Merge pull request #3370 from penpot/niwinz-improvements

✨ Add some improvements to the oidc module
2025-03-15 17:21:17 -05:00 · 2023-07-04 12:36:39 +02:00 · 2023-07-04 12:36:39 +02:00 · 5d42631c7a
commit 5d42631c7a
parent 45a909f5ff 8cda8924df
5 changed files with 36 additions and 34 deletions
--- a/backend/deps.edn
+++ b/backend/deps.edn
@ -6,7 +6,7 @@
  org.clojure/clojure {:mvn/version "1.11.1"}
  org.clojure/core.async {:mvn/version "1.6.673"}

-  com.github.luben/zstd-jni {:mvn/version "1.5.2-5"}
+  com.github.luben/zstd-jni {:mvn/version "1.5.5-4"}

  io.prometheus/simpleclient {:mvn/version "0.16.0"}
  io.prometheus/simpleclient_hotspot {:mvn/version "0.16.0"}
@ -17,7 +17,7 @@

  io.prometheus/simpleclient_httpserver {:mvn/version "0.16.0"}

-  io.lettuce/lettuce-core {:mvn/version "6.2.2.RELEASE"}
+  io.lettuce/lettuce-core {:mvn/version "6.2.4.RELEASE"}
  java-http-clj/java-http-clj {:mvn/version "0.4.3"}

  funcool/yetti
@ -26,8 +26,8 @@
   :git/url "https://github.com/funcool/yetti.git"
   :exclusions [org.slf4j/slf4j-api]}

-  com.github.seancorfield/next.jdbc {:mvn/version "1.3.847"}
-  metosin/reitit-core {:mvn/version "0.5.18"}
+  com.github.seancorfield/next.jdbc {:mvn/version "1.3.883"}
+  metosin/reitit-core {:mvn/version "0.6.0"}

  org.postgresql/postgresql {:mvn/version "42.6.0"}

@ -35,12 +35,12 @@

  io.whitfin/siphash {:mvn/version "2.0.0"}

-  buddy/buddy-hashers {:mvn/version "1.8.158"}
-  buddy/buddy-sign {:mvn/version "3.4.333"}
+  buddy/buddy-hashers {:mvn/version "2.0.167"}
+  buddy/buddy-sign {:mvn/version "3.5.351"}

-  com.github.ben-manes.caffeine/caffeine {:mvn/version "3.1.5"}
+  com.github.ben-manes.caffeine/caffeine {:mvn/version "3.1.6"}

-  org.jsoup/jsoup {:mvn/version "1.15.3"}
+  org.jsoup/jsoup {:mvn/version "1.16.1"}
  org.im4java/im4java
  {:git/tag "1.4.0-penpot-2"
   :git/sha "e2b3e16"
@ -49,14 +49,14 @@
  org.lz4/lz4-java {:mvn/version "1.8.0"}

  org.clojars.pntblnk/clj-ldap {:mvn/version "0.0.17"}
-  integrant/integrant {:mvn/version "0.8.0"}
+  integrant/integrant {:mvn/version "0.8.1"}

  dawran6/emoji {:mvn/version "0.1.5"}
  markdown-clj/markdown-clj {:mvn/version "1.11.4"}

  ;; Pretty Print specs
  pretty-spec/pretty-spec {:mvn/version "0.1.4"}
-  software.amazon.awssdk/s3 {:mvn/version "2.19.29"}
+  software.amazon.awssdk/s3 {:mvn/version "2.20.96"}
  }

 :paths ["src" "resources" "target/classes"]
--- a/backend/src/app/auth.clj
+++ b/backend/src/app/auth.clj
@ -13,8 +13,8 @@

 (def default-params
  {:alg :argon2id
-   :memory (* 32768 2)
-   :iterations 5
+   :memory (* 32768 2) ;; 64 MiB
+   :iterations 7
   :parallelism (px/get-available-processors)})

 (defn derive-password
--- a/backend/src/app/auth/oidc.clj
+++ b/backend/src/app/auth/oidc.clj
@ -25,8 +25,7 @@
   [app.tokens :as tokens]
   [app.util.json :as json]
   [app.util.time :as dt]
-   [buddy.core.keys :as keys]
-   [buddy.sign.jws :as jws]
+   [buddy.sign.jwk :as jwk]
   [buddy.sign.jwt :as jwt]
   [clojure.set :as set]
   [clojure.spec.alpha :as s]
@ -109,7 +108,7 @@
 (defn- process-oidc-jwks
  [keys]
  (reduce (fn [result {:keys [kid] :as kdata}]
-            (let [pkey (ex/try! (keys/jwk->public-key kdata))]
+            (let [pkey (ex/try! (jwk/public-key kdata))]
              (if (ex/exception? pkey)
                (do
                  (l/warn :hint "unable to create public key"
@ -392,7 +391,7 @@
 (defn- get-user-info
  [{:keys [provider]} tdata]
  (try
-    (let [{:keys [kid alg] :as theader} (jws/decode-header (:token/id tdata))]
+    (let [{:keys [kid alg] :as theader} (jwt/decode-header (:token/id tdata))]
      (when-let [key (if (str/starts-with? (name alg) "hs")
                       (:client-secret provider)
                       (get-in provider [:jwks kid]))]
@ -425,8 +424,12 @@
        code   (get params :code)
        state  (tokens/verify props {:token state :iss :oauth})
        tdata  (fetch-access-token cfg code)
-        info   (or (get-user-info cfg tdata)
-                   (fetch-user-info cfg tdata))
+        info   (case (cf/get :oidc-user-info-source)
+                 :token (get-user-info cfg tdata)
+                 :userinfo (fetch-user-info cfg tdata)
+                 (or (get-user-info cfg tdata)
+                     (fetch-user-info cfg tdata)))
+
        info   (process-user-info provider tdata info)]

