Merge branch 'frontend-next' into t216-refactor-common

Author: Yukaii

README.md

@@ -130,8 +130,18 @@ Environment variables (will overwrite other server configs)
 | HMD_DROPBOX_CLIENTSECRET | no example | Dropbox API client secret |
 | HMD_GOOGLE_CLIENTID | no example | Google API client id |
 | HMD_GOOGLE_CLIENTSECRET | no example | Google API client secret |
+| HMD_LDAP_URL | ldap://example.com | url of LDAP server |
+| HMD_LDAP_BINDDN | no example | bindDn for LDAP access |
+| HMD_LDAP_BINDCREDENTIALS | no example | bindCredentials for LDAP access |
+| HMD_LDAP_TOKENSECRET | supersecretkey | secret used for generating access/refresh tokens |
+| HMD_LDAP_SEARCHBASE | o=users,dc=example,dc=com | LDAP directory to begin search from |
+| HMD_LDAP_SEARCHFILTER | (uid={{username}}) | LDAP filter to search with |
+| HMD_LDAP_SEARCHATTRIBUTES | no example | LDAP attributes to search with |
+| HMD_LDAP_TLS_CA | no example | Root CA for LDAP TLS in PEM format |
+| HMD_LDAP_PROVIDERNAME | My institution | Optional name to be displayed at login form indicating the LDAP provider | 
 | HMD_IMGUR_CLIENTID | no example | Imgur API client id |
-| HMD_EMAIL | `true` or `false` | set to allow email register and signin |
+| HMD_EMAIL | `true` or `false` | set to allow email signin |
+| HMD_ALLOW_EMAIL_REGISTER | `true` or `false` | set to allow email register (only applied when email is set, default is `true`) |
 | HMD_IMAGE_UPLOAD_TYPE | `imgur`, `s3` or `filesystem` | Where to upload image. For S3, see our [S3 Image Upload Guide](docs/guides/s3-image-upload.md) |
 | HMD_S3_ACCESS_KEY_ID | no example | AWS access key id |
 | HMD_S3_SECRET_ACCESS_KEY | no example | AWS secret key |
@@ -175,7 +185,8 @@ Application settings `config.json`
 | heartbeatinterval | `5000` | socket.io heartbeat interval |
 | heartbeattimeout | `10000` | socket.io heartbeat timeout |
 | documentmaxlength | `100000` | note max length |
-| email | `true` or `false` | set to allow email register and signin |
+| email | `true` or `false` | set to allow email signin |
+| allowemailregister  | `true` or `false` | set to allow email register (only applied when email is set, default is `true`) |
 | imageUploadType | `imgur`(default), `s3` or `filesystem` | Where to upload image
 | s3 | `{ "accessKeyId": "YOUR_S3_ACCESS_KEY_ID", "secretAccessKey": "YOUR_S3_ACCESS_KEY", "region": "YOUR_S3_REGION", "bucket": "YOUR_S3_BUCKET_NAME" }` | When `imageUploadType` be setted to `s3`, you would also need to setup this key, check our [S3 Image Upload Guide](docs/guides/s3-image-upload.md) |
 
@@ -184,7 +195,7 @@ Third-party integration api key settings
 
 | service | settings location | description |
 | ------- | --------- | ----------- |
-| facebook, twitter, github, gitlab, dropbox, google | environment variables or `config.json` | for signin |
+| facebook, twitter, github, gitlab, dropbox, google, ldap | environment variables or `config.json` | for signin |
 | imgur | environment variables or `config.json` | for image upload |
 | google drive(`google/apiKey`, `google/clientID`), dropbox(`dropbox/appKey`) | `config.json` | for export and import |
 

