diff --git a/dashboard/src/views/oidc.js b/dashboard/src/views/oidc.js
index 0b713a23a..69d6087e0 100644
--- a/dashboard/src/views/oidc.js
+++ b/dashboard/src/views/oidc.js
@@ -14,7 +14,7 @@ angular.module('Application').controller('OidcController', ['$scope', '$location
         Client.getOidcClients(function (error, result) {
             if (error) return console.error('Failed to load oidc clients', error);
-            $scope.clients = result.filter(function (c) { return !c.appId; });
+            $scope.clients = result;
         });
     };
diff --git a/src/routes/oidc.js b/src/routes/oidc.js
index 51556ae48..030f902fe 100644
--- a/src/routes/oidc.js
+++ b/src/routes/oidc.js
@@ -29,6 +29,9 @@ async function add(req, res, next) {
     if (req.body.tokenSignatureAlgorithm !== 'EdDSA' && req.body.tokenSignatureAlgorithm !== 'RS256') return next(new HttpError(400, 'tokenSignatureAlgorithm must be either EdDSA or RS256'));
     if ('logoutRedirectUri' in req.body && (typeof req.body.logoutRedirectUri !== 'string' || !req.body.logoutRedirectUri)) return next(new HttpError(400, 'logoutRedirectUri must be non-empty string if provided'));
 
+    // clients with appId are internal only
+    if (req.body.appId) return next(new HttpError(400, 'appId cannot be specified'));
+
     const data = {
         secret: req.body.secret,
         name: req.body.name,
@@ -50,6 +53,7 @@ async function get(req, res, next) {
     const [error, client] = await safe(oidc.clients.get(req.params.clientId));
     if (error) return next(BoxError.toHttpError(error));
     if (!client) return next(new HttpError(404, 'OpenID connect client not found'));
+    if (client.appId) return next(new HttpError(422, 'OpenID connect client from an internal app'));
 
     next(new HttpSuccess(200, client));
 }
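Review bot: The new guard `if (req.body.appId)` in add rejects only truthy values, so a request carrying `appId: ''` or `appId: 0` is accepted rather than refused. Since the comment states that callers of this route may never set the field, `if ('appId' in req.body) return next(new HttpError(400, 'appId cannot be specified'));` is the stricter form and mirrors the `'logoutRedirectUri' in req.body` test two lines above. Whether the `data` object below copies the field cannot be seen from the hunk (add's body continues past it); if it does not, this is hygiene rather than a bypass.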
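Review bot: The new `if (client.appId)` line in get answers 422 while an unknown id answers 404, so a caller can confirm that a given client id exists and is app-owned even though list now hides such clients. If app-client ids are predictable and these routes are reachable by callers who should not learn which apps are installed, treat an app-owned client as absent: `if (!client || client.appId) return next(new HttpError(404, 'OpenID connect client not found'));`. If the routes are admin-only, the distinction is a usability choice and harmless; either way the same decision should be applied consistently in update and del, which use the identical 422 line.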
@@ -64,6 +68,11 @@ async function update(req, res, next) {
     if (req.body.tokenSignatureAlgorithm !== 'EdDSA' && req.body.tokenSignatureAlgorithm !== 'RS256') return next(new HttpError(400, 'tokenSignatureAlgorithm must be either EdDSA or RS256'));
     if ('logoutRedirectUri' in req.body && (typeof req.body.logoutRedirectUri !== 'string' || !req.body.logoutRedirectUri)) return next(new HttpError(400, 'logoutRedirectUri must be non-empty string if provided'));
 
+    const [error, client] = await safe(oidc.clients.get(req.params.clientId));
+    if (error) return next(BoxError.toHttpError(error));
+    if (!client) return next(new HttpError(404, 'OpenID connect client not found'));
+    if (client.appId) return next(new HttpError(422, 'OpenID connect client from an internal app'));
+
     const data = {
         secret: req.body.secret,
         name: req.body.name,
@@ -73,8 +82,8 @@ async function update(req, res, next) {
         logoutRedirectUri: req.body.logoutRedirectUri || ''
     };
 
-    const [error] = await safe(oidc.clients.update(req.params.clientId, data));
-    if (error) return next(BoxError.toHttpError(error));
+    const [updateError] = await safe(oidc.clients.update(req.params.clientId, data));
+    if (updateError) return next(BoxError.toHttpError(updateError));
 
     next(new HttpSuccess(201, {}));
 }
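Review bot: The added `oidc.clients.get` followed by the existing `oidc.clients.update` further down is a check-then-act sequence: the appId decision is taken on a snapshot and the write proceeds against whatever the store holds by then, with no visible locking between the two `safe(...)` calls. Nothing in the hunk shows the store itself refusing to modify an app-owned client, so this route check is the only barrier; if `oidc.clients.update` (not visible here) can also reject clients whose appId is set, the window closes and any other caller of the store gets the same protection. The protective comment from add would also help a reader here, e.g. `// app-owned clients are managed by the app lifecycle, never through this route`. update starts before this hunk and ends in the following one.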
@@ -83,14 +92,19 @@ async function list(req, res, next) {
     const [error, result] = await safe(oidc.clients.list());
     if (error) return next(BoxError.toHttpError(error));
 
-    next(new HttpSuccess(200, { clients: result }));
+    next(new HttpSuccess(200, { clients: result.filter(client => !client.appId) }));
 }
 
 async function del(req, res, next) {
     assert.strictEqual(typeof req.params.clientId, 'string');
 
-    const [error] = await safe(oidc.clients.del(req.params.clientId));
+    const [error, client] = await safe(oidc.clients.get(req.params.clientId));
     if (error) return next(BoxError.toHttpError(error));
+    if (!client) return next(new HttpError(404, 'OpenID connect client not found'));
+    if (client.appId) return next(new HttpError(422, 'OpenID connect client from an internal app'));
+
+    const [delError] = await safe(oidc.clients.del(req.params.clientId));
+    if (delError) return next(BoxError.toHttpError(delError));
 
     next(new HttpSuccess(204));
 }
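Review bot: In del the appId guard is evaluated on the result of `oidc.clients.get` and the removal happens in a separate `oidc.clients.del` call, so the decision rests on a snapshot and on the route alone; a store-level refusal to delete clients with appId set (not visible in this hunk) would make this defence in depth rather than the single barrier. The 422 on the `if (client.appId)` line also tells a caller that an id exists and is app-owned, which the server-side `result.filter(client => !client.appId)` in list above deliberately hides; if that matters for the callers these routes are exposed to, answer 404 for both cases, `if (!client || client.appId) return next(new HttpError(404, 'OpenID connect client not found'));`. The list function in this hunk starts before it.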