wiki-security-passportjs 0.12.0 → 0.14.0

package/client/security.js

@@ -53,7 +53,7 @@ update_footer = function(ownerName, isAuthenticated) {
   // we update the owner and the login state in the footer, and
   // populate the security dialog
   if (ownerName) {
-    $('footer > #site-owner').html(`Site Owned by: <span id='site-owner' style='text-transform:capitalize;'>${ownerName}</span>`);
+    $('footer > #site-owner').html(`Wiki by: <span id='site-owner'>${ownerName}</span>`);
   }
   $('footer > #security').empty();
   if (isAuthenticated) {

package/docs/config-login-to-view.md

@@ -0,0 +1,63 @@
+# Federated Wiki - Security Plug-in: Passport
+## (Configuring "Login to View")
+
+Before attempting to configure Login to View, make sure you have already taken the steps to configure your identity provider as explained [earlier in the documentation](./configuration.md)
+
+Where you put your configuration for the Login to View system depends on which sites on your farm you want to be restricted.  If you want the whole farm to be restricted then you would add the key-value pairs into the top level of your wiki's `config.json`. If you only want to restrict specific sites on your farm, then you need to restrict them individually within a wikiDomains section of your config.
+
+The properties we need to add for Login to View are: `restricted`, `details`, and either `allowed_domains` (Google) or `allowed_ids`  (GitHub, Twitter, OAuth2) depending on your identity provider. When using Google auth, `allowed_domains` allows you to specify which domains your user's emails are allowed to be from. Only users with email domains included in this array will be allowed to view the restricted sites. When using GitHub, Twitter, or OAuth2, `allowed_ids` allows you to specify an array of user IDs that are allowed to view the restricted sites. If you set `allowed_ids` equal to `[*]` then any user in your identity provider's system will be allowed to view the restricted sites.
+
+**Examples:**
+
+If your identity provider is **Google**:
+```json
+{
+  "admin": {"google":"105396921212328672315"},
+  "farm": true,
+  "cookieSecret": "0ebf86563b4sdfsdfcc8788e666702",
+  "secure_cookie": true,
+  "security_type": "passportjs",
+  "security_useHttps": true,
+  "allowed": "*",
+  "wikiDomains": {
+    "private.example.com": {
+      "admin": {"google":"105396921212328672315"},
+      "google_clientID": "10030fghfgh7443-gcemshdl37j67mgpm99eu5dh43li5vrs.apps.googleusercontent.com",
+      "google_clientSecret": "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",
+      "restricted": true,
+      "details": "http://path.ward.asia.wiki.org/login-to-view.html",
+      "allowed_domains": [
+        "example1.com",
+        "example2.com"
+      ]
+    }
+  }
+}
+```
+
+If your identity provider is **GitHub**, **Twitter**, or generic **OAuth2**:
+```json
+{
+    "admin": {"oauth2": "admin"},
+    "farm": true,
+    "cookieSecret": "FDpmzFT2FQZsdfsdfFr4WwZFGuwuVSQ",
+    "secure_cookie": true,
+    "security_type": "passportjs",
+    "security_useHttps": true,
+    "allowed": "*",
+    "wikiDomains": {
+      "wiki.example.com": {
+        "oauth2_DisplayNameField": "token.preferred_username",
+        "oauth2_IdField": "token.preferred_username",
+        "oauth2_clientID": "wiki",
+        "oauth2_clientSecret": "3Df5D3jNfsdfsdfsdfNvc08iJOL3uSCg",
+        "oauth2_AuthorizationURL": "https://auth.example.com/realms/wiki-cafe-test-server/protocol/openid-connect/auth",
+        "oauth2_TokenURL": "https://auth.example.com/realms/wiki-cafe-test-server/protocol/openid-connect/token",
+        "oauth2_UsernameField": "token.preferred_username",
+        "restricted": true,
+        "details": "http://path.ward.asia.wiki.org/login-to-view.html",
+        "allowed_ids": ["*"]
+      }
+    }
+  }
+  ```

package/docs/configuration.md

@@ -18,3 +18,6 @@ See, depending on which identity provider you choose to use:
