feat(auth): Add external authentication (OAuth/OIDC & LDAP) with admin management, UI, and encryption support

2025-12-03 22:09:35 +00:00
parent 44e92d48f2
commit d3fd40ce2f
27 changed files with 4512 additions and 61 deletions
--- a/ts/services/auth/strategies/oauth.strategy.ts
+++ b/ts/services/auth/strategies/oauth.strategy.ts
@@ -0,0 +1,263 @@
+/**
+ * OAuth/OIDC Authentication Strategy
+ * Handles OAuth 2.0 and OpenID Connect flows
+ */
+
+import type { AuthProvider } from '../../../models/auth.provider.ts';
+import type { CryptoService } from '../../crypto.service.ts';
+import type {
+  IExternalUserInfo,
+  IConnectionTestResult,
+} from '../../../interfaces/auth.interfaces.ts';
+import type { IAuthStrategy, IOAuthCallbackData } from './auth.strategy.interface.ts';
+
+interface ITokenResponse {
+  access_token: string;
+  token_type: string;
+  expires_in?: number;
+  refresh_token?: string;
+  id_token?: string;
+  scope?: string;
+}
+
+interface IOIDCDiscovery {
+  issuer: string;
+  authorization_endpoint: string;
+  token_endpoint: string;
+  userinfo_endpoint?: string;
+  jwks_uri?: string;
+  scopes_supported?: string[];
+}
+
+export class OAuthStrategy implements IAuthStrategy {
+  private discoveryCache: IOIDCDiscovery | null = null;
+
+  constructor(
+    private provider: AuthProvider,
+    private cryptoService: CryptoService
+  ) {}
+
+  /**
+   * Get the authorization URL for initiating OAuth flow
+   */
+  public async getAuthorizationUrl(state: string, nonce?: string): Promise<string> {
+    const config = this.provider.oauthConfig;
+    if (!config) {
+      throw new Error('OAuth config not found');
+    }
+
+    // Get authorization URL from config or discovery
+    let authorizationUrl = config.authorizationUrl;
+    if (!authorizationUrl) {
+      const discovery = await this.getDiscovery();
+      authorizationUrl = discovery.authorization_endpoint;
+    }
+
+    const params = new URLSearchParams({
+      client_id: config.clientId,
+      redirect_uri: config.callbackUrl,
+      response_type: 'code',
+      scope: config.scopes.join(' '),
+      state,
+    });
+
+    // Add nonce for OIDC
+    if (nonce) {
+      params.set('nonce', nonce);
+    }
+
+    return `${authorizationUrl}?${params.toString()}`;
+  }
+
+  /**
+   * Handle OAuth callback - exchange code for tokens and get user info
+   */
+  public async handleCallback(data: IOAuthCallbackData): Promise<IExternalUserInfo> {
+    if (data.error) {
+      throw new Error(`OAuth error: ${data.error} - ${data.errorDescription || ''}`);
+    }
+
+    const config = this.provider.oauthConfig;
+    if (!config) {
+      throw new Error('OAuth config not found');
+    }
+
+    // Exchange code for tokens
+    const tokens = await this.exchangeCodeForTokens(data.code);
+
+    // Get user info
+    const userInfo = await this.fetchUserInfo(tokens.access_token);
+
+    // Map attributes according to provider config
+    return this.mapAttributes(userInfo);
+  }
+
+  /**
+   * Test connection by fetching OIDC discovery document
+   */
+  public async testConnection(): Promise<IConnectionTestResult> {
+    const start = Date.now();
+    const config = this.provider.oauthConfig;
+
+    if (!config) {
+      return {
+        success: false,
+        latencyMs: Date.now() - start,
+        error: 'OAuth config not found',
+      };
+    }
+
+    try {
+      const discovery = await this.getDiscovery();
+
+      return {
+        success: true,
+        latencyMs: Date.now() - start,
+        serverInfo: {
+          issuer: discovery.issuer,
+          scopes_supported: discovery.scopes_supported,
+          has_userinfo: !!discovery.userinfo_endpoint,
+        },
+      };
+    } catch (error) {
+      return {
+        success: false,
+        latencyMs: Date.now() - start,
+        error: error instanceof Error ? error.message : String(error),
