wikijs-fork/server/modules/authentication/azure/authentication.js

const _ = require('lodash')

/* global WIKI */

// ------------------------------------
// Azure AD Account
// ------------------------------------

const OIDCStrategy = require('passport-azure-ad').OIDCStrategy

module.exports = {
  init (passport, conf) {
    // Workaround for Chrome's SameSite cookies
    // cookieSameSite needs useCookieInsteadOfSession to work correctly.
    // cookieEncryptionKeys is extracted from conf.cookieEncryptionKeyString.
    // It's a concatnation of 44-character length strings each of which represents a single pair of key/iv.
    // Valid cookieEncryptionKeys enables both cookieSameSite and useCookieInsteadOfSession.
    const keyArray = [];
    if (conf.cookieEncryptionKeyString) {
      let keyString = conf.cookieEncryptionKeyString;
      while (keyString.length >= 44) {
        keyArray.push({ key: keyString.substring(0, 32), iv: keyString.substring(32, 44) });
        keyString = keyString.substring(44);
      }
    }
    passport.use(conf.key,
      new OIDCStrategy({
        identityMetadata: conf.entryPoint,
        clientID: conf.clientId,
        redirectUrl: conf.callbackURL,
        responseType: 'id_token',
        responseMode: 'form_post',
        scope: ['profile', 'email', 'openid'],
        allowHttpForRedirectUrl: WIKI.IS_DEBUG,
        passReqToCallback: true,
        cookieSameSite: keyArray.length > 0,
        useCookieInsteadOfSession: keyArray.length > 0,
        cookieEncryptionKeys: keyArray
      }, async (req, iss, sub, profile, cb) => {
        const usrEmail = _.get(profile, '_json.email', null) || _.get(profile, '_json.preferred_username')
        try {
          const user = await WIKI.models.users.processProfile({
            providerKey: req.params.strategy,
            profile: {
              id: profile.oid,
              displayName: profile.displayName,
              email: usrEmail,
              picture: ''
            }
          })
          cb(null, user)
        } catch (err) {
          cb(err, null)
        }
      })
    )
  }
}
feat: azure ad auth 2019-07-20 15:09:55 +00:00			`const _ = require('lodash')`

refactor: global namespace + admin pages UI 2018-03-05 20:49:36 +00:00			`/* global WIKI */`
feat: modular auth + queue tasks 2017-07-29 21:33:08 +00:00
			`// ------------------------------------`
			`// Azure AD Account`
			`// ------------------------------------`

feat: azure ad auth (wip) 2019-07-20 04:16:29 +00:00			`const OIDCStrategy = require('passport-azure-ad').OIDCStrategy`
feat: modular auth + queue tasks 2017-07-29 21:33:08 +00:00
feat: self-contained auth modules + login UI + icons 2017-09-11 03:00:03 +00:00			`module.exports = {`
			`init (passport, conf) {`
fix: enable passport-azure-ad workaround for SameSite cookies (#2567) This adds cookieEncryptionKeyString configuration in the Azure AD authentication module. It represents an array of cookie encryption strings and enables workaround for SameSite cookies. 2020-11-01 18:10:50 +00:00			`// Workaround for Chrome's SameSite cookies`
			`// cookieSameSite needs useCookieInsteadOfSession to work correctly.`
			`// cookieEncryptionKeys is extracted from conf.cookieEncryptionKeyString.`
			`// It's a concatnation of 44-character length strings each of which represents a single pair of key/iv.`
			`// Valid cookieEncryptionKeys enables both cookieSameSite and useCookieInsteadOfSession.`
			`const keyArray = [];`
			`if (conf.cookieEncryptionKeyString) {`
			`let keyString = conf.cookieEncryptionKeyString;`
			`while (keyString.length >= 44) {`
			`keyArray.push({ key: keyString.substring(0, 32), iv: keyString.substring(32, 44) });`
			`keyString = keyString.substring(44);`
			`}`
			`}`
fix: handle multi social auth strategies 2022-03-26 01:17:04 +00:00			`passport.use(conf.key,`
feat: azure ad auth (wip) 2019-07-20 04:16:29 +00:00			`new OIDCStrategy({`
			`identityMetadata: conf.entryPoint,`
feat: self-contained auth modules + login UI + icons 2017-09-11 03:00:03 +00:00			`clientID: conf.clientId,`
feat: azure ad auth (wip) 2019-07-20 04:16:29 +00:00			`redirectUrl: conf.callbackURL,`
			`responseType: 'id_token',`
			`responseMode: 'form_post',`
			`scope: ['profile', 'email', 'openid'],`
feat: social login providers with dynamic instances 2020-08-30 05:36:17 +00:00			`allowHttpForRedirectUrl: WIKI.IS_DEBUG,`
fix: enable passport-azure-ad workaround for SameSite cookies (#2567) This adds cookieEncryptionKeyString configuration in the Azure AD authentication module. It represents an array of cookie encryption strings and enables workaround for SameSite cookies. 2020-11-01 18:10:50 +00:00			`passReqToCallback: true,`
			`cookieSameSite: keyArray.length > 0,`
			`useCookieInsteadOfSession: keyArray.length > 0,`
			`cookieEncryptionKeys: keyArray`
feat: social login providers with dynamic instances 2020-08-30 05:36:17 +00:00			`}, async (req, iss, sub, profile, cb) => {`
fix: use preferred_username as alternate for Azure AD 2019-10-27 17:57:39 +00:00			`const usrEmail = _.get(profile, '_json.email', null) \|\| _.get(profile, '_json.preferred_username')`
feat: azure ad auth 2019-07-20 15:09:55 +00:00			`try {`
			`const user = await WIKI.models.users.processProfile({`
feat: social login providers with dynamic instances 2020-08-30 05:36:17 +00:00			`providerKey: req.params.strategy,`
feat: azure ad auth 2019-07-20 15:09:55 +00:00			`profile: {`
			`id: profile.oid,`
			`displayName: profile.displayName,`
fix: use preferred_username as alternate for Azure AD 2019-10-27 17:57:39 +00:00			`email: usrEmail,`
feat: azure ad auth 2019-07-20 15:09:55 +00:00			`picture: ''`
feat: social login providers with dynamic instances 2020-08-30 05:36:17 +00:00			`}`
feat: azure ad auth 2019-07-20 15:09:55 +00:00			`})`
			`cb(null, user)`
			`} catch (err) {`
			`cb(err, null)`
			`}`
			`})`
			`)`
feat: self-contained auth modules + login UI + icons 2017-09-11 03:00:03 +00:00			`}`
feat: modular auth + queue tasks 2017-07-29 21:33:08 +00:00			`}`