cloudron-box/src/user-directory.js
Johannes Zellner 846986987d the oidc module expects accountId and sub to be the same
in our case sub is the username exposed to the app, not the userId
internal to Cloudron

Upstream behavior change https://github.com/panva/node-oidc-provider/commit/9b89153c0ea2f2280a26e35f3b66d1900aed7c79
2025-07-02 00:38:11 +02:00


'use strict';
exports = module.exports = {
getProfileConfig,
setProfileConfig
};
const assert = require('assert'),
BoxError = require('./boxerror.js'),
constants = require('./constants.js'),
debug = require('debug')('box:user-directory'),
eventlog = require('./eventlog.js'),
oidcClients = require('./oidcclients.js'),
oidcServer = require('./oidcserver.js'),
settings = require('./settings.js'),
tokens = require('./tokens.js'),
users = require('./users.js');
/**
 * Loads the persisted user-directory profile config.
 *
 * @returns {Promise<object>} the stored config, or the built-in defaults when
 *   nothing (or a falsy value) is stored: both restrictions are off by default.
 */
async function getProfileConfig() {
    const stored = await settings.getJson(settings.PROFILE_CONFIG_KEY);
    if (stored) return stored;

    // nothing persisted yet: profiles are editable and 2FA is optional
    return { lockUserProfiles: false, mandatory2FA: false };
}
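/**
 * Persists the user-directory profile config and, when mandatory 2FA has just
 * been switched on, logs out every user who does not yet have 2FA enabled.
 *
 * @param {object} profileConfig - new config; `mandatory2FA` is the only field read here
 * @param {object} options - `persistUserIdSessions`: id of the user whose sessions are kept (the API caller)
 * @param {object} auditSource - attribution recorded with the eventlog entry
 * @throws {AssertionError} when an argument is null or not an object
 * @throws {BoxError} BAD_STATE when running in demo mode
 */
async function setProfileConfig(profileConfig, options, auditSource) {
    // typeof null === 'object', so a bare typeof check lets null through and the
    // later property reads would throw after the config was already persisted;
    // guard null explicitly, as the auditSource check already does
    assert(profileConfig && typeof profileConfig === 'object');
    assert(options && typeof options === 'object');
    assert(auditSource && typeof auditSource === 'object');

    if (constants.DEMO) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');

    const oldConfig = await getProfileConfig();

    await settings.setJson(settings.PROFILE_CONFIG_KEY, profileConfig);
    await eventlog.add(eventlog.ACTION_USER_DIRECTORY_PROFILE_CONFIG_UPDATE, auditSource, { oldConfig, config: profileConfig });

    // enforce only on the off -> on transition; re-saving with 2FA already mandatory must not log anyone out again
    if (!profileConfig.mandatory2FA || oldConfig.mandatory2FA) return;

    debug('setProfileConfig: logging out non-2FA users to enforce 2FA');

    const allUsers = await users.list();
    for (const user of allUsers) {
        if (user.twoFactorAuthenticationEnabled) continue;
        if (options.persistUserIdSessions === user.id) continue; // do not logout the API caller

        // only webadmin tokens are dropped here; OIDC sessions are revoked by username,
        // which is what the OIDC provider exposes to apps as `sub`
        await tokens.delByUserIdAndType(user.id, oidcClients.ID_WEBADMIN);
        await oidcServer.revokeByUsername(user.username);
        // NOTE(review): the config is already persisted above, so an error thrown by either
        // call aborts the loop and leaves the remaining non-2FA users logged in
    }
}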