npm - @sync-in/server - Versions diffs - 1.6.0 → 1.7.0 - Mend

@sync-in/server 1.6.0 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (178) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,4 +1,20 @@
+## [1.7.0](https://github.com/Sync-in/server/compare/v1.6.1...v1.7.0) (2025-10-09)
+### Features
+* **backend:auth:** add `adminGroup` support and improve LDAP user role assignment ([9074145](https://github.com/Sync-in/server/commit/9074145c9c86e023c73e0a5522f87441356bb240))
+* **backend:auth:** enhance LDAP authentication configuration with upnSuffix and netbiosName parameters ([5a5d623](https://github.com/Sync-in/server/commit/5a5d62317198d3c1164bc6f9efe6bdb50bfe25f7))
+## [1.6.1](https://github.com/Sync-in/server/compare/v1.6.0...v1.6.1) (2025-10-09)
+### Bug Fixes
+* **backend:auth:** improve AD/LDAP authentication handling and normalization ([db1a9e3](https://github.com/Sync-in/server/commit/db1a9e3d4a02c6be5ef594b4a383e05d0bc50fc4))
+* **frontend:links:** fallback to default MIME URL when origin MIME URL is not found ([5724f3a](https://github.com/Sync-in/server/commit/5724f3a730fc8d8b51268071b0d3370bc62f6901))
 ## [1.6.0](https://github.com/Sync-in/server/compare/v1.5.2...v1.6.0) (2025-09-26)
 🔥🚀 Support for Multi-Factor Authentication (MFA) & App Passwords

package/README.md CHANGED Viewed

@@ -102,7 +102,7 @@ Before submitting your pull request, please confirm the following:
 This project is licensed under the **GNU Affero General Public License (AGPL-3.0-or-later)**.
 See [LICENSE](LICENSE) for the full text.
-Sync-in® is a registered trademark, see our [Trademark Policy](https://sync-in.com/docs/about/trademark).
+Sync-in® is a registered trademark, see our [Trademark Policy](https://sync-in.com/trademark).
 ---

package/environment/environment.dist.yaml CHANGED Viewed

@@ -115,17 +115,23 @@ auth:
   ldap:
     # e.g: [ldap://localhost:389, ldaps://localhost:636] (array required)
     servers: []
-    # baseDN: distinguished name ( e.g.ou=people,dc=ldap,dc=sync-in,dc=com)
+    # baseDN: distinguished name (e.g., ou=people,dc=ldap,dc=sync-in,dc=com)
     baseDN:
     # filter, e.g: (acl=admin)
     filter:
     attributes:
-      # login attribute (e.g. `uid` | `sAMAccountName` | `userPrincipalName`)
+      # login attribute: `uid` | `sAMAccountName` | `userPrincipalName`, used to authenticate the user
       # default: `uid`
       login: uid
       # email attribute: `mail` or `email`
       # default: `mail`
       email: mail
+    # adminGroup: The CN of a group containing Sync-in administrators (e.g., administrators)
+    adminGroup:
+    # upnSuffix: AD domain suffix used with `userPrincipalName` to build UPN-style logins (e.g., user@`sync-in.com`)
+    upnSuffix:
+    # netbiosName: NetBIOS domain name used with `sAMAccountName` to build legacy logins (e.g., `SYNC_IN`\user)
+    netbiosName:
 applications:
   files:
     # required

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sync-in/server",
-  "version": "1.6.0",
+  "version": "1.7.0",
   "description": "The secure, open-source platform for file storage, sharing, collaboration, and sync",
   "author": {
     "name": "Johan Legrand",
@@ -73,7 +73,7 @@
   },
   "dependencies": {
     "@fastify/cookie": "11.0.2",
-    "@fastify/helmet": "13.0.1",
+    "@fastify/helmet": "13.0.2",
     "@fastify/multipart": "9.2.1",
     "@fastify/send": "4.1.0",
     "@fastify/static": "8.2.0",
@@ -97,28 +97,28 @@
     "class-transformer": "0.5.1",
     "class-validator": "0.14.2",
     "deepmerge": "4.3.1",
-    "drizzle-kit": "0.31.4",
-    "drizzle-orm": "0.44.5",
-    "fast-xml-parser": "5.2.5",
+    "drizzle-kit": "0.31.5",
+    "drizzle-orm": "0.44.6",
+    "fast-xml-parser": "5.3.0",
     "fs-extra": "11.3.2",
     "html-to-text": "9.0.5",
     "js-yaml": "4.1.0",
     "ldapts": "8.0.9",
     "mime-types": "3.0.1",
-    "mysql2": "3.15.0",
-    "nestjs-pino": "4.4.0",
-    "nodemailer": "7.0.6",
+    "mysql2": "3.15.2",
+    "nestjs-pino": "4.4.1",
+    "nodemailer": "7.0.9",
     "passport-http": "0.3.0",
     "passport-jwt": "4.0.1",
     "passport-local": "1.0.0",
     "passport": "0.7.0",
-    "pdfjs-dist": "5.4.149",
+    "pdfjs-dist": "5.4.296",
     "pino-pretty": "13.1.1",
     "qrcode-generator": "2.0.4",
     "redis": "4.7.1",
     "sax": "1.4.1",
     "socket.io": "4.8.1",
-    "tar": "7.4.3",
+    "tar": "7.5.1",
     "time2fa": "1.4.2",
     "yauzl": "3.2.0"
   }

package/server/authentication/auth.config.js CHANGED Viewed

@@ -48,6 +48,7 @@ const _classtransformer = require("class-transformer");
 const _classvalidator = require("class-validator");
 const _appconstants = require("../app.constants");
 const _auth = require("./constants/auth");
+const _authldap = require("./constants/auth-ldap");
 function _ts_decorate(decorators, target, key, desc) {
     var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
     if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -180,19 +181,22 @@ _ts_decorate([
 ], AuthTokenConfig.prototype, "ws", void 0);
 let AuthMethodLdapAttributesConfig = class AuthMethodLdapAttributesConfig {
     constructor(){
-        this.login = 'uid';
-        this.email = 'mail';
+        this.login = _authldap.LDAP_LOGIN_ATTR.UID;
+        this.email = _authldap.LDAP_COMMON_ATTR.MAIL;
     }
 };
 _ts_decorate([
     (0, _classvalidator.IsOptional)(),
     (0, _classvalidator.IsString)(),
-    (0, _classtransformer.Transform)(({ value })=>value || 'uid')
+    (0, _classtransformer.Transform)(({ value })=>value || _authldap.LDAP_LOGIN_ATTR.UID),
+    (0, _classvalidator.IsEnum)(_authldap.LDAP_LOGIN_ATTR),
+    _ts_metadata("design:type", typeof _authldap.LDAP_LOGIN_ATTR === "undefined" ? Object : _authldap.LDAP_LOGIN_ATTR)
 ], AuthMethodLdapAttributesConfig.prototype, "login", void 0);
 _ts_decorate([
     (0, _classvalidator.IsOptional)(),
     (0, _classvalidator.IsString)(),
-    (0, _classtransformer.Transform)(({ value })=>value || 'mail')
+    (0, _classtransformer.Transform)(({ value })=>value || _authldap.LDAP_COMMON_ATTR.MAIL),
+    _ts_metadata("design:type", String)
 ], AuthMethodLdapAttributesConfig.prototype, "email", void 0);
 let AuthMethodLdapConfig = class AuthMethodLdapConfig {
     constructor(){
@@ -226,6 +230,21 @@ _ts_decorate([
     (0, _classtransformer.Type)(()=>AuthMethodLdapAttributesConfig),
     _ts_metadata("design:type", typeof AuthMethodLdapAttributesConfig === "undefined" ? Object : AuthMethodLdapAttributesConfig)
 ], AuthMethodLdapConfig.prototype, "attributes", void 0);
+_ts_decorate([
+    (0, _classvalidator.IsOptional)(),
+    (0, _classvalidator.IsString)(),
+    _ts_metadata("design:type", String)
+], AuthMethodLdapConfig.prototype, "adminGroup", void 0);
+_ts_decorate([
+    (0, _classvalidator.IsOptional)(),
+    (0, _classvalidator.IsString)(),
+    _ts_metadata("design:type", String)
+], AuthMethodLdapConfig.prototype, "upnSuffix", void 0);
+_ts_decorate([
+    (0, _classvalidator.IsOptional)(),
+    (0, _classvalidator.IsString)(),
+    _ts_metadata("design:type", String)
+], AuthMethodLdapConfig.prototype, "netbiosName", void 0);
 let AuthConfig = class AuthConfig {
     constructor(){
         this.method = 'mysql';

