Docker/planka
Docker/planka
1
0
Fork 0
mirror of https://github.com/plankanban/planka.git synced 2025-08-09 07:25:24 +02:00
Code Issues Releases Activity

Revert "merged"

Browse source
This commit is contained in:
Ran Shamay 2023-11-22 13:08:53 +02:00 committed by GitHub
parent ea73135ab4
commit f8882b521e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
93 changed files with 35496 additions and 1165 deletions
Download patch file Download diff file Expand all files Collapse all files

39
.github/workflows/build-and-push-docker-image-dev.yml vendored
View file

@ -1,39 +0,0 @@
name: Build and push Docker DEV image
on:
push:
paths-ignore:
- '.github/**'
- 'charts/**'
- 'docker-*.sh'
- '*.md'
branches: [master]
jobs:
build-and-push-docker-image-dev:
runs-on: self-hosted
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v4
with:
context: .
platforms: linux/amd64,linux/arm64,linux/arm/v7
push: true
tags: |
ghcr.io/plankanban/planka:dev

1
.github/workflows/helm-chart-release.yml vendored
View file

@ -38,6 +38,5 @@ jobs:
uses: helm/chart-releaser-action@v1.5.0
with:
charts_dir: charts
mark_as_latest: false
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

29
Dockerfile.base
View file

@ -1,22 +1,27 @@
FROM node:18-alpine
FROM node:lts-alpine
ARG VIPS_VERSION=8.14.5
ARG ALPINE_VERSION=3.16
ARG VIPS_VERSION=8.13.3
RUN apk -U upgrade \
&& apk add \
bash pkgconf \
libjpeg-turbo libexif librsvg cgif tiff libspng libimagequant \
bash giflib glib lcms2 libexif \
libgsf libjpeg-turbo libpng librsvg libwebp \
orc pango tiff \
--repository https://alpine.global.ssl.fastly.net/alpine/v${ALPINE_VERSION}/community/ \
--repository https://alpine.global.ssl.fastly.net/alpine/v${ALPINE_VERSION}/main/ \
--no-cache \
&& apk add \
build-base gobject-introspection-dev meson \
libjpeg-turbo-dev libexif-dev librsvg-dev cgif-dev tiff-dev libspng-dev libimagequant-dev \
build-base giflib-dev glib-dev lcms2-dev libexif-dev \
libgsf-dev libjpeg-turbo-dev libpng-dev librsvg-dev libwebp-dev \
orc-dev pango-dev tiff-dev \
--virtual vips-dependencies \
--repository https://alpine.global.ssl.fastly.net/alpine/v${ALPINE_VERSION}/community/ \
--repository https://alpine.global.ssl.fastly.net/alpine/v${ALPINE_VERSION}/main/ \
--no-cache \
&& wget -O- https://github.com/libvips/libvips/releases/download/v${VIPS_VERSION}/vips-${VIPS_VERSION}.tar.xz | tar xJC /tmp \
&& wget -O- https://github.com/libvips/libvips/releases/download/v${VIPS_VERSION}/vips-${VIPS_VERSION}.tar.gz | tar xzC /tmp \
&& cd /tmp/vips-${VIPS_VERSION} \
&& meson setup build-dir \
&& cd build-dir \
&& ninja \
&& ninja test \
&& ninja install \
&& ./configure \
&& make \
&& make install-strip \
&& rm -rf /tmp/vips-${VIPS_VERSION}

7
README.md
View file

@ -20,9 +20,10 @@
## How to deploy Planka
There are many ways to install Planka
[Check them out](https://docs.planka.cloud/docs/intro)
There are 2 types of installation:
- [Without Docker](https://docs.planka.cloud/docs/installl-planka/Debian%20&%20Ubuntu) ([for Windows](https://docs.planka.cloud/docs/installl-planka/Windows))
- [Dockerized](https://docs.planka.cloud/docs/installl-planka/Docker%20Compose)
- [Automated installation](https://github.com/plankanban/planka-installer)
For configuration, please see the [configuration section](https://docs.planka.cloud/docs/category/configuration).

14
charts/planka/Chart.yaml
View file

@ -15,17 +15,17 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.11
version: 0.1.2
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.15.0"
appVersion: "1.12.0"
dependencies:
- alias: postgresql
condition: postgresql.enabled
name: postgresql
repository: &bitnami-repo https://charts.bitnami.com/bitnami
version: 12.5.1
- alias: postgresql
condition: postgresql.enabled
name: postgresql
repository: &bitnami-repo https://charts.bitnami.com/bitnami
version: 12.5.1

24
charts/planka/README.md
View file

@ -21,11 +21,7 @@ git clone https://github.com/Chris-Greaves/planka-helm-chart.git
cd planka-helm-chart
helm dependency build
export SECRETKEY=$(openssl rand -hex 64)
helm install planka . --set secretkey=$SECRETKEY \
--set admin_email="demo@demo.demo" \
--set admin_password="demo" \
--set admin_name="Demo Demo" \
--set admin_username="demo"
helm install planka . --set secretkey=$SECRETKEY
```
> **NOTE:** The command `openssl rand -hex 64` is needed to create a random hexadecimal key for planka. On Windows you can use Git Bash to run that command.
@ -43,19 +39,11 @@ To access Planka externally you can use the following configuration
```bash
# HTTP only
helm install planka . --set secretkey=$SECRETKEY \
--set admin_email="demo@demo.demo" \
--set admin_password="demo" \
--set admin_name="Demo Demo" \
--set admin_username="demo"
--set ingress.enabled=true \
--set ingress.hosts[0].host=planka.example.dev \
# HTTPS
helm install planka . --set secretkey=$SECRETKEY \
--set admin_email="demo@demo.demo" \
--set admin_password="demo" \
--set admin_name="Demo Demo" \
--set admin_username="demo"
--set ingress.enabled=true \
--set ingress.hosts[0].host=planka.example.dev \
--set ingress.tls[0].secretName=planka-tls \
@ -66,16 +54,6 @@ or create a values.yaml file like:
```yaml
secretkey: "<InsertSecretKey>"
# The admin section needs to be present for new instances of Planka, after the first start you can remove the lines starting with admin_. If you want the admin user to be unchangeable admin_email: has to stay
# After changing the config you have to run ```helm upgrade planka . -f values.yaml```
# Admin user
admin_email: "demo@demo.demo" # Do not remove if you want to prevent this user from being edited/deleted
admin_password: "demo"
admin_name: "Demo Demo"
admin_username: "demo"
# Admin user
ingress:
enabled: true
hosts:

41
charts/planka/templates/deployment.yaml
View file

@ -35,7 +35,7 @@ spec:
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.containerPort | default 1337 }}
containerPort: {{ .Values.service.port }}
protocol: TCP
livenessProbe:
httpGet:
@ -75,45 +75,6 @@ spec:
value: {{ required "A secret key needs to be generated using 'openssl rand -hex 64' and assigned to secretkey." .Values.secretkey }}
- name: TRUST_PROXY
value: "0"
- name: DEFAULT_ADMIN_EMAIL
value: {{ .Values.admin_email }}
- name: DEFAULT_ADMIN_PASSWORD
value: {{ .Values.admin_password }}
- name: DEFAULT_ADMIN_NAME
value: {{ .Values.admin_name }}
- name: DEFAULT_ADMIN_USERNAME
value: {{ .Values.admin_username }}
{{ range $k, $v := .Values.env }}
- name: {{ $k | quote }}
value: {{ $v | quote }}
{{- end }}
{{- if .Values.oidc.enabled }}
{{- $secretName := default (printf "%s-oidc" (include "planka.fullname" .)) .Values.oidc.existingSecret }}
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
key: clientId
name: {{ $secretName }}
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: clientSecret
name: {{ $secretName }}
- name: OIDC_ISSUER
value: {{ required "issuerUrl is required when configuring OIDC" .Values.oidc.issuerUrl | quote }}
- name: OIDC_SCOPES
value: {{ join " " .Values.oidc.scopes | default "openid profile email" | quote }}
{{- if .Values.oidc.admin.roles }}
- name: OIDC_ADMIN_ROLES
value: {{ join "," .Values.oidc.admin.roles | quote }}
{{- end }}
- name: OIDC_ROLES_ATTRIBUTE
value: {{ .Values.oidc.admin.rolesAttribute | default "groups" | quote }}
{{- if .Values.oidc.admin.ignoreRoles }}
- name: OIDC_IGNORE_ROLES
value: {{ .Values.oidc.admin.ignoreRoles | quote }}
{{- end }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}

17
charts/planka/templates/secret-oidc.yaml
View file

@ -1,17 +0,0 @@
{{- if .Values.oidc.enabled }}
{{- if eq (and (not (empty .Values.oidc.clientId)) (not (empty .Values.oidc.clientSecret))) (not (empty .Values.oidc.existingSecret)) -}}
{{- fail "Either specify inline `clientId` and `clientSecret` or refer to them via `existingSecret`" -}}
{{- end }}
{{- if (and (and (not (empty .Values.oidc.clientId)) (not (empty .Values.oidc.clientSecret))) (empty .Values.oidc.existingSecret)) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "planka.fullname" . }}-oidc
labels:
{{- include "planka.labels" . | nindent 4 }}
type: Opaque
data:
clientId: {{ .Values.oidc.clientId | b64enc | quote }}
clientSecret: {{ .Values.oidc.clientSecret | b64enc | quote }}
{{- end }}
{{- end }}

69
charts/planka/values.yaml
View file

@ -46,10 +46,6 @@ securityContext: {}
service:
type: ClusterIP
port: 1337
## @param service.containerPort Planka HTTP container port
## If empty will default to 1337
##
containerPort: 1337
ingress:
enabled: false
@ -113,68 +109,3 @@ persistence:
accessMode: ReadWriteOnce
size: 10Gi
## OpenID Identity Management configuration
##
## Example:
## ---------------
## oidc:
## enabled: true
## clientId: sxxaAIAxVXlCxTmc1YLHBbQr8NL8MqLI2DUbt42d
## clientSecret: om4RTMRVHRszU7bqxB7RZNkHIzA8e4sGYWxeCwIMYQXPwEBWe4SY5a0wwCe9ltB3zrq5f0dnFnp34cEHD7QSMHsKvV9AiV5Z7eqDraMnv0I8IFivmuV5wovAECAYreSI
## issuerUrl: https://auth.local/application/o/planka/
## admin:
## roles:
## - planka-admin
##
## ---------------
## NOTE: A minimal configuration requires setting `clientId`, `clientSecret` and `issuerUrl`. (plus `admin.roles` for administrators)
## ref: https://docs.planka.cloud/docs/Configuration/OIDC
##
oidc:
