replaced authentik with generic oidc provider
This commit is contained in:
+44
-28
@@ -15,6 +15,10 @@ import (
|
||||
"github.com/pocketbase/pocketbase/tools/security"
|
||||
)
|
||||
|
||||
// SecretMask is the default settings secrets replacement value
|
||||
// (see Settings.RedactClone()).
|
||||
const SecretMask string = "******"
|
||||
|
||||
// Settings defines common app configuration options.
|
||||
type Settings struct {
|
||||
mux sync.RWMutex
|
||||
@@ -47,8 +51,10 @@ type Settings struct {
|
||||
StravaAuth AuthProviderConfig `form:"stravaAuth" json:"stravaAuth"`
|
||||
GiteeAuth AuthProviderConfig `form:"giteeAuth" json:"giteeAuth"`
|
||||
LivechatAuth AuthProviderConfig `form:"livechatAuth" json:"livechatAuth"`
|
||||
AuthentikAuth AuthProviderConfig `form:"authentikAuth" json:"authentikAuth"`
|
||||
GiteaAuth AuthProviderConfig `form:"giteaAuth" json:"giteaAuth"`
|
||||
OIDCAuth AuthProviderConfig `form:"oidcAuth" json:"oidcAuth"`
|
||||
OIDC2Auth AuthProviderConfig `form:"oidc2Auth" json:"oidc2Auth"`
|
||||
OIDC3Auth AuthProviderConfig `form:"oidc3Auth" json:"oidc3Auth"`
|
||||
}
|
||||
|
||||
// New creates and returns a new default Settings instance.
|
||||
@@ -138,10 +144,16 @@ func New() *Settings {
|
||||
LivechatAuth: AuthProviderConfig{
|
||||
Enabled: false,
|
||||
},
|
||||
AuthentikAuth: AuthProviderConfig{
|
||||
GiteaAuth: AuthProviderConfig{
|
||||
Enabled: false,
|
||||
},
|
||||
GiteaAuth: AuthProviderConfig{
|
||||
OIDCAuth: AuthProviderConfig{
|
||||
Enabled: false,
|
||||
},
|
||||
OIDC2Auth: AuthProviderConfig{
|
||||
Enabled: false,
|
||||
},
|
||||
OIDC3Auth: AuthProviderConfig{
|
||||
Enabled: false,
|
||||
},
|
||||
}
|
||||
@@ -176,8 +188,10 @@ func (s *Settings) Validate() error {
|
||||
validation.Field(&s.StravaAuth),
|
||||
validation.Field(&s.GiteeAuth),
|
||||
validation.Field(&s.LivechatAuth),
|
||||
validation.Field(&s.AuthentikAuth),
|
||||
validation.Field(&s.GiteaAuth),
|
||||
validation.Field(&s.OIDCAuth),
|
||||
validation.Field(&s.OIDC2Auth),
|
||||
validation.Field(&s.OIDC3Auth),
|
||||
)
|
||||
}
|
||||
|
||||
@@ -211,8 +225,6 @@ func (s *Settings) RedactClone() (*Settings, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
mask := "******"
|
||||
|
||||
sensitiveFields := []*string{
|
||||
&clone.Smtp.Password,
|
||||
&clone.S3.Secret,
|
||||
@@ -235,14 +247,16 @@ func (s *Settings) RedactClone() (*Settings, error) {
|
||||
&clone.StravaAuth.ClientSecret,
|
||||
&clone.GiteeAuth.ClientSecret,
|
||||
&clone.LivechatAuth.ClientSecret,
|
||||
&clone.AuthentikAuth.ClientSecret,
|
||||
&clone.GiteaAuth.ClientSecret,
|
||||
&clone.OIDCAuth.ClientSecret,
|
||||
&clone.OIDC2Auth.ClientSecret,
|
||||
&clone.OIDC3Auth.ClientSecret,
|
||||
}
|
||||
|
||||
// mask all sensitive fields
|
||||
for _, v := range sensitiveFields {
|
||||
if v != nil && *v != "" {
|
||||
*v = mask
|
||||
*v = SecretMask
|
||||
}
|
||||
}
|
||||
|
||||
@@ -256,21 +270,23 @@ func (s *Settings) NamedAuthProviderConfigs() map[string]AuthProviderConfig {
|
||||
defer s.mux.RUnlock()
|
||||
|
||||
return map[string]AuthProviderConfig{
|
||||
auth.NameGoogle: s.GoogleAuth,
|
||||
auth.NameFacebook: s.FacebookAuth,
|
||||
auth.NameGithub: s.GithubAuth,
|
||||
auth.NameGitlab: s.GitlabAuth,
|
||||
auth.NameDiscord: s.DiscordAuth,
|
||||
auth.NameTwitter: s.TwitterAuth,
|
||||
auth.NameMicrosoft: s.MicrosoftAuth,
|
||||
auth.NameSpotify: s.SpotifyAuth,
|
||||
auth.NameKakao: s.KakaoAuth,
|
||||
auth.NameTwitch: s.TwitchAuth,
|
||||
auth.NameStrava: s.StravaAuth,
|
||||
auth.NameGitee: s.GiteeAuth,
|
||||
auth.NameLivechat: s.LivechatAuth,
|
||||
auth.NameAuthentik: s.AuthentikAuth,
|
||||
auth.NameGitea: s.GiteaAuth,
|
||||
auth.NameGoogle: s.GoogleAuth,
|
||||
auth.NameFacebook: s.FacebookAuth,
|
||||
auth.NameGithub: s.GithubAuth,
|
||||
auth.NameGitlab: s.GitlabAuth,
|
||||
auth.NameDiscord: s.DiscordAuth,
|
||||
auth.NameTwitter: s.TwitterAuth,
|
||||
auth.NameMicrosoft: s.MicrosoftAuth,
|
||||
auth.NameSpotify: s.SpotifyAuth,
|
||||
auth.NameKakao: s.KakaoAuth,
|
||||
auth.NameTwitch: s.TwitchAuth,
|
||||
auth.NameStrava: s.StravaAuth,
|
||||
auth.NameGitee: s.GiteeAuth,
|
||||
auth.NameLivechat: s.LivechatAuth,
|
||||
auth.NameGitea: s.GiteaAuth,
|
||||
auth.NameOIDC: s.OIDCAuth,
|
||||
auth.NameOIDC + "2": s.OIDC2Auth,
|
||||
auth.NameOIDC + "3": s.OIDC3Auth,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -481,11 +497,11 @@ func (c LogsConfig) Validate() error {
|
||||
|
||||
type AuthProviderConfig struct {
|
||||
Enabled bool `form:"enabled" json:"enabled"`
|
||||
ClientId string `form:"clientId" json:"clientId,omitempty"`
|
||||
ClientSecret string `form:"clientSecret" json:"clientSecret,omitempty"`
|
||||
AuthUrl string `form:"authUrl" json:"authUrl,omitempty"`
|
||||
TokenUrl string `form:"tokenUrl" json:"tokenUrl,omitempty"`
|
||||
UserApiUrl string `form:"userApiUrl" json:"userApiUrl,omitempty"`
|
||||
ClientId string `form:"clientId" json:"clientId"`
|
||||
ClientSecret string `form:"clientSecret" json:"clientSecret"`
|
||||
AuthUrl string `form:"authUrl" json:"authUrl"`
|
||||
TokenUrl string `form:"tokenUrl" json:"tokenUrl"`
|
||||
UserApiUrl string `form:"userApiUrl" json:"userApiUrl"`
|
||||
}
|
||||
|
||||
// Validate makes `ProviderConfig` validatable by implementing [validation.Validatable] interface.
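Review bot: With a generic OIDC provider the AuthUrl, TokenUrl and UserApiUrl fields of AuthProviderConfig become admin-supplied endpoints that the server itself contacts during the token exchange and user-info fetch, so the `Validate` method whose doc comment closes this section (its body is outside the visible hunk) should presumably require all three to be absolute https URLs whenever `Enabled` is true, e.g. `validation.Field(&c.TokenUrl, validation.When(c.Enabled, validation.Required, is.URL))`; if it currently only checks ClientId/ClientSecret, a typo or plain-http endpoint would be accepted silently. In `NamedAuthProviderConfigs()` the two extra entries build their map keys as `auth.NameOIDC + "2"` and `auth.NameOIDC + "3"`, which can drift from whatever names the provider registry uses without any compile-time signal; exporting `auth.NameOIDC2` / `auth.NameOIDC3` constants beside `auth.NameOIDC` and using them here (and in the registry) keeps the settings keys and provider lookup in step. Dropping `omitempty` from the clientSecret tag means every config now serializes that field; that is fine after `RedactClone()`, but `NamedAuthProviderConfigs()` returns the un-redacted values, so it is worth confirming that no caller marshals that map straight to a client.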
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
package settings_test
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"strings"
|
||||
@@ -54,10 +55,14 @@ func TestSettingsValidate(t *testing.T) {
|
||||
s.GiteeAuth.ClientId = ""
|
||||
s.LivechatAuth.Enabled = true
|
||||
s.LivechatAuth.ClientId = ""
|
||||
s.AuthentikAuth.Enabled = true
|
||||
s.AuthentikAuth.ClientId = ""
|
||||
s.GiteaAuth.Enabled = true
|
||||
s.GiteaAuth.ClientId = ""
|
||||
s.OIDCAuth.Enabled = true
|
||||
s.OIDCAuth.ClientId = ""
|
||||
s.OIDC2Auth.Enabled = true
|
||||
s.OIDC2Auth.ClientId = ""
|
||||
s.OIDC3Auth.Enabled = true
|
||||
s.OIDC3Auth.ClientId = ""
|
||||
|
||||
// check if Validate() is triggering the members validate methods.
|
||||
err := s.Validate()
|
||||
@@ -89,8 +94,10 @@ func TestSettingsValidate(t *testing.T) {
|
||||
`"stravaAuth":{`,
|
||||
`"giteeAuth":{`,
|
||||
`"livechatAuth":{`,
|
||||
`"authentikAuth":{`,
|
||||
`"giteaAuth":{`,
|
||||
`"oidcAuth":{`,
|
||||
`"oidc2Auth":{`,
|
||||
`"oidc3Auth":{`,
|
||||
}
|
||||
|
||||
errBytes, _ := json.Marshal(err)
|
||||
@@ -145,10 +152,14 @@ func TestSettingsMerge(t *testing.T) {
|
||||
s2.GiteeAuth.ClientId = "gitee_test"
|
||||
s2.LivechatAuth.Enabled = true
|
||||
s2.LivechatAuth.ClientId = "livechat_test"
|
||||
s2.AuthentikAuth.Enabled = true
|
||||
s2.AuthentikAuth.ClientId = "authentik_test"
|
||||
s2.GiteaAuth.Enabled = true
|
||||
s2.GiteaAuth.ClientId = "gitea_test"
|
||||
s2.OIDCAuth.Enabled = true
|
||||
s2.OIDCAuth.ClientId = "oidc_test"
|
||||
s2.OIDC2Auth.Enabled = true
|
||||
s2.OIDC2Auth.ClientId = "oidc2_test"
|
||||
s2.OIDC3Auth.Enabled = true
|
||||
s2.OIDC3Auth.ClientId = "oidc3_test"
|
||||
|
||||
if err := s1.Merge(s2); err != nil {
|
||||
t.Fatal(err)
|
||||
@@ -199,47 +210,69 @@ func TestSettingsClone(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestSettingsRedactClone(t *testing.T) {
|
||||
testSecret := "test_secret"
|
||||
|
||||
s1 := settings.New()
|
||||
s1.Meta.AppName = "test123" // control field
|
||||
s1.Smtp.Password = "test123"
|
||||
s1.Smtp.Tls = true
|
||||
s1.S3.Secret = "test123"
|
||||
s1.AdminAuthToken.Secret = "test123"
|
||||
s1.AdminPasswordResetToken.Secret = "test123"
|
||||
s1.RecordAuthToken.Secret = "test123"
|
||||
s1.RecordPasswordResetToken.Secret = "test123"
|
||||
s1.RecordEmailChangeToken.Secret = "test123"
|
||||
s1.RecordVerificationToken.Secret = "test123"
|
||||
s1.GoogleAuth.ClientSecret = "test123"
|
||||
s1.FacebookAuth.ClientSecret = "test123"
|
||||
s1.GithubAuth.ClientSecret = "test123"
|
||||
s1.GitlabAuth.ClientSecret = "test123"
|
||||
s1.DiscordAuth.ClientSecret = "test123"
|
||||
s1.TwitterAuth.ClientSecret = "test123"
|
||||
s1.MicrosoftAuth.ClientSecret = "test123"
|
||||
s1.SpotifyAuth.ClientSecret = "test123"
|
||||
s1.KakaoAuth.ClientSecret = "test123"
|
||||
s1.TwitchAuth.ClientSecret = "test123"
|
||||
s1.StravaAuth.ClientSecret = "test123"
|
||||
s1.GiteeAuth.ClientSecret = "test123"
|
||||
s1.LivechatAuth.ClientSecret = "test123"
|
||||
s1.AuthentikAuth.ClientSecret = "test123"
|
||||
s1.GiteaAuth.ClientSecret = "test123"
|
||||
|
||||
// control fields
|
||||
s1.Meta.AppName = "test123"
|
||||
|
||||
// secrets
|
||||
s1.Smtp.Password = testSecret
|
||||
s1.S3.Secret = testSecret
|
||||
s1.AdminAuthToken.Secret = testSecret
|
||||
s1.AdminPasswordResetToken.Secret = testSecret
|
||||
s1.RecordAuthToken.Secret = testSecret
|
||||
s1.RecordPasswordResetToken.Secret = testSecret
|
||||
s1.RecordEmailChangeToken.Secret = testSecret
|
||||
s1.RecordVerificationToken.Secret = testSecret
|
||||
s1.GoogleAuth.ClientSecret = testSecret
|
||||
s1.FacebookAuth.ClientSecret = testSecret
|
||||
s1.GithubAuth.ClientSecret = testSecret
|
||||
s1.GitlabAuth.ClientSecret = testSecret
|
||||
s1.DiscordAuth.ClientSecret = testSecret
|
||||
s1.TwitterAuth.ClientSecret = testSecret
|
||||
s1.MicrosoftAuth.ClientSecret = testSecret
|
||||
s1.SpotifyAuth.ClientSecret = testSecret
|
||||
s1.KakaoAuth.ClientSecret = testSecret
|
||||
s1.TwitchAuth.ClientSecret = testSecret
|
||||
s1.StravaAuth.ClientSecret = testSecret
|
||||
s1.GiteeAuth.ClientSecret = testSecret
|
||||
s1.LivechatAuth.ClientSecret = testSecret
|
||||
s1.GiteaAuth.ClientSecret = testSecret
|
||||
s1.OIDCAuth.ClientSecret = testSecret
|
||||
s1.OIDC2Auth.ClientSecret = testSecret
|
||||
s1.OIDC3Auth.ClientSecret = testSecret
|
||||
|
||||
s1Bytes, err := json.Marshal(s1)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
s2, err := s1.RedactClone()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
encoded, err := json.Marshal(s2)
|
||||
s2Bytes, err := json.Marshal(s2)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
expected := `{"meta":{"appName":"test123","appUrl":"http://localhost:8090","hideControls":false,"senderName":"Support","senderAddress":"support@example.com","verificationTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eThank you for joining us at {APP_NAME}.\u003c/p\u003e\n\u003cp\u003eClick on the button below to verify your email address.\u003c/p\u003e\n\u003cp\u003e\n \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eVerify\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\n Thanks,\u003cbr/\u003e\n {APP_NAME} team\n\u003c/p\u003e","subject":"Verify your {APP_NAME} email","actionUrl":"{APP_URL}/_/#/auth/confirm-verification/{TOKEN}"},"resetPasswordTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eClick on the button below to reset your password.\u003c/p\u003e\n\u003cp\u003e\n \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eReset password\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\u003ci\u003eIf you didn't ask to reset your password, you can ignore this email.\u003c/i\u003e\u003c/p\u003e\n\u003cp\u003e\n Thanks,\u003cbr/\u003e\n {APP_NAME} team\n\u003c/p\u003e","subject":"Reset your {APP_NAME} password","actionUrl":"{APP_URL}/_/#/auth/confirm-password-reset/{TOKEN}"},"confirmEmailChangeTemplate":{"body":"\u003cp\u003eHello,\u003c/p\u003e\n\u003cp\u003eClick on the button below to confirm your new email address.\u003c/p\u003e\n\u003cp\u003e\n \u003ca class=\"btn\" href=\"{ACTION_URL}\" target=\"_blank\" rel=\"noopener\"\u003eConfirm new email\u003c/a\u003e\n\u003c/p\u003e\n\u003cp\u003e\u003ci\u003eIf you didn't ask to change your email address, you can ignore this email.\u003c/i\u003e\u003c/p\u003e\n\u003cp\u003e\n Thanks,\u003cbr/\u003e\n {APP_NAME} team\n\u003c/p\u003e","subject":"Confirm your {APP_NAME} new email 
address","actionUrl":"{APP_URL}/_/#/auth/confirm-email-change/{TOKEN}"}},"logs":{"maxDays":5},"smtp":{"enabled":false,"host":"smtp.example.com","port":587,"username":"","password":"******","authMethod":"","tls":true},"s3":{"enabled":false,"bucket":"","region":"","endpoint":"","accessKey":"","secret":"******","forcePathStyle":false},"adminAuthToken":{"secret":"******","duration":1209600},"adminPasswordResetToken":{"secret":"******","duration":1800},"recordAuthToken":{"secret":"******","duration":1209600},"recordPasswordResetToken":{"secret":"******","duration":1800},"recordEmailChangeToken":{"secret":"******","duration":1800},"recordVerificationToken":{"secret":"******","duration":604800},"emailAuth":{"enabled":false,"exceptDomains":null,"onlyDomains":null,"minPasswordLength":0},"googleAuth":{"enabled":false,"clientSecret":"******"},"facebookAuth":{"enabled":false,"clientSecret":"******"},"githubAuth":{"enabled":false,"clientSecret":"******"},"gitlabAuth":{"enabled":false,"clientSecret":"******"},"discordAuth":{"enabled":false,"clientSecret":"******"},"twitterAuth":{"enabled":false,"clientSecret":"******"},"microsoftAuth":{"enabled":false,"clientSecret":"******"},"spotifyAuth":{"enabled":false,"clientSecret":"******"},"kakaoAuth":{"enabled":false,"clientSecret":"******"},"twitchAuth":{"enabled":false,"clientSecret":"******"},"stravaAuth":{"enabled":false,"clientSecret":"******"},"giteeAuth":{"enabled":false,"clientSecret":"******"},"livechatAuth":{"enabled":false,"clientSecret":"******"},"authentikAuth":{"enabled":false,"clientSecret":"******"},"giteaAuth":{"enabled":false,"clientSecret":"******"}}`
|
||||
if bytes.Equal(s1Bytes, s2Bytes) {
|
||||
t.Fatalf("Expected the 2 settings to differ, got \n%s", s2Bytes)
|
||||
}
|
||||
|
||||
if encodedStr := string(encoded); encodedStr != expected {
|
||||
t.Fatalf("Expected\n%v\ngot\n%v", expected, encodedStr)
|
||||
if strings.Contains(string(s2Bytes), testSecret) {
|
||||
t.Fatalf("Expected %q secret to be replaced with mask, got \n%s", testSecret, s2Bytes)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(s2Bytes), settings.SecretMask) {
|
||||
t.Fatalf("Expected the secrets to be replaced with the secret mask, got \n%s", s2Bytes)
|
||||
}
|
||||
|
||||
if !strings.Contains(string(s2Bytes), `"appName":"test123"`) {
|
||||
t.Fatalf("Missing control field in \n%s", s2Bytes)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -250,7 +283,7 @@ func TestNamedAuthProviderConfigs(t *testing.T) {
|
||||
s.FacebookAuth.ClientId = "facebook_test"
|
||||
s.GithubAuth.ClientId = "github_test"
|
||||
s.GitlabAuth.ClientId = "gitlab_test"
|
||||
s.GitlabAuth.Enabled = true
|
||||
s.GitlabAuth.Enabled = true // control
|
||||
s.DiscordAuth.ClientId = "discord_test"
|
||||
s.TwitterAuth.ClientId = "twitter_test"
|
||||
s.MicrosoftAuth.ClientId = "microsoft_test"
|
||||
@@ -260,8 +293,10 @@ func TestNamedAuthProviderConfigs(t *testing.T) {
|
||||
s.StravaAuth.ClientId = "strava_test"
|
||||
s.GiteeAuth.ClientId = "gitee_test"
|
||||
s.LivechatAuth.ClientId = "livechat_test"
|
||||
s.AuthentikAuth.ClientId = "authentik_test"
|
||||
s.GiteaAuth.ClientId = "gitea_test"
|
||||
s.OIDCAuth.ClientId = "oidc_test"
|
||||
s.OIDC2Auth.ClientId = "oidc2_test"
|
||||
s.OIDC3Auth.ClientId = "oidc3_test"
|
||||
|
||||
result := s.NamedAuthProviderConfigs()
|
||||
|
||||
@@ -272,21 +307,23 @@ func TestNamedAuthProviderConfigs(t *testing.T) {
|
||||
encodedStr := string(encoded)
|
||||
|
||||
expectedParts := []string{
|
||||
`"discord":{"enabled":false,"clientId":"discord_test"}`,
|
||||
`"facebook":{"enabled":false,"clientId":"facebook_test"}`,
|
||||
`"github":{"enabled":false,"clientId":"github_test"}`,
|
||||
`"gitlab":{"enabled":true,"clientId":"gitlab_test"}`,
|
||||
`"google":{"enabled":false,"clientId":"google_test"}`,
|
||||
`"microsoft":{"enabled":false,"clientId":"microsoft_test"}`,
|
||||
`"spotify":{"enabled":false,"clientId":"spotify_test"}`,
|
||||
`"twitter":{"enabled":false,"clientId":"twitter_test"}`,
|
||||
`"kakao":{"enabled":false,"clientId":"kakao_test"}`,
|
||||
`"twitch":{"enabled":false,"clientId":"twitch_test"}`,
|
||||
`"strava":{"enabled":false,"clientId":"strava_test"}`,
|
||||
`"gitee":{"enabled":false,"clientId":"gitee_test"}`,
|
||||
`"livechat":{"enabled":false,"clientId":"livechat_test"}`,
|
||||
`"authentik":{"enabled":false,"clientId":"authentik_test"}`,
|
||||
`"gitea":{"enabled":false,"clientId":"gitea_test"}`,
|
||||
`"discord":{"enabled":false,"clientId":"discord_test"`,
|
||||
`"facebook":{"enabled":false,"clientId":"facebook_test"`,
|
||||
`"github":{"enabled":false,"clientId":"github_test"`,
|
||||
`"gitlab":{"enabled":true,"clientId":"gitlab_test"`,
|
||||
`"google":{"enabled":false,"clientId":"google_test"`,
|
||||
`"microsoft":{"enabled":false,"clientId":"microsoft_test"`,
|
||||
`"spotify":{"enabled":false,"clientId":"spotify_test"`,
|
||||
`"twitter":{"enabled":false,"clientId":"twitter_test"`,
|
||||
`"kakao":{"enabled":false,"clientId":"kakao_test"`,
|
||||
`"twitch":{"enabled":false,"clientId":"twitch_test"`,
|
||||
`"strava":{"enabled":false,"clientId":"strava_test"`,
|
||||
`"gitee":{"enabled":false,"clientId":"gitee_test"`,
|
||||
`"livechat":{"enabled":false,"clientId":"livechat_test"`,
|
||||
`"gitea":{"enabled":false,"clientId":"gitea_test"`,
|
||||
`"oidc":{"enabled":false,"clientId":"oidc_test"`,
|
||||
`"oidc2":{"enabled":false,"clientId":"oidc2_test"`,
|
||||
`"oidc3":{"enabled":false,"clientId":"oidc3_test"`,
|
||||
}
|
||||
for _, p := range expectedParts {
|
||||
if !strings.Contains(encodedStr, p) {
|
||||
|
||||