feat: support for OIDC authentication

.example.env

@@ -58,6 +58,7 @@ DISALLOW_REGISTRATION=true
 # Optional - Disable anonymous link creation. Default is true.
 DISALLOW_ANONYMOUS_LINKS=true
 
+
 # Optional - This would be shown to the user on the settings page
 # It's only for display purposes and has no other use
 SERVER_IP_ADDRESS=
@@ -87,3 +88,15 @@ REPORT_EMAIL=
 
 # Optional - Support email to show on the app
 CONTACT_EMAIL=
+
+# Optional - Login with OIDC
+OIDC_ENABLED=false
+OIDC_ISSUER=
+OIDC_CLIENT_ID=
+OIDC_CLIENT_SECRET=
+OIDC_SCOPE=
+OIDC_EMAIL_CLAIM=
+OIDC_APP_URL=
+
+# Optional - Disable form-based login. Only makes sense when OIDC_ENABLED=true.
+DISALLOW_FORM_LOGIN=false

docker-compose.oidc.yml

@@ -0,0 +1,65 @@
+services:
+  server:
+    build:
+      context: .
+    volumes:
+       - db_data_sqlite:/var/lib/kutt
+       - custom:/kutt/custom
+    env_file: .env
+    environment:
+      DB_FILENAME: "/var/lib/kutt/data.sqlite"
+      DISALLOW_REGISTRATION: "false"
+      OIDC_ENABLED: "true"
+      OIDC_ISSUER: http://7f000001.nip.io:5556/dex
+      OIDC_CLIENT_ID: example-app
+      OIDC_CLIENT_SECRET: ZXhhbXBsZS1hcHAtc2VjcmV0
+      OIDC_SCOPE: openid profile email
+      OIDC_APP_URL: http://localhost:3000
+    ports:
+      - 3000:3000
+    links:
+      - oidc-server:7f000001.nip.io
+
+  oidc-server:
+    image: dexidp/dex:v2.43.1-alpine
+    ports:
+      - 5556:5556
+    domainname: 7f000001.nip.io
+    configs:
+      - source: config.yaml
+        target: /etc/dex/config.docker.yaml
+configs:
+  config.yaml:
+    content: |
+      issuer: http://7f000001.nip.io:5556/dex
+      storage:
+        type: sqlite3
+        config:
+          file: /var/dex/dex.db
+      web:
+        http: 0.0.0.0:5556
+      staticClients:
+        - id: example-app
+          redirectURIs:
+            - 'http://localhost:3000/login/oidc'
+          name: 'Example App'
+          secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+      connectors:
+        - type: mockCallback
+          id: mock
+          name: Example
+      enablePasswordDB: true
+      staticPasswords:
+      - email: "[email protected]"
+        # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
+        hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+        username: "user01"
+        userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+      - email: "[email protected]"
+        hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+        username: "user02"
+        userID: "a4588bda-8303-458e-965e-b9ae039ef7b7"
+
+volumes:
+  db_data_sqlite:
+  custom:

package.json

@@ -28,6 +28,7 @@
     "better-sqlite3": "11.8.1",
     "bull": "4.16.5",
     "cookie-parser": "1.4.7",
+    "cookie-session": "^2.1.0",
     "cors": "2.8.5",
     "date-fns": "2.30.0",
     "dotenv": "16.4.7",
@@ -46,6 +47,7 @@
     "mysql2": "3.12.0",
     "nanoid": "3.3.8",
     "nodemailer": "6.9.16",
+    "openid-client": "^5.7.0",
     "passport": "0.7.0",
     "passport-jwt": "4.0.1",
     "passport-local": "1.0.0",

server/env.js

@@ -50,6 +50,7 @@ const spec = {
   REDIS_DB: num({ default: 0 }),
   DISALLOW_ANONYMOUS_LINKS: bool({ default: true }),
   DISALLOW_REGISTRATION: bool({ default: true }),
+  DISALLOW_FORM_LOGIN: bool({ default: false }),
   SERVER_IP_ADDRESS: str({ default: "" }),
   SERVER_CNAME_ADDRESS: str({ default: "" }),
   CUSTOM_DOMAIN_USE_HTTPS: bool({ default: false }),
@@ -61,6 +62,13 @@ const spec = {
   MAIL_USER: str({ default: "" }),
   MAIL_FROM: str({ default: "", example: "Kutt <[email protected]>" }),
   MAIL_PASSWORD: str({ default: "" }),
+  OIDC_ENABLED: bool({ default: false }),
+  OIDC_ISSUER: str({ default: "" }),
+  OIDC_CLIENT_ID: str({ default: "" }),
+  OIDC_CLIENT_SECRET: str({ default: "" }),
+  OIDC_SCOPE: str({ default: "openid profile email" }),
+  OIDC_EMAIL_CLAIM: str({ default: "email" }),
+  OIDC_APP_URL: str({ default: "" }),
   ENABLE_RATE_LIMIT: bool({ default: false }),
   REPORT_EMAIL: str({ default: "" }),
   CONTACT_EMAIL: str({ default: "" }),

server/handlers/auth.handler.js

@@ -16,9 +16,10 @@ const CustomError = utils.CustomError;
 function authenticate(type, error, isStrict, redirect) {
   return function auth(req, res, next) {
     if (req.user) return next();
-    
+
     passport.authenticate(type, (err, user, info) => {
       if (err) return next(err);
+      if (type === 'oidc' && info instanceof Error) return next(info);
 
       if (
         req.isHTML &&
@@ -80,6 +81,7 @@ const jwtPage = authenticate("jwt", "Unauthorized.", true, "page");
 const jwtLoose = authenticate("jwt", "Unauthorized.", false, "header");
 const jwtLoosePage = authenticate("jwt", "Unauthorized.", false, "page");
 const apikey = authenticate("localapikey", "API key is not correct.", false, null);
+const oidc = authenticate("oidc", "Unauthorized", false, "page");
 
 function admin(req, res, next) {
   if (req.user.admin) return next();
@@ -388,6 +390,7 @@ module.exports = {
   local,
   login,
   newPassword,
+  oidc,
   resetPassword,
   signup,
   verify,

server/handlers/locals.handler.js

@@ -27,6 +27,8 @@ function config(req, res, next) {
   res.locals.server_ip_address = env.SERVER_IP_ADDRESS;
   res.locals.server_cname_address = env.SERVER_CNAME_ADDRESS;
   res.locals.disallow_registration = env.DISALLOW_REGISTRATION;
+  res.locals.disallow_form_login = env.DISALLOW_FORM_LOGIN;
+  res.locals.oidc_enabled = env.OIDC_ENABLED;
   res.locals.mail_enabled = env.MAIL_ENABLED;
   res.locals.report_email = env.REPORT_EMAIL;
   res.locals.custom_styles = utils.getCustomCSSFileNames();