## @param oidc.enabled Enable single sign-on (SSO) with OpenID Connect (OIDC)
##
enabled: false
## OIDC credentials
## @param oidc.clientId A string unique to the provider that identifies your app.
## @param oidc.clientSecret A secret string that the provider uses to confirm ownership of a client ID.
##
## NOTE: Either specify inline `clientId` and `clientSecret` or refer to them via `existingSecret`
##
clientId: ""
clientSecret: ""
## @param oidc.existingSecret Name of an existing secret containing OIDC credentials
## NOTE: Must contain key `clientId` and `clientSecret`
## NOTE: When it's set, the `clientId` and `clientSecret` parameters are ignored
##
existingSecret: ""
## @param oidc.issuerUrl The OpenID connect metadata document endpoint
##
issuerUrl: ""
## @param oidc.scopes A list of scopes required for OIDC client.
## If empty will default to `openid`, `profile` and `email`
## NOTE: Planka needs the email and name claims
##
scopes: []
## Admin permissions configuration
admin:
## @param oidc.admin.ignoreRoles If set to true, the admin roles will be ignored.
## It is useful if you want to use OIDC for authentication but not for authorization.
## If empty will default to `false`
##
ignoreRoles: false
## @param oidc.admin.rolesAttribute The name of a custom group claim that you have configured in your OIDC provider
## If empty will default to `groups`
##
rolesAttribute: groups
## @param oidc.admin.roles The names of the admin groups
##
roles: []
# - planka-admin

2
client/.env
View file

@ -1 +1 @@
REACT_APP_VERSION=1.15.0
REACT_APP_VERSION=1.12.0

24736
client/package-lock.json generated Normal file
View file

File diff suppressed because it is too large Load diff

27
client/package.json
View file

@ -60,15 +60,14 @@
"dequal": "^2.0.3",
"easymde": "^2.18.0",
"history": "^5.3.0",
"oidc-client-ts": "^2.4.0",
"i18next": "^23.7.6",
"i18next": "^22.5.1",
"i18next-browser-languagedetector": "^7.2.0",
"initials": "^3.1.2",
"js-cookie": "^3.0.5",
"jwt-decode": "^4.0.0",
"jwt-decode": "^3.1.2",
"lodash": "^4.17.21",
"nanoid": "^5.0.3",
"node-sass": "^9.0.0",
"node-sass": "^8.0.0",
"oidc-client-ts": "^2.4.0",
"photoswipe": "^5.4.2",
"prop-types": "^15.8.1",
"react": "^18.2.0",
@ -77,13 +76,13 @@
"react-datepicker": "^4.21.0",
"react-dom": "^18.2.0",
"react-dropzone": "^14.2.3",
"react-oidc-context": "^2.3.1",
"react-i18next": "^13.5.0",
"react-i18next": "^12.3.1",
"react-input-mask": "^2.0.4",
"react-markdown": "^8.0.7",
"react-oidc-context": "^2.3.1",
"react-photoswipe-gallery": "^2.2.7",
"react-redux": "^8.1.3",
"react-router-dom": "^6.19.0",
"react-router-dom": "^6.18.0",
"react-scripts": "5.0.1",
"react-simplemde-editor": "^5.2.0",
"react-textarea-autosize": "^8.5.3",
@ -91,11 +90,11 @@
"redux-logger": "^3.0.6",
"redux-orm": "^0.16.2",
"redux-saga": "^1.2.3",
"semantic-ui-css": "^2.5.0",
"remark-breaks": "^4.0.0",
"remark-gfm": "^4.0.0",
"remark-breaks": "^3.0.3",
"remark-gfm": "^3.0.1",
"reselect": "^4.1.8",
"sails.io.js": "^1.2.1",
"semantic-ui-css": "^2.5.0",
"semantic-ui-react": "^2.1.4",
"socket.io-client": "^2.5.0",
"validator": "^13.11.0",
@ -103,9 +102,9 @@
"zxcvbn": "^4.4.2"
},
"devDependencies": {
"@testing-library/jest-dom": "^6.1.4",
"@testing-library/react": "^14.1.0",
"@testing-library/user-event": "^14.5.1",
"@testing-library/jest-dom": "^5.17.0",
"@testing-library/react": "^13.4.0",
"@testing-library/user-event": "^13.5.0",
"babel-preset-airbnb": "^5.0.0",
"chai": "^4.3.10",
"eslint": "^8.53.0",

8
client/src/actions/core.js
View file

@ -39,14 +39,6 @@ const initializeCore = (
},
});
// TODO: with success?
initializeCore.fetchConfig = (config) => ({
type: ActionTypes.CORE_INITIALIZE__CONFIG_FETCH,
payload: {
config,
},
});
const logout = () => ({
type: ActionTypes.LOGOUT,
payload: {},

28
client/src/actions/login.js
View file

@ -1,12 +1,5 @@
import ActionTypes from '../constants/ActionTypes';
const initializeLogin = (config) => ({
type: ActionTypes.LOGIN_INITIALIZE,
payload: {
config,
},
});
const authenticate = (data) => ({
type: ActionTypes.AUTHENTICATE,
payload: {
@ -28,33 +21,12 @@ authenticate.failure = (error) => ({
},
});
const authenticateUsingOidc = () => ({
type: ActionTypes.USING_OIDC_AUTHENTICATE,
payload: {},
});
authenticateUsingOidc.success = (accessToken) => ({
type: ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS,
payload: {
accessToken,
},
});
authenticateUsingOidc.failure = (error) => ({
type: ActionTypes.USING_OIDC_AUTHENTICATE__FAILURE,
payload: {
error,
},
});
const clearAuthenticateError = () => ({
type: ActionTypes.AUTHENTICATE_ERROR_CLEAR,
payload: {},
});
export default {
initializeLogin,
authenticate,
authenticateUsingOidc,
clearAuthenticateError,
};

7
client/src/api/access-tokens.js
View file

@ -4,15 +4,14 @@ import socket from './socket';
/* Actions */
const createAccessToken = (data, headers) => http.post('/access-tokens', data, headers);
const exchangeForAccessTokenUsingOidc = (data, headers) =>
http.post('/access-tokens/exchange-using-oidc', data, headers);
const exchangeOidcToken = (accessToken, headers) =>
http.post('/access-tokens/exchange', { token: accessToken }, headers);
const deleteCurrentAccessToken = (headers) =>
socket.delete('/access-tokens/me', undefined, headers);
export default {
createAccessToken,
exchangeForAccessTokenUsingOidc,
deleteCurrentAccessToken,
exchangeOidcToken,
};

12
client/src/api/http.js
View file

@ -5,15 +5,13 @@ import Config from '../constants/Config';
const http = {};
// TODO: add all methods
['GET', 'POST'].forEach((method) => {
['POST'].forEach((method) => {
http[method.toLowerCase()] = (url, data, headers) => {
const formData =
data &&
Object.keys(data).reduce((result, key) => {
result.append(key, data[key]);
const formData = Object.keys(data).reduce((result, key) => {
result.append(key, data[key]);
return result;
}, new FormData());
return result;
}, new FormData());
return fetch(`${Config.SERVER_BASE_URL}/api${url}`, {
method,

2
client/src/api/index.js
View file

@ -1,6 +1,5 @@
import http from './http';
import socket from './socket';
import root from './root';
import accessTokens from './access-tokens';
import users from './users';
import projects from './projects';
@ -21,7 +20,6 @@ import notifications from './notifications';
export { http, socket };
export default {
...root,
...accessTokens,
...users,
...projects,

9
client/src/api/root.js
View file

@ -1,9 +0,0 @@
import http from './http';
/* Actions */
const getConfig = (headers) => http.get('/config', undefined, headers);
export default {
getConfig,
};

5
client/src/components/CardModal/CardModal.jsx
View file

@ -217,7 +217,6 @@ const CardModal = React.memo(
onUserSelect={onUserAdd}
onUserDeselect={onUserRemove}
>
{/* eslint-disable-next-line jsx-a11y/control-has-associated-label */}
<button
type="button"
aria-label="add user to card"
@ -268,7 +267,6 @@ const CardModal = React.memo(
onMove={onLabelMove}
onDelete={onLabelDelete}
>
{/* eslint-disable-next-line jsx-a11y/control-has-associated-label */}
<button
type="button"
aria-label="add label to card"
@ -318,12 +316,11 @@ const CardModal = React.memo(
)}
</span>
{canEdit && (
// eslint-disable-next-line jsx-a11y/control-has-associated-label
<button
onClick={handleToggleStopwatchClick}
type="button"
aria-label="toggle stopwatch"
className={classNames(styles.attachment, styles.dueDate)}
onClick={handleToggleStopwatchClick}
>
<Icon
name={stopwatch.startedAt ? 'pause' : 'play'}

23
client/src/components/CardModal/Tasks/Tasks.jsx
View file

@ -48,21 +48,14 @@ const Tasks = React.memo(({ items, canEdit, onCreate, onUpdate, onMove, onDelete
return (
<>
{items.length > 0 && (
<>
<span className={styles.progressWrapper}>
<Progress
autoSuccess
value={completedItems.length}
total={items.length}
color="blue"
size="tiny"
className={styles.progress}
/>
</span>
<span className={styles.count}>
{completedItems.length}/{items.length}
</span>
</>
<Progress
autoSuccess
value={completedItems.length}
total={items.length}
color="blue"
size="tiny"
className={styles.progress}
/>
)}
<DragDropContext onDragStart={handleDragStart} onDragEnd={handleDragEnd}>
<Droppable droppableId="tasks" type={DroppableTypes.TASK}>

17
client/src/components/CardModal/Tasks/Tasks.module.scss
View file

@ -3,23 +3,6 @@
margin: 0 0 16px;
}
.progressWrapper {
display: inline-block;
padding: 3px 0;
vertical-align: top;
width: calc(100% - 50px);
}
.count {
color: #8c8c8c;
display: inline-block;
font-size: 14px;
line-height: 14px;
text-align: right;
vertical-align: top;
width: 50px;
}
.taskButton {
background: transparent;
border: none;

9
client/src/components/Header/Header.jsx
View file

@ -3,6 +3,7 @@ import PropTypes from 'prop-types';
import classNames from 'classnames';
import { Link } from 'react-router-dom';
import { Button, Icon, Menu } from 'semantic-ui-react';
import { useAuth } from 'react-oidc-context';
import { usePopup } from '../../lib/popup';
import Paths from '../../constants/Paths';
@ -29,6 +30,7 @@ const Header = React.memo(
onUserSettingsClick,
onLogout,
}) => {
const auth = useAuth();
const handleProjectSettingsClick = useCallback(() => {
if (canEditProject) {
onProjectSettingsClick();
@ -38,6 +40,11 @@ const Header = React.memo(
const NotificationsPopup = usePopup(NotificationsStep, POPUP_PROPS);
const UserPopup = usePopup(UserStep, POPUP_PROPS);
const onFullLogout = () => {
auth.signoutSilent();
onLogout();
};
return (
<div className={styles.wrapper}>
{!project && (
@ -88,7 +95,7 @@ const Header = React.memo(
<UserPopup
isLogouting={isLogouting}
onSettingsClick={onUserSettingsClick}
onLogout={onLogout}
onLogout={onFullLogout}
>
<Menu.Item className={classNames(styles.item, styles.itemHoverable)}>
{user.name}

52
client/src/components/Login/Login.jsx
View file

@ -1,9 +1,10 @@
import isEmail from 'validator/lib/isEmail';
import React, { useCallback, useEffect, useMemo, useRef } from 'react';
import { useAuth } from 'react-oidc-context';
