OAuth: add ALLOWED_LDAP_GROUPS
parent
f6faa73bb7
commit
c22a2eb4af
|
@ -1,6 +1,9 @@
|
|||
# to use a normal user, put `uid=username,ou=People,dc=hackerspace,dc=pl` as DN
|
||||
LDAP_USER_DN=ldap_service_user_full_dn
|
||||
LDAP_USER_PW=ldap_service_user_password
|
||||
# to be authorized, user must be in one of these groups
|
||||
# hint: for debug, add group with the same name as your username
|
||||
ALLOWED_LDAP_GROUPS=radex,walne-users,zarzad,staff
|
||||
# create test client on sso.hackerspace.pl, with these options:
|
||||
# - client uri: (anything)
|
||||
# - redirect uri: http://localhost:5173/auth/callback/hswaw
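Review bot: The sample value on `ALLOWED_LDAP_GROUPS=radex,walne-users,zarzad,staff` appears to mix a personal uid-named debug group (`radex`, consistent with the hint two lines above) with real role groups, and an example env file tends to be copied as-is into a deployment. Consider shipping only the role groups in the example, e.g. `ALLOWED_LDAP_GROUPS=walne-users,zarzad,staff`, and leaving the per-developer debug entry for the local, uncommitted `.env`. The rest of this file is outside the hunk.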
|
||||
|
|
|
@ -83,6 +83,21 @@ export const handle = ({ event, resolve }) => {
|
|||
}
|
||||
return SvelteKitAuth({
|
||||
providers: [getHswawOauthConfig()],
|
||||
callbacks: {
|
||||
async signIn({ user, account, profile, email, credentials }) {
|
||||
// ldap groups authorized to use `walne`
|
||||
const allowedGroups = (env.ALLOWED_LDAP_GROUPS || '').split(',');
|
||||
if (!allowedGroups.length) {
|
||||
throw new Error('No allowed groups defined');
|
||||
}
|
||||
|
||||
// user's ldap groups
|
||||
const groups = (profile?.groups ?? []) as string[];
|
||||
|
||||
const isAuthorized = allowedGroups.some((allowedGroup) => groups.includes(allowedGroup));
|
||||
return isAuthorized;
|
||||
}
|
||||
},
|
||||
// debug: true,
|
||||
trustHost: true,
|
||||
redirectProxyUrl: env.REDIRECT_PROXY_URL
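Review bot: The `as string[]` cast on `const groups = (profile?.groups ?? []) as string[];` leaves the authorization test `groups.includes(allowedGroup)` unvalidated against what the provider actually returns; if the claim arrives as a single string rather than an array, `includes` becomes `String.prototype.includes` and any group whose name merely contains an allowed name would pass, so the shape should be checked with `Array.isArray` and non-string entries dropped instead of asserted away. Separately, `''.split(',')` evaluates to `['']`, so the `if (!allowedGroups.length)` guard can never fire: an unset or blank `ALLOWED_LDAP_GROUPS` silently rejects everyone instead of throwing the intended `'No allowed groups defined'`, and a value written as `a, b` never matches `b` because entries are not trimmed. Both are fixed by trimming and filtering the split result before the length check, as below. The enclosing `handle` function and the `SvelteKitAuth({...})` call both continue outside this hunk.
```typescript
async signIn({ user, account, profile, email, credentials }) {
  // ldap groups authorized to use `walne`; trim and drop empty entries so an
  // unset or blank ALLOWED_LDAP_GROUPS really reaches the throw below
  const allowedGroups = (env.ALLOWED_LDAP_GROUPS ?? '')
    .split(',')
    .map((g) => g.trim())
    .filter((g) => g.length > 0);
  if (allowedGroups.length === 0) {
    throw new Error('No allowed groups defined');
  }

  // user's ldap groups: validate the claim's shape instead of asserting it, so a
  // non-array value cannot turn `includes` into a substring match
  const rawGroups: unknown = profile?.groups;
  const groups = Array.isArray(rawGroups)
    ? rawGroups.filter((g): g is string => typeof g === 'string')
    : [];

  return allowedGroups.some((allowedGroup) => groups.includes(allowedGroup));
}
// … unchanged: trustHost / redirectProxyUrl options …
```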
|
||||
|
|