package/server/authentication/auth.config.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../../backend/src/authentication/auth.config.ts"],"sourcesContent":["/\n Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>\n * This file is part of Sync-in \| The open source file sync and share solution\n * See the LICENSE file for licensing details\n */\n\nimport { Exclude, Transform, Type } from 'class-transformer'\nimport {\n ArrayNotEmpty,\n IsArray,\n IsBoolean,\n IsDefined,\n IsIn,\n IsNotEmpty,\n IsNotEmptyObject,\n IsObject,\n IsOptional,\n IsString,\n ValidateIf,\n ValidateNested\n} from 'class-validator'\nimport { SERVER_NAME } from '../app.constants'\nimport { ACCESS_KEY, CSRF_KEY, REFRESH_KEY, WS_KEY } from './constants/auth'\n\nexport class AuthMfaTotpConfig {\n @IsBoolean()\n enabled = true\n\n @IsString()\n issuer = SERVER_NAME\n}\n\nexport class AuthMfaConfig {\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthMfaTotpConfig)\n totp: AuthMfaTotpConfig = new AuthMfaTotpConfig()\n}\n\nexport class AuthTokenAccessConfig {\n @Exclude({ toClassOnly: true })\n // force default name\n name = ACCESS_KEY\n\n @IsString()\n @IsNotEmpty()\n secret: string\n\n @IsString()\n @IsNotEmpty()\n expiration = '30m'\n}\n\nexport class AuthTokenRefreshConfig {\n @Exclude({ toClassOnly: true })\n // force default name\n name = REFRESH_KEY\n\n @IsString()\n @IsNotEmpty()\n secret: string\n\n @IsString()\n @IsNotEmpty()\n expiration = '4h'\n}\n\nexport class AuthTokenCsrfConfig extends AuthTokenRefreshConfig {\n @IsString()\n @IsNotEmpty()\n override name: string = CSRF_KEY\n}\n\nexport class AuthTokenWSConfig extends AuthTokenRefreshConfig {\n @IsString()\n @IsNotEmpty()\n override name: string = WS_KEY\n}\n\nexport class AuthTokenConfig {\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthTokenAccessConfig)\n access: AuthTokenAccessConfig\n\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthTokenRefreshConfig)\n refresh: AuthTokenRefreshConfig\n\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthTokenCsrfConfig)\n csrf: AuthTokenCsrfConfig\n\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthTokenWSConfig)\n ws: AuthTokenWSConfig\n}\n\nexport class AuthMethodLdapAttributesConfig {\n @IsOptional()\n @IsString()\n @Transform(({ value }) => value \|\| ~~'uid'~~)\n login? = ~~'uid'~~\n\n @IsOptional()\n @IsString()\n @Transform(({ value }) => value \|\| ~~'mail'~~)\n email? = ~~'mail'~~\n}\n\nexport class AuthMethodLdapConfig {\n @Transform(({ value }) => (Array.isArray(value) ? value.filter((v: string) => Boolean(v)) : value))\n @ArrayNotEmpty()\n @IsArray()\n @IsString({ each: true })\n servers: string[]\n\n @IsString()\n @IsNotEmpty()\n baseDN: string\n\n @IsOptional()\n @IsString()\n filter?: string\n\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthMethodLdapAttributesConfig)\n attributes: AuthMethodLdapAttributesConfig = new AuthMethodLdapAttributesConfig()\n}\n\nexport class AuthConfig {\n @IsString()\n @IsIn(['mysql', 'ldap'])\n method: 'mysql' \| 'ldap' = 'mysql'\n\n @IsOptional()\n @IsString()\n encryptionKey: string\n\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthMfaConfig)\n mfa: AuthMfaConfig = new AuthMfaConfig()\n\n @IsString()\n @IsIn(['lax', 'strict'])\n cookieSameSite: 'lax' \| 'strict' = 'strict'\n\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthTokenConfig)\n token: AuthTokenConfig\n\n @ValidateIf((o: AuthConfig) => o.method === 'ldap')\n @IsDefined()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthMethodLdapConfig)\n ldap: AuthMethodLdapConfig\n}\n"],"names":["AuthConfig","AuthMethodLdapAttributesConfig","AuthMethodLdapConfig","AuthMfaConfig","AuthMfaTotpConfig","AuthTokenAccessConfig","AuthTokenConfig","AuthTokenCsrfConfig","AuthTokenRefreshConfig","AuthTokenWSConfig","enabled","issuer","SERVER_NAME","totp","name","ACCESS_KEY","expiration","toClassOnly","REFRESH_KEY","CSRF_KEY","WS_KEY","login","email","value","attributes","Array","isArray","filter","v","Boolean","each","method","mfa","cookieSameSite","o"],"mappings":"AAAA;;;;CAIC;;;;;;;;;;;~~QA8IYA~~;eAAAA;;~~QAnCAC~~;eAAAA;;~~QAYAC~~;eAAAA;;~~QA3FAC~~;eAAAA;;QARAC;eAAAA;;QAiBAC;eAAAA;;QAwCAC;eAAAA;;QAZAC;eAAAA;;QAdAC;eAAAA;;QAoBAC;eAAAA;;;~~kCArE4B~~;~~gCAclC~~;8BACqB;sBAC8B;;;;;;;;;;~~AAEnD~~,IAAA,AAAML,oBAAN,MAAMA;;aAEXM,UAAU;aAGVC,SAASC,yBAAW;;AACtB;;;;;;;AAEO,IAAA,AAAMT,gBAAN,MAAMA;;aAMXU,OAA0B,IAAIT;;AAChC;;;;;;oCAFcA;;;AAIP,IAAA,AAAMC,wBAAN,MAAMA;;aAEX,qBAAqB;QACrBS,OAAOC,gBAAU;aAQjBC,aAAa;;AACf;;;QAXaC,aAAa;;;;;;;;;;;;AAanB,IAAA,AAAMT,yBAAN,MAAMA;;aAEX,qBAAqB;QACrBM,OAAOI,iBAAW;aAQlBF,aAAa;;AACf;;;QAXaC,aAAa;;;;;;;;;;;;AAanB,IAAA,AAAMV,sBAAN,MAAMA,4BAA4BC;;QAAlC,qBAGIM,OAAeK,cAAQ;;AAClC;;;;;;AAEO,IAAA,AAAMV,oBAAN,MAAMA,0BAA0BD;;QAAhC,qBAGIM,OAAeM,YAAM;;AAChC;;;;;;AAEO,IAAA,AAAMd,kBAAN,MAAMA;AA4Bb;;;;;;oCAvBcD;;;;;;;;oCAOAG;;;;;;;;oCAOAD;;;;;;;;oCAOAE;;;AAIP,IAAA,AAAMR,iCAAN,MAAMA;;~~aAIXoB~~,~~QAAS~~;~~aAKTC~~,~~QAAS~~;;~~AACX~~;;;;~~sCAPc~~,EAAEC,KAAK,EAAE,GAAKA,~~SAAS;;;;;sCAKvB~~,~~EAAEA~~,KAAK,EAAE,GAAKA,~~SAAS;;AAI9B~~,IAAA,~~AAAMrB~~,uBAAN,MAAMA;;~~aAoBXsB~~,aAA6C,~~IAAIvB~~;;~~AACnD~~;;~~sCApBc~~,~~EAAEsB~~,KAAK,EAAE,GAAME,MAAMC,OAAO,CAACH,SAASA,MAAMI,MAAM,CAAC,CAACC,IAAcC,QAAQD,MAAML;;;;QAGhFO,MAAM;;;;;;;;;;;;;;;;;;;~~oCAeN7B;;;AAIP~~,IAAA,AAAMD,aAAN,MAAMA;;~~aAGX+B~~,SAA2B;aAW3BC,MAAqB,~~IAAI7B~~;~~aAIzB8B~~,iBAAmC;;AAerC;;;;QA/BS;QAAS;;;;;;;;;;;;;;~~oCAWJ9B~~;;;;;;QAIL;QAAO;;;;;;;;;oCAOFG;;;;~~qCAGC4B~~,IAAkBA,EAAEH,MAAM,KAAK;;;;~~oCAIhC7B~~"}
