80,6 +81,7 @@ const jwtPage = authenticate("jwt", "Unauthorized.", true, "page");
 const jwtLoose = authenticate("jwt", "Unauthorized.", false, "header");
 const jwtLoosePage = authenticate("jwt", "Unauthorized.", false, "page");
 const apikey = authenticate("localapikey", "API key is not correct.", false, null);
+const oidc = authenticate("oidc", "Unauthorized", false, "page");
 
 function admin(req, res, next) {
   if (req.user.admin) return next();
@@ -388,6 +390,7 @@ module.exports = {
   local,
   login,
   newPassword,
+  oidc,
   resetPassword,
   signup,
   verify,

server/handlers/locals.handler.js

@@ -27,6 +27,8 @@ function config(req, res, next) {
   res.locals.server_ip_address = env.SERVER_IP_ADDRESS;
   res.locals.server_cname_address = env.SERVER_CNAME_ADDRESS;
   res.locals.disallow_registration = env.DISALLOW_REGISTRATION;
+  res.locals.disallow_form_login = env.DISALLOW_FORM_LOGIN;
+  res.locals.oidc_enabled = env.OIDC_ENABLED;
   res.locals.mail_enabled = env.MAIL_ENABLED;
   res.locals.report_email = env.REPORT_EMAIL;
   res.locals.custom_styles = utils.getCustomCSSFileNames();