Jennie Robinson Faber
23154ff232
oidc-provider's devInteractions is a quick-start scaffold that, when
enabled, mutates configuration.url to its own urlFor('interaction')
helper — emitting /interaction/UID instead of our /oidc/interaction/UID.
That made /oidc/auth redirect to a 404 in local dev and forced a stale
TODO entry. We already have our own interaction handler at
server/routes/oidc/interaction/[uid].get.ts, so devInteractions is
unnecessary; disabling it makes dev match prod and clears the
oidc-provider warning "your configuration is not in effect".
195 lines
6.7 KiB
TypeScript
195 lines
6.7 KiB
TypeScript
/**
|
|
* OIDC Provider configuration for Ghost Guild.
|
|
*
|
|
* ghostguild.org acts as the identity provider. Outline wiki is the sole
|
|
* relying party (client). Members authenticate via the existing magic-link
|
|
* flow, and the provider issues standard OIDC tokens so Outline can identify
|
|
* them.
|
|
*/
|
|
import Provider from "oidc-provider";
|
|
import { MongoAdapter } from "./oidc-mongodb-adapter.js";
|
|
import Member from "../models/member.js";
|
|
import { connectDB } from "./mongoose.js";
|
|
|
|
if (process.env.NODE_ENV === 'production' && !process.env.OIDC_COOKIE_SECRET) {
|
|
throw new Error('OIDC_COOKIE_SECRET must be set in production')
|
|
}
|
|
|
|
let _provider: InstanceType<typeof Provider> | null = null;
|
|
|
|
export async function getOidcProvider() {
|
|
if (_provider) return _provider;
|
|
|
|
const config = useRuntimeConfig();
|
|
const issuer = process.env.OIDC_ISSUER || "https://ghostguild.org";
|
|
|
|
_provider = new Provider(issuer, {
|
|
adapter: MongoAdapter,
|
|
|
|
clients: [
|
|
{
|
|
client_id: process.env.OIDC_CLIENT_ID || "outline-wiki",
|
|
client_secret: process.env.OIDC_CLIENT_SECRET || "",
|
|
redirect_uris: [
|
|
"https://wiki.ghostguild.org/auth/oidc.callback",
|
|
// Local development callback
|
|
"http://localhost:3100/auth/oidc.callback",
|
|
],
|
|
post_logout_redirect_uris: [
|
|
"https://wiki.ghostguild.org",
|
|
"http://localhost:3100",
|
|
],
|
|
grant_types: ["authorization_code", "refresh_token"],
|
|
response_types: ["code"],
|
|
token_endpoint_auth_method: "client_secret_post",
|
|
},
|
|
],
|
|
|
|
claims: {
|
|
openid: ["sub"],
|
|
profile: ["name", "preferred_username"],
|
|
email: ["email", "email_verified"],
|
|
},
|
|
|
|
scopes: ["openid", "profile", "email", "offline_access"],
|
|
|
|
findAccount: async (_ctx: unknown, id: string) => {
|
|
await connectDB();
|
|
const member = await (Member as any).findById(id);
|
|
if (!member) return undefined;
|
|
|
|
return {
|
|
accountId: id,
|
|
async claims(_use: string, _scope: string) {
|
|
return {
|
|
sub: id,
|
|
name: member.name,
|
|
preferred_username: member.name,
|
|
email: member.email,
|
|
email_verified: true,
|
|
};
|
|
},
|
|
};
|
|
},
|
|
|
|
cookies: {
|
|
keys: (process.env.OIDC_COOKIE_SECRET || "dev-cookie-secret").split(","),
|
|
},
|
|
|
|
ttl: {
|
|
AccessToken: 3600, // 1 hour
|
|
AuthorizationCode: 600, // 10 minutes
|
|
RefreshToken: 14 * 24 * 60 * 60, // 14 days
|
|
Session: 14 * 24 * 60 * 60, // 14 days
|
|
Interaction: 900, // 15 minutes — must match magic-link JWT TTL so the interaction outlives the token
|
|
Grant: 14 * 24 * 60 * 60, // 14 days
|
|
},
|
|
|
|
features: {
|
|
devInteractions: { enabled: false },
|
|
revocation: { enabled: true },
|
|
rpInitiatedLogout: {
|
|
enabled: true,
|
|
logoutSource: async (ctx: any, form: string) => {
|
|
// Auto-submit oidc-provider's own form so the xsrf value stays
|
|
// inside the same request cycle that generated it. The previous
|
|
// approach extracted the xsrf into a separate cookie and bounced
|
|
// through a Nuxt page for a "are you sure?" confirmation, which
|
|
// kept desyncing and producing "xsrf token invalid" errors.
