Enforce token auth for odic config PUT call

Author: oechsler

backend/lib/express/jwt-decode.js

@@ -4,9 +4,14 @@ module.exports = () => {
 	return function (req, res, next) {
 		res.locals.access = null;
 		let access        = new Access(res.locals.token || null);
-		// allow unauthenticated access to OIDC configuration
-		let anon_access = req.url === '/oidc-config' && !access.token.getUserId();
-		access.load(anon_access)
+
+		// Allow unauthenticated access to get the oidc configuration
+		let oidc_access =
+			req.url === '/oidc-config' &&
+			req.method === 'GET' &&
+			!access.token.getUserId();
+
+		access.load(oidc_access)
 			.then(() => {
 				res.locals.access = access;
 				next();

backend/routes/oidc.js

@@ -1,11 +1,11 @@
 const crypto        = require('crypto');
-const error         = require('../../lib/error');
+const error         = require('../lib/error');
 const express       = require('express');
-const jwtdecode     = require('../../lib/express/jwt-decode');
-const logger        = require('../../logger').oidc;
+const jwtdecode     = require('../lib/express/jwt-decode');
+const logger        = require('../logger').oidc;
 const oidc          = require('openid-client');
-const settingModel  = require('../../models/setting');
-const internalToken = require('../../internal/token');
+const settingModel  = require('../models/setting');
+const internalToken = require('../internal/token');
 
 let router = express.Router({
 	caseSensitive: true,

backend/routes/settings.js

@@ -72,13 +72,14 @@ router
 			})
 			.then((row) => {
 				if (row.id === 'oidc-config') {
-					// redact oidc configuration via api
+					// Redact oidc configuration via api (unauthenticated get call)
 					let m    = row.meta;
 					row.meta = {
 						name:    m.name,
 						enabled: m.enabled === true && !!(m.clientID && m.clientSecret && m.issuerURL && m.redirectURL && m.name)
 					};
-					// remove these temporary cookies used during oidc authentication
+
+					// Remove these temporary cookies used during oidc authentication
 					res.clearCookie('npm_oidc');
 					res.clearCookie('npm_oidc_error');
 				}

frontend/js/app/api.js

@@ -59,8 +59,11 @@ function fetch(verb, path, data, options) {
             },
 
             beforeSend: function (xhr) {
-                // allow unauthenticated access to OIDC configuration
-                if (path === 'settings/oidc-config') return;
+                // Allow unauthenticated access to get the oidc configuration
+                if (path === 'settings/oidc-config' && verb === "get") {
+                    return;
+                }
+
                 xhr.setRequestHeader('Authorization', 'Bearer ' + (token ? token.t : null));
             },