import PropTypes from 'prop-types';
import classNames from 'classnames';
import { useTranslation } from 'react-i18next';
import { Button, Form, Grid, Header, Message } from 'semantic-ui-react';
import { Form, Grid, Header, Message } from 'semantic-ui-react';
import { useDidUpdate, usePrevious, useToggle } from '../../lib/hooks';
import { Input } from '../../lib/custom-ui';
@ -28,21 +29,6 @@ const createMessage = (error) => {
type: 'error',
content: 'common.invalidPassword',
};
case 'Use single sign-on':
return {
type: 'error',
content: 'common.useSingleSignOn',
};
case 'Email already in use':
return {
type: 'error',
content: 'common.emailAlreadyInUse',
};
case 'Username already in use':
return {
type: 'error',
content: 'common.usernameAlreadyInUse',
};
case 'Failed to fetch':
return {
type: 'warning',
@ -62,16 +48,8 @@ const createMessage = (error) => {
};
const Login = React.memo(
({
defaultData,
isSubmitting,
isSubmittingUsingOidc,
error,
withOidc,
onAuthenticate,
onAuthenticateUsingOidc,
onMessageDismiss,
}) => {
({ defaultData, isSubmitting, error, onAuthenticate, onMessageDismiss }) => {
const auth = useAuth();
const [t] = useTranslation();
const wasSubmitting = usePrevious(isSubmitting);
@ -192,19 +170,12 @@ const Login = React.memo(
content={t('action.logIn')}
floated="right"
loading={isSubmitting}
disabled={isSubmitting || isSubmittingUsingOidc}
disabled={isSubmitting}
/>
</Form>
{withOidc && (
<Button
type="button"
loading={isSubmittingUsingOidc}
disabled={isSubmitting || isSubmittingUsingOidc}
onClick={onAuthenticateUsingOidc}
>
{t('action.logInWithSSO')}
</Button>
)}
<Form.Button type="button" onClick={() => auth.signinRedirect()}>
Log in with SSO
</Form.Button>
</div>
</div>
</Grid.Column>
@ -235,15 +206,10 @@ const Login = React.memo(
);
Login.propTypes = {
/* eslint-disable react/forbid-prop-types */
defaultData: PropTypes.object.isRequired,
/* eslint-enable react/forbid-prop-types */
defaultData: PropTypes.object.isRequired, // eslint-disable-line react/forbid-prop-types
isSubmitting: PropTypes.bool.isRequired,
isSubmittingUsingOidc: PropTypes.bool.isRequired,
error: PropTypes.object, // eslint-disable-line react/forbid-prop-types
withOidc: PropTypes.bool.isRequired,
onAuthenticate: PropTypes.func.isRequired,
onAuthenticateUsingOidc: PropTypes.func.isRequired,
onMessageDismiss: PropTypes.func.isRequired,
};

19
client/src/components/LoginWrapper.jsx
View file

@ -1,19 +0,0 @@
import React from 'react';
import PropTypes from 'prop-types';
import { Loader } from 'semantic-ui-react';
import LoginContainer from '../containers/LoginContainer';
const LoginWrapper = React.memo(({ isInitializing }) => {
if (isInitializing) {
return <Loader active size="massive" />;
}
return <LoginContainer />;
});
LoginWrapper.propTypes = {
isInitializing: PropTypes.bool.isRequired,
};
export default LoginWrapper;

19
client/src/components/OIDC/OidcLogin.jsx Normal file
View file

@ -0,0 +1,19 @@
import { useAuth } from 'react-oidc-context';
import PropTypes from 'prop-types';
import React from 'react';
let isLoggingIn = true;
const OidcLogin = React.memo(({ onAuthenticate }) => {
const auth = useAuth();
if (isLoggingIn && auth.user) {
isLoggingIn = false;
const { user } = auth;
onAuthenticate(user);
}
});
OidcLogin.propTypes = {
onAuthenticate: PropTypes.func.isRequired,
};
export default OidcLogin;

3
client/src/components/OIDC/index.js Normal file
View file

@ -0,0 +1,3 @@
import OidcLogin from './OidcLogin';
export default OidcLogin;

44
client/src/components/Root.jsx
View file

@ -1,11 +1,12 @@
import React from 'react';
import PropTypes from 'prop-types';
import { AuthProvider } from 'react-oidc-context';
import { Provider } from 'react-redux';
import { Route, Routes } from 'react-router-dom';
import { ReduxRouter } from '../lib/redux-router';
import Paths from '../constants/Paths';
import LoginWrapperContainer from '../containers/LoginWrapperContainer';
import LoginContainer from '../containers/LoginContainer';
import CoreContainer from '../containers/CoreContainer';
import NotFound from './NotFound';
@ -14,29 +15,40 @@ import 'photoswipe/dist/photoswipe.css';
import 'easymde/dist/easymde.min.css';
import '../lib/custom-ui/styles.css';
import '../styles.module.scss';
import OidcLoginContainer from '../containers/OidcLoginContainer';
function Root({ store, history }) {
function Root({ store, history, config }) {
return (
<Provider store={store}>
<ReduxRouter history={history}>
<Routes>
<Route path={Paths.LOGIN} element={<LoginWrapperContainer />} />
<Route path={Paths.OIDC_CALLBACK} element={<LoginWrapperContainer />} />
<Route path={Paths.ROOT} element={<CoreContainer />} />
<Route path={Paths.PROJECTS} element={<CoreContainer />} />
<Route path={Paths.BOARDS} element={<CoreContainer />} />
<Route path={Paths.CARDS} element={<CoreContainer />} />
<Route path="*" element={<NotFound />} />
</Routes>
</ReduxRouter>
</Provider>
<AuthProvider
authority={config.authority}
client_id={config.clientId}
redirect_uri={config.redirectUri}
scope={config.scopes}
onSigninCallback={() => {
window.history.replaceState({}, document.title, window.location.pathname);
}}
>
<Provider store={store}>
<ReduxRouter history={history}>
<Routes>
<Route path={Paths.LOGIN} element={<LoginContainer />} />
<Route path={Paths.OIDC_LOGIN} element={<OidcLoginContainer />} />
<Route path={Paths.ROOT} element={<CoreContainer />} />
<Route path={Paths.PROJECTS} element={<CoreContainer />} />
<Route path={Paths.BOARDS} element={<CoreContainer />} />
<Route path={Paths.CARDS} element={<CoreContainer />} />
<Route path="*" element={<NotFound />} />
</Routes>
</ReduxRouter>
</Provider>
</AuthProvider>
);
}
Root.propTypes = {
/* eslint-disable react/forbid-prop-types */
store: PropTypes.object.isRequired,
history: PropTypes.object.isRequired,
config: PropTypes.object.isRequired,
/* eslint-enable react/forbid-prop-types */
};

4
client/src/components/UserSettingsModal/UserSettingsModal.jsx
View file

@ -16,8 +16,8 @@ const UserSettingsModal = React.memo(
phone,
organization,
language,
subscribeToOwnCards,
isLocked,
subscribeToOwnCards,
isAvatarUpdating,
usernameUpdateForm,
emailUpdateForm,
@ -106,8 +106,8 @@ UserSettingsModal.propTypes = {
phone: PropTypes.string,
organization: PropTypes.string,
language: PropTypes.string,
subscribeToOwnCards: PropTypes.bool.isRequired,
isLocked: PropTypes.bool.isRequired,
subscribeToOwnCards: PropTypes.bool.isRequired,
isAvatarUpdating: PropTypes.bool.isRequired,
/* eslint-disable react/forbid-prop-types */
usernameUpdateForm: PropTypes.object.isRequired,

12
client/src/components/UsersModal/Item/ActionsStep.jsx
View file

@ -153,15 +153,13 @@ const ActionsStep = React.memo(
context: 'title',
})}
</Menu.Item>
<Menu.Item className={styles.menuItem} onClick={handleDeleteClick}>
{t('action.deleteUser', {
context: 'title',
})}
</Menu.Item>
</>
)}
{!user.isDeletionLocked && (
<Menu.Item className={styles.menuItem} onClick={handleDeleteClick}>
{t('action.deleteUser', {
context: 'title',
})}
</Menu.Item>
)}
</Menu>
</Popup.Content>
</>

7
client/src/components/UsersModal/Item/Item.jsx
View file

@ -18,8 +18,6 @@ const Item = React.memo(
phone,
isAdmin,
isLocked,
isRoleLocked,
isDeletionLocked,
emailUpdateForm,
passwordUpdateForm,
usernameUpdateForm,
@ -49,7 +47,7 @@ const Item = React.memo(
<Table.Cell>{username || '-'}</Table.Cell>
<Table.Cell>{email}</Table.Cell>
<Table.Cell>
<Radio toggle checked={isAdmin} disabled={isRoleLocked} onChange={handleIsAdminChange} />
<Radio toggle checked={isAdmin} disabled={isLocked} onChange={handleIsAdminChange} />
</Table.Cell>
<Table.Cell textAlign="right">
<ActionsPopup
@ -61,7 +59,6 @@ const Item = React.memo(
phone,
isAdmin,
isLocked,
isDeletionLocked,
emailUpdateForm,
passwordUpdateForm,
usernameUpdateForm,
@ -94,8 +91,6 @@ Item.propTypes = {
phone: PropTypes.string,
isAdmin: PropTypes.bool.isRequired,
isLocked: PropTypes.bool.isRequired,
isRoleLocked: PropTypes.bool.isRequired,
isDeletionLocked: PropTypes.bool.isRequired,
/* eslint-disable react/forbid-prop-types */
emailUpdateForm: PropTypes.object.isRequired,
passwordUpdateForm: PropTypes.object.isRequired,

2
client/src/components/UsersModal/UsersModal.jsx
View file

@ -111,8 +111,6 @@ const UsersModal = React.memo(
phone={item.phone}
isAdmin={item.isAdmin}
isLocked={item.isLocked}
isRoleLocked={item.isRoleLocked}
isDeletionLocked={item.isDeletionLocked}
emailUpdateForm={item.emailUpdateForm}
passwordUpdateForm={item.passwordUpdateForm}
usernameUpdateForm={item.usernameUpdateForm}

5
client/src/constants/ActionTypes.js
View file

@ -12,19 +12,14 @@ export default {
/* Login */
LOGIN_INITIALIZE: 'LOGIN_INITIALIZE',
AUTHENTICATE: 'AUTHENTICATE',
AUTHENTICATE__SUCCESS: 'AUTHENTICATE__SUCCESS',
AUTHENTICATE__FAILURE: 'AUTHENTICATE__FAILURE',
USING_OIDC_AUTHENTICATE: 'USING_OIDC_AUTHENTICATE',
USING_OIDC_AUTHENTICATE__SUCCESS: 'USING_OIDC_AUTHENTICATE__SUCCESS',
USING_OIDC_AUTHENTICATE__FAILURE: 'USING_OIDC_AUTHENTICATE__FAILURE',
AUTHENTICATE_ERROR_CLEAR: 'AUTHENTICATE_ERROR_CLEAR',
/* Core */
CORE_INITIALIZE: 'CORE_INITIALIZE',
CORE_INITIALIZE__CONFIG_FETCH: 'CORE_INITIALIZE__CONFIG_FETCH',
LOGOUT: 'LOGOUT',
LOGOUT__ACCESS_TOKEN_INVALIDATE: 'LOGOUT__ACCESS_TOKEN_INVALIDATE',

2
client/src/constants/EntryActionTypes.js
View file

@ -11,11 +11,11 @@ export default {
/* Login */
AUTHENTICATE: `${PREFIX}/AUTHENTICATE`,
USING_OIDC_AUTHENTICATE: `${PREFIX}/USING_OIDC_AUTHENTICATE`,
AUTHENTICATE_ERROR_CLEAR: `${PREFIX}/AUTHENTICATE_ERROR_CLEAR`,
/* Core */
CORE_INITIALIZE: `${PREFIX}/CORE_INITIALIZE`,
LOGOUT: `${PREFIX}/LOGOUT`,
/* Modals */

4
client/src/constants/Paths.js
View file

@ -2,7 +2,7 @@ import Config from './Config';
const ROOT = `${Config.BASE_PATH}/`;
const LOGIN = `${Config.BASE_PATH}/login`;
const OIDC_CALLBACK = `${Config.BASE_PATH}/oidc-callback`;
const OIDC_LOGIN = `${Config.BASE_PATH}/oidclogin`;
