diff --git a/packages/api/src/controllers/auth.js b/packages/api/src/controllers/auth.js
index 6e0d4407..167029b4 100644
--- a/packages/api/src/controllers/auth.js
+++ b/packages/api/src/controllers/auth.js
@@ -62,11 +62,12 @@ module.exports = {
   async oauthToken(params) {
     const { redirectUri, code } = params;
+    const scopeParam = process.env.OAUTH_SCOPE ? `&scope=${process.env.OAUTH_SCOPE}` : '';
     const resp = await axios.default.post(
       `${process.env.OAUTH_TOKEN}`,
       `grant_type=authorization_code&code=${encodeURIComponent(code)}&redirect_uri=${encodeURIComponent(
         redirectUri
-      )}&client_id=${process.env.OAUTH_CLIENT_ID}&client_secret=${process.env.OAUTH_CLIENT_SECRET}`
+      )}&client_id=${process.env.OAUTH_CLIENT_ID}&client_secret=${process.env.OAUTH_CLIENT_SECRET}${scopeParam}`
     );
 
     const { access_token, refresh_token } = resp.data;
 
@@ -75,7 +76,10 @@ module.exports = {
 
     console.log('User payload returned from OAUTH:', payload);
 
-    const login = process.env.OAUTH_LOGIN_FIELD ? payload[process.env.OAUTH_LOGIN_FIELD] : 'oauth';
+    const login =
+      process.env.OAUTH_LOGIN_FIELD && payload && payload[process.env.OAUTH_LOGIN_FIELD]
+        ? payload[process.env.OAUTH_LOGIN_FIELD]
+        : 'oauth';
 
     if (
       process.env.OAUTH_ALLOWED_LOGINS &&
@@ -113,7 +117,7 @@ module.exports = {
       !process.env.AD_ALLOWED_LOGINS.split(',').find(x => x.toLowerCase().trim() == login.toLowerCase().trim())
     ) {
       return { error: `Username ${login} not allowed to log in` };
-     }
+    }
     return {
       accessToken: jwt.sign({ login }, tokenSecret, { expiresIn: getTokenLifetime() }),
     };
@@ -129,7 +133,7 @@ module.exports = {
     if (!logins) {
       return { error: 'Logins not configured' };
     }
-    const foundLogin = logins.find(x => x.login == login)
+    const foundLogin = logins.find(x => x.login == login);
     if (foundLogin && foundLogin.password == password) {
       return {
         accessToken: jwt.sign({ login }, tokenSecret, { expiresIn: getTokenLifetime() }),
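Review bot: The new `scopeParam` line interpolates `process.env.OAUTH_SCOPE` into the form-encoded token request without `encodeURIComponent`, unlike `code` and `redirect_uri` on the neighbouring lines; OAuth scope values are commonly space-separated (for example `openid profile email`), so a space, `+`, `&` or `#` in the configured value produces a malformed body or a parameter that is silently truncated at the provider. Change it to `const scopeParam = process.env.OAUTH_SCOPE ? `&scope=${encodeURIComponent(process.env.OAUTH_SCOPE)}` : '';`. The same unencoded interpolation appears in the `scopeParam` line of the clientAuth.ts hunk, where `config.oauthScope` is appended to the authorization URL and should likewise be wrapped in `encodeURIComponent(...)`. Whether the token endpoint honours a `scope` parameter on an authorization_code exchange at all is provider-specific, so it is worth a comment naming the provider this was added for. The body of `oauthToken` continues past the end of this hunk.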
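Review bot: The rewritten `login` expression in the second hunk falls back to the literal `'oauth'` whenever `OAUTH_LOGIN_FIELD` is configured but the provider payload does not carry that field, so a mistyped field name or a changed provider response silently authenticates the caller under the shared `'oauth'` identity instead of failing; before this change the same situation yielded `undefined`, which presumably did not result in a usable identity. When a login field is configured and the payload lacks it, reject the login explicitly, e.g. `if (process.env.OAUTH_LOGIN_FIELD && !(payload && payload[process.env.OAUTH_LOGIN_FIELD])) { return { error: 'Login field missing in OAUTH payload' }; }`, and keep the `'oauth'` default only for deployments that configure no login field. The enclosing function starts and ends outside this hunk, so the later `OAUTH_ALLOWED_LOGINS` handling that consumes `login` is not visible here.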
diff --git a/packages/api/src/controllers/config.js b/packages/api/src/controllers/config.js
index 5289c8dc..706efda1 100644
--- a/packages/api/src/controllers/config.js
+++ b/packages/api/src/controllers/config.js
@@ -48,6 +48,7 @@ module.exports = {
     login,
     oauth: process.env.OAUTH_AUTH,
     oauthClient: process.env.OAUTH_CLIENT_ID,
+    oauthScope: process.env.OAUTH_SCOPE,
     oauthLogout: process.env.OAUTH_LOGOUT,
     isLoginForm: !!process.env.AD_URL || (!!logins && !process.env.BASIC_AUTH),
     ...currentVersion,
diff --git a/packages/web/src/clientAuth.ts b/packages/web/src/clientAuth.ts
index 58b655e7..15f1b278 100644
--- a/packages/web/src/clientAuth.ts
+++ b/packages/web/src/clientAuth.ts
@@ -71,19 +71,20 @@ export async function redirectToLogin(config = null, force = false) {
 
   if (config.oauth) {
     const state = `dbg-oauth:${Math.random().toString().substr(2)}`;
+    const scopeParam = config.oauthScope ? `&scope=${config.oauthScope}` : '';
     sessionStorage.setItem('oauthState', state);
     console.log('Redirecting to OAUTH provider');
     location.replace(
       `${config.oauth}?client_id=${config.oauthClient}&response_type=code&redirect_uri=${encodeURIComponent(
         location.origin + location.pathname
-      )}&state=${encodeURIComponent(state)}`
+      )}&state=${encodeURIComponent(state)}${scopeParam}`
     );
     return;
   }
 }
 
 export function internalRedirectTo(path) {
-const index = location.pathname.lastIndexOf('/');
+  const index = location.pathname.lastIndexOf('/');
   const newPath = index >= 0 ? location.pathname.substring(0, index) + path : path;
   location.replace(newPath);
 }