feat(oauth): Add option to logout from OpenID Connect provider

* Fixes #598 Signed-off-by: Marvin A. Ruder <signed@mruder.dev>
2024-10-14 18:16:47 +02:00
parent 104cc06145
commit 2b3ce3ffd2
15 changed files with 88 additions and 15 deletions
--- a/backend/src/oauth/dto/oauthSignIn.dto.ts
+++ b/backend/src/oauth/dto/oauthSignIn.dto.ts
@@ -4,4 +4,5 @@ export interface OAuthSignInDto {
  providerUsername: string;
  email: string;
  isAdmin?: boolean;
+  idToken?: string;
 }
--- a/backend/src/oauth/oauth.module.ts
+++ b/backend/src/oauth/oauth.module.ts
@@ -1,4 +1,4 @@
-import { Module } from "@nestjs/common";
+import { forwardRef, Module } from "@nestjs/common";
 import { OAuthController } from "./oauth.controller";
 import { OAuthService } from "./oauth.service";
 import { AuthModule } from "../auth/auth.module";
@@ -51,6 +51,7 @@ import { MicrosoftProvider } from "./provider/microsoft.provider";
      inject: ["OAUTH_PROVIDERS"],
    },
  ],
-  imports: [AuthModule],
+  imports: [forwardRef(() => AuthModule)],
+  exports: [OAuthService],
 })
 export class OAuthModule {}
--- a/backend/src/oauth/oauth.service.ts
+++ b/backend/src/oauth/oauth.service.ts
@@ -1,4 +1,4 @@
-import { Inject, Injectable, Logger } from "@nestjs/common";
+import { forwardRef, Inject, Injectable, Logger } from "@nestjs/common";
 import { User } from "@prisma/client";
 import { nanoid } from "nanoid";
 import { AuthService } from "../auth/auth.service";
@@ -6,14 +6,16 @@ import { ConfigService } from "../config/config.service";
 import { PrismaService } from "../prisma/prisma.service";
 import { OAuthSignInDto } from "./dto/oauthSignIn.dto";
 import { ErrorPageException } from "./exceptions/errorPage.exception";
+import { OAuthProvider } from "./provider/oauthProvider.interface";

@Injectable()
 export class OAuthService {
  constructor(
    private prisma: PrismaService,
    private config: ConfigService,
-    private auth: AuthService,
+    @Inject(forwardRef(() => AuthService)) private auth: AuthService,
    @Inject("OAUTH_PLATFORMS") private platforms: string[],
+    @Inject("OAUTH_PROVIDERS") private oAuthProviders: Record<string, OAuthProvider<unknown>>,
  ) {}
  private readonly logger = new Logger(OAuthService.name);

@@ -27,6 +29,16 @@ export class OAuthService {
      .map(([platform, _]) => platform);
  }

+  availableProviders(): Record<string, OAuthProvider<unknown>> {
+    return Object.fromEntries(Object.entries(this.oAuthProviders)
+      .map(([providerName, provider]) => [
+        [providerName, provider],
+        this.config.get(`oauth.${providerName}-enabled`),
+      ])
+      .filter(([_, enabled]) => enabled)
+      .map(([provider, _]) => provider));
+  }
+
  async status(user: User) {
    const oauthUsers = await this.prisma.oAuthUser.findMany({
      select: {
@@ -55,7 +67,7 @@ export class OAuthService {
        },
      });
      this.logger.log(`Successful login for user ${user.email} from IP ${ip}`);
-      return this.auth.generateToken(updatedUser, true);
+      return this.auth.generateToken(updatedUser, { idToken: user.idToken });
    }

    return this.signUp(user, ip);
@@ -156,7 +168,7 @@ export class OAuthService {
        },
      });
      await this.updateIsAdmin(user);
-      return this.auth.generateToken(existingUser, true);
+      return this.auth.generateToken(existingUser, { idToken: user.idToken });
    }

    const result = await this.auth.signUp(
--- a/backend/src/oauth/provider/discord.provider.ts
+++ b/backend/src/oauth/provider/discord.provider.ts
@@ -91,6 +91,7 @@ export class DiscordProvider implements OAuthProvider<DiscordToken> {
      providerId: user.id,
      providerUsername: user.global_name ?? user.username,
      email: user.email,
+      idToken: `discord:${token.idToken}`,
    };
  }

--- a/backend/src/oauth/provider/genericOidc.provider.ts
+++ b/backend/src/oauth/provider/genericOidc.provider.ts
@@ -197,6 +197,7 @@ export abstract class GenericOidcProvider implements OAuthProvider<OidcToken> {
      providerId: idTokenData.sub,
      providerUsername: username,
      ...(isAdmin !== undefined && { isAdmin }),
+      idToken: `${this.name}:${token.idToken}`,
    };
  }

@@ -251,6 +252,8 @@ export interface OidcConfiguration {
  id_token_signing_alg_values_supported: string[];
  scopes_supported?: string[];
  claims_supported?: string[];
+  frontchannel_logout_supported?: boolean;
+  end_session_endpoint?: string;
 }

 export interface OidcJwk {
--- a/backend/src/oauth/provider/github.provider.ts
+++ b/backend/src/oauth/provider/github.provider.ts
@@ -61,6 +61,7 @@ export class GitHubProvider implements OAuthProvider<GitHubToken> {
      providerId: user.id.toString(),
      providerUsername: user.name ?? user.login,
      email,
+      idToken: `github:${token.idToken}`,
    };
  }