Improve process and change libs

danny-avila · Jan 25, 2024 · 17af179 · 17af179
1 parent 17926ce
commit 17af179
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 26 deletions.
diff --git a/.env.example b/.env.example
@@ -266,6 +266,7 @@ OPENID_SESSION_SECRET=
 OPENID_SCOPE="openid profile email"
 OPENID_CALLBACK_URL=/oauth/openid/callback
 OPENID_REQUIRED_ROLE=
+OPENID_REQUIRED_ROLE_PARAMETER_PATH=
 
 OPENID_BUTTON_LABEL=
 OPENID_IMAGE_URL=

diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js
@@ -5,7 +5,7 @@ const passport = require('passport');
 const { Issuer, Strategy: OpenIDStrategy } = require('openid-client');
 const { logger } = require('~/config');
 const User = require('~/models/User');
-const jwtDecode = require('jwt-decode');
+const jwtDecode = require('jsonwebtoken/decode');
 
 let crypto;
 try {
@@ -46,6 +46,7 @@ async function setupOpenId() {
       redirect_uris: [process.env.DOMAIN_SERVER + process.env.OPENID_CALLBACK_URL],
     });
     const requiredRole = process.env.OPENID_REQUIRED_ROLE;
+    const requiredRoleParameterPath = process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH;
 
     const openidLogin = new OpenIDStrategy(
       {
@@ -73,16 +74,17 @@ async function setupOpenId() {
             fullName = userinfo.username || userinfo.email;
           }
 
-          const decodedAccessToken = jwtDecode.jwtDecode(tokenset.access_token);
-          let roles = [];
-          if (decodedAccessToken.roles) {
-            roles = decodedAccessToken.roles;
-          } else if (decodedAccessToken.realm_access && decodedAccessToken.realm_access.roles) {
-            roles = decodedAccessToken.realm_access.roles;
-          }
-          user.roles = roles;
+          const decodedAccessToken = jwtDecode(tokenset.access_token);
+          const pathParts = requiredRoleParameterPath.split('.');
+          user.roles = pathParts.reduce((o, key) => {
+            if (o === null || o === undefined || !(key in o)) {
+              console.error(`Key '${decodedAccessToken}' not found in access token!`);
+              return [];
+            }
+            return o[key];
+          }, decodedAccessToken);
 
-          if (requiredRole && !roles.includes(requiredRole)) {
+          if (requiredRole && !user.roles.includes(requiredRole)) {
             return done(null, false, {
               message: `You must have the "${requiredRole}" role to log in.`,
             });

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -37,13 +37,17 @@ services:
     image: mongo
     restart: always
     user: "${UID}:${GID}"
+    ports:
+      - 27017:27017
     volumes:
       - ./data-node:/data/db
     command: mongod --noauth
   meilisearch:
     container_name: chat-meilisearch
     image: getmeili/meilisearch:v1.5
     restart: always
+    ports:
+      - 7700:7700
     env_file:
       - .env
     user: "${UID}:${GID}"

diff --git a/docs/install/configuration/user_auth_system.md b/docs/install/configuration/user_auth_system.md
@@ -604,11 +604,15 @@ OPENID_CALLBACK_URL=/oauth/openid/callback # this should be the same for everyon
   - Go to 'Users', select a user, and go to the 'Role Mappings' tab.
   - Assign the appropriate role (that matches `OPENID_REQUIRED_ROLE`) to the user.
 
-7. **Configure Client Scopes (Optional):**
+7. **Get path of roles list inside access token:**
+    - Decode your jwtToken from OpenID provider and determine path for roles list inside access token. For example, if you are using Keycloak, the path is `realm_access.roles`.
+    - Put this path in `OPENID_REQUIRED_ROLE_PARAMETER_PATH` variable in `.env` file.
+
+8. **Configure Client Scopes (Optional):**
   - If you want to include role information in the token, add a client scope and mapper.
   - Go to 'Client Scopes', create a new scope, and add a mapper to include the role information in the token.
 
-8. **Update Your Project's Configuration:**
+9. **Update Your Project's Configuration:**
   - Open the `.env` file in your project folder and add the following variables:
     ```
     OPENID_ISSUER=http://localhost:8080/auth/realms/[YourRealmName]
@@ -617,6 +621,7 @@ OPENID_CALLBACK_URL=/oauth/openid/callback # this should be the same for everyon
     OPENID_CALLBACK_URL=http://localhost:3080/oauth/openid/callback
     OPENID_SCOPE="openid profile email"
     OPENID_REQUIRED_ROLE=[YourRequiredRole]
+    OPENID_REQUIRED_ROLE_PARAMETER_PATH="realm_access.roles"
     ```
 
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -98,8 +98,5 @@
       "admin/",
       "packages/"
     ]
-  },
-  "dependencies": {
-    "jwt-decode": "^4.0.0"
   }
 }