From 58233a2fd5a65016fecd79882c49ed9da2dc82f2 Mon Sep 17 00:00:00 2001
From: michael-pattern
Date: Wed, 8 May 2024 17:51:27 -0400
Subject: [PATCH 1/3] Create login entries when the OAUTH_PERMISSIONS flag is truthy
---
 packages/api/src/utility/hasPermission.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/packages/api/src/utility/hasPermission.js b/packages/api/src/utility/hasPermission.js
index 04d28112..46ae1d1c 100644
--- a/packages/api/src/utility/hasPermission.js
+++ b/packages/api/src/utility/hasPermission.js
@@ -39,7 +39,7 @@ function getLogins() {
 permissions: process.env.PERMISSIONS,
 });
 }
- if (process.env.LOGINS) {
+ if (process.env.LOGINS || process.env.OAUTH_PERMISSIONS) {
 const logins = _.compact(process.env.LOGINS.split(',').map(x => x.trim()));
 for (const login of logins) {
 const password = process.env[`LOGIN_PASSWORD_${login}`];
@@ -51,6 +51,13 @@ function getLogins() {
 permissions,
 });
 }
+ if (process.env.OAUTH_PERMISSIONS) {
+ res.push({
+ login,
+ password: null,
+ permissions,
+ })
+ }
 }
 }
From 26471517a98e083e88d0437e6fbce6108ba8f2a0 Mon Sep 17 00:00:00 2001
From: michael-pattern
Date: Wed, 8 May 2024 17:52:05 -0400
Subject: [PATCH 2/3] Only add users to basicAuth when password is truthy
---
 packages/api/src/main.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/api/src/main.js b/packages/api/src/main.js
index d9d81c61..6b97431c 100644
--- a/packages/api/src/main.js
+++ b/packages/api/src/main.js
@@ -48,7 +48,7 @@ function start() {
 if (logins && process.env.BASIC_AUTH) {
 app.use(
 basicAuth({
- users: _.fromPairs(logins.map(x => [x.login, x.password])),
+ users: _.fromPairs(logins.filter(x => x.password).map(x => [x.login, x.password])),
 challenge: true,
 realm: 'DbGate Web App',
 })
From 696d870c2f5b6c414eb9d389b466e8131f35f212 Mon Sep 17 00:00:00 2001
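Review bot: In the first hunk of packages/api/src/utility/hasPermission.js the widened guard `if (process.env.LOGINS || process.env.OAUTH_PERMISSIONS)` lets execution reach `process.env.LOGINS.split(',')` on the next line when OAUTH_PERMISSIONS is set but LOGINS is not, and calling `.split` on an undefined value throws a TypeError out of getLogins. The safe form is `const logins = _.compact((process.env.LOGINS || '').split(',').map(x => x.trim()));`. Note also that with LOGINS unset the list is empty and the loop body never runs, so OAUTH_PERMISSIONS alone creates no entries; if that is the intended behaviour the original `if (process.env.LOGINS)` already covered it and the widening only adds the crash path. getLogins starts and ends outside the hunk.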
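Review bot: The new block in the second hunk of hasPermission.js pushes a second entry with the same `login` and `password: null` whenever OAUTH_PERMISSIONS is set, so `res` then holds two entries per login, and a lookup such as the `logins.find(x => x.login == login)` in controllers/auth.js only ever sees the first one. That works as long as the password-bearing push closed at the top of this hunk stays first, which is easy to break by reordering, so the contract should be stated in a comment: `// OAuth-only twin of the entry above: no password, so basic auth and password login skip it`. The `res.push({ ... })` statement is also missing its terminating semicolon. The block this code is nested in opens before the hunk, and getLogins ends outside it.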
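Review bot: The filter `logins.filter(x => x.password)` in packages/api/src/main.js is doing security work — it keeps the null-password entries added in hasPermission.js out of the basic-auth user map — but nothing in the code says so, and a future tidy-up could drop it as redundant; a comment such as `// entries with a null password are OAuth-only and must not become basic-auth users` would protect it. One side effect worth documenting next to it: when BASIC_AUTH is set and no login carries a password, the `users` map is empty and, as far as I can tell from this hunk, every request is then rejected by the middleware. start continues outside the hunk.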
From: michael-pattern
Date: Wed, 8 May 2024 17:52:50 -0400
Subject: [PATCH 3/3] Allow password-based user login only when password is truthy
---
 packages/api/src/controllers/auth.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/api/src/controllers/auth.js b/packages/api/src/controllers/auth.js
index 74c5ad45..0171f3ae 100644
--- a/packages/api/src/controllers/auth.js
+++ b/packages/api/src/controllers/auth.js
@@ -137,7 +137,7 @@ module.exports = {
 return { error: 'Logins not configured' };
 }
 const foundLogin = logins.find(x => x.login == login);
- if (foundLogin && foundLogin.password == password) {
+ if (foundLogin && foundLogin.password && foundLogin.password == password) {
 return {
 accessToken: jwt.sign({ login }, tokenSecret, { expiresIn: getTokenLifetime() }),
 };
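Review bot: The password check `foundLogin.password == password` in packages/api/src/controllers/auth.js still uses loose equality and an ordinary string comparison, which is the wrong tool for a secret: `==` coerces a non-string request value before comparing, and plain string equality stops at the first differing byte. The added `foundLogin.password &&` guard is right, but the comparison itself should require a string and go through `crypto.timingSafeEqual` on equal-length buffers, as below; `crypto` needs a `require('crypto')` at the top of the file, which is outside the hunk. The `x.login == login` lookup on the line above should use `===` for the same coercion reason. The enclosing handler starts and ends outside the hunk.
```javascript
const foundLogin = logins.find(x => x.login === login);
const passwordMatches =
  foundLogin != null &&
  typeof foundLogin.password === 'string' &&
  foundLogin.password.length > 0 &&
  typeof password === 'string' &&
  Buffer.byteLength(foundLogin.password) === Buffer.byteLength(password) &&
  crypto.timingSafeEqual(Buffer.from(foundLogin.password), Buffer.from(password));
if (passwordMatches) {
  // … unchanged: access token issued via jwt.sign …
```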