const PROJECTS = `${Config.BASE_PATH}/projects/:id`;
const BOARDS = `${Config.BASE_PATH}/boards/:id`;
const CARDS = `${Config.BASE_PATH}/cards/:id`;
@ -10,8 +10,8 @@ const CARDS = `${Config.BASE_PATH}/cards/:id`;
export default {
ROOT,
LOGIN,
OIDC_CALLBACK,
PROJECTS,
BOARDS,
CARDS,
OIDC_LOGIN,
};

4
client/src/containers/CoreContainer.js
View file

@ -4,18 +4,18 @@ import selectors from '../selectors';
import Core from '../components/Core';
const mapStateToProps = (state) => {
const isInitializing = selectors.selectIsInitializing(state);
const isCoreInitializing = selectors.selectIsCoreInitializing(state);
const isSocketDisconnected = selectors.selectIsSocketDisconnected(state);
const currentModal = selectors.selectCurrentModal(state);
const currentProject = selectors.selectCurrentProject(state);
const currentBoard = selectors.selectCurrentBoard(state);
return {
isInitializing,
isSocketDisconnected,
currentModal,
currentProject,
currentBoard,
isInitializing: isCoreInitializing,
};
};

28
client/src/containers/LoginContainer.js
View file

@ -1,33 +1,23 @@
import { bindActionCreators } from 'redux';
import { connect } from 'react-redux';
import selectors from '../selectors';
import entryActions from '../entry-actions';
import Login from '../components/Login';
const mapStateToProps = (state) => {
const oidcConfig = selectors.selectOidcConfig(state);
const {
ui: {
authenticateForm: { data: defaultData, isSubmitting, isSubmittingUsingOidc, error },
},
} = state;
return {
defaultData,
isSubmitting,
isSubmittingUsingOidc,
error,
withOidc: !!oidcConfig,
};
};
const mapStateToProps = ({
ui: {
authenticateForm: { data: defaultData, isSubmitting, error },
},
}) => ({
defaultData,
isSubmitting,
error,
});
const mapDispatchToProps = (dispatch) =>
bindActionCreators(
{
onAuthenticate: entryActions.authenticate,
onAuthenticateUsingOidc: entryActions.authenticateUsingOidc,
onMessageDismiss: entryActions.clearAuthenticateError,
},
dispatch,

14
client/src/containers/LoginWrapperContainer.js
View file

@ -1,14 +0,0 @@
import { connect } from 'react-redux';
import selectors from '../selectors';
import LoginWrapper from '../components/LoginWrapper';
const mapStateToProps = (state) => {
const isInitializing = selectors.selectIsInitializing(state);
return {
isInitializing,
};
};
export default connect(mapStateToProps)(LoginWrapper);

26
client/src/containers/OidcLoginContainer.js Normal file
View file

@ -0,0 +1,26 @@
import { bindActionCreators } from 'redux';
import { connect } from 'react-redux';
import entryActions from '../entry-actions';
import OidcLogin from '../components/OIDC';
const mapStateToProps = ({
ui: {
authenticateForm: { data: defaultData, isSubmitting, error },
},
}) => ({
defaultData,
isSubmitting,
error,
});
const mapDispatchToProps = (dispatch) =>
bindActionCreators(
{
onAuthenticate: entryActions.authenticate,
onMessageDismiss: entryActions.clearAuthenticateError,
},
dispatch,
);
export default connect(mapStateToProps, mapDispatchToProps)(OidcLogin);

4
client/src/containers/UserSettingsModalContainer.js
View file

@ -14,8 +14,8 @@ const mapStateToProps = (state) => {
phone,
organization,
language,
subscribeToOwnCards,
isLocked,
subscribeToOwnCards,
isAvatarUpdating,
emailUpdateForm,
passwordUpdateForm,
@ -30,8 +30,8 @@ const mapStateToProps = (state) => {
phone,
organization,
language,
subscribeToOwnCards,
isLocked,
subscribeToOwnCards,
isAvatarUpdating,
emailUpdateForm,
passwordUpdateForm,

6
client/src/entry-actions/core.js
View file

@ -1,10 +1,16 @@
import EntryActionTypes from '../constants/EntryActionTypes';
const initializeCore = () => ({
type: EntryActionTypes.CORE_INITIALIZE,
payload: {},
});
const logout = () => ({
type: EntryActionTypes.LOGOUT,
payload: {},
});
export default {
initializeCore,
logout,
};

6
client/src/entry-actions/login.js
View file

@ -7,11 +7,6 @@ const authenticate = (data) => ({
},
});
const authenticateUsingOidc = () => ({
type: EntryActionTypes.USING_OIDC_AUTHENTICATE,
payload: {},
});
const clearAuthenticateError = () => ({
type: EntryActionTypes.AUTHENTICATE_ERROR_CLEAR,
payload: {},
@ -19,6 +14,5 @@ const clearAuthenticateError = () => ({
export default {
authenticate,
authenticateUsingOidc,
clearAuthenticateError,
};

10
client/src/index.js
View file

@ -1,11 +1,15 @@
import React from 'react';
import ReactDOM from 'react-dom/client';
import Config from './constants/Config';
import store from './store';
import history from './history';
import Root from './components/Root';
import './i18n';
const root = ReactDOM.createRoot(document.getElementById('root'));
root.render(React.createElement(Root, { store, history }));
fetch(`${Config.SERVER_BASE_URL}/api/appconfig`).then((response) => {
response.json().then((config) => {
const root = ReactDOM.createRoot(document.getElementById('root'));
root.render(React.createElement(Root, { store, history, config }));
});
});

2
client/src/locales/en/login.js
View file

@ -11,12 +11,10 @@ export default {
projectManagement: 'Project management',
serverConnectionFailed: 'Server connection failed',
unknownError: 'Unknown error, try again later',
useSingleSignOn: 'Use single sign-on',
},
action: {
logIn: 'Log in',
logInWithSSO: 'Log in with SSO',
},
},
};

2
client/src/locales/ja/core.js
View file

@ -8,7 +8,7 @@ export default {
time: 'HH:mm',
dateTime: '$t(format:date) $t(format:time)',
longDate: 'MMMMd日',
longDateTime: "MMMMd'日 ' HH:mm",
longDateTime: "MMMMd'日 ' HH:MM",
},
translation: {

12
client/src/models/User.js
View file

@ -43,14 +43,16 @@ export default class extends BaseModel {
organization: attr(),
language: attr(),
subscribeToOwnCards: attr(),
isAdmin: attr(),
isLocked: attr(),
isRoleLocked: attr(),
isDeletionLocked: attr(),
deletedAt: attr(),
createdAt: attr({
getDefault: () => new Date(),
}),
deletedAt: attr(),
isAdmin: attr({
getDefault: () => false,
}),
isLocked: attr({
getDefault: () => false,
}),
isAvatarUpdating: attr({
getDefault: () => false,
}),

1
client/src/reducers/auth.js
View file

@ -10,7 +10,6 @@ const initialState = {
export default (state = initialState, { type, payload }) => {
switch (type) {
case ActionTypes.AUTHENTICATE__SUCCESS:
case ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS:
return {
...state,
accessToken: payload.accessToken,

6
client/src/reducers/core.js
View file

@ -4,6 +4,7 @@ import ActionTypes from '../constants/ActionTypes';
import ModalTypes from '../constants/ModalTypes';
const initialState = {
isInitializing: true,
isLogouting: false,
currentModal: null,
};
@ -17,6 +18,11 @@ export default (state = initialState, { type, payload }) => {
...state,
currentModal: null,
};
case ActionTypes.CORE_INITIALIZE:
return {
...state,
isInitializing: false,
};
case ActionTypes.LOGOUT__ACCESS_TOKEN_INVALIDATE:
return {
...state,

2
client/src/reducers/index.js
View file

@ -3,7 +3,6 @@ import { combineReducers } from 'redux';
import router from './router';
import socket from './socket';
import orm from './orm';
import root from './root';
import auth from './auth';
import core from './core';
import ui from './ui';
@ -12,7 +11,6 @@ export default combineReducers({
router,
socket,
orm,
root,
auth,
core,
ui,

36
client/src/reducers/root.js
View file

@ -1,36 +0,0 @@
import ActionTypes from '../constants/ActionTypes';
const initialState = {
isInitializing: true,
config: null,
};
// eslint-disable-next-line default-param-last
export default (state = initialState, { type, payload }) => {
switch (type) {
case ActionTypes.LOGIN_INITIALIZE:
return {
...state,
isInitializing: false,
config: payload.config,
};
case ActionTypes.AUTHENTICATE__SUCCESS:
case ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS:
return {
...state,
isInitializing: true,
};
case ActionTypes.CORE_INITIALIZE:
return {
...state,
isInitializing: false,
};
case ActionTypes.CORE_INITIALIZE__CONFIG_FETCH:
return {
...state,
config: payload.config,
};
default:
return state;
}
};

20
client/src/reducers/ui/authenticate-form.js
View file

@ -1,7 +1,4 @@
import { LOCATION_CHANGE_HANDLE } from '../../lib/redux-router';
import ActionTypes from '../../constants/ActionTypes';
import Paths from '../../constants/Paths';
const initialState = {
data: {
@ -9,22 +6,12 @@ const initialState = {
password: '',
},
isSubmitting: false,
isSubmittingUsingOidc: false,
error: null,
};
// eslint-disable-next-line default-param-last
export default (state = initialState, { type, payload }) => {
switch (type) {
case LOCATION_CHANGE_HANDLE:
if (payload.location.pathname === Paths.OIDC_CALLBACK) {
return {
...state,
isSubmittingUsingOidc: true,
};
}
return state;
case ActionTypes.AUTHENTICATE:
return {
...state,
@ -35,7 +22,6 @@ export default (state = initialState, { type, payload }) => {
isSubmitting: true,
};
case ActionTypes.AUTHENTICATE__SUCCESS:
case ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS:
return initialState;
case ActionTypes.AUTHENTICATE__FAILURE:
return {
@ -43,12 +29,6 @@ export default (state = initialState, { type, payload }) => {
isSubmitting: false,
error: payload.error,
};
case ActionTypes.USING_OIDC_AUTHENTICATE__FAILURE:
return {
...state,
isSubmittingUsingOidc: false,
error: payload.error,
};
case ActionTypes.AUTHENTICATE_ERROR_CLEAR:
return {
...state,

12
client/src/sagas/core/index.js
View file

@ -1,8 +1,7 @@
import { all, apply, fork, select, take } from 'redux-saga/effects';
import { all, apply, fork, take } from 'redux-saga/effects';
import watchers from './watchers';
import services from './services';
import selectors from '../../selectors';
import { socket } from '../../api';
import ActionTypes from '../../constants/ActionTypes';
import Paths from '../../constants/Paths';
@ -15,12 +14,5 @@ export default function* coreSaga() {
yield take(ActionTypes.LOGOUT);
const oidcConfig = yield select(selectors.selectOidcConfig);
if (oidcConfig && oidcConfig.endSessionUrl !== null) {
// Redirect the user to the IDP to log out.
