From 22e398d2bf2b2e8674baf7bfd086813b9ee3166e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=81=BE=E3=81=A3=E3=81=A1=E3=82=83=E3=81=A8=E3=83=BC?=
 =?UTF-8?q?=E3=81=AB=E3=82=85?= <17376330+u1-liquid@users.noreply.github.com>
Date: Sat, 13 Apr 2024 15:56:54 +0900
Subject: [PATCH] =?UTF-8?q?spec(SSO):=20=E3=83=A1=E3=83=BC=E3=83=AB?=
 =?UTF-8?q?=E3=82=A2=E3=83=89=E3=83=AC=E3=82=B9=E3=81=8C=E7=99=BB=E9=8C=B2?=
 =?UTF-8?q?=E3=81=95=E3=82=8C=E3=81=A6=E3=81=84=E3=81=AA=E3=81=84=E5=A0=B4?=
 =?UTF-8?q?=E5=90=88=E3=80=81=E3=83=A1=E3=82=A2=E3=83=89=E3=83=95=E3=82=A3?=
 =?UTF-8?q?=E3=83=BC=E3=83=AB=E3=83=89=E3=81=AE=E5=80=A4=E3=81=ABaact?=
 =?UTF-8?q?=E3=82=92=E5=85=A5=E3=82=8C=E3=82=8B=20(MisskeyIO#607)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../src/server/oauth/OAuth2ProviderService.ts | 29 ++++++++++++-------
 .../server/sso/JWTIdentifyProviderService.ts | 2 +-
 .../server/sso/SAMLIdentifyProviderService.ts | 13 +++++----
 3 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/packages/backend/src/server/oauth/OAuth2ProviderService.ts b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
index 5350e7cf37..ac88c40844 100644
--- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts
+++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
@@ -44,6 +44,7 @@ import type { MiLocalUser } from '@/models/User.js';
 import { LoggerService } from '@/core/LoggerService.js';
 import Logger from '@/logger.js';
 import { StatusError } from '@/misc/status-error.js';
+import { normalizeEmailAddress } from '@/misc/normalize-email-address.js';
 import type { ServerResponse } from 'node:http';
 import type { FastifyInstance } from 'fastify';
@@ -508,25 +509,31 @@ export class OAuth2ProviderService {
 return;
 }
- const accessToken = await this.accessTokensRepository.findOne({ where: { token }, relations: ['user'] });
+ const accessToken = await this.accessTokensRepository.findOneBy({ token });
 if (!accessToken) {
 reply.code(401);
 return;
 }
- const user = await this.userProfilesRepository.findOneBy({ userId: accessToken.userId });
+ const user = await this.usersRepository.findOneBy({ id: accessToken.userId });
+ if (!user) {
+ reply.code(401);
+ return;
+ }
+
+ const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id });
 reply.code(200);
 return {
- sub: accessToken.userId,
- name: accessToken.user?.name,
- preferred_username: accessToken.user?.username,
- profile: accessToken.user ? `${this.config.url}/@${accessToken.user.username}` : undefined,
- picture: accessToken.user?.avatarUrl,
- email: user?.email,
- email_verified: user?.emailVerified,
- mfa_enabled: user?.twoFactorEnabled,
- updated_at: Math.floor((accessToken.user?.updatedAt?.getTime() ?? accessToken.user?.createdAt.getTime() ?? 0) / 1000),
+ sub: user.id,
+ name: user.name ? `${user.name} (@${user.username})` : `@${user.username}`,
+ preferred_username: user.username,
+ profile: `${this.config.url}/@${user.username}`,
+ picture: user.avatarUrl ?? undefined,
+ email: profile.emailVerified ? normalizeEmailAddress(profile.email) : `${user.username}@${this.config.hostname}`,
+ email_verified: profile.emailVerified,
+ mfa_enabled: profile.twoFactorEnabled,
+ updated_at: Math.floor((user.updatedAt?.getTime() ?? user.createdAt.getTime()) / 1000),
 };
 });
 }
diff --git a/packages/backend/src/server/sso/JWTIdentifyProviderService.ts b/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
index 2671a7fcb4..f73966d5b5 100644
--- a/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
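Review bot: The `email` claim in the new return object now carries a synthesized `${user.username}@${this.config.hostname}` for accounts with no verified address, and the `email_verified: false` on the next line is the only thing marking it as not a real mailbox. Many relying parties key accounts on `email` without consulting `email_verified`, so a placeholder on the instance's own domain can be taken as a verified identity, can collide with a real mailbox if that host actually receives mail, and silently changes to the real address the moment the user verifies one, re-linking the RP-side account. If the placeholder must stay, state the contract on the line, e.g. `// unverified accounts get an acct-style placeholder, not a deliverable mailbox; RPs must gate on email_verified`, and consider exposing it only for clients that opt in. Separately, `findOneByOrFail` on the profile lookup throws instead of answering like the two 401 branches above it, which presumably surfaces as a 500 from the route; `findOneBy` plus the same `reply.code(401); return;` would keep the handler's error shape consistent. The userinfo handler starts before this hunk.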
@@ -178,7 +178,7 @@ export class JWTIdentifyProviderService {
 preferred_username: user.username,
 profile: `${this.config.url}/@${user.username}`,
 picture: user.avatarUrl ?? undefined,
- email: profile.emailVerified ? normalizeEmailAddress(profile.email) : undefined,
+ email: profile.emailVerified ? normalizeEmailAddress(profile.email) : `${user.username}@${this.config.hostname}`,
 email_verified: profile.emailVerified,
 mfa_enabled: profile.twoFactorEnabled,
 updated_at: Math.floor((user.updatedAt?.getTime() ?? user.createdAt.getTime()) / 1000),
diff --git a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
index 15ca1eecc7..2412f03576 100644
--- a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
@@ -440,9 +440,10 @@ export class SAMLIdentifyProviderService {
 '#text': `${this.config.url}/sso/saml/${ssoServiceProvider.id}/metadata`,
 },
 'saml:Subject': {
- 'saml:NameID': profile.emailVerified
- ? { '@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', '#text': normalizeEmailAddress(profile.email) }
- : { '@Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', '#text': user.id },
+ 'saml:NameID': {
+ '@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+ '#text': profile.emailVerified ? normalizeEmailAddress(profile.email) : `${user.username}@${this.config.hostname}`,
+ },
 'saml:SubjectConfirmation': {
 '@Method': 'urn:oasis:names:tc:SAML:2.0:cm:bearer',
 'saml:SubjectConfirmationData': {
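Review bot: The changed `email` line replaces the previous `undefined` with an acct-style placeholder whenever `profile.emailVerified` is false, and nothing in the token other than the `email_verified` claim on the following line distinguishes that placeholder from a user-supplied address. An RP that maps identities by `email` will therefore see the identity switch from `username@host` to the real address once the user verifies one, and may treat the placeholder as verified if it ignores `email_verified`. Add a why-comment on the line, e.g. `// not a mailbox: acct-style placeholder for unverified accounts; consumers must check email_verified`, and consider keeping `undefined` as the default unless the service-provider configuration opts into the placeholder. The enclosing method starts and ends outside this hunk.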
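Review bot: The rewritten `saml:NameID` always declares `nameid-format:emailAddress`, dropping the `persistent` format with `user.id` that unverified users received before; the NameID is the subject identifier an SP keys its account on, and for an unverified user it is now `${user.username}@${this.config.hostname}`, which will change to the real address once a verified email is set, so the SP sees a different subject for the same user. The `emailAddress` format also asserts an address the IdP has not verified, and the SP cannot tell that from the Subject element alone. Prefer keeping the stable identifier as the NameID and carrying the placeholder only in the `email` attribute, i.e. `'saml:NameID': { '@Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', '#text': user.id },`; if an email-format NameID is required by a particular SP, say so in a comment and gate it on `profile.emailVerified`. The enclosing assertion builder starts and ends outside this hunk.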
@@ -540,14 +541,14 @@ export class SAMLIdentifyProviderService {
 '#text': user.avatarUrl,
 },
 }] : []),
- ...(profile.emailVerified ? [{
+ {
 '@Name': 'email',
 '@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
 'saml:AttributeValue': {
 '@xsi:type': 'xs:string',
- '#text': normalizeEmailAddress(profile.email),
+ '#text': profile.emailVerified ? normalizeEmailAddress(profile.email) : `${user.username}@${this.config.hostname}`,
 },
- }] : []),
+ },
 {
 '@Name': 'email_verified',
 '@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
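Review bot: The `'#text'` line of the now-unconditional `email` attribute is the fourth copy in this commit of the same `profile.emailVerified ? normalizeEmailAddress(profile.email) : username@hostname` expression (the OAuth2 userinfo response, the JWT claims and the SAML NameID carry the other three), so the placeholder policy is scattered and can drift silently between the protocols. Pull it into one helper next to `normalizeEmailAddress`, e.g. `ssoEmailFor(user, profile, this.config.hostname)`, and call it from every site; its doc comment should state that the fallback is an acct-style identifier rather than a deliverable mailbox and that consumers must read `email_verified`. Because the `email` attribute is no longer omitted, SPs that previously inferred "no address on file" from its absence now depend on the `email_verified` attribute that follows it, which is worth a one-line comment above the new `{`. The attribute array starts and ends outside this hunk.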