usememos/memos
1
1
Fork 0
mirror of https://github.com/usememos/memos.git synced 2025-12-17 14:19:17 +08:00
Code Issues Projects Releases Packages Wiki Activity

Prevent leakage of client secret to low-privileged users

Browse source
This commit is contained in:
Florian Dewald 2025-11-03 08:31:38 +00:00
parent 9b72963e08
commit 93c529c03f
1 changed files with 30 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
server/router/api/v1/idp_service.go
View file

@ -38,8 +38,17 @@ func (s *APIV1Service) ListIdentityProviders(ctx context.Context, _ *v1pb.ListId
response := &v1pb.ListIdentityProvidersResponse{ response := &v1pb.ListIdentityProvidersResponse{
IdentityProviders: []*v1pb.IdentityProvider{}, IdentityProviders: []*v1pb.IdentityProvider{},
} }
// Default to lowest-privilege role, update later based on real role
currentUserRole := store.RoleUser
currentUser, err := s.GetCurrentUser(ctx)
if err == nil && currentUser != nil {
currentUserRole = currentUser.Role
}
for _, identityProvider := range identityProviders { for _, identityProvider := range identityProviders {
response.IdentityProviders = append(response.IdentityProviders, convertIdentityProviderFromStore(identityProvider)) identityProviderConverted := convertIdentityProviderFromStore(identityProvider)
response.IdentityProviders = append(response.IdentityProviders, redactIdentityProviderResponse(identityProviderConverted, currentUserRole))
} }
return response, nil return response, nil
} }
@ -58,7 +67,16 @@ func (s *APIV1Service) GetIdentityProvider(ctx context.Context, request *v1pb.Ge
if identityProvider == nil { if identityProvider == nil {
return nil, status.Errorf(codes.NotFound, "identity provider not found") return nil, status.Errorf(codes.NotFound, "identity provider not found")
} }
return convertIdentityProviderFromStore(identityProvider), nil
// Default to lowest-privilege role, update later based on real role
currentUserRole := store.RoleUser
currentUser, err := s.GetCurrentUser(ctx)
if err == nil && currentUser != nil {
currentUserRole = currentUser.Role
}
identityProviderConverted := convertIdentityProviderFromStore(identityProvider)
return redactIdentityProviderResponse(identityProviderConverted, currentUserRole), nil
} }
func (s *APIV1Service) UpdateIdentityProvider(ctx context.Context, request *v1pb.UpdateIdentityProviderRequest) (*v1pb.IdentityProvider, error) { func (s *APIV1Service) UpdateIdentityProvider(ctx context.Context, request *v1pb.UpdateIdentityProviderRequest) (*v1pb.IdentityProvider, error) {
@ -183,3 +201,13 @@ func convertIdentityProviderConfigToStore(identityProviderType v1pb.IdentityProv
} }
return nil return nil
} }
func redactIdentityProviderResponse(identityProvider *v1pb.IdentityProvider, userRole store.Role) *v1pb.IdentityProvider {
if userRole != store.RoleHost {
if identityProvider.Type == v1pb.IdentityProvider_OAUTH2 {
identityProvider.Config.GetOauth2Config().ClientSecret = ""
}
}
return identityProvider
}