window.location.href = oidcConfig.endSessionUrl;
} else {
window.location.href = Paths.LOGIN;
}
window.location.href = Paths.LOGIN;
}

12
client/src/sagas/core/services/core.js
View file

@ -1,23 +1,13 @@
import { call, put, select, take } from 'redux-saga/effects';
import { call, put, take } from 'redux-saga/effects';
import request from '../request';
import requests from '../requests';
import selectors from '../../../selectors';
import actions from '../../../actions';
import api from '../../../api';
import i18n from '../../../i18n';
import { removeAccessToken } from '../../../utils/access-token-storage';
export function* initializeCore() {
const currentConfig = yield select(selectors.selectConfig); // TODO: add boolean selector?
let config;
if (!currentConfig) {
({ item: config } = yield call(api.getConfig)); // TODO: handle error
yield put(actions.initializeCore.fetchConfig(config));
}
const {
user,
board,

7
client/src/sagas/core/services/router.js
View file

@ -33,16 +33,15 @@ export function* handleLocationChange() {
switch (pathsMatch.pattern.path) {
case Paths.LOGIN:
case Paths.OIDC_CALLBACK:
yield call(goToRoot);
return;
break;
default:
}
const isInitializing = yield select(selectors.selectIsInitializing);
const isCoreInitializing = yield select(selectors.selectIsCoreInitializing);
if (isInitializing) {
if (isCoreInitializing) {
yield take(ActionTypes.CORE_INITIALIZE);
}

5
client/src/sagas/core/watchers/core.js
View file

@ -4,5 +4,8 @@ import services from '../services';
import EntryActionTypes from '../../../constants/EntryActionTypes';
export default function* coreWatchers() {
yield all([takeEvery(EntryActionTypes.LOGOUT, () => services.logout())]);
yield all([
takeEvery(EntryActionTypes.CORE_INITIALIZE, () => services.initializeCore()),
takeEvery(EntryActionTypes.LOGOUT, () => services.logout()),
]);
}

4
client/src/sagas/login/index.js
View file

@ -7,9 +7,7 @@ import ActionTypes from '../../constants/ActionTypes';
export default function* loginSaga() {
const watcherTasks = yield all(watchers.map((watcher) => fork(watcher)));
yield fork(services.initializeLogin);
yield take([ActionTypes.AUTHENTICATE__SUCCESS, ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS]);
yield take(ActionTypes.AUTHENTICATE__SUCCESS);
yield cancel(watcherTasks);
yield call(services.goToRoot);

85
client/src/sagas/login/services/login.js
View file

@ -1,25 +1,19 @@
import { nanoid } from 'nanoid';
import { call, put, select } from 'redux-saga/effects';
import { replace } from '../../../lib/redux-router';
import { call, put } from 'redux-saga/effects';
import selectors from '../../../selectors';
import actions from '../../../actions';
import api from '../../../api';
import { setAccessToken } from '../../../utils/access-token-storage';
import Paths from '../../../constants/Paths';
export function* initializeLogin() {
const { item: config } = yield call(api.getConfig); // TODO: handle error
yield put(actions.initializeLogin(config));
}
export function* authenticate(data) {
yield put(actions.authenticate(data));
let accessToken;
let accessToken = data.access_token;
try {
({ item: accessToken } = yield call(api.createAccessToken, data));
if (accessToken) {
({ item: accessToken } = yield call(api.exchangeOidcToken, accessToken));
} else {
({ item: accessToken } = yield call(api.createAccessToken, data));
}
} catch (error) {
yield put(actions.authenticate.failure(error));
return;
@ -29,76 +23,11 @@ export function* authenticate(data) {
yield put(actions.authenticate.success(accessToken));
}
export function* authenticateUsingOidc() {
const oidcConfig = yield select(selectors.selectOidcConfig);
const nonce = nanoid();
window.sessionStorage.setItem('oidc-nonce', nonce);
window.location.href = `${oidcConfig.authorizationUrl}&nonce=${encodeURIComponent(nonce)}`;
}
export function* authenticateUsingOidcCallback() {
// https://github.com/plankanban/planka/issues/511#issuecomment-1771385639
const params = new URLSearchParams(window.location.hash.substring(1) || window.location.search);
yield put(replace(Paths.LOGIN));
if (params.get('error') !== null) {
yield put(
actions.authenticateUsingOidc.failure(
new Error(
`OIDC Authorization error: ${params.get('error')}: ${params.get('error_description')}`,
),
),
);
return;
}
const nonce = window.sessionStorage.getItem('oidc-nonce');
if (nonce === null) {
yield put(
actions.authenticateUsingOidc.failure(
new Error('Unable to process OIDC response: no nonce issued'),
),
);
return;
}
const code = params.get('code');
if (code === null) {
yield put(
actions.authenticateUsingOidc.failure(new Error('Invalid OIDC response: no code parameter')),
);
return;
}
window.sessionStorage.removeItem('oidc-nonce');
if (code !== null) {
let accessToken;
try {
({ item: accessToken } = yield call(api.exchangeForAccessTokenUsingOidc, {
code,
nonce,
}));
} catch (error) {
yield put(actions.authenticateUsingOidc.failure(error));
return;
}
yield call(setAccessToken, accessToken);
yield put(actions.authenticateUsingOidc.success(accessToken));
}
}
export function* clearAuthenticateError() {
yield put(actions.clearAuthenticateError());
}
export default {
initializeLogin,
authenticate,
authenticateUsingOidc,
authenticateUsingOidcCallback,
clearAuthenticateError,
};

15
client/src/sagas/login/services/router.js
View file

@ -1,9 +1,7 @@
import { call, put, select, take } from 'redux-saga/effects';
import { call, put, select } from 'redux-saga/effects';
import { push } from '../../../lib/redux-router';
import { authenticateUsingOidcCallback } from './login';
import selectors from '../../../selectors';
import ActionTypes from '../../../constants/ActionTypes';
import Paths from '../../../constants/Paths';
export function* goToLogin() {
@ -29,17 +27,6 @@ export function* handleLocationChange() {
yield call(goToLogin);
break;
case Paths.OIDC_CALLBACK: {
const isInitializing = yield select(selectors.selectIsInitializing);
if (isInitializing) {
yield take(ActionTypes.LOGIN_INITIALIZE);
}
yield call(authenticateUsingOidcCallback);
break;
}
default:
}
}

1
client/src/sagas/login/watchers/login.js
View file

@ -8,7 +8,6 @@ export default function* loginWatchers() {
takeEvery(EntryActionTypes.AUTHENTICATE, ({ payload: { data } }) =>
services.authenticate(data),
),
takeEvery(EntryActionTypes.USING_OIDC_AUTHENTICATE, () => services.authenticateUsingOidc()),
takeEvery(EntryActionTypes.AUTHENTICATE_ERROR_CLEAR, () => services.clearAuthenticateError()),
]);
}

3
client/src/selectors/core.js
View file

@ -6,6 +6,8 @@ import Config from '../constants/Config';
export const selectAccessToken = ({ auth: { accessToken } }) => accessToken;
export const selectIsCoreInitializing = ({ core: { isInitializing } }) => isInitializing;
export const selectIsLogouting = ({ core: { isLogouting } }) => isLogouting;
const nextPosition = (items, index, excludedId) => {
@ -113,6 +115,7 @@ export const selectNextTaskPosition = createSelector(
export default {
selectAccessToken,
selectIsCoreInitializing,
selectIsLogouting,
selectNextBoardPosition,
selectNextLabelPosition,

2
client/src/selectors/index.js
View file

@ -1,6 +1,5 @@
import router from './router';
import socket from './socket';
import root from './root';
import core from './core';
import modals from './modals';
import users from './users';
@ -17,7 +16,6 @@ import attachments from './attachments';
export default {
...router,
...socket,
...root,
...core,
...modals,
...users,

11
client/src/selectors/root.js
View file

@ -1,11 +0,0 @@
export const selectIsInitializing = ({ root: { isInitializing } }) => isInitializing;
export const selectConfig = ({ root: { config } }) => config;
export const selectOidcConfig = (state) => selectConfig(state).oidc;
export default {
selectIsInitializing,
selectConfig,
selectOidcConfig,
};

2
client/src/utils/access-token-storage.js
View file

@ -1,5 +1,5 @@
import Cookies from 'js-cookie';
import { jwtDecode } from 'jwt-decode';
import jwtDecode from 'jwt-decode';
import Config from '../constants/Config';

16
docker-compose-db.yml
View file

@ -1,16 +0,0 @@
version: '3'
services:
postgres:
image: postgres:alpine
restart: unless-stopped
volumes:
- db-data:/var/lib/postgresql/data
ports:
- 5432:5432
environment:
- POSTGRES_DB=planka
- POSTGRES_HOST_AUTH_METHOD=trust
volumes:
db-data:

55
docker-compose-dev.yml
View file

@ -1,65 +1,16 @@
version: '3'
services:
planka:
image: ghcr.io/plankanban/planka:dev
command: >
bash -c
"for i in `seq 1 30`; do
./start.sh &&
s=$$? && break || s=$$?;
echo \"Tried $$i times. Waiting 5 seconds...\";
sleep 5;
done; (exit $$s)"
restart: unless-stopped
volumes:
- user-avatars:/app/public/user-avatars
- project-background-images:/app/public/project-background-images
- attachments:/app/private/attachments
ports:
- 3000:1337
environment:
