From 3a2db34111d60c35c7cd4a01489e8132837f43a8 Mon Sep 17 00:00:00 2001
From: Thomas Kaul <4159106+dtslvr@users.noreply.github.com>
Date: Sun, 7 Dec 2025 09:47:21 +0100
Subject: [PATCH] Refactoring
---
apps/api/src/app/auth/auth.module.ts | 11 ++++++-----
apps/api/src/app/auth/oidc-state.store.ts | 2 +-
.../services/configuration/configuration.service.ts | 12 +++++++++---
.../src/services/interfaces/environment.interface.ts | 6 +++---
.../login-with-access-token-dialog.html | 2 +-
.../20251103162035_add_oidc_provider/migration.sql | 7 -------
.../migration.sql | 3 +++
7 files changed, 23 insertions(+), 20 deletions(-)
delete mode 100644 prisma/migrations/20251103162035_add_oidc_provider/migration.sql
create mode 100644 prisma/migrations/20251103162035_added_oidc_to_provider/migration.sql
diff --git a/apps/api/src/app/auth/auth.module.ts b/apps/api/src/app/auth/auth.module.ts
index 7e9e103ad..9fc5d0925 100644
--- a/apps/api/src/app/auth/auth.module.ts
+++ b/apps/api/src/app/auth/auth.module.ts
@@ -73,12 +73,13 @@ import { OidcStrategy } from './oidc.strategy';
let tokenURL: string;
let userInfoURL: string;
- // If all manual URLs are provided, use them; otherwise fetch from discovery
if (manualAuthorizationUrl && manualTokenUrl && manualUserInfoUrl) {
+ // Use manual URLs
authorizationURL = manualAuthorizationUrl;
tokenURL = manualTokenUrl;
userInfoURL = manualUserInfoUrl;
} else {
+ // Fetch OIDC configuration from discovery endpoint
try {
const response = await fetch(
`${issuer}/.well-known/openid-configuration`
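Review bot: The discovery branch fetches `${issuer}/.well-known/openid-configuration` and, as far as this hunk shows, takes the endpoint URLs from that document without checking that its `issuer` field equals the configured `issuer`; OpenID Connect Discovery requires that comparison, and it is what keeps a misconfigured or substituted issuer host from redirecting the token and userinfo calls. Where the response is parsed (past the end of this hunk), a guard such as `if (discovered.issuer !== issuer) throw new Error('OIDC discovery issuer mismatch');` before assigning `authorizationURL`/`tokenURL`/`userInfoURL` closes that. The fallback is also silent when only one or two of the three manual URLs are set, so a partial manual configuration is ignored without any hint; a warning log in the `else` branch when any manual URL is non-empty would make that visible. The enclosing factory function starts before this hunk and continues after it.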
@@ -102,14 +103,14 @@ import { OidcStrategy } from './oidc.strategy';
}
const options: StrategyOptions = {
+ authorizationURL,
issuer,
scope,
- authorizationURL,
+ tokenURL,
+ userInfoURL,
callbackURL: callbackUrl,
clientID: configurationService.get('OIDC_CLIENT_ID'),
- clientSecret: configurationService.get('OIDC_CLIENT_SECRET'),
- tokenURL,
- userInfoURL
+ clientSecret: configurationService.get('OIDC_CLIENT_SECRET')
};
return new OidcStrategy(authService, options);
diff --git a/apps/api/src/app/auth/oidc-state.store.ts b/apps/api/src/app/auth/oidc-state.store.ts
index 0d9bb5f0f..653451166 100644
--- a/apps/api/src/app/auth/oidc-state.store.ts
+++ b/apps/api/src/app/auth/oidc-state.store.ts
@@ -68,8 +68,8 @@ export class OidcStateStore {
return callback(null, undefined, undefined);
}
- // Check if state has expired
if (Date.now() - data.timestamp > this.STATE_EXPIRY_MS) {
+ // State has expired
this.stateMap.delete(handle);
return callback(null, undefined, undefined);
}
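Review bot: Expired entries are removed only when their handle is looked up here, so state records for authorization flows that never reach the callback stay in `this.stateMap` until someone happens to verify that exact handle; unless a periodic sweep exists elsewhere in the class (not visible in this hunk), an unauthenticated client can grow the map without bound by repeatedly starting logins. A small prune that deletes every entry whose `timestamp` is older than `STATE_EXPIRY_MS`, run from the store path or on a timer, bounds that. The moved comment could also say why the entry is deleted rather than left in place: `// State has expired: drop it so a late callback cannot reuse it`. The enclosing method starts before this hunk.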
diff --git a/apps/api/src/services/configuration/configuration.service.ts b/apps/api/src/services/configuration/configuration.service.ts
index 00029af8f..a91aa6e69 100644
--- a/apps/api/src/services/configuration/configuration.service.ts
+++ b/apps/api/src/services/configuration/configuration.service.ts
@@ -62,15 +62,21 @@ export class ConfigurationService {
OIDC_CALLBACK_URL: str({ default: '' }),
OIDC_CLIENT_ID: str({
default: undefined,
- requiredWhen: (env) => env.ENABLE_FEATURE_AUTH_OIDC === true
+ requiredWhen: (env) => {
+ return env.ENABLE_FEATURE_AUTH_OIDC === true;
+ }
}),
OIDC_CLIENT_SECRET: str({
default: undefined,
- requiredWhen: (env) => env.ENABLE_FEATURE_AUTH_OIDC === true
+ requiredWhen: (env) => {
+ return env.ENABLE_FEATURE_AUTH_OIDC === true;
+ }
}),
OIDC_ISSUER: str({
default: undefined,
- requiredWhen: (env) => env.ENABLE_FEATURE_AUTH_OIDC === true
+ requiredWhen: (env) => {
+ return env.ENABLE_FEATURE_AUTH_OIDC === true;
+ }
}),
OIDC_SCOPE: json({ default: ['openid'] }),
OIDC_TOKEN_URL: str({ default: '' }),
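Review bot: The three `requiredWhen` callbacks for `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET` and `OIDC_ISSUER` are now identical multi-line blocks, which is the kind of duplication that drifts when a fourth OIDC setting is added. A single named predicate above the schema, `const requiredWhenOidcEnabled = (env) => env.ENABLE_FEATURE_AUTH_OIDC === true;`, used as `requiredWhen: requiredWhenOidcEnabled` in all three, keeps the rule in one place. A one-line comment on it explaining that these values may be undefined when the feature is off would also help readers of the environment interface. The enclosing schema object starts before this hunk and continues after it.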
diff --git a/apps/api/src/services/interfaces/environment.interface.ts b/apps/api/src/services/interfaces/environment.interface.ts
index 733e62b61..3c03744f1 100644
--- a/apps/api/src/services/interfaces/environment.interface.ts
+++ b/apps/api/src/services/interfaces/environment.interface.ts
@@ -35,9 +35,9 @@ export interface Environment extends CleanedEnvAccessors {
MAX_CHART_ITEMS: number;
OIDC_AUTHORIZATION_URL: string;
OIDC_CALLBACK_URL: string;
- OIDC_CLIENT_ID: string | undefined;
- OIDC_CLIENT_SECRET: string | undefined;
- OIDC_ISSUER: string | undefined;
+ OIDC_CLIENT_ID: string;
+ OIDC_CLIENT_SECRET: string;
+ OIDC_ISSUER: string;
OIDC_SCOPE: string[];
OIDC_TOKEN_URL: string;
OIDC_USER_INFO_URL: string;
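Review bot: Narrowing `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET` and `OIDC_ISSUER` to `string` does not match the schema in configuration.service.ts, which still declares `default: undefined` for each and only requires them when `ENABLE_FEATURE_AUTH_OIDC` is true; with the feature disabled these values are `undefined` at runtime, and the tightened type lets a caller hand them to the strategy or a fetch without the compiler asking for a guard. Either keep `string | undefined` here, or make every read of these keys sit behind the feature flag and document that contract on the interface, e.g. `/** Only populated when ENABLE_FEATURE_AUTH_OIDC is true. */` above the three fields. The interface continues past the end of this hunk.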
diff --git a/apps/client/src/app/components/login-with-access-token-dialog/login-with-access-token-dialog.html b/apps/client/src/app/components/login-with-access-token-dialog/login-with-access-token-dialog.html
index d345c4df5..cf5611ef7 100644
--- a/apps/client/src/app/components/login-with-access-token-dialog/login-with-access-token-dialog.html
+++ b/apps/client/src/app/components/login-with-access-token-dialog/login-with-access-token-dialog.html
@@ -41,7 +41,7 @@
class="mr-2"
src="../assets/icons/google.svg"
style="height: 1rem"
- />Sign in with GoogleSign in with Google
}
diff --git a/prisma/migrations/20251103162035_add_oidc_provider/migration.sql b/prisma/migrations/20251103162035_add_oidc_provider/migration.sql
deleted file mode 100644
index 220c54d9d..000000000
--- a/prisma/migrations/20251103162035_add_oidc_provider/migration.sql
+++ /dev/null
@@ -1,7 +0,0 @@
--- AlterEnum (idempotent - only add if not exists)
-DO $$
-BEGIN
- IF NOT EXISTS (SELECT 1 FROM pg_enum WHERE enumlabel = 'OIDC' AND enumtypid = (SELECT oid FROM pg_type WHERE typname = 'Provider')) THEN
- ALTER TYPE "Provider" ADD VALUE 'OIDC';
- END IF;
-END $$;
diff --git a/prisma/migrations/20251103162035_added_oidc_to_provider/migration.sql b/prisma/migrations/20251103162035_added_oidc_to_provider/migration.sql
new file mode 100644
index 000000000..37dec82c2
--- /dev/null
+++ b/prisma/migrations/20251103162035_added_oidc_to_provider/migration.sql
@@ -0,0 +1,3 @@
+-- AlterEnum
+ALTER TYPE "Provider" ADD VALUE 'OIDC';
+
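Review bot: The replacement migration loses the idempotency the deleted one had: `ALTER TYPE "Provider" ADD VALUE 'OIDC';` fails with a duplicate-label error if `OIDC` already exists, and because this commit renames the migration directory while keeping the same `20251103162035` timestamp, any database that already recorded the old directory name in `_prisma_migrations` will, as far as I can tell, see the renamed migration as unapplied and try to run it again. `ALTER TYPE "Provider" ADD VALUE IF NOT EXISTS 'OIDC';` keeps the plain form while tolerating a re-run (PostgreSQL 9.6+). A short note for operators on resolving the old migration name would cover the rename itself.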