fix(registry): fix openid identifier match (case-insensitive)

namecheap · Nov 8, 2023 · 4a539e1 · b1ff · Nov 8, 2023 · b1ff
1 parent 58738ae
commit 4a539e1
Show file tree

Hide file tree

Showing 9 changed files with 67 additions and 85 deletions.
diff --git a/e2e/spec/news.spec.e2e.ts b/e2e/spec/news.spec.e2e.ts
@@ -12,7 +12,7 @@ Scenario('should open a news page and show news sources', async ({ I, newsPage:
     I.see('Pick a news source', newsPage.bannerHeadline);
 });
 
-Scenario.skip('should open an article page from a direct link', async ({ I, newsPage: newsPage }) => {
+Scenario.only('should open an article page from a direct link', async ({ I, newsPage: newsPage }) => {
     I.amOnPage(newsPage.url.main);
     I.waitInUrl(newsPage.url.main, 10);
     I.waitForElement(newsPage.newsSources, 10);

diff --git a/ilc/package-lock.json b/ilc/package-lock.json
diff --git a/registry/package-lock.json b/registry/package-lock.json
diff --git a/registry/package.json b/registry/package.json
@@ -8,7 +8,7 @@
         "compile": "tsc --incremental",
         "dev": "nodemon -e ts,json5 --exec \"npx tsc --incremental && dotenv -- npm run start\" ",
         "build": "npm run compile && cd ./client && npm run build",
-        "start": "node -r source-map-support/register ./build/server/index.js",
+        "start": "dotenv -- node -r source-map-support/register ./build/server/index.js",
         "start-docker": "npm run migrate && npm start",
         "knex": "knex",
         "migrate": "dotenv -- knex --knexfile config/knexfile.ts migrate:latest",

diff --git a/registry/server/auth.ts b/registry/server/auth.ts
@@ -318,10 +318,14 @@ export default async (app: Express, settingsService: SettingsService, config: an
 };
 
 async function getEntityWithCreds(provider: string, identifier: string, secret: string | null): Promise<User | null> {
-    const user = await db.select().from('auth_entities').first('identifier', 'id', 'role', 'secret').where({
-        provider,
-        identifier,
-    });
+    const user = await db
+        .select()
+        .from('auth_entities')
+        .first('identifier', 'id', 'role', 'secret')
+        .where({
+            provider,
+        })
+        .andWhereRaw('LOWER(identifier) = LOWER(?)', [identifier]);
     if (!user) {
         return null;
     }

diff --git a/registry/server/templates/services/resources/Resource.ts b/registry/server/templates/services/resources/Resource.ts
@@ -18,7 +18,10 @@ export abstract class Resource {
         ...Attributes.crossorigin,
     };
 
-    constructor(public uri: string, params?: Params) {
+    constructor(
+        public uri: string,
+        params?: Params,
+    ) {
         this.params = params || {};
     }
 

diff --git a/registry/server/templates/services/templatesRepository.ts b/registry/server/templates/services/templatesRepository.ts
@@ -14,10 +14,13 @@ export async function readTemplateWithAllVersions(templateName: string) {
         .select()
         .from<LocalizedTemplate>(tables.templatesLocalized)
         .where('templateName', templateName);
-    template.localizedVersions = localizedTemplates.reduce((acc, item) => {
-        acc[item.locale] = { content: item.content };
-        return acc;
-    }, {} as Record<string, object>);
+    template.localizedVersions = localizedTemplates.reduce(
+        (acc, item) => {
+            acc[item.locale] = { content: item.content };
+            return acc;
+        },
+        {} as Record<string, object>,
+    );
 
     return template;
 }

diff --git a/registry/tests/auth.spec.ts b/registry/tests/auth.spec.ts
@@ -15,6 +15,8 @@ import nock from 'nock';
 import * as bcrypt from 'bcrypt';
 import { muteConsole, unmuteConsole } from './utils/console';
 import { loadPlugins } from '../server/util/pluginManager';
+import { isSqlite } from '../server/util/db';
+import knex from 'knex';
 
 const generateResp403 = (username: string) => ({
     message: `Access denied. "${username}" has "readonly" access.`,
@@ -76,11 +78,11 @@ describe('Authentication / Authorization', () => {
                 Buffer.from('token_secret', 'utf8').toString('base64');
         });
 
-        it('should not authenticate with invalid creds', async () => {
+        it('should not authenticate with invalid credentails', async () => {
             await request.get('/protected').set('Authorization', `Bearer invalid`).expect(401);
         });
 
-        it('should authenticate with correct creds', async () => {
+        it('should authenticate with correct credentails', async () => {
             await request.get('/protected').set('Authorization', `Bearer ${authToken}`).expect(200, 'ok');
         });
 
@@ -363,6 +365,47 @@ describe('Authentication / Authorization', () => {
                     await agent.get('/auth/logout').expect(302);
                     await agent.get('/protected').expect(401);
                 });
+                it('should authenticate against OpenID server (case-insensitive identifier)', async () => {
+                    await db('auth_entities').where('identifier', userIdentifier.toUpperCase()).delete();
+                    await db('auth_entities').insert({
+                        identifier: userIdentifier.toUpperCase(),
+                        provider: 'openid',
+                        role: 'admin',
+                    });
+                    const res = await agent
+                        .get('/auth/openid')
+                        .expect(302)
+                        .expect(
+                            'Location',
+                            new RegExp(
+                                'https://ad\\.example\\.doesnotmatter\\.com/adfs/oauth2/authorize/\\?client_id=ba05c345-e144-4688-b0be-3e1097ddd32d&scope=openid&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A4000%2Fauth%2Fopenid%2Freturn&state=.+?$',
+                            ),
+                        );
+
+                    await agent
+                        .get(`/auth/openid/return?${getQueryOfCodeAndSessionState(res.header['location'])}`)
+                        .expect(302)
+                        .expect('Location', '/')
+                        .expect((res) => {
+                            let setCookie = res.header['set-cookie'];
+                            assert.ok(Array.isArray(setCookie));
+                            assert.ok(setCookie[0]);
+
+                            const parts: any = querystring.parse(setCookie[0].replace(/\s?;\s?/, '&'));
+                            const userInfo = JSON.parse(parts['ilc:userInfo']);
+
+                            assert.strictEqual(userInfo.identifier, userIdentifier.toUpperCase());
+                            assert.strictEqual(userInfo.role, 'admin');
+                        });
+
+                    // respect session cookie
+                    await agent.get('/protected').expect(200, 'ok');
+
+                    // correctly logout
+                    await agent.get('/auth/logout').expect(302);
+                    await agent.get('/protected').expect(401);
+                    await db('auth_entities').where('identifier', userIdentifier.toUpperCase()).delete();
+                });
 
                 it('should authenticate against OpenID server & perform impersonation', async () => {
                     getStub.withArgs(SettingKeys.AuthOpenIdUniqueIdentifierClaimName).returns(Promise.resolve('upn'));

diff --git a/start_all.js b/start_all.js
@@ -19,7 +19,7 @@ const commands = [
     },
     {
         cwd: 'registry',
-        command: `npm run migrate && npm run seed && npm run ${noWatch ? 'start' : 'dev'}`,
+        command: `npm run migrate && npm run ${noWatch ? 'start' : 'dev'}`,
         name: 'registry',
     },
 ];