Implement (optional) SSO via OIDC (OpenID Connect) (#64)

This implements optional SSO via OIDC for logging in and signing up (for the first admin sign up or if sign up is allowed). The most requested feature!

Tested with Authentik and Google!

It includes a new `SimpleCache` interface (in-memory, using [`caches`](https://developer.mozilla.org/en-US/docs/Web/API/Window/caches)) for storing the state and code challenges.

Closes #13

lib/config.ts

@@ -14,6 +14,10 @@ export class AppConfig {
         enableMultiFactor: false,
         allowedCookieDomains: [],
         skipCookieDomainSecurity: false,
+        enableSingleSignOn: false,
+        singleSignOnUrl: '',
+        singleSignOnEmailAttribute: 'email',
+        singleSignOnScopes: ['openid', 'email'],
       },
       files: {
         rootPath: 'data-files',
@@ -200,6 +204,12 @@ export class AppConfig {
     return this.config.auth.enableMultiFactor;
   }
 
+  static async isSingleSignOnEnabled(): Promise<boolean> {
+    await this.loadConfig();
+
+    return this.config.auth.enableSingleSignOn;
+  }
+
   static async getFilesRootPath(): Promise<string> {
     await this.loadConfig();
 

lib/interfaces/simple-cache.ts

@@ -0,0 +1,69 @@
+const CACHE_NAME_PREFIX = 'bewcloud-v1-';
+
+const CURRENT_CACHES: Set<string> = new Set();
+
+const FALLBACK_CACHE: Map<string, string> = new Map();
+
+export default class SimpleCache {
+  protected cacheName = `${CACHE_NAME_PREFIX}default`;
+
+  constructor(cacheName = 'default') {
+    this.cacheName = `${CACHE_NAME_PREFIX}${cacheName}`;
+  }
+
+  public async get() {
+    if (!CURRENT_CACHES.has(this.cacheName)) {
+      return '';
+    }
+
+    try {
+      const request = new Request(`https://fake.cache/${this.cacheName}`);
+      const cache = await caches.open(this.cacheName);
+      const response = await cache.match(request);
+
+      if (response) {
+        return response.text();
+      }
+    } catch (error) {
+      console.error(error);
+
+      return FALLBACK_CACHE.get(this.cacheName) || '';
+    }
+
+    return '';
+  }
+
+  public async set(value: string) {
+    if (!CURRENT_CACHES.has(this.cacheName)) {
+      CURRENT_CACHES.add(this.cacheName);
+    }
+
+    try {
+      await this.clear();
+
+      const request = new Request(`https://fake.cache/${this.cacheName}`);
+      const cache = await caches.open(this.cacheName);
+      const response = new Response(value, { headers: { 'Content-Type': 'text/plain; charset=utf-8' } });
+
+      await cache.put(request, response.clone());
+    } catch (error) {
+      console.error(error);
+
+      FALLBACK_CACHE.set(this.cacheName, value);
+    }
+  }
+
+  public async clear() {
+    if (!CURRENT_CACHES.has(this.cacheName)) {
+      return null;
+    }
+
+    try {
+      await caches.delete(this.cacheName);
+    } catch (error) {
+      console.error(error);
+
+      FALLBACK_CACHE.delete(this.cacheName);
+    }
+  }
+}