+      };
+    }
+  }
+
+  /**
+   * Exchange authorization code for tokens
+   */
+  private async exchangeCodeForTokens(code: string): Promise<ITokenResponse> {
+    const config = this.provider.oauthConfig!;
+
+    // Get token URL from config or discovery
+    let tokenUrl = config.tokenUrl;
+    if (!tokenUrl) {
+      const discovery = await this.getDiscovery();
+      tokenUrl = discovery.token_endpoint;
+    }
+
+    // Decrypt client secret
+    const clientSecret = await this.cryptoService.decrypt(config.clientSecretEncrypted);
+
+    const response = await fetch(tokenUrl, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        Accept: 'application/json',
+      },
+      body: new URLSearchParams({
+        grant_type: 'authorization_code',
+        code,
+        redirect_uri: config.callbackUrl,
+        client_id: config.clientId,
+        client_secret: clientSecret,
+      }),
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`Token exchange failed: ${response.status} - ${errorText}`);
+    }
+
+    return await response.json();
+  }
+
+  /**
+   * Fetch user info from the provider
+   */
+  private async fetchUserInfo(accessToken: string): Promise<Record<string, unknown>> {
+    const config = this.provider.oauthConfig!;
+
+    // Get userinfo URL from config or discovery
+    let userInfoUrl = config.userInfoUrl;
+    if (!userInfoUrl) {
+      const discovery = await this.getDiscovery();
+      userInfoUrl = discovery.userinfo_endpoint;
+    }
+
+    if (!userInfoUrl) {
+      throw new Error('UserInfo endpoint not found');
+    }
+
+    const response = await fetch(userInfoUrl, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: 'application/json',
+      },
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`UserInfo fetch failed: ${response.status} - ${errorText}`);
+    }
+
+    return await response.json();
+  }
+
+  /**
+   * Get OIDC discovery document
+   */
+  private async getDiscovery(): Promise<IOIDCDiscovery> {
+    if (this.discoveryCache) {
+      return this.discoveryCache;
+    }
+
+    const config = this.provider.oauthConfig!;
+    const discoveryUrl = `${config.issuer}/.well-known/openid-configuration`;
+
+    const response = await fetch(discoveryUrl, {
+      headers: { Accept: 'application/json' },
+    });
+
+    if (!response.ok) {
+      throw new Error(`OIDC discovery failed: ${response.status}`);
+    }
+
+    this.discoveryCache = await response.json();
+    return this.discoveryCache!;
+  }
+
+  /**
+   * Map provider attributes to standard user info
+   */
+  private mapAttributes(rawInfo: Record<string, unknown>): IExternalUserInfo {
+    const mapping = this.provider.attributeMapping;
+
+    // Get external ID (sub for OIDC, or id for OAuth2)
+    const externalId = String(rawInfo.sub || rawInfo.id || '');
+    if (!externalId) {
+      throw new Error('External ID not found in user info');
+    }
+
+    // Get email
+    const email = rawInfo[mapping.email];
+    if (!email || typeof email !== 'string') {
+      throw new Error('Email not found in user info');
+    }
+
+    return {
+      externalId,
+      email,
+      username: rawInfo[mapping.username]
+        ? String(rawInfo[mapping.username])
+        : undefined,
+      displayName: rawInfo[mapping.displayName]
+        ? String(rawInfo[mapping.displayName])
+        : undefined,
+      avatarUrl: mapping.avatarUrl && rawInfo[mapping.avatarUrl]
+        ? String(rawInfo[mapping.avatarUrl])
+        : (rawInfo.picture ? String(rawInfo.picture) : undefined),
+      groups: mapping.groups && rawInfo[mapping.groups]
+        ? (Array.isArray(rawInfo[mapping.groups])
+            ? (rawInfo[mapping.groups] as string[])
+            : [String(rawInfo[mapping.groups])])
+        : undefined,
+      rawAttributes: rawInfo,
+    };
+  }
+}