Allow authentication via provider ID

gbv · Dec 12, 2024 · d609936 · d609936
1 parent cd418c4
commit d609936
Show file tree

Hide file tree

Showing 7 changed files with 11 additions and 5 deletions.
diff --git a/.docker/README.md b/.docker/README.md
@@ -27,6 +27,7 @@ services:
       # When used in Docker, this needs to be a publicly available URL
       - VITE_LOGIN_SERVER=http://localhost:3004
       - VITE_ALLOWED_USERS=uri1,uri2
+      - VITE_ALLOWED_PROVIDERS=provider1,provider2
     ports:
       - 3454:3454
     restart: unless-stopped

diff --git a/.docker/docker-compose.yml b/.docker/docker-compose.yml
@@ -11,6 +11,7 @@ services:
       - PORT=3454
       - VITE_LOGIN_SERVER=http://localhost:3004
       - VITE_ALLOWED_USERS=uri1,uri2
+      - VITE_ALLOWED_PROVIDERS=provider1,provider2
     ports:
       - 3454:3454
     restart: unless-stopped
diff --git a/README.md b/README.md
@@ -58,8 +58,11 @@ PORT=3454
 BASE_URL=https://coli-conc.gbv.de/coli-rich/app/
 # Login Server instance base URL
 VITE_LOGIN_SERVER=http://localhost:3004
-# Hardcoded list of allow user URIs that can perform enrichments in the backend
+# Hardcoded list of allowed user URIs that can perform enrichments in the backend
 VITE_ALLOWED_USERS=uri1,uri2
+# List of allowed provider IDs (works in addition to VITE_ALLOWED_USERS, i.e. if a user either has one of the 
+# specified URIs or has one of the specified providers linked, they can perform enrichments in the backend)
+VITE_ALLOWED_PROVIDERS=provider1,provider2
 # Local file path where submitted enrichments will be temporarily stored
 ENRICHMENTS_PATH=./enrichments
 ```

diff --git a/src/client/App.vue b/src/client/App.vue
@@ -21,9 +21,9 @@ const { showGoToTopButton, goToTop } = useGoToTop()
 import { useSubmitEnrichments } from "@/composables/submit-enrichments.js"
 const { submitEnrichments, successMessage, errorMessage, submitLoading, resetSubmit } = useSubmitEnrichments()
 
-import { version, name, showWhenExistsKey, examples, allowedUsers } from "@/config.js"
+import { version, name, showWhenExistsKey, examples, allowedUsers, allowedProviders } from "@/config.js"
 
-const hasBackendAccess = computed(() => allowedUsers.includes(user.value?.uri))
+const hasBackendAccess = computed(() => allowedUsers.includes(user.value?.uri) || allowedProviders.find(provider => user.value?.identities[provider]?.id))
 
 const ppninput = ref("")
 

diff --git a/src/client/config.js b/src/client/config.js
@@ -39,5 +39,6 @@ export const loginServerUrl = loginServer && loginServer.replace(/https?:\/\//,
 export const loginServerSsl = loginServer && loginServer.startsWith("https://")
 
 export const allowedUsers = (import.meta.env.VITE_ALLOWED_USERS || "").split(",").filter(Boolean).map(uri => uri.trim())
+export const allowedProviders = (import.meta.env.VITE_ALLOWED_PROVIDERS || "").split(",").filter(Boolean).map(uri => uri.trim())
 
 export const baseUrl = import.meta.env.BASE_URL || "/"
diff --git a/src/config.js b/src/config.js
@@ -53,6 +53,7 @@ export default {
   port,
   login,
   allowedUsers: (env.VITE_ALLOWED_USERS || "").split(",").filter(Boolean).map(uri => uri.trim()),
+  allowedProviders: (env.VITE_ALLOWED_PROVIDERS || "").split(",").filter(Boolean).map(uri => uri.trim()),
   enrichmentsPath,
   // methods
   log,

diff --git a/src/server/auth.js b/src/server/auth.js
@@ -82,8 +82,7 @@ const auth = [
   }, 
   authPreparation, 
   (req, res, next) => {
-    // TODO: Add provider check as alternative as soon as CBS login provider is configured in Login Server.
-    if (!config.allowedUsers.includes(req.user?.uri)) {
+    if (!config.allowedUsers.includes(req.user?.uri) && !config.allowedProviders.find(provider => req.user?.identities[provider]?.id)) {
       next(new ForbiddenAccessError("Access forbidden. User is not on the allowed list."))
     } else {
       next()