ep_oauth 11.0.11 → 11.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,14 +1,25 @@
1
- ![Publish Status](https://github.com/ether/ep_oauth/workflows/Node.js%20Package/badge.svg) [![Backend Tests Status](https://github.com/ether/ep_oauth/actions/workflows/test-and-release.yml/badge.svg)](https://github.com/ether/ep_oauth/actions/workflows/test-and-release.yml)
1
+ # ep_oauth
2
+
3
+ OAuth2 authentication for Etherpad via GitHub.
4
+
5
+ ## Install
2
6
 
3
- Example config to be placed in settings.json
4
7
  ```
5
- "ep_oauth":{
6
- "clientID": "9829038409234fuckingnumbersandl1e1tt1er1s111yo",
7
- "clientSecret": "herpderp22",
8
- "callbackURL": "http://etherpoop.com:9001/auth/callback"
9
- }
8
+ pnpm run plugins i ep_oauth
10
9
  ```
11
10
 
12
- Note that we currently only support Github, we need better logic for events to fire after succesful Auth IE what user data to grab
11
+ ## Settings
12
+
13
+ Add to your `settings.json`:
14
+
15
+ ```json
16
+ "ep_oauth": {
17
+ "clientID": "your_github_client_id",
18
+ "clientSecret": "your_github_client_secret",
19
+ "callbackURL": "https://your-etherpad.example.com/auth/callback"
20
+ }
21
+ ```
13
22
 
23
+ ## License
14
24
 
25
+ Apache-2.0
package/auth.js CHANGED
@@ -93,15 +93,13 @@ exports.expressConfigure = (hookName, args, cb) => {
93
93
  // FIRST STEP
94
94
  exports.authorize = (hookName, args, cb) => {
95
95
  // Never lands here for url /auth/callback
96
- if (args.req.url.indexOf('/auth') === 0) return cb.true;
96
+ if (args.req.url.indexOf('/auth') === 0) return cb([true]);
97
97
 
98
- let userIsAuthedAlready = false;
99
98
  console.debug(`Database lookup -> oauth:${args.req.sessionID}`);
100
99
  db.get(`oauth:${args.req.sessionID}`, (k, user) => {
101
100
  console.debug(`Oauth session found ->${args.req.sessionID}`, 'has user data of ', user);
102
- if (user) userIsAuthedAlready = true;
101
+ return cb([!!user]);
103
102
  });
104
- return cb([userIsAuthedAlready]);
105
103
  };
106
104
 
107
105
  // SECOND STEP
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "ep_oauth",
3
3
  "description": "Oauth2 authentication for Etherpad",
4
- "version": "11.0.11",
4
+ "version": "11.0.13",
5
5
  "author": {
6
6
  "name": "John McLear",
7
7
  "email": "john@mclear.co.uk",
@@ -0,0 +1,38 @@
1
+ 'use strict';
2
+
3
+ import {strict as assert} from 'assert';
4
+ import {init} from 'ep_etherpad-lite/tests/backend/common';
5
+ import {generateJWTToken} from 'ep_etherpad-lite/tests/backend/common';
6
+
7
+ let agent: any;
8
+
9
+ describe('ep_oauth authorize hook', () => {
10
+ before(async () => {
11
+ agent = await init();
12
+ });
13
+
14
+ it('allows access to /auth paths without authentication', async () => {
15
+ // The authorize hook should return true for /auth/* paths,
16
+ // allowing the OAuth flow to proceed without prior auth.
17
+ // We test this by verifying the server doesn't reject /auth/callback
18
+ // with a 401 (it will 302 or handle it via the OAuth flow).
19
+ const res = await agent
20
+ .get('/auth/callback')
21
+ .set('Authorization', await generateJWTToken())
22
+ .redirects(0);
23
+ // Should not be 401 (unauthorized) — the authorize hook allows /auth paths
24
+ assert.notStrictEqual(res.status, 401);
25
+ });
26
+
27
+ it('rejects unauthenticated requests to pad paths', async () => {
28
+ // Without an OAuth session, accessing a pad should not be authorized.
29
+ // The exact behavior depends on etherpad config, but we verify the
30
+ // authorize hook is being called (server doesn't crash).
31
+ const res = await agent
32
+ .get('/p/test-oauth-pad')
33
+ .redirects(0);
34
+ // Should get some response (redirect to auth, or 200/302) but not crash
35
+ assert.ok([200, 302, 401, 403].includes(res.status),
36
+ `Expected 200/302/401/403, got ${res.status}`);
37
+ });
38
+ });