- BASE_URL=http://localhost:3000
- DATABASE_URL=postgresql://postgres@postgres/planka
- SECRET_KEY=notsecretkey
# - TRUST_PROXY=0
# - TOKEN_EXPIRES_IN=365 # In days
# related: https://github.com/knex/knex/issues/2354
# As knex does not pass query parameters from the connection string we
# have to use environment variables in order to pass the desired values, e.g.
# - PGSSLMODE=<value>
# Configure knex to accept SSL certificates
# - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
# - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
# - DEFAULT_ADMIN_PASSWORD=demo
# - DEFAULT_ADMIN_NAME=Demo Demo
# - DEFAULT_ADMIN_USERNAME=demo
# - OIDC_ISSUER=
# - OIDC_CLIENT_ID=
# - OIDC_CLIENT_SECRET=
# - OIDC_SCOPES=openid email profile
# - OIDC_ADMIN_ROLES=admin
# - OIDC_ROLES_ATTRIBUTE=groups
# - OIDC_IGNORE_ROLES=true
depends_on:
- postgres
postgres:
image: postgres:14-alpine
image: postgres:alpine
restart: unless-stopped
volumes:
- db-data:/var/lib/postgresql/data
ports:
- 5432:5432
environment:
- POSTGRES_DB=planka
- POSTGRES_HOST_AUTH_METHOD=trust
volumes:
user-avatars:
project-background-images:
attachments:
db-data:

21
docker-compose.yml
View file

@ -20,11 +20,15 @@ services:
- 3000:1337
environment:
- BASE_URL=http://localhost:3000
- TRUST_PROXY=0
- DATABASE_URL=postgresql://postgres@postgres/planka
- SECRET_KEY=notsecretkey
# - TRUST_PROXY=0
# - TOKEN_EXPIRES_IN=365 # In days
# Can be removed after installation
- DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
- DEFAULT_ADMIN_PASSWORD=demo
- DEFAULT_ADMIN_NAME=Demo Demo
- DEFAULT_ADMIN_USERNAME=demo
- MAIL_HOST=smtp.gmail.com
@ -36,19 +40,6 @@ services:
# Configure knex to accept SSL certificates
# - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
# - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
# - DEFAULT_ADMIN_PASSWORD=demo
# - DEFAULT_ADMIN_NAME=Demo Demo
# - DEFAULT_ADMIN_USERNAME=demo
# - OIDC_ISSUER=
# - OIDC_CLIENT_ID=
# - OIDC_CLIENT_SECRET=
# - OIDC_SCOPES=openid email profile
# - OIDC_ADMIN_ROLES=admin
# - OIDC_ROLES_ATTRIBUTE=groups
# - OIDC_IGNORE_ROLES=true
depends_on:
- postgres

2118
package-lock.json generated Normal file
View file

File diff suppressed because it is too large Load diff

18
package.json
View file

@ -1,6 +1,6 @@
{
"name": "planka",
"version": "1.15.0",
"version": "1.12.0",
"private": true,
"homepage": "https://plankanban.github.io/planka",
"repository": {
@ -56,17 +56,17 @@
}
},
"dependencies": {
"concurrently": "^7.6.0",
"husky": "^8.0.2",
"lint-staged": "^13.0.3",
"nodemailer": "^6.9.7",
"nodemailer-direct-transport": "^3.3.2",
"nodemailer-smtp-transport": "^2.7.4",
"concurrently": "^8.2.2",
"husky": "^8.0.3",
"lint-staged": "^15.1.0"
"nodemailer-smtp-transport": "^2.7.4"
},
"devDependencies": {
"eslint": "^8.53.0",
"eslint-config-prettier": "^9.0.0",
"eslint-plugin-prettier": "^5.0.1",
"prettier": "^3.1.0"
"eslint": "^8.28.0",
"eslint-config-prettier": "^8.5.0",
"eslint-plugin-prettier": "^4.2.1",
"prettier": "^2.7.1"
}
}

20
server/.env.sample
View file

@ -4,6 +4,13 @@ BASE_URL=http://localhost:1337
DATABASE_URL=postgresql://postgres@localhost/planka
SECRET_KEY=notsecretkey
## Can be removed after installation
DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
DEFAULT_ADMIN_PASSWORD=demo
DEFAULT_ADMIN_NAME=Demo Demo
DEFAULT_ADMIN_USERNAME=demo
## Optional
# TRUST_PROXY=0
@ -17,19 +24,6 @@ SECRET_KEY=notsecretkey
# Configure knex to accept SSL certificates
# KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
# DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
# DEFAULT_ADMIN_PASSWORD=demo
# DEFAULT_ADMIN_NAME=Demo Demo
# DEFAULT_ADMIN_USERNAME=demo
# OIDC_ISSUER=
# OIDC_CLIENT_ID=
# OIDC_CLIENT_SECRET=
# OIDC_SCOPES=openid email profile
# OIDC_ADMIN_ROLES=admin
# OIDC_ROLES_ATTRIBUTE=groups
# OIDC_IGNORE_ROLES=true
## Do not edit this
TZ=UTC

10
server/api/controllers/access-tokens/create.js
View file

@ -10,9 +10,6 @@ const Errors = {
INVALID_PASSWORD: {
invalidPassword: 'Invalid password',
},
USE_SINGLE_SIGN_ON: {
useSingleSignOn: 'Use single sign-on',
},
};
const emailOrUsernameValidator = (value) =>
@ -40,9 +37,6 @@ module.exports = {
invalidPassword: {
responseType: 'unauthorized',
},
useSingleSignOn: {
responseType: 'forbidden',
},
},
async fn(inputs) {
@ -57,10 +51,6 @@ module.exports = {
throw Errors.INVALID_EMAIL_OR_USERNAME;
}
if (user.isSso) {
throw Errors.USE_SINGLE_SIGN_ON;
}
if (!bcrypt.compareSync(inputs.password, user.password)) {
sails.log.warn(`Invalid password! (IP: ${remoteAddress})`);
throw Errors.INVALID_PASSWORD;

71
server/api/controllers/access-tokens/exchange-using-oidc.js
View file

@ -1,71 +0,0 @@
const { getRemoteAddress } = require('../../../utils/remoteAddress');
const Errors = {
INVALID_CODE_OR_NONCE: {
invalidCodeOrNonce: 'Invalid code or nonce',
},
EMAIL_ALREADY_IN_USE: {
emailAlreadyInUse: 'Email already in use',
},
USERNAME_ALREADY_IN_USE: {
usernameAlreadyInUse: 'Username already in use',
},
MISSING_VALUES: {
missingValues: 'Unable to retrieve required values (email, name)',
},
};
module.exports = {
inputs: {
code: {
type: 'string',
required: true,
},
nonce: {
type: 'string',
required: true,
},
},
exits: {
invalidCodeOrNonce: {
responseType: 'unauthorized',
},
emailAlreadyInUse: {
responseType: 'conflict',
},
usernameAlreadyInUse: {
responseType: 'conflict',
},
missingValues: {
responseType: 'unprocessableEntity',
},
},
async fn(inputs) {
const remoteAddress = getRemoteAddress(this.req);
const user = await sails.helpers.users
.getOrCreateOneUsingOidc(inputs.code, inputs.nonce)
.intercept('invalidCodeOrNonce', () => {
sails.log.warn(`Invalid code or nonce! (IP: ${remoteAddress})`);
return Errors.INVALID_CODE_OR_NONCE;
})
.intercept('emailAlreadyInUse', () => Errors.EMAIL_ALREADY_IN_USE)
.intercept('usernameAlreadyInUse', () => Errors.USERNAME_ALREADY_IN_USE)
.intercept('missingValues', () => Errors.MISSING_VALUES);
const accessToken = sails.helpers.utils.createToken(user.id);
await Session.create({
accessToken,
remoteAddress,
userId: user.id,
userAgent: this.req.headers['user-agent'],
});
return {
item: accessToken,
};
},
};

177
server/api/controllers/access-tokens/exchange.js Normal file
View file

@ -0,0 +1,177 @@
const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');
const openidClient = require('openid-client');
const { getRemoteAddress } = require('../../../utils/remoteAddress');
const Errors = {
INVALID_TOKEN: {
invalidToken: 'Access Token is invalid',
},
MISSING_VALUES: {
missingValues:
'Unable to retrieve required values. Verify the access token or UserInfo endpoint has email, username and name claims',
},
};
const jwks = jwksClient({
jwksUri: sails.config.custom.oidcJwksUri,
requestHeaders: {}, // Optional
timeout: 30000, // Defaults to 30s
});
const getJwtVerificationOptions = () => {
const options = {};
if (sails.config.custom.oidcIssuer) {
options.issuer = sails.config.custom.oidcIssuer;
}
if (sails.config.custom.oidcAudience) {
options.audience = sails.config.custom.oidcAudience;
}
return options;
};
const validateAndDecodeToken = async (accessToken, options) => {
const keys = await jwks.getSigningKeys();
let validToken = {};
const isTokenValid = keys.some((signingKey) => {
try {
const key = signingKey.getPublicKey();
validToken = jwt.verify(accessToken, key, options);
return 'true';
} catch (error) {
sails.log.error(error);
}
return false;
});
if (!isTokenValid) {
const tokenForLogging = jwt.decode(accessToken);
const remoteAddress = getRemoteAddress(this.req);
sails.log.warn(
`invalid token: sub: "${tokenForLogging.sub}" issuer: "${tokenForLogging.iss}" audience: "${tokenForLogging.aud}" exp: ${tokenForLogging.exp} (IP: ${remoteAddress})`,
);
throw Errors.INVALID_TOKEN;
}
return validToken;
};
const getUserInfo = async (accessToken, options) => {
if (sails.config.custom.oidcSkipUserInfo) {
return {};
}
const issuer = await openidClient.Issuer.discover(options.issuer);
const oidcClient = new issuer.Client({
client_id: 'irrelevant',
});
const userInfo = await oidcClient.userinfo(accessToken);
return userInfo;
};
const mergeUserData = (validToken, userInfo) => {
const oidcUser = { ...validToken, ...userInfo };
return oidcUser;
};
const getOrCreateUser = async (newUser) => {
const user = await User.findOne({
where: {
username: newUser.username,
},
});
if (user) {
return user;
}
return User.create(newUser).fetch();
};
module.exports = {
inputs: {
token: {
type: 'string',
required: true,
},
},
exits: {
invalidToken: {
responseType: 'unauthorized',
},
missingValues: {
responseType: 'unauthorized',
},
},
async fn(inputs) {
const options = getJwtVerificationOptions();
const validToken = await validateAndDecodeToken(inputs.token, options);
const userInfo = await getUserInfo(inputs.token, options);
const oidcUser = mergeUserData(validToken, userInfo);
const now = new Date();
let isAdmin = false;
if (sails.config.custom.oidcAdminRoles.includes('*')) isAdmin = true;
else if (Array.isArray(oidcUser[sails.config.custom.oidcRolesAttribute])) {
const userRoles = new Set(oidcUser[sails.config.custom.oidcRolesAttribute]);
