Switched docker build to path based to allow .dockerignore to work. I…

…mplemented OIDC support. Updated README.md
glenndehaan · Aug 23, 2024 · bfe2d39 · bfe2d39
1 parent 89bc27a
commit bfe2d39
Show file tree

Hide file tree

Showing 8 changed files with 729 additions and 30 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -28,13 +28,15 @@ jobs:
         if: startsWith(github.ref, 'refs/tags/')
         uses: docker/build-push-action@v5
         with:
+          context: .
           platforms: linux/amd64,linux/arm64
           push: true
           tags: glenndehaan/unifi-voucher-site:${{ github.ref_name }}
       - name: Build and push (latest)
         if: github.ref == 'refs/heads/master'
         uses: docker/build-push-action@v5
         with:
+          context: .
           platforms: linux/amd64,linux/arm64
           push: true
           tags: glenndehaan/unifi-voucher-site:latest
diff --git a/README.md b/README.md
@@ -57,6 +57,12 @@ services:
       AUTH_PASSWORD: '0000'
       # The Bearer token used for the API
       AUTH_TOKEN: '00000000-0000-0000-0000-000000000000'
+      # OIDC issuer base url provided by oauth provider. Example: https://auth.example.com/.well-known/openid-configuration
+      AUTH_OIDC_ISSUER_BASE_URL: ''
+      # OIDC UniFi Voucher base url (This application). Example: https://voucher.example.com
+      AUTH_OIDC_APP_BASE_URL: ''
+      # OIDC client id provided by oauth provider
+      AUTH_OIDC_CLIENT_ID: ''
       # Disables the login/authentication for the portal and API
       AUTH_DISABLE: 'false'
       # Voucher Types, format: expiration in minutes (required),single-use or multi-use vouchers value - '0' is for multi-use - '1' is for single-use (optional),upload speed limit in kbps (optional),download speed limit in kbps (optional),data transfer limit in MB (optional)
@@ -290,6 +296,31 @@ Once the SMTP environment variables are configured, the email feature will be av
 
 ![Example Email](https://github.com/user-attachments/assets/45615db3-df76-48b0-ad30-05236e3754c1)
 
+## OpenID Connect (OIDC) Authentication
+
+The UniFi Voucher Site allows seamless integration with OpenID Connect (OIDC), enabling users to authenticate through their preferred identity provider (IdP). The setup is straightforward, requiring configuration through environment variables to align with your existing OIDC provider.
+
+### Configuration
+
+To enable OIDC authentication, set the following environment variables in your application’s environment:
+
+- **`AUTH_OIDC_ISSUER_BASE_URL`**:
+  The base URL of your OIDC provider. This is typically the URL where the well-known OIDC configuration is hosted (e.g., `https://auth.example.com/.well-known/openid-configuration`).
+
+- **`AUTH_OIDC_APP_BASE_URL`**:
+  The base URL of your UniFi Voucher Site application. This should be the public URL where the site is accessible to users (e.g., `https://voucher.example.com`).
+
+- **`AUTH_OIDC_CLIENT_ID`**:
+  The client ID registered with your OIDC provider. This value is specific to the OIDC client created for the UniFi Voucher Site.
+
+> Please note that **enabling OIDC support will automatically disable the built-in login system**. Once OIDC is activated, all user authentication will be handled through your configured identity provider, and the local login mechanism will no longer be available.
+
+### OIDC Client Configuration
+
+When configuring your OIDC client, ensure that the following settings are enabled:
+
+- **Implicit Flow Support**: The OIDC client **must** support the Implicit flow. This is essential as the UniFi Voucher Site relies on this flow for authentication.
+
 ## Screenshots
 
 ### Login (Desktop)

diff --git a/middlewares/authorization.js b/middlewares/authorization.js
@@ -2,11 +2,15 @@
  * Import own modules
  */
 const jwt = require('../modules/jwt');
+const oidc = require('express-openid-connect');
 
 /**
  * Global variables
  */
 const authDisabled = (process.env.AUTH_DISABLE === 'true') || false;
+const oidcIssuerBaseUrl = process.env.AUTH_OIDC_ISSUER_BASE_URL || '';
+const oidcAppBaseUrl = process.env.AUTH_OIDC_APP_BASE_URL || '';
+const oidcClientId = process.env.AUTH_OIDC_CLIENT_ID || '';
 
 /**
  * Verifies if a user is signed in
@@ -23,8 +27,8 @@ module.exports = {
      * @return {Promise<void>}
      */
     web: async (req, res, next) => {
-        // Check if authentication is enabled
-        if(!authDisabled) {
+        // Check if authentication is enabled & OIDC is disabled
+        if(!authDisabled && (oidcIssuerBaseUrl === '' && oidcAppBaseUrl === '' && oidcClientId === '')) {
             // Check if user has an existing authorization cookie
             if (!req.cookies.authorization) {
                 res.redirect(302, `${req.headers['x-ingress-path'] ? req.headers['x-ingress-path'] : ''}/login`);
@@ -44,6 +48,12 @@ module.exports = {
             }
         }
 
+        // Check if authentication is enabled & OIDC is enabled
+        if(!authDisabled && (oidcIssuerBaseUrl !== '' && oidcAppBaseUrl !== '' && oidcClientId !== '')) {
+            const middleware = oidc.requiresAuth();
+            return middleware(req, res, next);
+        }
+
         next();
     },
 

diff --git a/modules/jwt.js b/modules/jwt.js
@@ -21,7 +21,7 @@ const settings = {
 };
 
 /**
- * Exports the UniFi voucher functions
+ * Exports the JWT functions
  */
 module.exports = {
     /**

diff --git a/modules/oidc.js b/modules/oidc.js
@@ -0,0 +1,41 @@
+/**
+ * Import base packages
+ */
+const crypto = require('crypto');
+const oidc = require('express-openid-connect');
+
+/**
+ * Import own modules
+ */
+const log = require('./log');
+
+/**
+ * OIDC Settings
+ *
+ * @type {{baseURL: string, idpLogout: boolean, authRequired: boolean, clientID: string, issuerBaseURL: string, secret: string}}
+ */
+const settings = {
+    issuerBaseURL: process.env.AUTH_OIDC_ISSUER_BASE_URL,
+    baseURL: process.env.AUTH_OIDC_APP_BASE_URL,
+    clientID: process.env.AUTH_OIDC_CLIENT_ID,
+    secret: '',
+    idpLogout: true,
+    authRequired: false
+};
+
+/**
+ * Exports the OIDC functions
+ */
+module.exports = {
+    /**
+     * Set the OIDC secret & setup OIDC middleware
+     *
+     * @param app
+     */
+    init: (app) => {
+        settings.secret = crypto.randomBytes(20).toString('hex');
+        log.info(`[OIDC] Set secret: ${settings.secret}`);
+        app.use(oidc.auth(settings));
+        log.info(`[OIDC] Issuer: ${settings.issuerBaseURL}, Client: ${settings.clientID}`);
+    }
+};
-Original file line number
+Diff line change
@@ Expand Up / @@ -21,7 +21,7 @@ const settings = { @@
     };
     /**
-     * Exports the UniFi voucher functions
+     * Exports the JWT functions
      */
     module.exports = {
         /**
@@ Expand Down @@