Support mailclient oidc claim
Only apps with addon email have access to the claims' scopes
This commit is contained in:
Johannes Zellner
+30
@@ -6,6 +6,7 @@ import debugModule from 'debug';
|
||||
import dig from './dig.js';
|
||||
import dns from './dns.js';
|
||||
import eventlog from './eventlog.js';
|
||||
import groups from './groups.js';
|
||||
import mailer from './mailer.js';
|
||||
import mailServer from './mailserver.js';
|
||||
import net from 'node:net';
|
||||
@@ -829,6 +830,34 @@ async function listMailboxes(page, perPage) {
|
||||
return results;
|
||||
}
|
||||
|
||||
async function listMailboxesByUserId(userId) {
|
||||
assert.strictEqual(typeof userId, 'string');
|
||||
|
||||
const groupIds = await groups._getMembership(userId);
|
||||
|
||||
const baseQuery = 'SELECT m1.name AS name, m1.domain AS domain, m1.ownerId AS ownerId, m1.ownerType as ownerType, m1.active as active, JSON_ARRAYAGG(m2.name) AS aliasNames, JSON_ARRAYAGG(m2.domain) AS aliasDomains, m1.enablePop3 AS enablePop3, m1.storageQuota AS storageQuota, m1.messagesQuota AS messagesQuota '
|
||||
+ ` FROM (SELECT * FROM mailboxes WHERE type='${TYPE_MAILBOX}') AS m1`
|
||||
+ ` LEFT JOIN (SELECT * FROM mailboxes WHERE type='${TYPE_ALIAS}') AS m2`
|
||||
+ ' ON m1.name=m2.aliasName AND m1.domain=m2.aliasDomain AND m1.ownerId=m2.ownerId';
|
||||
|
||||
let whereClause = " WHERE (m1.ownerType = 'user' AND m1.ownerId = ?)";
|
||||
const args = [ userId ];
|
||||
if (groupIds.length > 0) {
|
||||
const placeholders = groupIds.map(() => '?').join(',');
|
||||
whereClause += ` OR (m1.ownerType = '${OWNERTYPE_GROUP}' AND m1.ownerId IN (${placeholders}))`;
|
||||
args.push(...groupIds);
|
||||
}
|
||||
|
||||
const query = baseQuery + whereClause + ' GROUP BY m1.name, m1.domain, m1.ownerId ORDER BY name';
|
||||
|
||||
const results = await database.query(query, args);
|
||||
|
||||
results.forEach(postProcessMailbox);
|
||||
results.forEach(postProcessAliases);
|
||||
|
||||
return results;
|
||||
}
|
||||
|
||||
async function delByDomain(domain) {
|
||||
assert.strictEqual(typeof domain, 'string');
|
||||
|
||||
@@ -1214,6 +1243,7 @@ export default {
|
||||
sendTestMail,
|
||||
listMailboxesByDomain,
|
||||
listMailboxes,
|
||||
listMailboxesByUserId,
|
||||
getMailbox,
|
||||
addMailbox,
|
||||
updateMailbox,
|
||||
|
||||
+19
-2
@@ -13,6 +13,7 @@ import ejs from 'ejs';
|
||||
import express from 'express';
|
||||
import eventlog from './eventlog.js';
|
||||
import fs from 'node:fs';
|
||||
import mail from './mail.js';
|
||||
import * as marked from 'marked';
|
||||
import middleware from './middleware/index.js';
|
||||
import oidcClients from './oidcclients.js';
|
||||
@@ -467,6 +468,15 @@ async function interactionConfirm(req, res, next) {
|
||||
|
||||
return await gOidcProvider.interactionFinished(req, res, result, { mergeWithLastSubmission: false });
|
||||
}
|
||||
|
||||
if (!app.manifest.addons.email && params.scope.indexOf('mailclient')) {
|
||||
const result = {
|
||||
error: 'access_denied',
|
||||
error_description: 'App has no access to mailclient claims',
|
||||
};
|
||||
|
||||
return await gOidcProvider.interactionFinished(req, res, result, { mergeWithLastSubmission: false });
|
||||
}
|
||||
}
|
||||
|
||||
let grant;
|
||||
@@ -522,6 +532,9 @@ async function getClaims(username/*, use, scope*/) {
|
||||
const [groupsError, allGroups] = await safe(groups.listWithMembers());
|
||||
if (groupsError) return { error: groupsError.message };
|
||||
|
||||
const [mailboxesError, mailboxes] = await safe(mail.listMailboxesByUserId(user.id));
|
||||
if (mailboxesError) return { error: mailboxesError.message };
|
||||
|
||||
const displayName = user.displayName || user.username || ''; // displayName can be empty and username can be null
|
||||
const { firstName, lastName, middleName } = users.parseDisplayName(displayName);
|
||||
|
||||
@@ -539,7 +552,10 @@ async function getClaims(username/*, use, scope*/) {
|
||||
name: user.displayName,
|
||||
picture: `https://${dashboardFqdn}/api/v1/profile/avatar/${user.id}`, // we always store as png
|
||||
preferred_username: user.username,
|
||||
groups: allGroups.filter(function (g) { return g.userIds.indexOf(user.id) !== -1; }).map(function (g) { return `${g.name}`; })
|
||||
groups: allGroups.filter(function (g) { return g.userIds.indexOf(user.id) !== -1; }).map(function (g) { return `${g.name}`; }),
|
||||
mailclient: {
|
||||
mailboxes,
|
||||
},
|
||||
};
|
||||
|
||||
return claims;
|
||||
@@ -609,7 +625,8 @@ async function start() {
|
||||
claims: {
|
||||
email: ['email', 'email_verified'],
|
||||
profile: [ 'family_name', 'given_name', 'locale', 'name', 'preferred_username', 'picture' ],
|
||||
groups: [ 'groups' ]
|
||||
groups: [ 'groups' ],
|
||||
mailboxes: [ 'mailboxes' ]
|
||||
},
|
||||
features: {
|
||||
rpInitiatedLogout: { enabled: false },
|
||||
|
||||
Reference in New Issue
Block a user