1	+ {"version":3,"sources":["../../../backend/src/authentication/auth.config.ts"],"sourcesContent":["/\n Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>\n * This file is part of Sync-in \| The open source file sync and share solution\n * See the LICENSE file for licensing details\n */\n\nimport { Exclude, Transform, Type } from 'class-transformer'\nimport {\n ArrayNotEmpty,\n IsArray,\n IsBoolean,\n IsDefined,\n IsEnum,\n IsIn,\n IsNotEmpty,\n IsNotEmptyObject,\n IsObject,\n IsOptional,\n IsString,\n ValidateIf,\n ValidateNested\n} from 'class-validator'\nimport { SERVER_NAME } from '../app.constants'\nimport { ACCESS_KEY, CSRF_KEY, REFRESH_KEY, WS_KEY } from './constants/auth'\nimport { LDAP_COMMON_ATTR, LDAP_LOGIN_ATTR } from './constants/auth-ldap'\n\nexport class AuthMfaTotpConfig {\n @IsBoolean()\n enabled = true\n\n @IsString()\n issuer = SERVER_NAME\n}\n\nexport class AuthMfaConfig {\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthMfaTotpConfig)\n totp: AuthMfaTotpConfig = new AuthMfaTotpConfig()\n}\n\nexport class AuthTokenAccessConfig {\n @Exclude({ toClassOnly: true })\n // force default name\n name = ACCESS_KEY\n\n @IsString()\n @IsNotEmpty()\n secret: string\n\n @IsString()\n @IsNotEmpty()\n expiration = '30m'\n}\n\nexport class AuthTokenRefreshConfig {\n @Exclude({ toClassOnly: true })\n // force default name\n name = REFRESH_KEY\n\n @IsString()\n @IsNotEmpty()\n secret: string\n\n @IsString()\n @IsNotEmpty()\n expiration = '4h'\n}\n\nexport class AuthTokenCsrfConfig extends AuthTokenRefreshConfig {\n @IsString()\n @IsNotEmpty()\n override name: string = CSRF_KEY\n}\n\nexport class AuthTokenWSConfig extends AuthTokenRefreshConfig {\n @IsString()\n @IsNotEmpty()\n override name: string = WS_KEY\n}\n\nexport class AuthTokenConfig {\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthTokenAccessConfig)\n access: AuthTokenAccessConfig\n\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthTokenRefreshConfig)\n refresh: AuthTokenRefreshConfig\n\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthTokenCsrfConfig)\n csrf: AuthTokenCsrfConfig\n\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthTokenWSConfig)\n ws: AuthTokenWSConfig\n}\n\nexport class AuthMethodLdapAttributesConfig {\n @IsOptional()\n @IsString()\n @Transform(({ value }) => value \|\| LDAP_LOGIN_ATTR.UID)\n @IsEnum(LDAP_LOGIN_ATTR)\n login: LDAP_LOGIN_ATTR = LDAP_LOGIN_ATTR.UID\n\n @IsOptional()\n @IsString()\n @Transform(({ value }) => value \|\| LDAP_COMMON_ATTR.MAIL)\n email: string = LDAP_COMMON_ATTR.MAIL\n}\n\nexport class AuthMethodLdapConfig {\n @Transform(({ value }) => (Array.isArray(value) ? value.filter((v: string) => Boolean(v)) : value))\n @ArrayNotEmpty()\n @IsArray()\n @IsString({ each: true })\n servers: string[]\n\n @IsString()\n @IsNotEmpty()\n baseDN: string\n\n @IsOptional()\n @IsString()\n filter?: string\n\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthMethodLdapAttributesConfig)\n attributes: AuthMethodLdapAttributesConfig = new AuthMethodLdapAttributesConfig()\n\n @IsOptional()\n @IsString()\n adminGroup?: string\n\n @IsOptional()\n @IsString()\n upnSuffix?: string\n\n @IsOptional()\n @IsString()\n netbiosName?: string\n}\n\nexport class AuthConfig {\n @IsString()\n @IsIn(['mysql', 'ldap'])\n method: 'mysql' \| 'ldap' = 'mysql'\n\n @IsOptional()\n @IsString()\n encryptionKey: string\n\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthMfaConfig)\n mfa: AuthMfaConfig = new AuthMfaConfig()\n\n @IsString()\n @IsIn(['lax', 'strict'])\n cookieSameSite: 'lax' \| 'strict' = 'strict'\n\n @IsDefined()\n @IsNotEmptyObject()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthTokenConfig)\n token: AuthTokenConfig\n\n @ValidateIf((o: AuthConfig) => o.method === 'ldap')\n @IsDefined()\n @IsObject()\n @ValidateNested()\n @Type(() => AuthMethodLdapConfig)\n ldap: AuthMethodLdapConfig\n}\n"],"names":["AuthConfig","AuthMethodLdapAttributesConfig","AuthMethodLdapConfig","AuthMfaConfig","AuthMfaTotpConfig","AuthTokenAccessConfig","AuthTokenConfig","AuthTokenCsrfConfig","AuthTokenRefreshConfig","AuthTokenWSConfig","enabled","issuer","SERVER_NAME","totp","name","ACCESS_KEY","expiration","toClassOnly","REFRESH_KEY","CSRF_KEY","WS_KEY","login","LDAP_LOGIN_ATTR","UID","email","LDAP_COMMON_ATTR","MAIL","value","attributes","Array","isArray","filter","v","Boolean","each","method","mfa","cookieSameSite","o"],"mappings":"AAAA;;;;CAIC;;;;;;;;;;;QA6JYA;eAAAA;;QAhDAC;eAAAA;;QAaAC;eAAAA;;QA5FAC;eAAAA;;QARAC;eAAAA;;QAiBAC;eAAAA;;QAwCAC;eAAAA;;QAZAC;eAAAA;;QAdAC;eAAAA;;QAoBAC;eAAAA;;;kCAvE4B;gCAelC;8BACqB;sBAC8B;0BACR;;;;;;;;;;AAE3C,IAAA,AAAML,oBAAN,MAAMA;;aAEXM,UAAU;aAGVC,SAASC,yBAAW;;AACtB;;;;;;;AAEO,IAAA,AAAMT,gBAAN,MAAMA;;aAMXU,OAA0B,IAAIT;;AAChC;;;;;;oCAFcA;;;AAIP,IAAA,AAAMC,wBAAN,MAAMA;;aAEX,qBAAqB;QACrBS,OAAOC,gBAAU;aAQjBC,aAAa;;AACf;;;QAXaC,aAAa;;;;;;;;;;;;AAanB,IAAA,AAAMT,yBAAN,MAAMA;;aAEX,qBAAqB;QACrBM,OAAOI,iBAAW;aAQlBF,aAAa;;AACf;;;QAXaC,aAAa;;;;;;;;;;;;AAanB,IAAA,AAAMV,sBAAN,MAAMA,4BAA4BC;;QAAlC,qBAGIM,OAAeK,cAAQ;;AAClC;;;;;;AAEO,IAAA,AAAMV,oBAAN,MAAMA,0BAA0BD;;QAAhC,qBAGIM,OAAeM,YAAM;;AAChC;;;;;;AAEO,IAAA,AAAMd,kBAAN,MAAMA;AA4Bb;;;;;;oCAvBcD;;;;;;;;oCAOAG;;;;;;;;oCAOAD;;;;;;;;oCAOAE;;;AAIP,IAAA,AAAMR,iCAAN,MAAMA;;aAKXoB,QAAyBC,yBAAe,CAACC,GAAG;aAK5CC,QAAgBC,0BAAgB,CAACC,IAAI;;AACvC;;;;sCARc,EAAEC,KAAK,EAAE,GAAKA,SAASL,yBAAe,CAACC,GAAG;;;;;;;sCAM1C,EAAEI,KAAK,EAAE,GAAKA,SAASF,0BAAgB,CAACC,IAAI;;;AAInD,IAAA,AAAMxB,uBAAN,MAAMA;;aAoBX0B,aAA6C,IAAI3B;;AAanD;;sCAhCc,EAAE0B,KAAK,EAAE,GAAME,MAAMC,OAAO,CAACH,SAASA,MAAMI,MAAM,CAAC,CAACC,IAAcC,QAAQD,MAAML;;;;QAGhFO,MAAM;;;;;;;;;;;;;;;;;;;oCAeNjC;;;;;;;;;;;;;;;;;;AAgBP,IAAA,AAAMD,aAAN,MAAMA;;aAGXmC,SAA2B;aAW3BC,MAAqB,IAAIjC;aAIzBkC,iBAAmC;;AAerC;;;;QA/BS;QAAS;;;;;;;;;;;;;;oCAWJlC;;;;;;QAIL;QAAO;;;;;;;;;oCAOFG;;;;qCAGCgC,IAAkBA,EAAEH,MAAM,KAAK;;;;oCAIhCjC"}

