Commit graph

23 commits

Author SHA1 Message Date
Boris Rybalkin
e8b845e43c Sync user permissions to the new type on OIDC group mapping
A user promoted via the group claim had its type changed but kept the
permissions of its previous type (e.g. a new user mapped to admin could
not upload). Update permissions from the new type's defaults when the
type changes, and cover it in the setUserGroup tests.
2026-06-06 23:57:56 +01:00
Boris Rybalkin
d6cfdd3bec Add configurable OIDC group-to-role mapping
Currently OIDC group-based role assignment only recognizes groups named
'admin', 'user', or 'guest' (case-insensitive), and denies login when a
user's groups match none of them. This makes group-based roles unusable
with identity providers whose group names differ, and offers no way to
admit such users with a default role.

Add two optional server settings:
- authOpenIDAdminGroups: comma-separated group names mapped to the admin
  role, in addition to the built-in names.
- authOpenIDGroupDefaultRole: role assigned when no group matches,
  instead of denying login.

Both default to empty, preserving current behavior. Includes the auth
settings UI fields, en-us strings, and unit tests for setUserGroup.
2026-06-06 19:02:17 +01:00
Nicholas Wallace
e944b2a2f5 Add unique UUID to access and refresh tokens 2026-05-21 17:08:39 -07:00
advplyr
cac74f3477
Merge pull request #5004 from nichwall/token_refresh_race_condition
Access token refresh grace period
2026-05-17 14:16:58 -05:00
advplyr
eee377e081 Cleanup TokenManager logs
Some checks failed
CodeQL / Analyze (push) Has been cancelled
Build and Push Docker Image / build (push) Has been cancelled
Integration Test / build and test (push) Has been cancelled
Run Unit Tests / Run Unit Tests (push) Has been cancelled
2026-05-13 16:23:26 -05:00
advplyr
3942805129 Cleanup rotateTokensForSession 2026-04-30 16:25:43 -05:00
advplyr
379f6c716a Merge branch 'master' into token_refresh_race_condition 2026-04-30 15:59:22 -05:00
advplyr
874e9e1856 Update API Key jwtAuthCheck to check user active status 2026-03-18 16:17:45 -05:00
Nicholas Wallace
cfeb6bd502 Fix: grace period enable statement 2026-01-24 18:57:40 -07:00
Nicholas Wallace
077b523bd6 Fix JS Doc deletion 2026-01-24 18:42:50 -07:00
Nicholas Wallace
b8a2d113f0 Allow rotation without grace period for invalidating all user sessions 2026-01-24 18:26:11 -07:00
Nicholas Wallace
e1ae4f2d31 Fix: race condition in rotation 2026-01-24 18:10:38 -07:00
Nicholas Wallace
7aa2f84daa Revert default token expiry 2026-01-24 17:00:07 -07:00
Nicholas Wallace
da0a64daed Add: 10 second grace period to access token cycle 2026-01-24 16:57:25 -07:00
Finn Dittmar
0a4de61eff
Chnage Auth Expiry 2025-10-19 09:22:12 +02:00
Vito0912
50e2fe7fd2
Fix http/https error 2025-08-30 17:47:21 +02:00
advplyr
4018be6330 Fix oidc auto-register not cleaning up new user on errors #4563 2025-08-10 17:26:15 -05:00
advplyr
99a3867ce9 Update callback url check
Co-authored-by: Denis Arnst <git@sapd.eu>
2025-08-10 17:08:25 -05:00
advplyr
f7b94a4b6d Fix OIDC auto register user #4485 2025-07-13 17:04:02 -05:00
advplyr
7d6d3e6687 Move invalidate refresh token to TokenManager 2025-07-11 14:43:07 -05:00
advplyr
8775e55762 Update jwt secret handling
Some checks are pending
Run Component Tests / Run Component Tests (push) Waiting to run
Integration Test / build and test (push) Waiting to run
Run Unit Tests / Run Unit Tests (push) Waiting to run
2025-07-08 16:39:50 -05:00
advplyr
9c8900560c Seperate out auth strategies, update change password to return error status codes 2025-07-07 15:04:40 -05:00
advplyr
97afd22f81 Refactor Auth to breakout functions in TokenManager, handle token generation for OIDC
Some checks are pending
Run Component Tests / Run Component Tests (push) Waiting to run
Integration Test / build and test (push) Waiting to run
Run Unit Tests / Run Unit Tests (push) Waiting to run
2025-07-06 16:43:03 -05:00