isAdmin = sails.config.custom.oidcAdminRoles.findIndex((role) => userRoles.has(role)) > -1;
}
const newUser = {
email: oidcUser.email,
isAdmin,
name: oidcUser.name,
username: oidcUser.preferred_username,
subscribeToOwnCards: false,
createdAt: now,
updatedAt: now,
locked: true,
};
if (!newUser.email || !newUser.username || !newUser.name) {
sails.log.error(Errors.MISSING_VALUES.missingValues);
throw Errors.MISSING_VALUES;
}
const identityProviderUser = await IdentityProviderUser.findOne({
where: {
issuer: oidcUser.iss,
sub: oidcUser.sub,
},
}).populate('userId');
let user = identityProviderUser ? identityProviderUser.userId : {};
if (!identityProviderUser) {
user = await getOrCreateUser(newUser);
await IdentityProviderUser.create({
issuer: oidcUser.iss,
sub: oidcUser.sub,
userId: user.id,
});
}
const controlledFields = ['email', 'password', 'isAdmin', 'name', 'username'];
const updateFields = {};
controlledFields.forEach((field) => {
if (user[field] !== newUser[field]) {
updateFields[field] = newUser[field];
}
});
if (Object.keys(updateFields).length > 0) {
updateFields.updatedAt = now;
await User.updateOne({ id: user.id }).set(updateFields);
}
const plankaToken = sails.helpers.utils.createToken(user.id);
const remoteAddress = getRemoteAddress(this.req);
await Session.create({
accessToken: plankaToken,
remoteAddress,
userId: user.id,
userAgent: this.req.headers['user-agent'],
});
return {
item: plankaToken,
};
},
};

11
server/api/controllers/appconfig/index.js Normal file
View file

@ -0,0 +1,11 @@
module.exports = {
async fn() {
const config = {
authority: sails.config.custom.oidcIssuer,
clientId: sails.config.custom.oidcClientId,
redirectUri: sails.config.custom.oidcredirectUri,
scopes: sails.config.custom.oidcScopes,
};
return config;
},
};

22
server/api/controllers/show-config.js
View file

@ -1,22 +0,0 @@
module.exports = {
fn() {
let oidc = null;
if (sails.hooks.oidc.isActive()) {
const oidcClient = sails.hooks.oidc.getClient();
oidc = {
authorizationUrl: oidcClient.authorizationUrl({
scope: sails.config.custom.oidcScopes,
response_mode: 'fragment',
}),
endSessionUrl: oidcClient.issuer.end_session_endpoint ? oidcClient.endSessionUrl({}) : null,
};
}
return {
item: {
oidc,
},
};
},
};

8
server/api/controllers/users/delete.js
View file

@ -1,7 +1,4 @@
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
USER_NOT_FOUND: {
userNotFound: 'User not found',
},
@ -17,9 +14,6 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
userNotFound: {
responseType: 'notFound',
},
@ -33,7 +27,7 @@ module.exports = {
}
if (user.email === sails.config.custom.defaultAdminEmail) {
throw Errors.NOT_ENOUGH_RIGHTS;
throw Errors.USER_NOT_FOUND; // Forbidden
}
user = await sails.helpers.users.deleteOne.with({

10
server/api/controllers/users/update-email.js
View file

@ -1,9 +1,6 @@
const bcrypt = require('bcrypt');
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
USER_NOT_FOUND: {
userNotFound: 'User not found',
},
@ -34,9 +31,6 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
userNotFound: {
responseType: 'notFound',
},
@ -65,8 +59,8 @@ module.exports = {
throw Errors.USER_NOT_FOUND;
}
if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
throw Errors.NOT_ENOUGH_RIGHTS;
if (user.email === sails.config.custom.defaultAdminEmail) {
throw Errors.USER_NOT_FOUND; // Forbidden
}
if (

10
server/api/controllers/users/update-password.js
View file

@ -4,9 +4,6 @@ const zxcvbn = require('zxcvbn');
const { getRemoteAddress } = require('../../../utils/remoteAddress');
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
USER_NOT_FOUND: {
userNotFound: 'User not found',
},
@ -36,9 +33,6 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
userNotFound: {
responseType: 'notFound',
},
@ -64,8 +58,8 @@ module.exports = {
throw Errors.USER_NOT_FOUND;
}
if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
throw Errors.NOT_ENOUGH_RIGHTS;
if (user.email === sails.config.custom.defaultAdminEmail) {
throw Errors.USER_NOT_FOUND; // Forbidden
}
if (

10
server/api/controllers/users/update-username.js
View file

@ -1,9 +1,6 @@
const bcrypt = require('bcrypt');
const Errors = {
NOT_ENOUGH_RIGHTS: {
notEnoughRights: 'Not enough rights',
},
USER_NOT_FOUND: {
userNotFound: 'User not found',
},
@ -36,9 +33,6 @@ module.exports = {
},
exits: {
notEnoughRights: {
responseType: 'forbidden',
},
userNotFound: {
responseType: 'notFound',
},
@ -67,8 +61,8 @@ module.exports = {
throw Errors.USER_NOT_FOUND;
}
if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
throw Errors.NOT_ENOUGH_RIGHTS;
if (user.email === sails.config.custom.defaultAdminEmail) {
throw Errors.USER_NOT_FOUND; // Forbidden
}
if (

6
server/api/controllers/users/update.js
View file

@ -72,12 +72,6 @@ module.exports = {
delete inputs.isAdmin;
delete inputs.name;
/* eslint-enable no-param-reassign */
} else if (user.isSso) {
if (!sails.config.custom.oidcIgnoreRoles) {
delete inputs.isAdmin; // eslint-disable-line no-param-reassign
}
delete inputs.name; // eslint-disable-line no-param-reassign
}
const values = {

7
server/api/helpers/users/create-one.js
View file

@ -9,7 +9,7 @@ const valuesValidator = (value) => {
return false;
}
if (!_.isNil(value.password) && !_.isString(value.password)) {
if (!_.isString(value.password)) {
return false;
}
@ -40,10 +40,6 @@ module.exports = {
async fn(inputs) {
const { values } = inputs;
if (values.password) {
values.password = bcrypt.hashSync(values.password, 10);
}
if (values.username) {
values.username = values.username.toLowerCase();
}
@ -51,6 +47,7 @@ module.exports = {
const user = await User.create({
...values,
email: values.email.toLowerCase(),
password: bcrypt.hashSync(values.password, 10),
})
.intercept(
{

4
server/api/helpers/users/delete-one.js
View file

@ -10,10 +10,6 @@ module.exports = {
},
async fn(inputs) {
await IdentityProviderUser.destroy({
userId: inputs.record.id,
});
await ProjectManager.destroy({
userId: inputs.record.id,
});

113
server/api/helpers/users/get-or-create-one-using-oidc.js
View file

@ -1,113 +0,0 @@
module.exports = {
inputs: {
code: {
type: 'string',
required: true,
},
nonce: {
type: 'string',
required: true,
},
},
exits: {
invalidCodeOrNonce: {},
missingValues: {},
emailAlreadyInUse: {},
usernameAlreadyInUse: {},
},
async fn(inputs) {
const client = sails.hooks.oidc.getClient();
let userInfo;
try {
const tokenSet = await client.callback(
sails.config.custom.oidcRedirectUri,
{ code: inputs.code },
{ nonce: inputs.nonce },
);
userInfo = await client.userinfo(tokenSet);
} catch (e) {
sails.log.warn(`Error while exchanging OIDC code: ${e}`);
throw 'invalidCodeOrNonce';
}
if (!userInfo.email || !userInfo.name) {
throw 'missingValues';
}
let isAdmin = false;
if (sails.config.custom.oidcAdminRoles.includes('*')) {
isAdmin = true;
} else {
const roles = userInfo[sails.config.custom.oidcRolesAttribute];
if (Array.isArray(roles)) {
// Use a Set here to avoid quadratic time complexity
const userRoles = new Set(userInfo[sails.config.custom.oidcRolesAttribute]);
isAdmin = sails.config.custom.oidcAdminRoles.findIndex((role) => userRoles.has(role)) > -1;
}
}
const values = {
isAdmin,
email: userInfo.email,
isSso: true,
name: userInfo.name,
username: userInfo.preferred_username,
subscribeToOwnCards: false,
};
let user;
// This whole block technically needs to be executed in a transaction
// with SERIALIZABLE isolation level (but Waterline does not support
// that), so this will result in errors if for example users are deleted
// concurrently with logging in via OIDC.
let identityProviderUser = await IdentityProviderUser.findOne({
issuer: sails.config.custom.oidcIssuer,
sub: userInfo.sub,
});
if (identityProviderUser) {
user = await sails.helpers.users.getOne(identityProviderUser.userId);
} else {
// If no IDP/User mapping exists, search for the user by email.
user = await sails.helpers.users.getOne({
email: values.email.toLowerCase(),
});
// Otherwise, create a new user.
if (!user) {
user = await sails.helpers.users
.createOne(values)
.intercept('usernameAlreadyInUse', 'usernameAlreadyInUse');
}
identityProviderUser = await IdentityProviderUser.create({
userId: user.id,
issuer: sails.config.custom.oidcIssuer,
sub: userInfo.sub,
});
}
const updateFieldKeys = ['email', 'isSso', 'name', 'username'];
if (!sails.config.custom.oidcIgnoreRoles) {
updateFieldKeys.push('isAdmin');
}
const updateValues = {};
// eslint-disable-next-line no-restricted-syntax
for (const k of updateFieldKeys) {
if (values[k] !== user[k]) updateValues[k] = values[k];
}
if (Object.keys(updateValues).length > 0) {
user = await sails.helpers.users
.updateOne(user, updateValues, {}) // FIXME: hack for last parameter
.intercept('emailAlreadyInUse', 'emailAlreadyInUse')
.intercept('usernameAlreadyInUse', 'usernameAlreadyInUse');
}
return user;
},
};

33
server/api/hooks/oidc/index.js
View file

@ -1,33 +0,0 @@
const openidClient = require('openid-client');
module.exports = function oidcServiceHook(sails) {
let client = null;
return {
/**
* Runs when this Sails app loads/lifts.
