1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
import Fiber from 'fibers';
Meteor.startup(() => {
// Node Fibers 100% CPU usage issue
// https://github.com/wekan/wekan-mongodb/issues/2#issuecomment-381453161
// https://github.com/meteor/meteor/issues/9796#issuecomment-381676326
// https://github.com/sandstorm-io/sandstorm/blob/0f1fec013fe7208ed0fd97eb88b31b77e3c61f42/shell/server/00-startup.js#L99-L129
Fiber.poolSize = 1e9;
Accounts.validateLoginAttempt(function(options) {
const user = options.user || {};
return !user.loginDisabled;
});
Authentication = {};
Authentication.checkUserId = function(userId) {
if (userId === undefined) {
const error = new Meteor.Error('Unauthorized', 'Unauthorized');
error.statusCode = 401;
throw error;
}
const admin = Users.findOne({ _id: userId, isAdmin: true });
if (admin === undefined) {
const error = new Meteor.Error('Forbidden', 'Forbidden');
error.statusCode = 403;
throw error;
}
};
// This will only check if the user is logged in.
// The authorization checks for the user will have to be done inside each API endpoint
Authentication.checkLoggedIn = function(userId) {
if (userId === undefined) {
const error = new Meteor.Error('Unauthorized', 'Unauthorized');
error.statusCode = 401;
throw error;
}
};
// An admin should be authorized to access everything, so we use a separate check for admins
// This throws an error if otherReq is false and the user is not an admin
Authentication.checkAdminOrCondition = function(userId, otherReq) {
if (otherReq) return;
const admin = Users.findOne({ _id: userId, isAdmin: true });
if (admin === undefined) {
const error = new Meteor.Error('Forbidden', 'Forbidden');
error.statusCode = 403;
throw error;
}
};
// Helper function. Will throw an error if the user does not have read only access to the given board
Authentication.checkBoardAccess = function(userId, boardId) {
Authentication.checkLoggedIn(userId);
const board = Boards.findOne({ _id: boardId });
const normalAccess =
board.permission === 'public' ||
board.members.some(e => e.userId === userId && e.isActive);
Authentication.checkAdminOrCondition(userId, normalAccess);
};
if (Meteor.isServer) {
if (process.env.OAUTH2_CLIENT_ID !== '') {
ServiceConfiguration.configurations.upsert(
// eslint-disable-line no-undef
{ service: 'oidc' },
{
$set: {
loginStyle: process.env.OAUTH2_LOGIN_STYLE,
clientId: process.env.OAUTH2_CLIENT_ID,
secret: process.env.OAUTH2_SECRET,
serverUrl: process.env.OAUTH2_SERVER_URL,
authorizationEndpoint: process.env.OAUTH2_AUTH_ENDPOINT,
userinfoEndpoint: process.env.OAUTH2_USERINFO_ENDPOINT,
tokenEndpoint: process.env.OAUTH2_TOKEN_ENDPOINT,
idTokenWhitelistFields:
process.env.OAUTH2_ID_TOKEN_WHITELIST_FIELDS || [],
requestPermissions: process.env.OAUTH2_REQUEST_PERMISSIONS,
},
// OAUTH2_ID_TOKEN_WHITELIST_FIELDS || [],
// OAUTH2_REQUEST_PERMISSIONS || 'openid profile email',
},
);
}
}
});
|