lib/models/oidc.ts

@@ -0,0 +1,203 @@
+import { decodeBase64Url } from 'std/encoding/base64url.ts';
+import * as openIdClient from 'openid-client';
+import 'std/dotenv/load.ts';
+
+import { createSessionResponse, dataToText } from '/lib/auth.ts';
+import { UserModel } from '/lib/models/user.ts';
+import { generateRandomCode } from '/lib/utils/misc.ts';
+import { AppConfig } from '/lib/config.ts';
+import SimpleCache from '/lib/interfaces/simple-cache.ts';
+
+const OIDC_CLIENT_ID = Deno.env.get('OIDC_CLIENT_ID') || '';
+const OIDC_CLIENT_SECRET = Deno.env.get('OIDC_CLIENT_SECRET') || '';
+
+interface OidcExtraState {
+  redirectTo?: string;
+}
+
+interface OidcJwtIdToken extends Record<string, string | undefined> {
+  email?: string;
+  name?: string;
+  sub?: string;
+}
+
+export class OidcModel {
+  static async getSignInUrl(
+    {
+      requestPermissions,
+      redirectUrlPath = '/oidc/callback',
+      extraState = {},
+    }: {
+      requestPermissions: string[];
+      redirectUrlPath?: string;
+      extraState?: OidcExtraState;
+    },
+  ): Promise<string> {
+    const state = {
+      ...extraState,
+      random: generateRandomCode(8),
+    };
+
+    const config = await AppConfig.getConfig();
+
+    const baseUrl = config.auth.baseUrl;
+    const oidcBaseUrl = config.auth.singleSignOnUrl;
+    const oidcOptions = oidcBaseUrl.startsWith('http://')
+      ? { execute: [openIdClient.allowInsecureRequests] }
+      : undefined;
+
+    try {
+      const oidcConfig = await openIdClient.discovery(
+        new URL(oidcBaseUrl),
+        OIDC_CLIENT_ID,
+        OIDC_CLIENT_SECRET,
+        undefined,
+        oidcOptions,
+      );
+
+      const redirectUrl = `${baseUrl}${redirectUrlPath}`;
+
+      const codeVerifier = openIdClient.randomPKCECodeVerifier();
+
+      const params = {
+        client_id: OIDC_CLIENT_ID,
+        redirect_uri: redirectUrl,
+        state: btoa(JSON.stringify(state)),
+        scope: requestPermissions.join(' '),
+        code_challenge: await openIdClient.calculatePKCECodeChallenge(codeVerifier),
+        code_challenge_method: 'S256',
+      };
+
+      const oidcStateCache = new SimpleCache(`oidc:state:${params.state}`);
+
+      await oidcStateCache.set(JSON.stringify({ state, codeVerifier }));
+
+      const oidcUrl = openIdClient.buildAuthorizationUrl(oidcConfig, params);
+
+      return oidcUrl.href;
+    } catch (error) {
+      console.log(`Failed to get OIDC sign in URL: ${error}`);
+      console.error(error);
+
+      return '';
+    }
+  }
+
+  private static decodeJwt(jwt: string): OidcJwtIdToken {
+    const jwtParts = jwt.split('.');
+    if (jwtParts.length !== 3) {
+      throw new Error('Malformed JWT');
+    }
+
+    return JSON.parse(dataToText(decodeBase64Url(jwtParts[1]))) as OidcJwtIdToken;
+  }
+
+  private static parseState(state: string): OidcExtraState {
+    let stateParams: OidcExtraState = {};
+
+    try {
+      stateParams = JSON.parse(atob(state));
+    } catch (error) {
+      console.log(`Failed to parse OIDC state: ${error}`);
+      console.error(error);
+    }
+
+    return stateParams;
+  }
+
+  static async validateAndCreateSession(request: Request) {
+    const urlSearchParams = new URL(request.url).searchParams;
+    const state = urlSearchParams.get('state');
+
+    if (!state) {
+      throw new Error('Missing OIDC "state" parameter');
+    }
+
+    const oidcStateCache = new SimpleCache(`oidc:state:${state}`);
+
+    let expectedState: string;
+    let expectedCodeVerifier: string;
+
+    try {
+      const cacheValue = await oidcStateCache.get();
+
+      const { state, codeVerifier } = JSON.parse(cacheValue) as {
+        state: OidcExtraState;
+        codeVerifier: string;
+      };
+
+      expectedState = btoa(JSON.stringify(state));
+      expectedCodeVerifier = codeVerifier;
+    } catch (error) {
+      console.log(`Failed to verify/parse OIDC code: ${error}`);
+      console.error(error);
+
+      throw new Error('Invalid OIDC code');
+    }
+
+    const config = await AppConfig.getConfig();
+
+    const oidcBaseUrl = config.auth.singleSignOnUrl;
+    const emailAttribute = config.auth.singleSignOnEmailAttribute;
+    const oidcOptions = oidcBaseUrl.startsWith('http://')
+      ? { execute: [openIdClient.allowInsecureRequests] }
+      : undefined;
+
+    const oidcConfig = await openIdClient.discovery(
+      new URL(oidcBaseUrl),
+      OIDC_CLIENT_ID,
+      OIDC_CLIENT_SECRET,
+      undefined,
+      oidcOptions,
+    );
+
+    const tokens = await openIdClient.authorizationCodeGrant(
+      oidcConfig,
+      new URL(request.url),
+      {
+        pkceCodeVerifier: expectedCodeVerifier,
+        expectedState,
+      },
+    );
+
+    const oidcParams = this.decodeJwt(tokens.id_token!);
+
+    const email = oidcParams[emailAttribute];
+
+    if (!email) {
+      throw new Error(`Missing user/${emailAttribute}`);
+    }
+
+    const isSignupAllowed = await AppConfig.isSignupAllowed();
+    const isThereAnAdmin = await UserModel.isThereAnAdmin();
+
+    // Confirm the user exists (or signup if allowed)
+    let user = await UserModel.getByEmail(email);
+
+    if (!user && (isSignupAllowed || !isThereAnAdmin)) {
+      // An empty password will always be impossible to login with
+      user = await UserModel.create(email, '');
+    }
+
+    if (!user) {
+      throw new Error('There was a problem signing up or logging in!');
+    }
+
+    let urlToRedirectTo = '/dashboard';
+
+    if (urlSearchParams.has('state')) {
+      const state = this.parseState(urlSearchParams.get('state')!);
+
+      if (state.redirectTo) {
+        urlToRedirectTo = state.redirectTo;
+      }
+    }
+
+    const response = await createSessionResponse(request, user, { urlToRedirectTo });
+
+    return {
+      response,
+      user,
+    };
+  }
+}

lib/types.ts

@@ -163,6 +163,14 @@ export interface Config {
     allowedCookieDomains: string[];
     /** If true, the cookie domain will not be strictly set and checked against. This skipping slightly reduces security, but is usually necessary for reverse proxies like Cloudflare Tunnel. */
     skipCookieDomainSecurity: boolean;
+    /** If true, single sign-on will be enabled */
+    enableSingleSignOn: boolean;
+    /** The Discovery URL (AKA Issuer) of the identity/single sign-on provider */
+    singleSignOnUrl: string;
+    /** The attribute to prefer as email of the identity/single sign-on provider */
+    singleSignOnEmailAttribute: string;
+    /** The scopes to request from the identity/single sign-on provider */
+    singleSignOnScopes: string[];
   };
   files: {
     /** The root-relative root path for files, i.e. "data-files" */

lib/utils/misc.ts

@@ -58,6 +58,17 @@ export function generateRandomCode(length = 6) {
   return codeDigits.join('');
 }
 
+/** This generates a random string, including unicode characters. */
+export function generateRandomString(length = 10) {
+  const array = new Uint8Array(length * 2);
+  crypto.getRandomValues(array);
+
+  return Array.from(array)
+    .map((byte) => String.fromCharCode(byte))
+    .join('')
+    .slice(0, length);
+}
+
 export async function generateHash(value: string, algorithm: AlgorithmIdentifier) {
   const hashedValueData = await crypto.subtle.digest(
     algorithm,