planka/server/api/helpers/users/get-or-create-one-with-oidc.js

/*!
 * Copyright (c) 2024 PLANKA Software GmbH
 * Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
 */

module.exports = {
  inputs: {
    code: {
      type: 'string',
      required: true,
    },
    nonce: {
      type: 'string',
      required: true,
    },
  },

  exits: {
    invalidOidcConfiguration: {},
    invalidCodeOrNonce: {},
    invalidUserinfoConfiguration: {},
    missingValues: {},
    emailAlreadyInUse: {},
    usernameAlreadyInUse: {},
    activeLimitReached: {},
  },

  async fn(inputs) {
    const client = await sails.hooks.oidc.getClient();

    if (!client) {
      throw 'invalidOidcConfiguration';
    }

    let tokenSet;
    try {
      tokenSet = await client.callback(
        sails.config.custom.oidcRedirectUri,
        {
          iss: sails.config.custom.oidcIssuer,
          code: inputs.code,
        },
        {
          nonce: inputs.nonce,
        },
      );
    } catch (error) {
      sails.log.warn(`Error while exchanging OIDC code: ${error}`);
      throw 'invalidCodeOrNonce';
    }

    let claims;
    if (sails.config.custom.oidcClaimsSource === 'id_token') {
      claims = tokenSet.claims();
    } else {
      try {
        claims = await client.userinfo(tokenSet);
      } catch (error) {
        let errorText;
        if (
          error instanceof SyntaxError &&
          error.message.includes('Unexpected token e in JSON at position 0')
        ) {
          errorText = 'response is signed';
        } else {
          errorText = error.toString();
        }

        sails.log.warn(`Error while fetching OIDC userinfo: ${errorText}`);
        throw 'invalidUserinfoConfiguration';
      }
    }

    const email = claims[sails.config.custom.oidcEmailAttribute];
    const name = claims[sails.config.custom.oidcNameAttribute];

    if (!email || !name) {
      throw 'missingValues';
    }

    let role = User.Roles.BOARD_USER;
    if (!sails.config.custom.oidcIgnoreRoles) {
      const claimsRoles = claims[sails.config.custom.oidcRolesAttribute];

      if (Array.isArray(claimsRoles)) {
        // Use a Set here to avoid quadratic time complexity
        const claimsRolesSet = new Set(claimsRoles);

        const foundRole = [User.Roles.ADMIN, User.Roles.PROJECT_OWNER, User.Roles.BOARD_USER].find(
          (roleItem) => {
            const configRoles = sails.config.custom[`oidc${_.upperFirst(roleItem)}Roles`];

            if (configRoles.includes('*')) {
              return true;
            }

            return configRoles.some((configRole) => claimsRolesSet.has(configRole));
          },
        );

        if (foundRole) {
          role = foundRole;
        }
      }
    }

    const values = {
      email,
      role,
      name,
      isSsoUser: true,
    };
    if (!sails.config.custom.oidcIgnoreUsername) {
      values.username = claims[sails.config.custom.oidcUsernameAttribute];
    }

    // This whole block technically needs to be executed in a transaction
    // with SERIALIZABLE isolation level (but Waterline does not support
    // that), so this will result in errors if for example users are deleted
    // concurrently with logging in via OIDC.
    let identityProviderUser = await IdentityProviderUser.qm.getOneByIssuerAndSub(
      sails.config.custom.oidcIssuer,
      claims.sub,
    );

    let user;
    let isCreated = false;

    if (identityProviderUser) {
      user = await User.qm.getOneById(identityProviderUser.userId);
    } else {
      // If no IDP/User mapping exists, search for the user by email.
      user = await User.qm.getOneByEmail(values.email);

      // Otherwise, create a new user.
      if (!user) {
        user = await sails.helpers.users.createOne
          .with({
            values,
            actorUser: User.OIDC,
          })
          .intercept('usernameAlreadyInUse', 'usernameAlreadyInUse')
          .intercept('activeLimitReached', 'activeLimitReached');

        isCreated = true;
      }

      identityProviderUser = await IdentityProviderUser.qm.createOne({
        userId: user.id,
        issuer: sails.config.custom.oidcIssuer,
        sub: claims.sub,
      });
    }

    if (!isCreated) {
      values.isDeactivated = false;

      const updateFieldKeys = ['email', 'name', 'isSsoUser', 'isDeactivated'];
      if (!sails.config.custom.oidcIgnoreUsername) {
        updateFieldKeys.push('username');
      }
      if (!sails.config.custom.oidcIgnoreRoles) {
        updateFieldKeys.push('role');
      }

      const updateValues = {};
      // eslint-disable-next-line no-restricted-syntax
      for (const k of updateFieldKeys) {
        if (values[k] !== user[k]) updateValues[k] = values[k];
      }

      if (Object.keys(updateValues).length > 0) {
        user = await sails.helpers.users.updateOne
          .with({
            record: user,
            values: updateValues,
            actorUser: User.OIDC,
          })
          .intercept('emailAlreadyInUse', 'emailAlreadyInUse')
          .intercept('usernameAlreadyInUse', 'usernameAlreadyInUse')
          .intercept('activeLimitReached', 'activeLimitReached');
      }
    }

    return user;
  },
};
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`/*!`
			`* Copyright (c) 2024 PLANKA Software GmbH`
			`* Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md`
			`*/`

			`module.exports = {`
			`inputs: {`
			`code: {`
			`type: 'string',`
			`required: true,`
			`},`
			`nonce: {`
			`type: 'string',`
			`required: true,`
			`},`
			`},`

