Added Login with OIDC button to login page. Made login.ejs dynamic based on enabled authentication services. Made GitHub icon on login.ejs smaller. Refactored authorization.js middleware to support running both internal and OIDC authentication within the same instance. Added extra error to info.js when both authentication services are disabled but authentication itself is enabled. Updated status.js to correctly display both authentication services running at the same time. Updated README.md. Enabled /login when OIDC is enabled. Added missing middleware on /logout. Fixed JWT not initializing when authInternalEnabled is true

2026-03-31 06:24:00 -04:00 · 2024-10-03 13:56:28 +02:00
parent e1c1aa8c21
commit 4418f9c347
6 changed files with 123 additions and 67 deletions
--- a/middlewares/authorization.js
+++ b/middlewares/authorization.js
@@ -24,34 +24,48 @@ module.exports = {
     * @return {Promise<void>}
     */
    web: async (req, res, next) => {
-        // Check if authentication is enabled & OIDC is disabled
-        if(!variables.authDisabled && !variables.authOidcEnabled) {
+        let internal = false;
+        let oidc = false;
+
+        // Continue is authentication is disabled
+        if(variables.authDisabled) {
+            next();
+            return;
+        }
+
+        // Check if Internal auth is enabled then verify user status
+        if(variables.authInternalEnabled) {
            // Check if user has an existing authorization cookie
-            if (!req.cookies.authorization) {
-                res.redirect(302, `${req.headers['x-ingress-path'] ? req.headers['x-ingress-path'] : ''}/login`);
-                return;
-            }
+            if (req.cookies.authorization) {
+                // Check if token is correct and valid
+                try {
+                    const check = jwt.verify(req.cookies.authorization);

-            // Check if token is correct and valid
-            try {
-                const check = jwt.verify(req.cookies.authorization);
-
-                if(!check) {
-                    res.cookie('flashMessage', JSON.stringify({type: 'error', message: 'Invalid or expired login!'}), {httpOnly: true, expires: new Date(Date.now() + 24 * 60 * 60 * 1000)}).redirect(302, `${req.headers['x-ingress-path'] ? req.headers['x-ingress-path'] : ''}/login`);
-                }
-            } catch (e) {
-                res.cookie('flashMessage', JSON.stringify({type: 'error', message: 'Invalid or expired login!'}), {httpOnly: true, expires: new Date(Date.now() + 24 * 60 * 60 * 1000)}).redirect(302, `${req.headers['x-ingress-path'] ? req.headers['x-ingress-path'] : ''}/login`);
-                return;
+                    if(check) {
+                        internal = true;
+                    }
+                } catch (e) {}
            }
        }

-        // Check if authentication is enabled & OIDC is enabled
-        if(!variables.authDisabled && variables.authOidcEnabled) {
-            const middleware = oidc.requiresAuth();
-            return middleware(req, res, next);
+        // Check if OIDC is enabled then verify user status
+        if(variables.authOidcEnabled) {
+            oidc = req.oidc.isAuthenticated();
        }

-        next();
+        // Check if user is authorized by a service
+        if(internal || oidc) {
+            // Remove req.oidc if user is authenticated internally
+            if(internal) {
+                delete req.oidc;
+            }
+
+            next();
+            return;
+        }
+
+        // Fallback to login page
+        res.redirect(302, `${req.headers['x-ingress-path'] ? req.headers['x-ingress-path'] : ''}/login`);
    },

    /**