feat(core): Add LDAP support (#3835)

2025-12-18 18:41:14 +00:00 · 2023-01-24 20:18:39 -05:00
parent 259296c5c9
commit 0c70a40317
77 changed files with 3686 additions and 192 deletions
--- a/packages/cli/src/auth/methods/ldap.ts
+++ b/packages/cli/src/auth/methods/ldap.ts
@@ -0,0 +1,69 @@
+import { InternalHooksManager } from '@/InternalHooksManager';
+import {
+	createLdapUserOnLocalDb,
+	findAndAuthenticateLdapUser,
+	getLdapConfig,
+	getLdapUserRole,
+	getUserByEmail,
+	getAuthIdentityByLdapId,
+	isLdapDisabled,
+	mapLdapAttributesToUser,
+	createLdapAuthIdentity,
+	updateLdapUserOnLocalDb,
+} from '@/Ldap/helpers';
+import type { User } from '@db/entities/User';
+
+export const handleLdapLogin = async (
+	loginId: string,
+	password: string,
+): Promise<User | undefined> => {
+	if (isLdapDisabled()) return undefined;
+
+	const ldapConfig = await getLdapConfig();
+
+	if (!ldapConfig.loginEnabled) return undefined;
+
+	const { loginIdAttribute, userFilter } = ldapConfig;
+
+	const ldapUser = await findAndAuthenticateLdapUser(
+		loginId,
+		password,
+		loginIdAttribute,
+		userFilter,
+	);
+
+	if (!ldapUser) return undefined;
+
+	const [ldapId, ldapAttributesValues] = mapLdapAttributesToUser(ldapUser, ldapConfig);
+
+	const { email: emailAttributeValue } = ldapAttributesValues;
+
+	if (!ldapId || !emailAttributeValue) return undefined;
+
+	const ldapAuthIdentity = await getAuthIdentityByLdapId(ldapId);
+	if (!ldapAuthIdentity) {
+		const emailUser = await getUserByEmail(emailAttributeValue);
+
+		// check if there is an email user with the same email as the authenticated LDAP user trying to log-in
+		if (emailUser && emailUser.email === emailAttributeValue) {
+			const identity = await createLdapAuthIdentity(emailUser, ldapId);
+			await updateLdapUserOnLocalDb(identity, ldapAttributesValues);
+		} else {
+			const role = await getLdapUserRole();
+			const user = await createLdapUserOnLocalDb(role, ldapAttributesValues, ldapId);
+			void InternalHooksManager.getInstance().onUserSignup(user, {
+				user_type: 'ldap',
+				was_disabled_ldap_user: false,
+			});
+			return user;
+		}
+	} else {
+		if (ldapAuthIdentity.user) {
+			if (ldapAuthIdentity.user.disabled) return undefined;
+			await updateLdapUserOnLocalDb(ldapAuthIdentity, ldapAttributesValues);
+		}
+	}
+
+	// Retrieve the user again as user's data might have been updated
+	return (await getAuthIdentityByLdapId(ldapId))?.user;
+};