keligrubb/kestrelos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 11 Wiki Activity
Files
e61e6bc7e32103b2c40d1fbf51ef7466c2d9f095
kestrelos/server/utils/oidc.js
Keli Grubb e61e6bc7e3
All checks were successful
ci/woodpecker/push/push Pipeline was successful
Details
major: kestrel is now a tak server (#6) 
## Added

- CoT (Cursor on Target) server on port 8089 enabling ATAK/iTAK device connectivity
- Support for TAK stream protocol and traditional XML CoT messages
- TLS/SSL support with automatic fallback to plain TCP
- Username/password authentication for CoT connections
- Real-time device position tracking with TTL-based expiration (90s default)
- API endpoints: `/api/cot/config`, `/api/cot/server-package`, `/api/cot/truststore`, `/api/me/cot-password`
- TAK Server section in Settings with QR code for iTAK setup
- ATAK password management in Account page for OIDC users
- CoT device markers on map showing real-time positions
- Comprehensive documentation in `docs/` directory
- Environment variables: `COT_PORT`, `COT_TTL_MS`, `COT_REQUIRE_AUTH`, `COT_SSL_CERT`, `COT_SSL_KEY`, `COT_DEBUG`
- Dependencies: `fast-xml-parser`, `jszip`, `qrcode`

## Changed

- Authentication system supports CoT password management for OIDC users
- Database schema includes `cot_password_hash` field
- Test suite refactored to follow functional design principles

## Removed

- Consolidated utility modules: `authConfig.js`, `authSkipPaths.js`, `bootstrap.js`, `poiConstants.js`, `session.js`

## Security

- XML entity expansion protection in CoT parser
- Enhanced input validation and SQL injection prevention
- Authentication timeout to prevent hanging connections

## Breaking Changes

- Port 8089 must be exposed for CoT server. Update firewall rules and Docker/Kubernetes configurations.

## Migration Notes

- OIDC users must set ATAK password via Account settings before connecting
- Docker: expose port 8089 (`-p 8089:8089`)
- Kubernetes: update Helm values to expose port 8089

Co-authored-by: Madison Grubb <madison@elastiflow.com>
Reviewed-on: #6
2026-02-17 16:41:41 +00:00

82 lines
2.6 KiB
JavaScript
Raw Blame History

import * as oidc from 'openid-client'
const CACHE_TTL_MS = 60 * 60 * 1000
const configCache = new Map()
// Auth configuration
export function getAuthConfig() {
const hasOidc = !!(process.env.OIDC_ISSUER && process.env.OIDC_CLIENT_ID && process.env.OIDC_CLIENT_SECRET)
const label = process.env.OIDC_LABEL?.trim() || (hasOidc ? 'Sign in with OIDC' : '')
return Object.freeze({ oidc: { enabled: hasOidc, label } })
}
function getRedirectUri() {
const explicit
= process.env.OIDC_REDIRECT_URI ?? process.env.OPENID_REDIRECT_URI ?? ''
if (explicit.trim()) return explicit.trim()
const base = process.env.NUXT_APP_URL || process.env.APP_URL || ''
if (base) return `${base.replace(/\/$/, '')}/api/auth/oidc/callback`
const host = process.env.HOST || 'localhost'
const port = process.env.PORT || '3000'
const protocol = process.env.NODE_ENV === 'production' ? 'https' : 'http'
return `${protocol}://${host}:${port}/api/auth/oidc/callback`
}
export async function getOidcConfig() {
const issuer = process.env.OIDC_ISSUER
const clientId = process.env.OIDC_CLIENT_ID
const clientSecret = process.env.OIDC_CLIENT_SECRET
if (!issuer || !clientId || !clientSecret) return null
const key = issuer
const cached = configCache.get(key)
if (cached && Date.now() < cached.expires) return cached.config
const server = new URL(issuer)
const config = await oidc.discovery(
server,
clientId,
undefined,
oidc.ClientSecretPost(clientSecret),
{ timeout: 5000 },
)
configCache.set(key, { config, expires: Date.now() + CACHE_TTL_MS })
return config
}
export function getOidcRedirectUri() {
return getRedirectUri()
}
export function constantTimeCompare(a, b) {
if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false
let out = 0
for (let i = 0; i < a.length; i++) out |= a.charCodeAt(i) ^ b.charCodeAt(i)
return out === 0
}
export function createOidcParams() {
return {
state: oidc.randomState(),
nonce: oidc.randomNonce(),
codeVerifier: oidc.randomPKCECodeVerifier(),
}
}
export async function getCodeChallenge(verifier) {
return oidc.calculatePKCECodeChallenge(verifier)
}
export function validateRedirectPath(redirect) {
if (typeof redirect !== 'string' || !redirect.startsWith('/') || redirect.startsWith('//')) return '/'
const path = redirect.split('?')[0]
if (path.includes('//')) return '/'
return redirect
}
export function buildAuthorizeUrl(config, params) {
return oidc.buildAuthorizationUrl(config, params)
}
export async function exchangeCode(config, currentUrl, checks) {
return oidc.authorizationCodeGrant(config, currentUrl, checks)
}
Reference in New Issue View Git Blame Copy Permalink