feat: Add ability to enforce SSO

Closes #543, closes #545
2025-07-18 12:49:43 +02:00 · 2024-02-01 00:31:15 +01:00 · 2024-02-01 00:31:15 +01:00 · 6c826c7127
commit 6c826c7127
parent 988afba1d0
10 changed files with 80 additions and 46 deletions
--- a/server/.env.sample
+++ b/server/.env.sample
@ -33,6 +33,7 @@ SECRET_KEY=notsecretkey
 # OIDC_ROLES_ATTRIBUTE=groups
 # OIDC_IGNORE_USERNAME=true
 # OIDC_IGNORE_ROLES=true
+# OIDC_ENFORCED=true

 ## Do not edit this

--- a/server/api/controllers/access-tokens/create.js
+++ b/server/api/controllers/access-tokens/create.js
@ -46,8 +46,11 @@ module.exports = {
  },

  async fn(inputs) {
-    const remoteAddress = getRemoteAddress(this.req);
+    if (sails.config.custom.oidcEnforced) {
+      throw Errors.USE_SINGLE_SIGN_ON;
+    }

+    const remoteAddress = getRemoteAddress(this.req);
    const user = await sails.helpers.users.getOneByEmailOrUsername(inputs.emailOrUsername);

    if (!user) {
--- a/server/api/controllers/show-config.js
+++ b/server/api/controllers/show-config.js
@ -10,6 +10,7 @@ module.exports = {
          response_mode: 'fragment',
        }),
        endSessionUrl: oidcClient.issuer.end_session_endpoint ? oidcClient.endSessionUrl({}) : null,
+        isEnforced: sails.config.custom.oidcEnforced,
      };
    }

--- a/server/api/controllers/users/create.js
+++ b/server/api/controllers/users/create.js
@ -1,6 +1,9 @@
 const zxcvbn = require('zxcvbn');

 const Errors = {
+  NOT_ENOUGH_RIGHTS: {
+    notEnoughRights: 'Not enough rights',
+  },
  EMAIL_ALREADY_IN_USE: {
    emailAlreadyInUse: 'Email already in use',
  },
@ -56,6 +59,9 @@ module.exports = {
  },

  exits: {
+    notEnoughRights: {
+      responseType: 'forbidden',
+    },
    emailAlreadyInUse: {
      responseType: 'conflict',
    },
@ -65,6 +71,10 @@ module.exports = {
  },

  async fn(inputs) {
+    if (sails.config.custom.oidcEnforced) {
+      throw Errors.NOT_ENOUGH_RIGHTS;
+    }
+
    const values = _.pick(inputs, [
      'email',
      'password',
--- a/server/config/custom.js
+++ b/server/config/custom.js
@ -44,6 +44,7 @@ module.exports.custom = {
  oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
  oidcIgnoreUsername: process.env.OIDC_IGNORE_USERNAME === 'true',
  oidcIgnoreRoles: process.env.OIDC_IGNORE_ROLES === 'true',
+  oidcEnforced: process.env.OIDC_ENFORCED === 'true',

  // TODO: move client base url to environment variable?
  oidcRedirectUri: `${