app.js

@@ -381,36 +381,50 @@ if (config.google) {
             failureRedirect: config.serverurl + '/'
         }));
 }
+// ldap auth
+if (config.ldap) {
+    app.post('/auth/ldap', urlencodedParser, function (req, res, next) {
+        if (!req.body.username || !req.body.password) return response.errorBadRequest(res);
+        setReturnToFromReferer(req);
+        passport.authenticate('ldapauth', {
+            successReturnToOrRedirect: config.serverurl + '/',
+            failureRedirect: config.serverurl + '/',
+            failureFlash: true
+        })(req, res, next);
+    });
+}
 // email auth
 if (config.email) {
-    app.post('/register', urlencodedParser, function (req, res, next) {
-        if (!req.body.email || !req.body.password) return response.errorBadRequest(res);
-        if (!validator.isEmail(req.body.email)) return response.errorBadRequest(res);
-        models.User.findOrCreate({
-            where: {
-                email: req.body.email
-            },
-            defaults: {
-                password: req.body.password
-            }
-        }).spread(function (user, created) {
-            if (user) {
-                if (created) {
-                    if (config.debug) logger.info('user registered: ' + user.id);
-                    req.flash('info', "You've successfully registered, please signin.");
-                } else {
-                    if (config.debug) logger.info('user found: ' + user.id);
-                    req.flash('error', "This email has been used, please try another one.");
+    if (config.allowemailregister)
+        app.post('/register', urlencodedParser, function (req, res, next) {
+            if (!req.body.email || !req.body.password) return response.errorBadRequest(res);
+            if (!validator.isEmail(req.body.email)) return response.errorBadRequest(res);
+            models.User.findOrCreate({
+                where: {
+                    email: req.body.email
+                },
+                defaults: {
+                    password: req.body.password
+                }
+            }).spread(function (user, created) {
+                if (user) {
+                    if (created) {
+                        if (config.debug) logger.info('user registered: ' + user.id);
+                        req.flash('info', "You've successfully registered, please signin.");
+                    } else {
+                        if (config.debug) logger.info('user found: ' + user.id);
+                        req.flash('error', "This email has been used, please try another one.");
+                    }
+                    return res.redirect(config.serverurl + '/');
                 }
+                req.flash('error', "Failed to register your account, please try again.");
                 return res.redirect(config.serverurl + '/');
-            }
-            req.flash('error', "Failed to register your account, please try again.");
-            return res.redirect(config.serverurl + '/');
-        }).catch(function (err) {
-            logger.error('auth callback failed: ' + err);
-            return response.errorInternalError(res);
+            }).catch(function (err) {
+                logger.error('auth callback failed: ' + err);
+                return response.errorInternalError(res);
+            });
         });
-    });
+
     app.post('/login', urlencodedParser, function (req, res, next) {
         if (!req.body.email || !req.body.password) return response.errorBadRequest(res);
         if (!validator.isEmail(req.body.email)) return response.errorBadRequest(res);
@@ -627,7 +641,7 @@ process.on('SIGINT', function () {
     var checkCleanTimer = setInterval(function () {
         if (history.isReady() && realtime.isReady()) {
             models.Revision.checkAllNotesRevision(function (err, notes) {
-                if (err) throw new Error(err);
+                if (err) return logger.error(err);
                 if (!notes || notes.length <= 0) {
                     clearInterval(checkCleanTimer);
                     return process.exit(0);

config.json.example

@@ -53,6 +53,18 @@
             "clientSecret": "change this",
             "apiKey": "change this"
         },
+        "ldap": {
+            "url": "ldap://change_this",
+            "bindDn": null,
+            "bindCredentials": null,
+            "tokenSecret": "change this",
+            "searchBase": "change this",
+            "searchFilter": "change this",
+            "searchAttributes": "change this",
+            "tlsOptions": {
+                "changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback"
+            }
+        },
         "imgur": {
             "clientID": "change this"
         }

lib/auth.js

@@ -7,6 +7,7 @@ var GithubStrategy = require('passport-github').Strategy;
 var GitlabStrategy = require('passport-gitlab2').Strategy;
 var DropboxStrategy = require('passport-dropbox-oauth2').Strategy;
 var GoogleStrategy = require('passport-google-oauth20').Strategy;
+var LdapStrategy = require('passport-ldapauth');
 var LocalStrategy = require('passport-local').Strategy;
 var validator = require('validator');
 