|
|
// Clicking sign-out in the wiki is already confirmation enough.
|
|
ctx.type = "html";
|
|
ctx.status = 200;
|
|
ctx.body = `<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<title>Signing out — Ghost Guild</title>
|
|
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
|
<style>
|
|
html, body { margin: 0; padding: 0; height: 100%; background: #1a1814; color: #e8d9b8; font-family: "Commit Mono", ui-monospace, monospace; }
|
|
body { display: grid; place-items: center; }
|
|
p { font-size: 13px; letter-spacing: 0.05em; text-transform: uppercase; color: #b09c76; }
|
|
form { display: none; }
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<p>Signing you out…</p>
|
|
${form}
|
|
<script>document.getElementById('op.logoutForm').submit()</script>
|
|
</body>
|
|
</html>`;
|
|
},
|
|
postLogoutSuccessSource: async (ctx: any) => {
|
|
// Kill the Ghost Guild session cookie so the user is fully signed
|
|
// out, not just logged out of Outline.
|
|
ctx.cookies.set("auth-token", null, {
|
|
httpOnly: true,
|
|
sameSite: "lax",
|
|
path: "/",
|
|
overwrite: true,
|
|
signed: false,
|
|
});
|
|
ctx.redirect("/auth/logout-success");
|
|
},
|
|
},
|
|
},
|
|
|
|
// Mount all OIDC endpoints under /oidc prefix
|
|
routes: {
|
|
authorization: "/oidc/auth",
|
|
backchannel_authentication: "/oidc/backchannel",
|
|
code_verification: "/oidc/device",
|
|
device_authorization: "/oidc/device/auth",
|
|
end_session: "/oidc/session/end",
|
|
introspection: "/oidc/token/introspection",
|
|
jwks: "/oidc/jwks",
|
|
pushed_authorization_request: "/oidc/request",
|
|
registration: "/oidc/reg",
|
|
revocation: "/oidc/token/revocation",
|
|
token: "/oidc/token",
|
|
userinfo: "/oidc/me",
|
|
},
|
|
|
|
interactions: {
|
|
url(_ctx: unknown, interaction: { uid: string }) {
|
|
return `/oidc/interaction/${interaction.uid}`;
|
|
},
|
|
},
|
|
|
|
renderError: async (ctx: any, out: Record<string, string>, _error: Error) => {
|
|
// Allow-list only the standard OIDC error response fields. Prevents
|
|
// leaking internal error messages / stack traces, keeps the query
|
|
// string short, and the Nuxt page escapes them on render via Vue's
|
|
// default interpolation (fixes the prior XSS via unescaped HTML
|
|
// interpolation in the old guildPageShell implementation).
|
|
const params = new URLSearchParams();
|
|
if (out.error) params.set("error", out.error);
|
|
if (out.error_description) params.set("error_description", out.error_description);
|
|
ctx.redirect(`/auth/oidc-error?${params.toString()}`);
|
|
},
|
|
|
|
// Allow Outline to use PKCE but don't require it
|
|
pkce: {
|
|
required: () => false,
|
|
},
|
|
|
|
// Skip consent for our first-party Outline client
|
|
loadExistingGrant: async (ctx: any) => {
|
|
const grant = new (ctx.oidc.provider.Grant as any)({
|
|
accountId: ctx.oidc.session!.accountId,
|
|
clientId: ctx.oidc.client!.clientId,
|
|
});
|
|
grant.addOIDCScope("openid profile email");
|
|
await grant.save();
|
|
return grant;
|
|
},
|
|
});
|
|
|
|
// oidc-provider extends Koa but calls super() with no args, so app.proxy
|
|
// defaults to false — which makes ctx.protocol ignore X-Forwarded-Proto and
|
|
// emit http:// URLs for form actions, discovery metadata, authorization
|
|
// redirects, etc. Setting proxy = true here makes Koa trust Traefik's
|
|
// X-Forwarded-Proto header and build https:// URLs in production.
|
|
(_provider as any).proxy = true;
|
|
|
|
return _provider;
|
|
}
|