 * [Google](./config-google.md)
 * [Twitter](./config-twitter.md)
 * [Generic OAuth](./config-oauth2.md)
+
+With all of the providers above you are also able to configure sites on your farm to be [Login to View](http://ward.asia.wiki.org/login-to-view.html). This means only specified visitors are allowed to view the site's content, rather than it being public on the web. The following page explains how to configure the login-to-view system:
+* [Configure Login to View](./config-login-to-view.md)

package/package.json

@@ -1,12 +1,13 @@
 {
   "name": "wiki-security-passportjs",
-  "version": "0.12.0",
+  "version": "0.14.0",
   "description": "Security plugin for Federated Wiki, using passport.js",
   "author": "Paul Rodwell <paul.rodwell@btinternet.com> (http://rodwell.me)",
   "license": "MIT",
   "dependencies": {
     "@passport-js/passport-twitter": "^1.0.8",
     "coffeescript": "^2.4.1",
+    "express-handlebars": "^9.0.1",
     "jwt-decode": "^4.0.0",
     "lodash": "^4.17.19",
     "passport": "^0.3.2",

package/server/social.coffee

@@ -20,6 +20,8 @@ _ = require 'lodash'
 
 passport = require('passport')
 
+{ create } = require('express-handlebars')
+
 # Export a function that generates security handler
 # when called with options object.
 module.exports = exports = (log, loga, argv) ->
@@ -64,7 +66,11 @@ module.exports = exports = (log, loga, argv) ->
       if exists
         fs.readFile(idFile, (err, data) ->
           if err then return cb err
-          owner = JSON.parse(data)
+          try
+            owner = JSON.parse(data)
+          catch error
+            console.error "Error parsing owner file #{idFile}", error.message
+            owner = { name: 'unparsable' }
           cb())
       else
         owner = ''
@@ -150,6 +156,10 @@ module.exports = exports = (log, loga, argv) ->
 
   security.defineRoutes = (app, cors, updateOwner) ->
 
+    hbs = create({
+      extname: '.html'
+      layoutsDir: path.join(__dirname, '..', 'views')
+      defaultLayout: 'securityDialog'})
     passport.serializeUser = (user, req, done) ->
       done(null, user)
 
@@ -366,7 +376,7 @@ module.exports = exports = (log, loga, argv) ->
         loginText: "Sign in to"
         schemes: schemeButtons
       }
-      res.render(path.join(__dirname, '..', 'views', 'securityDialog.html'), info)
+      hbs.render(path.join(__dirname, '..', 'views', 'securityDialog.html'), info).then((rendered) => res.send(rendered))
 
     app.get '/auth/loginDone', (req, res) ->
       cookies = req.cookies
@@ -384,7 +394,7 @@ module.exports = exports = (log, loga, argv) ->
         owner: getOwner
         authMessage: "You are now logged in<br>If this window hasn't closed, you can close it."
       }
-      res.render(path.join(__dirname, '..', 'views', 'done.html'), info)
+      hbs.render(path.join(__dirname, '..', 'views', 'done.html'), info).then((rendered) => res.send(rendered))
 
 
     # if configured, enforce restricted access to json
@@ -418,7 +428,7 @@ module.exports = exports = (log, loga, argv) ->
               console.log "argv.allowed_ids exists, but there was an error. Make sure it's value is an array in your config."
         false
 
-      app.all '*', (req, res, next) ->
+      app.all '*splat', (req, res, next) ->
         # don't protect site flag,
         return next() if req.url is '/favicon.png'
         return next() unless /\.(json|html)$/.test req.url
@@ -475,7 +485,7 @@ module.exports = exports = (log, loga, argv) ->
           title: "Federated Wiki: Add Alternative Authentication Scheme"
           schemes: schemeButtons
         }
-        res.render(path.join(__dirname, '..', 'views', 'addAlternativeDialog.html'), info)
+        hbs.render(path.join(__dirname, '..', 'views', 'addAlternativeDialog.html'), info).then((rendered) => res.send(rendered))
 
       else
         # user is not authenticated