package/server/authentication/constants/auth-ldap.js ADDED Viewed

@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>
+ * This file is part of Sync-in | The open source file sync and share solution
+ * See the LICENSE file for licensing details
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get ALL_LDAP_ATTRIBUTES () {
+        return ALL_LDAP_ATTRIBUTES;
+    },
+    get LDAP_COMMON_ATTR () {
+        return LDAP_COMMON_ATTR;
+    },
+    get LDAP_LOGIN_ATTR () {
+        return LDAP_LOGIN_ATTR;
+    }
+});
+var LDAP_LOGIN_ATTR = /*#__PURE__*/ function(LDAP_LOGIN_ATTR) {
+    LDAP_LOGIN_ATTR["UID"] = "uid";
+    LDAP_LOGIN_ATTR["SAM"] = "sAMAccountName";
+    LDAP_LOGIN_ATTR["UPN"] = "userPrincipalName";
+    return LDAP_LOGIN_ATTR;
+}({});
+const LDAP_COMMON_ATTR = {
+    MAIL: 'mail',
+    GIVEN_NAME: 'givenName',
+    SN: 'sn',
+    CN: 'cn',
+    DISPLAY_NAME: 'displayName',
+    MEMBER_OF: 'memberOf'
+};
+const ALL_LDAP_ATTRIBUTES = [
+    ...Object.values(LDAP_LOGIN_ATTR),
+    ...Object.values(LDAP_COMMON_ATTR)
+];
+//# sourceMappingURL=auth-ldap.js.map

package/server/authentication/constants/auth-ldap.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../backend/src/authentication/constants/auth-ldap.ts"],"sourcesContent":["/*\n * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>\n * This file is part of Sync-in | The open source file sync and share solution\n * See the LICENSE file for licensing details\n */\n\nexport enum LDAP_LOGIN_ATTR {\n UID = 'uid',\n SAM = 'sAMAccountName',\n UPN = 'userPrincipalName'\n}\n\nexport const LDAP_COMMON_ATTR = {\n MAIL: 'mail',\n GIVEN_NAME: 'givenName',\n SN: 'sn',\n CN: 'cn',\n DISPLAY_NAME: 'displayName',\n MEMBER_OF: 'memberOf'\n} as const\n\nexport const ALL_LDAP_ATTRIBUTES = [...Object.values(LDAP_LOGIN_ATTR), ...Object.values(LDAP_COMMON_ATTR)]\n"],"names":["ALL_LDAP_ATTRIBUTES","LDAP_COMMON_ATTR","LDAP_LOGIN_ATTR","MAIL","GIVEN_NAME","SN","CN","DISPLAY_NAME","MEMBER_OF","Object","values"],"mappings":"AAAA;;;;CAIC;;;;;;;;;;;QAiBYA;eAAAA;;QATAC;eAAAA;;QANDC;eAAAA;;;AAAL,IAAA,AAAKA,yCAAAA;;;;WAAAA;;AAML,MAAMD,mBAAmB;IAC9BE,MAAM;IACNC,YAAY;IACZC,IAAI;IACJC,IAAI;IACJC,cAAc;IACdC,WAAW;AACb;AAEO,MAAMR,sBAAsB;OAAIS,OAAOC,MAAM,CAACR;OAAqBO,OAAOC,MAAM,CAACT;CAAkB"}

package/server/authentication/guards/auth-basic.strategy.js CHANGED Viewed

@@ -33,6 +33,8 @@ function _ts_metadata(k, v) {
 }
 let AuthBasicStrategy = class AuthBasicStrategy extends (0, _passport.PassportStrategy)(_passporthttp.BasicStrategy, 'basic') {
     async validate(req, loginOrEmail, password) {
+        loginOrEmail = loginOrEmail.trim();
+        password = password.trim();
         this.logger.assign({
             user: loginOrEmail
         });

