ref: Refactoring, fix linting

docker-compose-dev.yml

@@ -29,7 +29,11 @@ services:
       # - OIDC_ISSUER=
       # - OIDC_CLIENT_ID=
       # - OIDC_CLIENT_SECRET=
+      # - OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=
+      # - OIDC_USERINFO_SIGNED_RESPONSE_ALG=
       # - OIDC_SCOPES=openid email profile
+      # - OIDC_RESPONSE_MODE=fragment
+      # - OIDC_USE_DEFAULT_RESPONSE_MODE=true
       # - OIDC_ADMIN_ROLES=admin
       # - OIDC_EMAIL_ATTRIBUTE=email
       # - OIDC_NAME_ATTRIBUTE=name

docker-compose.yml

@@ -36,7 +36,11 @@ services:
       # - OIDC_ISSUER=
       # - OIDC_CLIENT_ID=
       # - OIDC_CLIENT_SECRET=
+      # - OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=
+      # - OIDC_USERINFO_SIGNED_RESPONSE_ALG=
       # - OIDC_SCOPES=openid email profile
+      # - OIDC_RESPONSE_MODE=fragment
+      # - OIDC_USE_DEFAULT_RESPONSE_MODE=true
       # - OIDC_ADMIN_ROLES=admin
       # - OIDC_EMAIL_ATTRIBUTE=email
       # - OIDC_NAME_ATTRIBUTE=name

server/.env.sample

@@ -27,7 +27,11 @@ SECRET_KEY=notsecretkey
 # OIDC_ISSUER=
 # OIDC_CLIENT_ID=
 # OIDC_CLIENT_SECRET=
+# OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=
+# OIDC_USERINFO_SIGNED_RESPONSE_ALG=
 # OIDC_SCOPES=openid email profile
+# OIDC_RESPONSE_MODE=fragment
+# OIDC_USE_DEFAULT_RESPONSE_MODE=true
 # OIDC_ADMIN_ROLES=admin
 # OIDC_EMAIL_ATTRIBUTE=email
 # OIDC_NAME_ATTRIBUTE=name

server/api/controllers/access-tokens/exchange-using-oidc.js

@@ -4,6 +4,9 @@ const Errors = {
   INVALID_CODE_OR_NONCE: {
     invalidCodeOrNonce: 'Invalid code or nonce',
   },
+  INVALID_USERINFO_SIGNATURE: {
+    invalidUserinfoSignature: 'Invalid signature on userinfo due to client misconfiguration',
+  },
   EMAIL_ALREADY_IN_USE: {
     emailAlreadyInUse: 'Email already in use',
   },
@@ -13,9 +16,6 @@ const Errors = {
   MISSING_VALUES: {
     missingValues: 'Unable to retrieve required values (email, name)',
   },
-  INVALID_USERINFO_SIGNATURE: {
-    invalidUserInfoSignature: "Invalid signature on userInfo due to client misconfiguration"
-  }
 };
 
 module.exports = {
@@ -34,6 +34,9 @@ module.exports = {
     invalidCodeOrNonce: {
       responseType: 'unauthorized',
     },
+    invalidUserinfoSignature: {
+      responseType: 'unauthorized',
+    },
     emailAlreadyInUse: {
       responseType: 'conflict',
     },
@@ -43,9 +46,6 @@ module.exports = {
     missingValues: {
       responseType: 'unprocessableEntity',
     },
-    invalidUserInfoSignature: {
-      responseType: 'unauthorized',
-    },
   },
 
   async fn(inputs) {
@@ -57,7 +57,7 @@ module.exports = {
         sails.log.warn(`Invalid code or nonce! (IP: ${remoteAddress})`);
         return Errors.INVALID_CODE_OR_NONCE;
       })
-      .intercept('invalidUserInfoSignature', () => Errors.INVALID_USERINFO_SIGNATURE)
+      .intercept('invalidUserinfoSignature', () => Errors.INVALID_USERINFO_SIGNATURE)
       .intercept('emailAlreadyInUse', () => Errors.EMAIL_ALREADY_IN_USE)
       .intercept('usernameAlreadyInUse', () => Errors.USERNAME_ALREADY_IN_USE)
       .intercept('missingValues', () => Errors.MISSING_VALUES);

server/api/controllers/show-config.js

@@ -4,16 +4,16 @@ module.exports = {
     if (sails.hooks.oidc.isActive()) {
       const oidcClient = sails.hooks.oidc.getClient();
 
