diff --git a/docs/config-login-to-view.md b/docs/config-login-to-view.md
new file mode 100644
index 0000000..ea87925
--- /dev/null
+++ b/docs/config-login-to-view.md
@@ -0,0 +1,63 @@
+# Federated Wiki - Security Plug-in: Passport
+## (Configuring "Login to View")
+
+Before attempting to configure Login to View, make sure you have already taken the steps to configure your identity provider as explained [earlier in the documentation](./configuration.md)
+
+Where you put your configuration for the Login to View system depends on which sites on your farm you want to be restricted. If you want the whole farm to be restricted then you would add the key-value pairs into the top level of your wiki's `config.json`. If you only want to restrict specific sites on your farm, then you need to restrict them individually within a wikiDomains section of your config.
+
+The properties we need to add for Login to View are: `restricted`, `details`, and either `allowed_domains` (Google) or `allowed_ids` (GitHub, Twitter, OAuth2) depending on your identity provider. When using Google auth, `allowed_domains` allows you to specify which domains your user's emails are allowed to be from. Only users with email domains included in this array will be allowed to view the restricted sites. When using GitHub, Twitter, or OAuth2, `allowed_ids` allows you to specify an array of user IDs that are allowed to view the restricted sites. If you set `allowed_ids` equal to `[*]` then any user in your identity provider's system will be allowed to view the restricted sites.
+
+**Examples:**
+
+If your identity provider is **Google**:
+```json
+{
+ "admin": {"google":"105396921212328672315"},
+ "farm": true,
+ "cookieSecret": "0ebf86563b4sdfsdfcc8788e666702",
+ "secure_cookie": true,
+ "security_type": "passportjs",
+ "security_useHttps": true,
+ "allowed": "*",
+ "wikiDomains": {
+ "private.example.com": {
+ "admin": {"google":"105396921212328672315"},
+ "google_clientID": "10030fghfgh7443-gcemshdl37j67mgpm99eu5dh43li5vrs.apps.googleusercontent.com",
+ "google_clientSecret": "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",
+ "restricted": true,
+ "details": "http://path.ward.asia.wiki.org/login-to-view.html",
+ "allowed_domains": [
+ "example1.com",
+ "example2.com"
+ ]
+ }
+ }
+ }
+ ```
+
+If your identity provider is **GitHub**, **Twitter**, or generic **OAuth2**:
+```json
+{
+ "admin": {"oauth2": "admin"},
+ "farm": true,
+ "cookieSecret": "FDpmzFT2FQZsdfsdfFr4WwZFGuwuVSQ",
+ "secure_cookie": true,
+ "security_type": "passportjs",
+ "security_useHttps": true,
+ "allowed": "*",
+ "wikiDomains": {
+ "wiki.example.com": {
+ "oauth2_DisplayNameField": "token.preferred_username",
+ "oauth2_IdField": "token.preferred_username",
+ "oauth2_clientID": "wiki",
+ "oauth2_clientSecret": "3Df5D3jNfsdfsdfsdfNvc08iJOL3uSCg",
+ "oauth2_AuthorizationURL": "https://auth.example.com/realms/wiki-cafe-test-server/protocol/openid-connect/auth",
+ "oauth2_TokenURL": "https://auth.example.com/realms/wiki-cafe-test-server/protocol/openid-connect/token",
+ "oauth2_UsernameField": "token.preferred_username",
+ "restricted": true,
+ "details": "http://path.ward.asia.wiki.org/login-to-view.html",
+ "allowed_ids": ["*"]
+ }
+ }
+ }
+ ```
diff --git a/docs/configuration.md b/docs/configuration.md
index 5c1b41b..134e419 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -18,3 +18,6 @@ See, depending on which identity provider you choose to use:
 * [Google](./config-google.md)
 * [Twitter](./config-twitter.md)
 * [Generic OAuth](./config-oauth2.md)
+
+With all of the providers above you are also able to configure sites on your farm to be [Login to View](http://ward.asia.wiki.org/login-to-view.html). This means only specified visitors are allowed to view the site's content, rather than it being public on the web. The following page explains how to configure the login-to-view system:
+* [Configure Login to View](./config-login-to-view.md)
\ No newline at end of file
diff --git a/server/social.coffee b/server/social.coffee
index a47fe1c..9498a44 100644
--- a/server/social.coffee
+++ b/server/social.coffee
@@ -385,24 +385,31 @@ module.exports = exports = (log, loga, argv) -> # see http://ward.asia.wiki.org/login-to-view.html if argv.restricted? - allowedToView = (req) -> - allowed = [] if argv.allowed_domains? - if Array.isArray(argv.allowed_domains) - allowed = argv.allowed_domains - else - # accommodate copy bug to be fixed soon - # https://github.com/fedwiki/wiki/blob/4c6eee69e78c1ba3f3fc8d61f4450f70afb78f10/farm.coffee#L98-L103 - for k, v of argv.allowed_domains - allowed.push v - # emails = [ { value: 'ward.cunningham@gmail.com', type: 'account' } ] - emails = req.session?.passport?.user?.google?.emails - return false unless emails - for entry in emails - have = entry.value.split('@')[1] - for want in allowed - return true if want == have + try + allowed_domains = argv.allowed_domains + emails = req.session.passport.user.google.emails + for entry in emails + have = entry.value.split('@')[1] + for want in allowed_domains + return true if want == have + catch error + if emails? + console.log "argv.allowed_domains exists, but there was an error. Make sure it's value is an array in your config." + if argv.allowed_ids? + try + allowed_ids = argv.allowed_ids + idProvider = _.head(_.keys(req.session.passport.user)) + switch idProvider + when 'github', 'twitter', 'oauth2' + id = req.session.passport.user[idProvider].id + return true if (allowed_ids.length == 1 and allowed_ids[0] == "*") + for want in allowed_ids + return true if want == id + catch error + if idProvider? + console.log "argv.allowed_ids exists, but there was an error. Make sure it's value is an array in your config." false app.all '*', (req, res, next) ->
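Review bot: The `for want in allowed_domains` loop never throws when `argv.allowed_domains` is not an array, so the catch branch's "Make sure it's value is an array" message is unreachable for the case it describes: CoffeeScript compiles `for … in` to an indexed loop over `.length`, so a plain object (the farm copy-bug shape the removed comment pointed at, which the removed code iterated by value) now iterates nothing and every visitor is silently denied, while a string value iterates its characters. Validate the shape up front and keep the fail-closed result explicit, `unless Array.isArray(argv.allowed_domains)` / `  console.log "argv.allowed_domains must be an array; check your config"` / `  return false`, and do the same for `allowed_ids` before the `switch`, so the try/catch is left for genuinely unexpected session shapes. Since `==` compiles to `===`, an id written as a number in `allowed_ids` will also never match an id the provider delivers as a string (likely the case for GitHub, worth confirming), so either document that ids must be quoted or compare `String(want) == String(id)`. The enclosing `allowedToView` definition is not visible on the new side of this hunk, so where these checks sit relative to its header needs confirming against the full file.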