package/server/authentication/guards/auth-basic.strategy.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../../../backend/src/authentication/guards/auth-basic.strategy.ts"],"sourcesContent":["/\n Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>\n * This file is part of Sync-in \| The open source file sync and share solution\n * See the LICENSE file for licensing details\n */\n\nimport { Injectable } from '@nestjs/common'\nimport { AbstractStrategy, PassportStrategy } from '@nestjs/passport'\nimport { instanceToPlain, plainToInstance } from 'class-transformer'\nimport { FastifyRequest } from 'fastify'\nimport { PinoLogger } from 'nestjs-pino'\nimport { BasicStrategy } from 'passport-http'\nimport { SERVER_NAME } from '../../app.constants'\nimport { UserModel } from '../../applications/users/models/user.model'\nimport { Cache } from '../../infrastructure/cache/services/cache.service'\nimport { AUTH_SCOPE } from '../constants/scope'\nimport { AuthMethod } from '../models/auth-method'\n\n@Injectable()\nexport class AuthBasicStrategy extends PassportStrategy(BasicStrategy, 'basic') implements AbstractStrategy {\n private readonly CACHE_TTL = 900\n private readonly CACHE_KEY_PREFIX = 'auth-webdav'\n\n constructor(\n private readonly authMethod: AuthMethod,\n private readonly cache: Cache,\n private readonly logger: PinoLogger\n ) {\n super({ passReqToCallback: true, realm: SERVER_NAME })\n }\n\n async validate(req: FastifyRequest, loginOrEmail: string, password: string): Promise<Omit<UserModel, 'password'> \| null> {\n this.logger.assign({ user: loginOrEmail })\n const authBasicUser = `${this.CACHE_KEY_PREFIX}-${req.headers['authorization'].split(' ').at(-1).toLowerCase()}`\n const userFromCache: any = await this.cache.get(authBasicUser)\n if (userFromCache === null) {\n // not authorized\n return null\n }\n if (userFromCache !== undefined) {\n // cached\n // warning: plainToInstance do not use constructor to instantiate class\n return plainToInstance(UserModel, userFromCache)\n }\n const userFromDB: UserModel = await this.authMethod.validateUser(loginOrEmail, password, req.ip, AUTH_SCOPE.WEBDAV)\n if (userFromDB !== null) {\n userFromDB.removePassword()\n }\n const userToCache: Record<string, any> \| null = userFromDB ? instanceToPlain(userFromDB, { excludePrefixes: ['_'] }) : null\n this.cache.set(authBasicUser, userToCache, this.CACHE_TTL).catch((e: Error) => this.logger.error(`${this.validate.name} - ${e}`))\n return userFromDB\n }\n}\n"],"names":["AuthBasicStrategy","PassportStrategy","BasicStrategy","validate","req","loginOrEmail","password","logger","assign","user","authBasicUser","CACHE_KEY_PREFIX","headers","split","at","toLowerCase","userFromCache","cache","get","undefined","plainToInstance","UserModel","userFromDB","authMethod","validateUser","ip","AUTH_SCOPE","WEBDAV","removePassword","userToCache","instanceToPlain","excludePrefixes","set","CACHE_TTL","catch","e","error","name","passReqToCallback","realm","SERVER_NAME"],"mappings":"AAAA;;;;CAIC;;;;+BAeYA;;;eAAAA;;;wBAbc;0BACwB;kCACF;4BAEtB;8BACG;8BACF;2BACF;8BACJ;uBACK;4BACA;;;;;;;;;;AAGpB,IAAA,AAAMA,oBAAN,MAAMA,0BAA0BC,IAAAA,0BAAgB,EAACC,2BAAa,EAAE;IAYrE,MAAMC,SAASC,GAAmB,EAAEC,YAAoB,EAAEC,QAAgB,EAA+C;~~QACvH~~,IAAI,CAACC,MAAM,CAACC,MAAM,CAAC;YAAEC,~~MAAMJ~~;QAAa;QACxC,~~MAAMK~~,gBAAgB,GAAG,IAAI,CAACC,gBAAgB,CAAC,CAAC,~~EAAEP~~,~~IAAIQ~~,OAAO,CAAC,gBAAgB,CAACC,KAAK,CAAC,KAAKC,EAAE,CAAC,CAAC,GAAGC,WAAW,IAAI;QAChH,MAAMC,gBAAqB,MAAM,IAAI,CAACC,KAAK,CAACC,GAAG,CAACR;QAChD,IAAIM,kBAAkB,MAAM;YAC1B,iBAAiB;YACjB,OAAO;QACT;QACA,IAAIA,kBAAkBG,WAAW;YAC/B,SAAS;YACT,uEAAuE;YACvE,OAAOC,IAAAA,iCAAe,EAACC,oBAAS,EAAEL;QACpC;QACA,MAAMM,aAAwB,MAAM,IAAI,CAACC,UAAU,CAACC,YAAY,~~CAACnB~~,cAAcC,UAAUF,~~IAAIqB~~,EAAE,EAAEC,iBAAU,CAACC,MAAM;QAClH,IAAIL,eAAe,MAAM;YACvBA,WAAWM,cAAc;QAC3B;QACA,MAAMC,cAA0CP,aAAaQ,IAAAA,iCAAe,EAACR,YAAY;YAAES,iBAAiB;gBAAC;aAAI;QAAC,KAAK;QACvH,IAAI,CAACd,KAAK,CAACe,GAAG,CAACtB,eAAemB,aAAa,IAAI,CAACI,SAAS,EAAEC,KAAK,CAAC,CAACC,IAAa,IAAI,CAAC5B,MAAM,CAAC6B,KAAK,CAAC,GAAG,IAAI,~~CAACjC~~,QAAQ,~~CAACkC~~,IAAI,CAAC,GAAG,EAAEF,GAAG;QAC/H,OAAOb;IACT;~~IA5BA~~,YACE,AAAiBC,UAAsB,EACvC,AAAiBN,KAAY,EAC7B,AAAiBV,MAAkB,CACnC;QACA,KAAK,CAAC;YAAE+B,mBAAmB;YAAMC,OAAOC,yBAAW;QAAC,SAJnCjB,aAAAA,iBACAN,QAAAA,YACAV,SAAAA,aANF0B,YAAY,UACZtB,mBAAmB;IAQpC;~~AAuBF~~"}
1	+ {"version":3,"sources":["../../../../backend/src/authentication/guards/auth-basic.strategy.ts"],"sourcesContent":["/\n Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>\n * This file is part of Sync-in \| The open source file sync and share solution\n * See the LICENSE file for licensing details\n */\n\nimport { Injectable } from '@nestjs/common'\nimport { AbstractStrategy, PassportStrategy } from '@nestjs/passport'\nimport { instanceToPlain, plainToInstance } from 'class-transformer'\nimport { FastifyRequest } from 'fastify'\nimport { PinoLogger } from 'nestjs-pino'\nimport { BasicStrategy } from 'passport-http'\nimport { SERVER_NAME } from '../../app.constants'\nimport { UserModel } from '../../applications/users/models/user.model'\nimport { Cache } from '../../infrastructure/cache/services/cache.service'\nimport { AUTH_SCOPE } from '../constants/scope'\nimport { AuthMethod } from '../models/auth-method'\n\n@Injectable()\nexport class AuthBasicStrategy extends PassportStrategy(BasicStrategy, 'basic') implements AbstractStrategy {\n private readonly CACHE_TTL = 900\n private readonly CACHE_KEY_PREFIX = 'auth-webdav'\n\n constructor(\n private readonly authMethod: AuthMethod,\n private readonly cache: Cache,\n private readonly logger: PinoLogger\n ) {\n super({ passReqToCallback: true, realm: SERVER_NAME })\n }\n\n async validate(req: FastifyRequest, loginOrEmail: string, password: string): Promise<Omit<UserModel, 'password'> \| null> {\n loginOrEmail = loginOrEmail.trim()\n password = password.trim()\n this.logger.assign({ user: loginOrEmail })\n const authBasicUser = `${this.CACHE_KEY_PREFIX}-${req.headers['authorization'].split(' ').at(-1).toLowerCase()}`\n const userFromCache: any = await this.cache.get(authBasicUser)\n if (userFromCache === null) {\n // not authorized\n return null\n }\n if (userFromCache !== undefined) {\n // cached\n // warning: plainToInstance do not use constructor to instantiate class\n return plainToInstance(UserModel, userFromCache)\n }\n const userFromDB: UserModel = await this.authMethod.validateUser(loginOrEmail, password, req.ip, AUTH_SCOPE.WEBDAV)\n if (userFromDB !== null) {\n userFromDB.removePassword()\n }\n const userToCache: Record<string, any> \| null = userFromDB ? instanceToPlain(userFromDB, { excludePrefixes: ['_'] }) : null\n this.cache.set(authBasicUser, userToCache, this.CACHE_TTL).catch((e: Error) => this.logger.error(`${this.validate.name} - ${e}`))\n return userFromDB\n }\n}\n"],"names":["AuthBasicStrategy","PassportStrategy","BasicStrategy","validate","req","loginOrEmail","password","trim","logger","assign","user","authBasicUser","CACHE_KEY_PREFIX","headers","split","at","toLowerCase","userFromCache","cache","get","undefined","plainToInstance","UserModel","userFromDB","authMethod","validateUser","ip","AUTH_SCOPE","WEBDAV","removePassword","userToCache","instanceToPlain","excludePrefixes","set","CACHE_TTL","catch","e","error","name","passReqToCallback","realm","SERVER_NAME"],"mappings":"AAAA;;;;CAIC;;;;+BAeYA;;;eAAAA;;;wBAbc;0BACwB;kCACF;4BAEtB;8BACG;8BACF;2BACF;8BACJ;uBACK;4BACA;;;;;;;;;;AAGpB,IAAA,AAAMA,oBAAN,MAAMA,0BAA0BC,IAAAA,0BAAgB,EAACC,2BAAa,EAAE;IAYrE,MAAMC,SAASC,GAAmB,EAAEC,YAAoB,EAAEC,QAAgB,EAA+C;QACvHD,eAAeA,aAAaE,IAAI;QAChCD,WAAWA,SAASC,IAAI;QACxB,IAAI,CAACC,MAAM,CAACC,MAAM,CAAC;YAAEC,MAAML;QAAa;QACxC,MAAMM,gBAAgB,GAAG,IAAI,CAACC,gBAAgB,CAAC,CAAC,EAAER,IAAIS,OAAO,CAAC,gBAAgB,CAACC,KAAK,CAAC,KAAKC,EAAE,CAAC,CAAC,GAAGC,WAAW,IAAI;QAChH,MAAMC,gBAAqB,MAAM,IAAI,CAACC,KAAK,CAACC,GAAG,CAACR;QAChD,IAAIM,kBAAkB,MAAM;YAC1B,iBAAiB;YACjB,OAAO;QACT;QACA,IAAIA,kBAAkBG,WAAW;YAC/B,SAAS;YACT,uEAAuE;YACvE,OAAOC,IAAAA,iCAAe,EAACC,oBAAS,EAAEL;QACpC;QACA,MAAMM,aAAwB,MAAM,IAAI,CAACC,UAAU,CAACC,YAAY,CAACpB,cAAcC,UAAUF,IAAIsB,EAAE,EAAEC,iBAAU,CAACC,MAAM;QAClH,IAAIL,eAAe,MAAM;YACvBA,WAAWM,cAAc;QAC3B;QACA,MAAMC,cAA0CP,aAAaQ,IAAAA,iCAAe,EAACR,YAAY;YAAES,iBAAiB;gBAAC;aAAI;QAAC,KAAK;QACvH,IAAI,CAACd,KAAK,CAACe,GAAG,CAACtB,eAAemB,aAAa,IAAI,CAACI,SAAS,EAAEC,KAAK,CAAC,CAACC,IAAa,IAAI,CAAC5B,MAAM,CAAC6B,KAAK,CAAC,GAAG,IAAI,CAAClC,QAAQ,CAACmC,IAAI,CAAC,GAAG,EAAEF,GAAG;QAC/H,OAAOb;IACT;IA9BA,YACE,AAAiBC,UAAsB,EACvC,AAAiBN,KAAY,EAC7B,AAAiBV,MAAkB,CACnC;QACA,KAAK,CAAC;YAAE+B,mBAAmB;YAAMC,OAAOC,yBAAW;QAAC,SAJnCjB,aAAAA,iBACAN,QAAAA,YACAV,SAAAA,aANF0B,YAAY,UACZtB,mBAAmB;IAQpC;AAyBF"}