@@ -110,6 +111,62 @@ if (config.google) {
         callbackURL: config.serverurl + '/auth/google/callback'
     }, callback));
 }
+// ldap
+if (config.ldap) {
+    passport.use(new LdapStrategy({
+        server: {
+            url: config.ldap.url || null,
+            bindDn: config.ldap.bindDn || null,
+            bindCredentials: config.ldap.bindCredentials || null,
+            searchBase: config.ldap.searchBase || null,
+            searchFilter: config.ldap.searchFilter || null,
+            searchAttributes: config.ldap.searchAttributes || null,
+            tlsOptions: config.ldap.tlsOptions || null
+        },
+    },
+    function(user, done) {
+        var profile = {
+            id: 'LDAP-' + user.uidNumber,
+            username: user.uid,
+            displayName: user.displayName,
+            emails: user.mail ? [user.mail] : [],
+            avatarUrl: null,
+            profileUrl: null,
+            provider: 'ldap',
+        }
+        var stringifiedProfile = JSON.stringify(profile);
+        models.User.findOrCreate({
+            where: {
+                profileid: profile.id.toString()
+            },
+            defaults: {
+                profile: stringifiedProfile,
+            }
+        }).spread(function (user, created) {
+            if (user) {
+                var needSave = false;
+                if (user.profile != stringifiedProfile) {
+                    user.profile = stringifiedProfile;
+                    needSave = true;
+                }
+                if (needSave) {
+                    user.save().then(function () {
+                        if (config.debug)
+                            logger.info('user login: ' + user.id);
+                        return done(null, user);
+                    });
+                } else {
+                    if (config.debug)
+                        logger.info('user login: ' + user.id);
+                    return done(null, user);
+                }
+            }
+        }).catch(function (err) {
+            logger.error('ldap auth failed: ' + err);
+            return done(err, null);
+        });
+    }));
+}
 // email
 if (config.email) {
     passport.use(new LocalStrategy({
@@ -130,4 +187,4 @@ if (config.email) {
             return done(err);
         });
     }));
-}
+}

lib/config.js

@@ -95,8 +95,44 @@ var google = (process.env.HMD_GOOGLE_CLIENTID && process.env.HMD_GOOGLE_CLIENTSE
     clientID: process.env.HMD_GOOGLE_CLIENTID,
     clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET
 } : (config.google && config.google.clientID && config.google.clientSecret) || false;
+var ldap = config.ldap || (
+    process.env.HMD_LDAP_URL ||
+    process.env.HMD_LDAP_BINDDN ||
+    process.env.HMD_LDAP_BINDCREDENTIALS ||
+    process.env.HMD_LDAP_TOKENSECRET ||
+    process.env.HMD_LDAP_SEARCHBASE ||
+    process.env.HMD_LDAP_SEARCHFILTER ||
+    process.env.HMD_LDAP_SEARCHATTRIBUTES ||
+    process.env.HMD_LDAP_PROVIDERNAME
+) || false;
+if (ldap == true)
+    ldap = {};
+if (process.env.HMD_LDAP_URL)
+    ldap.url = process.env.HMD_LDAP_URL;
+if (process.env.HMD_LDAP_BINDDN)
+    ldap.bindDn = process.env.HMD_LDAP_BINDDN;
+if (process.env.HMD_LDAP_BINDCREDENTIALS)
+    ldap.bindCredentials = process.env.HMD_LDAP_BINDCREDENTIALS;
+if (process.env.HMD_LDAP_TOKENSECRET)
+    ldap.tokenSecret = process.env.HMD_LDAP_TOKENSECRET;
+if (process.env.HMD_LDAP_SEARCHBASE)
+    ldap.searchBase = process.env.HMD_LDAP_SEARCHBASE;
+if (process.env.HMD_LDAP_SEARCHFILTER)
+    ldap.searchFilter = process.env.HMD_LDAP_SEARCHFILTER;
+if (process.env.HMD_LDAP_SEARCHATTRIBUTES)
+    ldap.searchAttributes = process.env.HMD_LDAP_SEARCHATTRIBUTES;
+if (process.env.HMD_LDAP_TLS_CA) {
+    var ca = {
+        ca: process.env.HMD_LDAP_TLS_CA
+    }
+    ldap.tlsOptions = ldap.tlsOptions ? Object.assign(ldap.tlsOptions, ca) : ca
+}
+if (process.env.HMD_LDAP_PROVIDERNAME) {
+    ldap.providerName = process.env.HMD_LDAP_PROVIDERNAME;
+}
 var imgur = process.env.HMD_IMGUR_CLIENTID || config.imgur || false;
 var email = process.env.HMD_EMAIL ? (process.env.HMD_EMAIL === 'true') : !!config.email;
+var allowemailregister = process.env.HMD_ALLOW_EMAIL_REGISTER ? (process.env.HMD_ALLOW_EMAIL_REGISTER === 'true') : ((typeof config.allowemailregister === 'boolean') ? config.allowemailregister : true);
 