*/
async initialize() {
if (sails.config.custom.oidcIssuer) {
const issuer = await openidClient.Issuer.discover(sails.config.custom.oidcIssuer);
client = new issuer.Client({
client_id: sails.config.custom.oidcClientId,
client_secret: sails.config.custom.oidcClientSecret,
redirect_uris: [sails.config.custom.oidcRedirectUri],
response_types: ['code'],
});
sails.log.info('OIDC hook has been loaded successfully');
}
},
getClient() {
return client;
},
isActive() {
return client !== null;
},
};
};

17
server/api/models/User.js
View file

@ -24,11 +24,6 @@ module.exports = {
defaultsTo: false,
columnName: 'is_admin',
},
isSso: {
type: 'boolean',
defaultsTo: false,
columnName: 'is_sso',
},
name: {
type: 'string',
required: true,
@ -72,6 +67,10 @@ module.exports = {
type: 'ref',
columnName: 'password_changed_at',
},
locked: {
type: 'boolean',
columnName: 'locked',
},
// ╔═╗╔╦╗╔╗ ╔═╗╔╦╗╔═╗
// ║╣ ║║║╠╩╗║╣ ║║╚═╗
@ -110,16 +109,12 @@ module.exports = {
tableName: 'user_account',
customToJSON() {
const isDefaultAdmin = this.email === sails.config.custom.defaultAdminEmail;
return {
..._.omit(this, ['password', 'isSso', 'avatar', 'passwordChangedAt']),
isLocked: this.isSso || isDefaultAdmin,
isRoleLocked: (this.isSso && !sails.config.custom.oidcIgnoreRoles) || isDefaultAdmin,
isDeletionLocked: isDefaultAdmin,
..._.omit(this, ['password', 'avatar', 'passwordChangedAt']),
avatarUrl:
this.avatar &&
`${sails.config.custom.userAvatarsUrl}/${this.avatar.dirname}/square-100.${this.avatar.extension}`,
isLocked: this.email === sails.config.custom.defaultAdminEmail,
};
},
};

22
server/config/custom.js
View file

@ -31,20 +31,18 @@ module.exports.custom = {
attachmentsPath: path.join(sails.config.appPath, 'private', 'attachments'),
attachmentsUrl: `${process.env.BASE_URL}/attachments`,
oidcIssuer: process.env.OIDC_ISSUER,
oidcAudience: process.env.OIDC_AUDIENCE,
oidcClientId: process.env.OIDC_CLIENT_ID,
oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
oidcredirectUri: process.env.OIDC_REDIRECT_URI,
oidcJwksUri: process.env.OIDC_JWKS_URI,
oidcScopes: process.env.OIDC_SCOPES || 'openid profile email',
oidcSkipUserInfo: process.env.OIDC_SKIP_USER_INFO === 'true',
defaultAdminEmail: process.env.DEFAULT_ADMIN_EMAIL,
oidcIssuer: process.env.OIDC_ISSUER,
oidcClientId: process.env.OIDC_CLIENT_ID,
oidcClientSecret: process.env.OIDC_CLIENT_SECRET,
oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
oidcIgnoreRoles: process.env.OIDC_IGNORE_ROLES === 'true',
// TODO: move client base url to environment variable?
oidcRedirectUri: `${
sails.config.environment === 'production' ? process.env.BASE_URL : 'http://localhost:3000'
}/oidc-callback`,
mailConnectorHost: process.env.MAIL_HOST,
mailConnectorPort: process.env.MAIL_PORT || 25,
mailConnectorEmail: 'Planka <planka-noreplay@test.com>',

4
server/config/policies.js
View file

@ -23,8 +23,8 @@ module.exports.policies = {
'projects/create': ['is-authenticated', 'is-admin'],
'show-config': true,
'access-tokens/create': true,
'access-tokens/exchange-using-oidc': true,
'access-tokens/exchange': true,
'appconfig/index': true,
'mail/index': true,
};

4
server/config/routes.js
View file

@ -9,12 +9,12 @@
*/
module.exports.routes = {
'GET /api/config': 'show-config',
'GET /api/appconfig': 'appconfig/index',
'POST /api/mail': 'mail/index',
'POST /api/access-tokens': 'access-tokens/create',
'POST /api/access-tokens/exchange-using-oidc': 'access-tokens/exchange-using-oidc',
'POST /api/access-tokens/exchange': 'access-tokens/exchange',
'DELETE /api/access-tokens/me': 'access-tokens/delete',
'GET /api/users': 'users/index',

24
server/db/migrations/20230809022050_create_identity_provider_user.js Normal file
View file

@ -0,0 +1,24 @@
module.exports.up = (knex) =>
knex.schema.createTable('identity_provider_user', (table) => {
/* Columns */
table.bigInteger('id').primary().defaultTo(knex.raw('next_id()'));
table.timestamp('created_at', true);
table.timestamp('updated_at', true);
table
.bigInteger('user_id')
.notNullable()
.references('id')
.inTable('user_account')
.onDelete('CASCADE');
table.text('issuer').notNullable();
table.text('sub').notNullable();
/* Indexes */
table.index('user_id');
});
module.exports.down = (knex) => knex.schema.dropTable('identity_provider_user');

44
server/db/migrations/20230809022050_oidc_with_pkce_flow.js
View file

@ -1,44 +0,0 @@
module.exports.up = async (knex) => {
await knex.schema.createTable('identity_provider_user', (table) => {
/* Columns */
table.bigInteger('id').primary().defaultTo(knex.raw('next_id()'));
table.bigInteger('user_id').notNullable();
table.text('issuer').notNullable();
table.text('sub').notNullable();
table.timestamp('created_at', true);
table.timestamp('updated_at', true);
/* Indexes */
table.unique(['issuer', 'sub']);
table.index('user_id');
});
await knex.schema.table('user_account', (table) => {
/* Columns */
table.boolean('is_sso').notNullable().default(false);
/* Modifications */
table.setNullable('password');
});
return knex.schema.alterTable('user_account', (table) => {
table.boolean('is_sso').notNullable().alter();
});
};
module.exports.down = async (knex) => {
await knex.schema.dropTable('identity_provider_user');
return knex.schema.table('user_account', (table) => {
table.dropColumn('is_sso');
table.dropNullable('password');
});
};

11
server/db/migrations/20230809024146_all_null_password_field.js Normal file
View file

@ -0,0 +1,11 @@
module.exports.up = async (knex) => {
return knex.schema.table('user_account', (table) => {
table.setNullable('password');
});
};
module.exports.down = async (knex) => {
return knex.schema.table('user_account', (table) => {
table.dropNullable('password');
});
};

11
server/db/migrations/20230809025904_add_lock_to_user_account.js Normal file
View file

@ -0,0 +1,11 @@
module.exports.up = async (knex) => {
return knex.schema.table('user_account', (table) => {
table.boolean('locked').default(false);
});
};
module.exports.down = async (knex) => {
return knex.schema.table('user_account', (table) => {
table.dropColumn('locked');
});
};

5
server/db/seeds/default.js
View file

@ -3,7 +3,6 @@ const bcrypt = require('bcrypt');
const buildData = () => {
const data = {
isAdmin: true,
isSso: false,
};
if (process.env.DEFAULT_ADMIN_PASSWORD) {
@ -34,6 +33,10 @@ exports.seed = async (knex) => {
createdAt: new Date().toISOString(),
});
} catch (error) {
if (Object.keys(data).length === 0) {
return;
}
await knex('user_account').update(data).where('email', process.env.DEFAULT_ADMIN_EMAIL);
}
};

8101
server/package-lock.json generated Normal file
View file

File diff suppressed because it is too large Load diff

41
server/package.json
View file

@ -27,39 +27,40 @@
}
},
"dependencies": {
"bcrypt": "^5.1.1",
"dotenv": "^16.3.1",
"dotenv-cli": "^7.3.0",
"bcrypt": "^5.1.0",
"dotenv": "^16.0.3",
"dotenv-cli": "^6.0.0",
"filenamify": "^4.3.0",
"jsonwebtoken": "^9.0.2",
"knex": "^3.0.1",
"jsonwebtoken": "^9.0.0",
"jwks-rsa": "^3.0.1",
"knex": "^2.3.0",
"lodash": "^4.17.21",
"moment": "^2.29.4",
"move-file": "^2.1.0",
"nodemailer": "^6.9.7",
"openid-client": "^5.6.1",
"rimraf": "^5.0.5",
"sails": "^1.5.7",
"openid-client": "^5.4.3",
"rimraf": "^3.0.2",
"sails": "^1.5.3",
"sails-hook-orm": "^4.0.2",
"sails-hook-sockets": "^2.0.4",
"sails-hook-sockets": "^2.0.3",
"sails-postgresql-redacted": "^1.0.2-9",
"sharp": "^0.32.6",
"sharp": "^0.31.2",
"stream-to-array": "^2.3.0",
"uuid": "^9.0.1",
"validator": "^13.11.0",
"winston": "^3.11.0",
"uuid": "^9.0.0",
"validator": "^13.7.0",
"winston": "^3.8.2",
"zxcvbn": "^4.4.2"
},
"devDependencies": {
"chai": "^4.3.10",
"eslint": "^8.53.0",
"chai": "^4.3.7",
"eslint": "^8.28.0",
"eslint-config-airbnb-base": "^15.0.0",
"eslint-plugin-import": "^2.29.0",
"mocha": "^10.2.0",
"nodemon": "^3.0.1",
"supertest": "^6.3.3"
"eslint-plugin-import": "^2.26.0",
"mocha": "^10.1.0",
"nodemon": "^2.0.20",
"supertest": "^6.3.1"
},
"engines": {
"node": ">=18"
"node": "^12.10"
}
}