package/server/authentication/guards/auth-local.strategy.js CHANGED Viewed

@@ -28,6 +28,8 @@ function _ts_metadata(k, v) {
 }
 let AuthLocalStrategy = class AuthLocalStrategy extends (0, _passport.PassportStrategy)(_passportlocal.Strategy, 'local') {
     async validate(req, loginOrEmail, password) {
+        loginOrEmail = loginOrEmail.trim();
+        password = password.trim();
         this.logger.assign({
             user: loginOrEmail
         });

package/server/authentication/guards/auth-local.strategy.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../../../backend/src/authentication/guards/auth-local.strategy.ts"],"sourcesContent":["/\n Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>\n * This file is part of Sync-in \| The open source file sync and share solution\n * See the LICENSE file for licensing details\n */\n\nimport { Injectable, UnauthorizedException } from '@nestjs/common'\nimport { ~~PassportStrategy~~, ~~AbstractStrategy~~ } from '@nestjs/passport'\nimport type { FastifyRequest } from 'fastify'\nimport { PinoLogger } from 'nestjs-pino'\nimport { Strategy } from 'passport-local'\nimport type { UserModel } from '../../applications/users/models/user.model'\nimport { AuthMethod } from '../models/auth-method'\n\n@Injectable()\nexport class AuthLocalStrategy extends PassportStrategy(Strategy, 'local') implements AbstractStrategy {\n constructor(\n private readonly authMethod: AuthMethod,\n private readonly logger: PinoLogger\n ) {\n super({ usernameField: 'login', passwordField: 'password', passReqToCallback: true })\n }\n\n async validate(req: FastifyRequest, loginOrEmail: string, password: string): Promise<UserModel> {\n this.logger.assign({ user: loginOrEmail })\n const user: UserModel = await this.authMethod.validateUser(loginOrEmail, password, req.ip)\n if (user) {\n user.removePassword()\n return user\n }\n throw new UnauthorizedException('Wrong login or password')\n }\n}\n"],"names":["AuthLocalStrategy","PassportStrategy","Strategy","validate","req","loginOrEmail","password","logger","assign","user","authMethod","validateUser","ip","removePassword","UnauthorizedException","usernameField","passwordField","passReqToCallback"],"mappings":"AAAA;;;;CAIC;;;;+BAWYA;;;eAAAA;;;wBATqC;0BACC;4BAExB;+BACF;4BAEE;;;;;;;;;;AAGpB,IAAA,AAAMA,oBAAN,MAAMA,0BAA0BC,IAAAA,0BAAgB,EAACC,uBAAQ,EAAE;IAQhE,MAAMC,SAASC,GAAmB,EAAEC,YAAoB,EAAEC,QAAgB,EAAsB;~~QAC9F~~,IAAI,CAACC,MAAM,CAACC,MAAM,CAAC;YAAEC,~~MAAMJ~~;QAAa;QACxC,~~MAAMI~~,OAAkB,MAAM,IAAI,CAACC,UAAU,CAACC,YAAY,~~CAACN~~,cAAcC,UAAUF,~~IAAIQ~~,EAAE;QACzF,IAAIH,MAAM;YACRA,KAAKI,cAAc;YACnB,OAAOJ;QACT;QACA,MAAM,IAAIK,6BAAqB,CAAC;IAClC;~~IAfA~~,YACE,AAAiBJ,UAAsB,EACvC,AAAiBH,MAAkB,CACnC;QACA,KAAK,CAAC;YAAEQ,eAAe;YAASC,eAAe;YAAYC,mBAAmB;QAAK,SAHlEP,aAAAA,iBACAH,SAAAA;IAGnB;~~AAWF~~"}
1	+ {"version":3,"sources":["../../../../backend/src/authentication/guards/auth-local.strategy.ts"],"sourcesContent":["/\n Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>\n * This file is part of Sync-in \| The open source file sync and share solution\n * See the LICENSE file for licensing details\n */\n\nimport { Injectable, UnauthorizedException } from '@nestjs/common'\nimport { AbstractStrategy, PassportStrategy } from '@nestjs/passport'\nimport type { FastifyRequest } from 'fastify'\nimport { PinoLogger } from 'nestjs-pino'\nimport { Strategy } from 'passport-local'\nimport type { UserModel } from '../../applications/users/models/user.model'\nimport { AuthMethod } from '../models/auth-method'\n\n@Injectable()\nexport class AuthLocalStrategy extends PassportStrategy(Strategy, 'local') implements AbstractStrategy {\n constructor(\n private readonly authMethod: AuthMethod,\n private readonly logger: PinoLogger\n ) {\n super({ usernameField: 'login', passwordField: 'password', passReqToCallback: true })\n }\n\n async validate(req: FastifyRequest, loginOrEmail: string, password: string): Promise<UserModel> {\n loginOrEmail = loginOrEmail.trim()\n password = password.trim()\n this.logger.assign({ user: loginOrEmail })\n const user: UserModel = await this.authMethod.validateUser(loginOrEmail, password, req.ip)\n if (user) {\n user.removePassword()\n return user\n }\n throw new UnauthorizedException('Wrong login or password')\n }\n}\n"],"names":["AuthLocalStrategy","PassportStrategy","Strategy","validate","req","loginOrEmail","password","trim","logger","assign","user","authMethod","validateUser","ip","removePassword","UnauthorizedException","usernameField","passwordField","passReqToCallback"],"mappings":"AAAA;;;;CAIC;;;;+BAWYA;;;eAAAA;;;wBATqC;0BACC;4BAExB;+BACF;4BAEE;;;;;;;;;;AAGpB,IAAA,AAAMA,oBAAN,MAAMA,0BAA0BC,IAAAA,0BAAgB,EAACC,uBAAQ,EAAE;IAQhE,MAAMC,SAASC,GAAmB,EAAEC,YAAoB,EAAEC,QAAgB,EAAsB;QAC9FD,eAAeA,aAAaE,IAAI;QAChCD,WAAWA,SAASC,IAAI;QACxB,IAAI,CAACC,MAAM,CAACC,MAAM,CAAC;YAAEC,MAAML;QAAa;QACxC,MAAMK,OAAkB,MAAM,IAAI,CAACC,UAAU,CAACC,YAAY,CAACP,cAAcC,UAAUF,IAAIS,EAAE;QACzF,IAAIH,MAAM;YACRA,KAAKI,cAAc;YACnB,OAAOJ;QACT;QACA,MAAM,IAAIK,6BAAqB,CAAC;IAClC;IAjBA,YACE,AAAiBJ,UAAsB,EACvC,AAAiBH,MAAkB,CACnC;QACA,KAAK,CAAC;YAAEQ,eAAe;YAASC,eAAe;YAAYC,mBAAmB;QAAK,SAHlEP,aAAAA,iBACAH,SAAAA;IAGnB;AAaF"}

package/server/authentication/services/auth-methods/auth-method-ldap.service.js CHANGED Viewed