 function getserverurl() {
     var url = '';
@@ -156,8 +192,10 @@ module.exports = {
     gitlab: gitlab,
     dropbox: dropbox,
     google: google,
+    ldap: ldap,
     imgur: imgur,
     email: email,
+    allowemailregister: allowemailregister,
     imageUploadType: imageUploadType,
     s3: s3,
     s3bucket: s3bucket

lib/letter-avatars.js

@@ -0,0 +1,25 @@
+"use strict";
+
+// external modules
+var randomcolor = require('randomcolor');
+
+// core
+module.exports = function(name) {
+    var color = randomcolor({
+        seed: name,
+        luminosity: 'dark'
+    });
+    var letter = name.substring(0, 1).toUpperCase();
+
+    var svg = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>';
+    svg += '<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" height="96" width="96" version="1.1" viewBox="0 0 96 96">';
+    svg += '<g>';
+    svg += '<rect width="96" height="96" fill="' + color + '" />';
+    svg += '<text font-size="64px" font-family="sans-serif" text-anchor="middle" fill="#ffffff">';
+    svg += '<tspan x="48" y="72" stroke-width=".26458px" fill="#ffffff">' + letter + '</tspan>';
+    svg += '</text>';
+    svg += '</g>';
+    svg += '</svg>';
+
+    return 'data:image/svg+xml;base64,' + new Buffer(svg).toString('base64');
+};

lib/models/note.js

@@ -23,7 +23,7 @@ var logger = require("../logger.js");
 var ot = require("../ot/index.js");
 
 // permission types
-var permissionTypes = ["freely", "editable", "locked", "private"];
+var permissionTypes = ["freely", "editable", "limited", "locked", "protected", "private"];
 
 module.exports = function (sequelize, DataTypes) {
     var Note = sequelize.define("Note", {
@@ -333,7 +333,7 @@ module.exports = function (sequelize, DataTypes) {
                     if (meta.slideOptions && (typeof meta.slideOptions == "object"))
                         _meta.slideOptions = meta.slideOptions;
                 }
-                return _meta; 
+                return _meta;
             },
             updateAuthorshipByOperation: function (operation, userId, authorships) {
                 var index = 0;
@@ -532,4 +532,4 @@ module.exports = function (sequelize, DataTypes) {
     });
 
     return Note;
-};
+};

lib/models/user.js

@@ -7,6 +7,7 @@ var scrypt = require('scrypt');
 
 // core
 var logger = require("../logger.js");
+var letterAvatars = require('../letter-avatars.js');
 
 module.exports = function (sequelize, DataTypes) {
     var User = sequelize.define("User", {
@@ -105,6 +106,16 @@ module.exports = function (sequelize, DataTypes) {
                     case "google":
                         photo = profile.photos[0].value.replace(/(\?sz=)\d*$/i, '$196');
                         break;
+                    case "ldap":
+                        //no image api provided,
+                        //use gravatar if email exists,
+                        //otherwise generate a letter avatar
+                        if (profile.emails[0]) {
+                            photo = 'https://www.gravatar.com/avatar/' + md5(profile.emails[0]) + '?s=96';
+                        } else {
+                            photo = letterAvatars(profile.username);
+                        }
+                        break;
                 }
                 return photo;
             },