louislam · zhangweiqaz · May 10, 2024 · May 11, 2024 · May 11, 2024 · May 11, 2024
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -111,6 +111,7 @@
         "jwt-decode": "~3.1.2",
         "kafkajs": "^2.2.4",
         "knex": "^2.4.2",
+        "ldapjs": "^3.0.7",
         "limiter": "~2.1.0",
         "liquidjs": "^10.7.0",
         "mitt": "~3.0.1",

diff --git a/server/auth.js b/server/auth.js
@@ -6,6 +6,7 @@ const { log } = require("../src/util");
 const { loginRateLimiter, apiRateLimiter } = require("./rate-limiter");
 const { Settings } = require("./settings");
 const dayjs = require("dayjs");
+const ldap = require("ldapjs");
 
 /**
  * Login to web app
@@ -14,26 +15,71 @@ const dayjs = require("dayjs");
  * @returns {Promise<(Bean|null)>} User or null if login failed
  */
 exports.login = async function (username, password) {
+
     if (typeof username !== "string" || typeof password !== "string") {
         return null;
     }
-
-    let user = await R.findOne("user", " username = ? AND active = 1 ", [
-        username,
-    ]);
-
-    if (user && passwordHash.verify(password, user.password)) {
-        // Upgrade the hash to bcrypt
-        if (passwordHash.needRehash(user.password)) {
-            await R.exec("UPDATE `user` SET password = ? WHERE id = ? ", [
-                passwordHash.generate(password),
-                user.id,
-            ]);
+    if (process.env.AUTH_METHOD === "LDAP") {
+        let ldapAuthSuccess = false;
+        await new Promise((resolve, reject) => {
+            const client = ldap.createClient({
+                url: [ process.env.LDAP_ADDRESS ]
+            });
+            client.on("connectError", (err) => {
+                log.error("auth", "connecting ldap server failed");
+                resolve();
+            });
+            client.bind(process.env.LDAP_UID + "=" + username + "," + process.env.LDAP_BASE_DN,
+                password, (err) => {
+                    if (err) {
+                        log.warn("auth", "ldap authentication failed for user: " + username);
+                    } else {
+                        log.info("auth", "ldap authentication succeeded for user: " + username);
-                        log.warn("auth", "ldap authentication failed for user: " + username);
-                    } else {
-                        log.info("auth", "ldap authentication succeeded for user: " + username);
+                        log.info("auth", `ldap failed for ${username} because ${err}`);
+                    } else {
+                        log.info("auth", `${username} successfully logged in via ldap`);
-                        log.warn("auth", "ldap authentication failed for user: " + username);
-                    } else {
-                        log.info("auth", "ldap authentication succeeded for user: " + username);
+                        log.info("auth", `ldap failed for ${username} because ${err}`);
+                    } else {
+                        log.info("auth", `${username} successfully logged in via ldap`);
+                        ldapAuthSuccess = true;
+                    }
+                    resolve();
+                });
+        });
+        if (!ldapAuthSuccess) {
+            return null;
+        }
+        let user = await R.findOne("user", " username = ? AND active = 1 ", [
+            username,
+        ]);
+        if (user) {
+            if (passwordHash.needRehash(user.password)) {
+                await R.exec("UPDATE `user` SET password = ? WHERE id = ? ", [
+                    passwordHash.generate(password),
+                    user.id,
+                ]);
+            }
+            return user;
+        } else {
+            log.info("auth", "user: " + username + "not exists in db, create it");
+            let user = R.dispense("user");
+            user.username = username;
+            user.password = passwordHash.generate(password);
+            await R.store(user);
+            return await R.findOne("user", " username = ? AND active = 1 ", [ username ]);
+        }
+    } else {
+        let user = await R.findOne("user", " username = ? AND active = 1 ", [
+            username,
+        ]);
+
+        if (user && passwordHash.verify(password, user.password)) {
+            // Upgrade the hash to bcrypt
+            if (passwordHash.needRehash(user.password)) {
+                await R.exec("UPDATE `user` SET password = ? WHERE id = ? ", [
+                    passwordHash.generate(password),
+                    user.id,
+                ]);
+            }
+            return user;
         }
-        return user;
-    }
 
-    return null;
+        return null;
+    }
 };
 
 /**