@@ -20,6 +20,7 @@ const _adminusersmanagerservice = require("../../../applications/users/services/
 const _usersmanagerservice = require("../../../applications/users/services/users-manager.service");
 const _functions = require("../../../common/functions");
 const _configenvironment = require("../../../configuration/config.environment");
+const _authldap = require("../../constants/auth-ldap");
 function _ts_decorate(decorators, target, key, desc) {
     var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
     if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -29,31 +30,9 @@ function _ts_decorate(decorators, target, key, desc) {
 function _ts_metadata(k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 }
-const LDAP_ATTRIBUTES = {
-    AD: {
-        SAM_ACCOUNT: 'sAMAccountName',
-        USER_NAME: 'userPrincipalName'
-    },
-    LDAP: {
-        UID: 'uid'
-    },
-    COMMON: {
-        MAIL: 'mail',
-        GIVEN_NAME: 'givenName',
-        SN: 'sn',
-        CN: 'cn',
-        DISPLAY_NAME: 'displayName'
-    }
-};
-const ALL_ATTRIBUTES = [
-    ...Object.values(LDAP_ATTRIBUTES.COMMON),
-    ...Object.values(LDAP_ATTRIBUTES.LDAP),
-    ...Object.values(LDAP_ATTRIBUTES.AD)
-];
 let AuthMethodLdapService = class AuthMethodLdapService {
     async validateUser(login, password, ip, scope) {
-        login = this.getUserLogin(login);
-        let user = await this.usersManager.findUser(login, false);
+        let user = await this.usersManager.findUser(this.dbLogin(login), false);
         if (user) {
             if (user.isGuest) {
                 // allow guests to be authenticated from db and check if the current user is defined as active
@@ -80,9 +59,9 @@ let AuthMethodLdapService = class AuthMethodLdapService {
                 }
             }
             return null;
-        } else if (!entry[_configenvironment.configuration.auth.ldap.attributes.login] || !entry[_configenvironment.configuration.auth.ldap.attributes.email]) {
+        } else if (!entry[this.ldapConfig.attributes.login] || !entry[this.ldapConfig.attributes.email]) {
             this.logger.error(`${this.validateUser.name} - required ldap fields are missing :
-      [${_configenvironment.configuration.auth.ldap.attributes.login}, ${_configenvironment.configuration.auth.ldap.attributes.email}] =>
+      [${this.ldapConfig.attributes.login}, ${this.ldapConfig.attributes.email}] =>
       (${JSON.stringify(entry)})`);
             return null;
         }
@@ -91,30 +70,31 @@ let AuthMethodLdapService = class AuthMethodLdapService {
         this.usersManager.updateAccesses(user, ip, true).catch((e)=>this.logger.error(`${this.validateUser.name} : ${e}`));
         return user;
     }
-    async checkAuth(uid, password) {
-        const servers = _configenvironment.configuration.auth.ldap.servers;
-        const loginAttr = _configenvironment.configuration.auth.ldap.attributes.login;
-        const baseDN = _configenvironment.configuration.auth.ldap.baseDN;
-        const bindUserDN = Object.values(LDAP_ATTRIBUTES.AD).indexOf(loginAttr) > -1 ? loginAttr : `${loginAttr}=${uid},${baseDN}`;
+    async checkAuth(login, password) {
+        const ldapLogin = this.buildLdapLogin(login);
+        const isAD = this.ldapConfig.attributes.login === _authldap.LDAP_LOGIN_ATTR.SAM || this.ldapConfig.attributes.login === _authldap.LDAP_LOGIN_ATTR.UPN;
+        // AD: bind directly with the user input (UPN or DOMAIN\user)
+        // Generic LDAP: build DN from login attribute + baseDN
+        const bindUserDN = isAD ? ldapLogin : `${this.ldapConfig.attributes.login}=${ldapLogin},${this.ldapConfig.baseDN}`;
         let client;
         let error;
-        for (const s of servers){
+        for (const s of this.ldapConfig.servers){
             client = new _ldapts.Client({
                 ...this.clientOptions,
                 url: s
             });
             try {
                 await client.bind(bindUserDN, password);
-                return await this.checkAccess(client, uid);
+                return await this.checkAccess(ldapLogin, client);
             } catch (e) {
                 if (e.errors?.length) {
                     for (const err of e.errors){
-                        this.logger.warn(`${this.checkAuth.name} - ${uid} : ${err}`);
+                        this.logger.warn(`${this.checkAuth.name} - ${ldapLogin} : ${err}`);
                         error = err;
                     }
                 } else {
                     error = e;
-                    this.logger.warn(`${this.checkAuth.name} - ${uid} : ${e}`);
+                    this.logger.warn(`${this.checkAuth.name} - ${ldapLogin} : ${e}`);
                 }
                 if (error instanceof _ldapts.InvalidCredentialsError) {
                     return false;
@@ -128,80 +108,106 @@ let AuthMethodLdapService = class AuthMethodLdapService {
         }
         return false;
     }
-    async checkAccess(client, uid) {
-        const searchFilter = `(&(${_configenvironment.configuration.auth.ldap.attributes.login}=${uid})${_configenvironment.configuration.auth.ldap.filter || ''})`;
+    async checkAccess(login, client) {
+        const searchFilter = this.buildUserFilter(login, this.ldapConfig.filter);
         try {
-            const { searchEntries } = await client.search(_configenvironment.configuration.auth.ldap.baseDN, {
+            const { searchEntries } = await client.search(this.ldapConfig.baseDN, {
                 scope: 'sub',
                 filter: searchFilter,
-                attributes: ALL_ATTRIBUTES
+                attributes: _authldap.ALL_LDAP_ATTRIBUTES
             });
-            for (const entry of searchEntries){
-                if (entry[_configenvironment.configuration.auth.ldap.attributes.login] === uid) {
-                    return this.convertToLdapUserEntry(entry);
-                }
+            if (searchEntries.length === 0) {
+                this.logger.debug(`${this.checkAccess.name} - search filter : ${searchFilter}`);
+                this.logger.warn(`${this.checkAccess.name} - no LDAP entry found for : ${login}`);
+                return false;
             }
-            this.logger.warn(`${this.checkAuth.name} - unable to find user id : ${uid}`);
-            return false;
+            if (searchEntries.length > 1) {
+                this.logger.warn(`${this.checkAccess.name} - multiple LDAP entries found for : ${login}, using first one`);
+            }
+            // Always return the first valid entry
+            return this.convertToLdapUserEntry(searchEntries[0]);
         } catch (e) {
-            this.logger.error(`${this.checkAccess.name} - ${uid} : ${e}`);
+            this.logger.debug(`${this.checkAccess.name} - search filter : ${searchFilter}`);
+            this.logger.error(`${this.checkAccess.name} - ${login} : ${e}`);
             return false;
         }
     }
     async updateOrCreateUser(identity, user) {
         if (user === null) {
-            return this.adminUsersManager.createUserOrGuest(identity, _user.USER_ROLE.USER);
-        } else {
-            if (identity.login !== user.login) {
-                this.logger.error(`${this.updateOrCreateUser.name} - user id mismatch : ${identity.login} !== ${user.login}`);
-                throw new _common.HttpException('Account matching error', _common.HttpStatus.FORBIDDEN);
+            // create
+            const createdUser = await this.adminUsersManager.createUserOrGuest(identity, identity.role);
+            const freshUser = await this.usersManager.fromUserId(createdUser.id);
+            if (!freshUser) {
+                this.logger.error(`${this.updateOrCreateUser.name} - user was not found : ${createdUser.login} (${createdUser.id})`);
+                throw new _common.HttpException('User not found', _common.HttpStatus.NOT_FOUND);
             }
-            // check if user information has changed
-            const identityHasChanged = Object.fromEntries((await Promise.all(Object.keys(identity).map(async (key)=>{
-                if (key === 'password') {
