ff52fde8a5
This change ensures that we always store and then check the contents of the OAuth `state` argument against a session-stored CSRF token. Fixes https://www.pivotaltracker.com/story/show/135803615
132 lines
No EOL
3.3 KiB
JavaScript
132 lines
No EOL
3.3 KiB
JavaScript
/**
|
|
* Service which exposes the supported external logins.
|
|
*/
|
|
angular.module('quay').factory('ExternalLoginService', ['KeyService', 'Features', 'Config',
|
|
function(KeyService, Features, Config) {
|
|
var externalLoginService = {};
|
|
|
|
externalLoginService.getLoginUrl = function(service, action) {
|
|
var serviceInfo = externalLoginService.getProvider(service);
|
|
if (!serviceInfo) { return ''; }
|
|
|
|
var loginUrl = KeyService.getConfiguration(serviceInfo.key, 'AUTHORIZE_ENDPOINT');
|
|
var clientId = KeyService.getConfiguration(serviceInfo.key, 'CLIENT_ID');
|
|
|
|
var scope = serviceInfo.scopes();
|
|
var redirectUri = Config.getUrl('/oauth2/' + service + '/callback');
|
|
|
|
if (action == 'attach') {
|
|
redirectUri += '/attach';
|
|
}
|
|
|
|
var url = loginUrl + 'client_id=' + clientId + '&scope=' + scope + '&redirect_uri=' +
|
|
redirectUri;
|
|
return url;
|
|
};
|
|
|
|
var DEX = {
|
|
id: 'dex',
|
|
key: 'DEX_LOGIN_CONFIG',
|
|
|
|
title: function() {
|
|
return KeyService.getConfiguration('DEX_LOGIN_CONFIG', 'OIDC_TITLE');
|
|
},
|
|
|
|
icon: function() {
|
|
return {'url': KeyService.getConfiguration('DEX_LOGIN_CONFIG', 'OIDC_LOGO') };
|
|
},
|
|
|
|
scopes: function() {
|
|
return 'openid email profile'
|
|
},
|
|
|
|
enabled: Features.DEX_LOGIN
|
|
};
|
|
|
|
var GITHUB = {
|
|
id: 'github',
|
|
key: 'GITHUB_LOGIN_CONFIG',
|
|
|
|
title: function() {
|
|
return KeyService.isEnterprise('github') ? 'GitHub Enterprise' : 'GitHub';
|
|
},
|
|
|
|
icon: function() {
|
|
return {'icon': 'fa-github'};
|
|
},
|
|
|
|
hasUserInfo: true,
|
|
getUserInfo: function(service_info) {
|
|
username = service_info['metadata']['service_username'];
|
|
return {
|
|
'username': username,
|
|
'endpoint': KeyService['githubEndpoint'] + username
|
|
}
|
|
},
|
|
|
|
scopes: function() {
|
|
var scopes = 'user:email';
|
|
if (KeyService.getConfiguration('GITHUB_LOGIN_CONFIG', 'ORG_RESTRICT')) {
|
|
scopes += ' read:org';
|
|
}
|
|
|
|
return scopes;
|
|
},
|
|
|
|
enabled: Features.GITHUB_LOGIN
|
|
};
|
|
|
|
var GOOGLE = {
|
|
id: 'google',
|
|
key: 'GOOGLE_LOGIN_CONFIG',
|
|
|
|
title: function() {
|
|
return 'Google';
|
|
},
|
|
|
|
icon: function() {
|
|
return {'icon': 'fa-google'};
|
|
},
|
|
|
|
scopes: function() {
|
|
return 'openid email';
|
|
},
|
|
|
|
enabled: Features.GOOGLE_LOGIN
|
|
};
|
|
|
|
externalLoginService.ALL_EXTERNAL_LOGINS = [
|
|
DEX, GITHUB, GOOGLE
|
|
];
|
|
|
|
externalLoginService.EXTERNAL_LOGINS = externalLoginService.ALL_EXTERNAL_LOGINS.filter(function(el) {
|
|
return el.enabled;
|
|
});
|
|
|
|
externalLoginService.getProvider = function(providerId) {
|
|
for (var i = 0; i < externalLoginService.EXTERNAL_LOGINS.length; ++i) {
|
|
var current = externalLoginService.EXTERNAL_LOGINS[i];
|
|
if (current.id == providerId) {
|
|
return current;
|
|
}
|
|
}
|
|
|
|
return null;
|
|
};
|
|
|
|
externalLoginService.hasSingleSignin = function() {
|
|
return externalLoginService.EXTERNAL_LOGINS.length == 1 && !Features.DIRECT_LOGIN;
|
|
};
|
|
|
|
externalLoginService.getSingleSigninUrl = function() {
|
|
// If there is a single external login service and direct login is disabled,
|
|
// then redirect to the external login directly.
|
|
if (externalLoginService.hasSingleSignin()) {
|
|
return externalLoginService.getLoginUrl(externalLoginService.EXTERNAL_LOGINS[0].id);
|
|
}
|
|
|
|
return null;
|
|
};
|
|
|
|
return externalLoginService;
|
|
}]); |