			`exits: {`
			`invalidOidcConfiguration: {},`
			`invalidCodeOrNonce: {},`
			`invalidUserinfoConfiguration: {},`
			`missingValues: {},`
			`emailAlreadyInUse: {},`
			`usernameAlreadyInUse: {},`
			`activeLimitReached: {},`
			`},`

			`async fn(inputs) {`
			`const client = await sails.hooks.oidc.getClient();`

			`if (!client) {`
			`throw 'invalidOidcConfiguration';`
			`}`

			`let tokenSet;`
			`try {`
			`tokenSet = await client.callback(`
			`sails.config.custom.oidcRedirectUri,`
			`{`
			`iss: sails.config.custom.oidcIssuer,`
			`code: inputs.code,`
			`},`
			`{`
			`nonce: inputs.nonce,`
			`},`
			`);`
			`} catch (error) {`
			sails.log.warn(`Error while exchanging OIDC code: ${error}`);
			`throw 'invalidCodeOrNonce';`
			`}`

			`let claims;`
			`if (sails.config.custom.oidcClaimsSource === 'id_token') {`
			`claims = tokenSet.claims();`
			`} else {`
			`try {`
			`claims = await client.userinfo(tokenSet);`
			`} catch (error) {`
			`let errorText;`
			`if (`
			`error instanceof SyntaxError &&`
			`error.message.includes('Unexpected token e in JSON at position 0')`
			`) {`
			`errorText = 'response is signed';`
			`} else {`
			`errorText = error.toString();`
			`}`

			sails.log.warn(`Error while fetching OIDC userinfo: ${errorText}`);
			`throw 'invalidUserinfoConfiguration';`
			`}`
			`}`

			`const email = claims[sails.config.custom.oidcEmailAttribute];`
			`const name = claims[sails.config.custom.oidcNameAttribute];`

			`if (!email \|\| !name) {`
			`throw 'missingValues';`
			`}`

			`let role = User.Roles.BOARD_USER;`
			`if (!sails.config.custom.oidcIgnoreRoles) {`
			`const claimsRoles = claims[sails.config.custom.oidcRolesAttribute];`

			`if (Array.isArray(claimsRoles)) {`
			`// Use a Set here to avoid quadratic time complexity`
			`const claimsRolesSet = new Set(claimsRoles);`

			`const foundRole = [User.Roles.ADMIN, User.Roles.PROJECT_OWNER, User.Roles.BOARD_USER].find(`
			`(roleItem) => {`
			const configRoles = sails.config.custom[`oidc${_.upperFirst(roleItem)}Roles`];

			`if (configRoles.includes('*')) {`
			`return true;`
			`}`

			`return configRoles.some((configRole) => claimsRolesSet.has(configRole));`
			`},`
			`);`

			`if (foundRole) {`
			`role = foundRole;`
			`}`
			`}`
			`}`

			`const values = {`
			`email,`
			`role,`
			`name,`
			`isSsoUser: true,`
			`};`
			`if (!sails.config.custom.oidcIgnoreUsername) {`
			`values.username = claims[sails.config.custom.oidcUsernameAttribute];`
			`}`

			`// This whole block technically needs to be executed in a transaction`
			`// with SERIALIZABLE isolation level (but Waterline does not support`
			`// that), so this will result in errors if for example users are deleted`
			`// concurrently with logging in via OIDC.`
			`let identityProviderUser = await IdentityProviderUser.qm.getOneByIssuerAndSub(`
			`sails.config.custom.oidcIssuer,`
			`claims.sub,`
			`);`

			`let user;`
			`let isCreated = false;`

			`if (identityProviderUser) {`
			`user = await User.qm.getOneById(identityProviderUser.userId);`
			`} else {`
			`// If no IDP/User mapping exists, search for the user by email.`
			`user = await User.qm.getOneByEmail(values.email);`

			`// Otherwise, create a new user.`
			`if (!user) {`
			`user = await sails.helpers.users.createOne`
			`.with({`
			`values,`
			`actorUser: User.OIDC,`
			`})`
			`.intercept('usernameAlreadyInUse', 'usernameAlreadyInUse')`
			`.intercept('activeLimitReached', 'activeLimitReached');`

			`isCreated = true;`
			`}`

			`identityProviderUser = await IdentityProviderUser.qm.createOne({`
			`userId: user.id,`
			`issuer: sails.config.custom.oidcIssuer,`
			`sub: claims.sub,`
			`});`
			`}`

			`if (!isCreated) {`
			`values.isDeactivated = false;`

			`const updateFieldKeys = ['email', 'name', 'isSsoUser', 'isDeactivated'];`
			`if (!sails.config.custom.oidcIgnoreUsername) {`
			`updateFieldKeys.push('username');`
			`}`
			`if (!sails.config.custom.oidcIgnoreRoles) {`
			`updateFieldKeys.push('role');`
			`}`

			`const updateValues = {};`
			`// eslint-disable-next-line no-restricted-syntax`
			`for (const k of updateFieldKeys) {`
			`if (values[k] !== user[k]) updateValues[k] = values[k];`
			`}`

			`if (Object.keys(updateValues).length > 0) {`
			`user = await sails.helpers.users.updateOne`
			`.with({`
			`record: user,`
			`values: updateValues,`
			`actorUser: User.OIDC,`
			`})`
			`.intercept('emailAlreadyInUse', 'emailAlreadyInUse')`
			`.intercept('usernameAlreadyInUse', 'usernameAlreadyInUse')`
			`.intercept('activeLimitReached', 'activeLimitReached');`
			`}`
			`}`

			`return user;`
			`},`
			`};`