-                    const isSame = await (0, _functions.comparePassword)(identity[key], user.password);
-                    return isSame ? null : [
-                        key,
-                        identity[key]
-                    ];
-                }
-                return identity[key] !== user[key] ? [
+            return freshUser;
+        }
+        if (identity.login !== user.login) {
+            this.logger.error(`${this.updateOrCreateUser.name} - user login mismatch : ${identity.login} !== ${user.login}`);
+            throw new _common.HttpException('Account matching error', _common.HttpStatus.FORBIDDEN);
+        }
+        // update: check if user information has changed
+        const identityHasChanged = Object.fromEntries((await Promise.all(Object.keys(identity).map(async (key)=>{
+            if (key === 'password') {
+                const isSame = await (0, _functions.comparePassword)(identity[key], user.password);
+                return isSame ? null : [
                     key,
                     identity[key]
-                ] : null;
-            }))).filter(Boolean));
-            if (Object.keys(identityHasChanged).length > 0) {
-                try {
-                    await this.adminUsersManager.updateUserOrGuest(user.id, identityHasChanged);
-                    if (identityHasChanged?.password) {
-                        delete identityHasChanged.password;
-                    }
-                    Object.assign(user, identityHasChanged);
-                    if ('lastName' in identityHasChanged || 'firstName' in identityHasChanged) {
-                        // force fullName update
-                        user.setFullName(true);
+                ];
+            }
+            return identity[key] !== user[key] ? [
+                key,
+                identity[key]
+            ] : null;
+        }))).filter(Boolean));
+        if (Object.keys(identityHasChanged).length > 0) {
+            try {
+                if (identityHasChanged?.role != null) {
+                    if (user.role === _user.USER_ROLE.ADMINISTRATOR && !this.ldapConfig.adminGroup) {
+                        // Prevent removing admin role when adminGroup was removed or not defined
+                        delete identityHasChanged.role;
                     }
-                } catch (e) {
-                    this.logger.warn(`${this.updateOrCreateUser.name} - unable to update user *${user.login}* : ${e}`);
                 }
+                // Update user properties
+                await this.adminUsersManager.updateUserOrGuest(user.id, identityHasChanged);
+                // Extra stuff
+                if (identityHasChanged?.password) {
+                    delete identityHasChanged.password;
+                }
+                Object.assign(user, identityHasChanged);
+                if ('lastName' in identityHasChanged || 'firstName' in identityHasChanged) {
+                    // force fullName update in current user model
+                    user.setFullName(true);
+                }
+            } catch (e) {
+                this.logger.warn(`${this.updateOrCreateUser.name} - unable to update user *${user.login}* : ${e}`);
             }
-            await user.makePaths();
-            return user;
         }
+        return user;
     }
     convertToLdapUserEntry(entry) {
-        for (const attr of ALL_ATTRIBUTES){
+        for (const attr of _authldap.ALL_LDAP_ATTRIBUTES){
+            if (attr === _authldap.LDAP_COMMON_ATTR.MEMBER_OF && entry[attr]) {
+                entry[attr] = (Array.isArray(entry[attr]) ? entry[attr] : entry[attr] ? [
+                    entry[attr]
+                ] : []).filter((v)=>typeof v === 'string').map((v)=>v.match(/cn\s*=\s*([^,]+)/i)?.[1]?.trim()).filter(Boolean);
+                continue;
+            }
             if (Array.isArray(entry[attr])) {
+                // Keep only the first value for all other attributes (e.g., email)
                 entry[attr] = entry[attr].length > 0 ? entry[attr][0] : null;
             }
         }
         return entry;
     }
     createIdentity(entry, password) {
+        const isAdmin = typeof this.ldapConfig.adminGroup === 'string' && this.ldapConfig.adminGroup && entry[_authldap.LDAP_COMMON_ATTR.MEMBER_OF]?.includes(this.ldapConfig.adminGroup);
         return {
-            login: this.getUserLogin(entry[_configenvironment.configuration.auth.ldap.attributes.login]),
-            email: entry[_configenvironment.configuration.auth.ldap.attributes.email],
+            login: this.dbLogin(entry[this.ldapConfig.attributes.login]),
+            email: entry[this.ldapConfig.attributes.email],
             password: password,
+            role: isAdmin ? _user.USER_ROLE.ADMINISTRATOR : _user.USER_ROLE.USER,
             ...this.getFirstNameAndLastName(entry)
         };
     }
@@ -227,18 +233,67 @@ let AuthMethodLdapService = class AuthMethodLdapService {
             lastName: ''
         };
     }
-    getUserLogin(login) {
-        if (_configenvironment.configuration.auth.ldap.attributes.login === LDAP_ATTRIBUTES.AD.USER_NAME) {
+    dbLogin(login) {
+        if (login.includes('@')) {
             return login.split('@')[0];
-        } else if (_configenvironment.configuration.auth.ldap.attributes.login === LDAP_ATTRIBUTES.AD.SAM_ACCOUNT) {
-            return login.split('\\')[0];
+        } else if (login.includes('\\')) {
+            return login.split('\\').slice(-1)[0];
         }
         return login;
     }
+    buildLdapLogin(login) {
+        if (this.ldapConfig.attributes.login === _authldap.LDAP_LOGIN_ATTR.UPN) {
+            if (this.ldapConfig.upnSuffix && !login.includes('@')) {
+                return `${login}@${this.ldapConfig.upnSuffix}`;
+            }
+        } else if (this.ldapConfig.attributes.login === _authldap.LDAP_LOGIN_ATTR.SAM) {
+            if (this.ldapConfig.netbiosName && !login.includes('\\')) {
+                return `${this.ldapConfig.netbiosName}\\${login}`;
+            }
+        }
+        return login;
+    }
+    buildUserFilter(login, extraFilter) {
+        // Build a safe LDAP filter to search for a user.
+        // Important: - Values passed to EqualityFilter are auto-escaped by ldapts
+        //            - extraFilter is appended as-is (assumed trusted configuration)
+        // Output: (&(|(userPrincipalName=john.doe@sync-in.com)(sAMAccountName=john.doe)(uid=john.doe))(*extraFilter*))
+        // Handle the case where the sAMAccountName is provided in domain-qualified format (e.g., SYNC_IN\\user)
+        // Note: sAMAccountName is always stored without the domain in Active Directory.
+        const uid = this.dbLogin(login);
+        const or = new _ldapts.OrFilter({
+            filters: [
+                new _ldapts.EqualityFilter({
+                    attribute: _authldap.LDAP_LOGIN_ATTR.UPN,
+                    value: login
+                }),
+                new _ldapts.EqualityFilter({
+                    attribute: _authldap.LDAP_LOGIN_ATTR.SAM,
+                    value: uid
+                }),
+                new _ldapts.EqualityFilter({
+                    attribute: _authldap.LDAP_LOGIN_ATTR.UID,
+                    value: uid
+                })
+            ]
+        });
+        // Convert to LDAP filter string
+        let filterString = new _ldapts.AndFilter({
+            filters: [
+                or
+            ]
+        }).toString();
+        // Optionally append an extra filter from config (trusted source)
+        if (extraFilter && extraFilter.trim()) {
+            filterString = `(&${filterString}${extraFilter})`;
+        }
+        return filterString;
+    }
     constructor(usersManager, adminUsersManager){
         this.usersManager = usersManager;
         this.adminUsersManager = adminUsersManager;
         this.logger = new _common.Logger(AuthMethodLdapService.name);
+        this.ldapConfig = _configenvironment.configuration.auth.ldap;
         this.clientOptions = {
             timeout: 6000,
             connectTimeout: 6000,