-      const authorizationParameters = {
+      const authorizationUrlParams = {
         scope: sails.config.custom.oidcScopes,
-      }
+      };
 
-      if(!sails.config.custom.oidcDefaultResponseMode) {
-        authorizationParameters.response_mode = sails.config.custom.oidcResponseMode
+      if (!sails.config.custom.oidcUseDefaultResponseMode) {
+        authorizationUrlParams.response_mode = sails.config.custom.oidcResponseMode;
       }
 
       oidc = {
-        authorizationUrl: oidcClient.authorizationUrl(authorizationParameters),
+        authorizationUrl: oidcClient.authorizationUrl(authorizationUrlParams),
         endSessionUrl: oidcClient.issuer.end_session_endpoint ? oidcClient.endSessionUrl({}) : null,
         isEnforced: sails.config.custom.oidcEnforced,
       };

server/api/helpers/users/get-or-create-one-using-oidc.js

@@ -11,8 +11,8 @@ module.exports = {
   },
 
   exits: {
-    invalidUserInfoSignature: {},
     invalidCodeOrNonce: {},
+    invalidUserinfoSignature: {},
     missingValues: {},
     emailAlreadyInUse: {},
     usernameAlreadyInUse: {},
@@ -35,10 +35,14 @@ module.exports = {
       );
       userInfo = await client.userinfo(tokenSet);
     } catch (e) {
-      if (e instanceof SyntaxError && e.message.includes('Unexpected token e in JSON at position 0')) {
-        sails.log.warn('Error while exchanging OIDC code: userInfo response is signed.');
-        throw 'invalidUserInfoSignature';
+      if (
+        e instanceof SyntaxError &&
+        e.message.includes('Unexpected token e in JSON at position 0')
+      ) {
+        sails.log.warn('Error while exchanging OIDC code: userinfo response is signed');
+        throw 'invalidUserinfoSignature';
       }
+
       sails.log.warn(`Error while exchanging OIDC code: ${e}`);
       throw 'invalidCodeOrNonce';
     }

server/api/hooks/oidc/index.js

@@ -31,10 +31,10 @@ module.exports = function defineOidcHook(sails) {
         redirect_uris: [sails.config.custom.oidcRedirectUri],
         response_types: ['code'],
         userinfo_signed_response_alg: sails.config.custom.oidcUserinfoSignedResponseAlg,
-      }
+      };
 
       if (sails.config.custom.oidcIdTokenSignedResponseAlg) {
-        metadata.id_token_signed_response_alg = sails.config.custom.oidcIdTokenSignedResponseAlg
+        metadata.id_token_signed_response_alg = sails.config.custom.oidcIdTokenSignedResponseAlg;
       }
 
       client = new issuer.Client(metadata);

server/config/custom.js

@@ -43,7 +43,7 @@ module.exports.custom = {
   oidcUserinfoSignedResponseAlg: process.env.OIDC_USERINFO_SIGNED_RESPONSE_ALG,
   oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
   oidcResponseMode: process.env.OIDC_RESPONSE_MODE || 'fragment',
-  oidcDefaultResponseMode: process.env.OIDC_DEFAULT_RESPONSE_MODE === 'true',
+  oidcUseDefaultResponseMode: process.env.OIDC_USE_DEFAULT_RESPONSE_MODE === 'true',
   oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
   oidcEmailAttribute: process.env.OIDC_EMAIL_ATTRIBUTE || 'email',
   oidcNameAttribute: process.env.OIDC_NAME_ATTRIBUTE || 'name',