    (l/trace :hint "user info" :info info)
--- a/backend/src/app/config.clj
+++ b/backend/src/app/config.clj
@ -146,6 +146,7 @@
 (s/def ::google-client-id ::us/string)
 (s/def ::google-client-secret ::us/string)
 (s/def ::oidc-client-id ::us/string)
+(s/def ::oidc-user-info-source ::us/keyword)
 (s/def ::oidc-client-secret ::us/string)
 (s/def ::oidc-base-uri ::us/string)
 (s/def ::oidc-token-uri ::us/string)
@ -242,6 +243,7 @@
                   ::google-client-secret
                   ::oidc-client-id
                   ::oidc-client-secret
+                   ::oidc-user-info-source
                   ::oidc-base-uri
                   ::oidc-token-uri
                   ::oidc-auth-uri
--- a/common/deps.edn
+++ b/common/deps.edn
@ -1,40 +1,37 @@
 {:deps
 {org.clojure/clojure {:mvn/version "1.11.1"}
  org.clojure/data.json {:mvn/version "2.4.0"}
-  org.clojure/tools.cli {:mvn/version "1.0.214"}
+  org.clojure/tools.cli {:mvn/version "1.0.219"}
  org.clojure/clojurescript {:mvn/version "1.11.60"}
  org.clojure/test.check {:mvn/version "1.1.1"}
  org.clojure/data.fressian {:mvn/version "1.0.0"}

  ;; Logging
-  org.apache.logging.log4j/log4j-api {:mvn/version "2.19.0"}
-  org.apache.logging.log4j/log4j-core {:mvn/version "2.19.0"}
-  org.apache.logging.log4j/log4j-web {:mvn/version "2.19.0"}
-  org.apache.logging.log4j/log4j-jul {:mvn/version "2.19.0"}
-  org.apache.logging.log4j/log4j-slf4j2-impl {:mvn/version "2.19.0"}
-  org.slf4j/slf4j-api {:mvn/version "2.0.6"}
-  pl.tkowalcz.tjahzi/log4j2-appender {:mvn/version "0.9.26"}
+  org.apache.logging.log4j/log4j-api {:mvn/version "2.20.0"}
+  org.apache.logging.log4j/log4j-core {:mvn/version "2.20.0"}
+  org.apache.logging.log4j/log4j-web {:mvn/version "2.20.0"}
+  org.apache.logging.log4j/log4j-jul {:mvn/version "2.20.0"}
+  org.apache.logging.log4j/log4j-slf4j2-impl {:mvn/version "2.20.0"}
+  org.slf4j/slf4j-api {:mvn/version "2.0.7"}
+  pl.tkowalcz.tjahzi/log4j2-appender {:mvn/version "0.9.30"}

-  selmer/selmer {:mvn/version "1.12.55"}
+  selmer/selmer {:mvn/version "1.12.58"}
  criterium/criterium {:mvn/version "0.4.6"}

  metosin/jsonista {:mvn/version "0.3.7"}
  metosin/malli {:mvn/version "0.11.0"}

  expound/expound {:mvn/version "0.9.0"}
-  com.cognitect/transit-clj {:mvn/version "1.0.329"}
+  com.cognitect/transit-clj {:mvn/version "1.0.333"}
  com.cognitect/transit-cljs {:mvn/version "0.8.280"}
  java-http-clj/java-http-clj {:mvn/version "0.4.3"}

  funcool/cuerdas {:mvn/version "2022.06.16-403"}
-  funcool/promesa
-  {:git/tag "11.0-alpha13"
-   :git/sha "f6cab38"
-   :git/url "https://github.com/funcool/promesa.git"}
+  funcool/promesa {:mvn/version "11.0.671"}
  funcool/datoteka {:mvn/version "3.0.66"
                    :exclusions [funcool/promesa]}

-  lambdaisland/uri {:mvn/version "1.13.95"
+  lambdaisland/uri {:mvn/version "1.15.125"
                    :exclusions [org.clojure/data.json]}

  frankiesardo/linked {:mvn/version "1.3.0"}
@ -44,7 +41,7 @@

  ;; exception printing
  fipp/fipp {:mvn/version "0.6.26"}
-  io.aviso/pretty {:mvn/version "1.3"}
+  io.aviso/pretty {:mvn/version "1.4.4"}
  environ/environ {:mvn/version "1.2.0"}}
 :paths ["src" "target/classes"]
 :aliases