
Merge branch 'devel'

Lauri Ojansivu 6 years ago
parent
commit
5e128583ac

+ 1 - 0
.meteor/packages

@@ -31,6 +31,7 @@ kenton:accounts-sandstorm
 service-configuration@1.0.11
 useraccounts:unstyled
 useraccounts:flow-routing
+salleman:accounts-oidc
 
 # Utilities
 check@1.2.5

+ 5 - 0
.meteor/versions

@@ -1,5 +1,6 @@
 3stack:presence@1.1.2
 accounts-base@1.4.0
+accounts-oauth@1.1.15
 accounts-password@1.5.0
 aldeed:collection2@2.10.0
 aldeed:collection2-core@1.2.0
@@ -119,6 +120,8 @@ mquandalle:mousetrap-bindglobal@0.0.1
 mquandalle:perfect-scrollbar@0.6.5_2
 npm-bcrypt@0.9.3
 npm-mongo@2.2.33
+oauth@1.2.1
+oauth2@1.2.0
 observe-sequence@1.0.16
 ongoworks:speakingurl@1.1.0
 ordered-dict@1.0.9
@@ -140,6 +143,8 @@ reload@1.1.11
 retry@1.0.9
 routepolicy@1.0.12
 rzymek:fullcalendar@3.8.0
+salleman:accounts-oidc@1.0.9
+salleman:oidc@1.0.9
 service-configuration@1.0.11
 session@1.1.7
 sha@1.0.9

+ 15 - 0
CHANGELOG.md

@@ -1,3 +1,18 @@
+# v1.36 2018-08-25 Wekan release
+
+This release adds the following new features:
+
+- [OAuth2 Login on Standalone Wekan](https://github.com/wekan/wekan/wiki/OAuth2). For example, Rocket.Chat can provide OAuth2 login to Wekan.
+  Also, if you have Rocket.Chat using LDAP/SAML/Google/etc for logging into Rocket.Chat, then same users can login to Wekan when
+  Rocket.Chat is providing OAuth2 login to Wekan.
+
+and fixes the following bugs:
+
+- [Move labels back to original place at minicard](https://github.com/wekan/wekan/issues/1842);
+- [Fix typos in security documentation](https://github.com/wekan/wekan/pull/1857).
+
+Thanks to GitHub users hever, salleman33, tlevine and xet7 for their contributions.
+
 # v1.35 2018-08-23 Wekan release
 
 This release adds the following new features:

+ 13 - 1
Dockerfile

@@ -18,6 +18,12 @@ ARG MATOMO_WITH_USERNAME
 ARG BROWSER_POLICY_ENABLED
 ARG TRUSTED_URL
 ARG WEBHOOKS_ATTRIBUTES
+ARG OAUTH2_CLIENT_ID
+ARG OAUTH2_SECRET
+ARG OAUTH2_SERVER_URL
+ARG OAUTH2_AUTH_ENDPOINT
+ARG OAUTH2_USERINFO_ENDPOINT
+ARG OAUTH2_TOKEN_ENDPOINT
 
 # Set the environment variables (defaults where required)
 # DOES NOT WORK: paxctl fix for alpine linux: https://github.com/wekan/wekan/issues/1303
@@ -38,7 +44,13 @@ ENV BUILD_DEPS="apt-utils gnupg gosu wget curl bzip2 build-essential python git
     MATOMO_WITH_USERNAME=false \
     BROWSER_POLICY_ENABLED=true \
     TRUSTED_URL="" \
-    WEBHOOKS_ATTRIBUTES=""
+    WEBHOOKS_ATTRIBUTES="" \
+    OAUTH2_CLIENT_ID="" \
+    OAUTH2_SECRET="" \
+    OAUTH2_SERVER_URL="" \
+    OAUTH2_AUTH_ENDPOINT="" \
+    OAUTH2_USERINFO_ENDPOINT="" \
+    OAUTH2_TOKEN_ENDPOINT=""
 
 # Copy the app to the image
 COPY ${SRC_PATH} /home/wekan/app
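Review bot: `ARG OAUTH2_SECRET` together with `OAUTH2_SECRET=""` in the ENV block invites passing the secret with `--build-arg`, and a build argument is recorded in the image's layer metadata, so it can be read back by anyone who can inspect the image or its history. The empty default is fine for the runtime check in server/authentication.js, which compares against `''`, but the value itself should only be supplied when the container starts (`-e OAUTH2_SECRET=...` or an env file), never at build time. A comment beside the ARG would make that explicit: `# OAUTH2_SECRET: supply at run time only; build-arg values persist in image history`. The ENV statement this hunk extends begins outside the hunk.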

+ 4 - 4
SECURITY.md

@@ -1,4 +1,4 @@
-Security is very important to us. If discover any issue regarding security, please disclose
+Security is very important to us. If you discover any issue regarding security, please disclose
 the information responsibly by sending an email to security (at) wekan.team and not by
 creating a GitHub issue. We will respond swiftly to fix verifiable security issues.
 
@@ -28,8 +28,8 @@ added to the Wekan Hall of Fame.
 
 ## Which domains are in scope?
 
-No any public domains, because all those are donated to Wekan Open Source project,
-and we don't have any permissions to do security scans on those donated servers.
+No public domains, because all those are donated to Wekan Open Source project,
+and we don't have any permissions to do security scans on those donated servers
 
 Please don't perform research that could impact other users. Secondly, please keep
 the reports short and succinct. If we fail to understand the logics of your bug, we will tell you.
@@ -39,7 +39,7 @@ and scan it's vulnerabilities there.
 
 ## About Wekan versions
 
-There is only 2 versions of Wekan: Standalone Wekan, and Sandstorm Wekan.
+There are only 2 versions of Wekan: Standalone Wekan, and Sandstorm Wekan.
 
 ### Standalone Wekan Security
 

+ 4 - 5
client/components/cards/minicard.jade

@@ -4,6 +4,10 @@ template(name="minicard")
     class="{{#if isLinkedBoard}}linked-board{{/if}}")
     if cover
       .minicard-cover(style="background-image: url('{{cover.url}}');")
+    if labels
+      .minicard-labels
+        each labels
+          .minicard-label(class="card-label-{{color}}" title="{{name}}")
     .minicard-title
       if $eq 'prefix-with-full-path' currentBoard.presentParentTask
         .parent-prefix
@@ -76,8 +80,3 @@ template(name="minicard")
         .badge(class="{{#if checklistFinished}}is-finished{{/if}}")
           span.badge-icon.fa.fa-check-square-o
           span.badge-text.check-list-text {{checklistFinishedCount}}/{{checklistItemCount}}
-
-    if labels
-      .minicard-labels
-        each labels
-          .minicard-label(class="card-label-{{color}}" title="{{name}}")

+ 19 - 0
docker-compose.yml

@@ -63,6 +63,25 @@ services:
       # What to send to Outgoing Webhook, or leave out. Example, that includes all that are default: cardId,listId,oldListId,boardId,comment,user,card,commentId .
       # example: WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,commentId
       - WEBHOOKS_ATTRIBUTES=''
+      # OAuth2 docs: https://github.com/wekan/wekan/wiki/OAuth2
+      # OAuth2 Client ID, for example from Rocket.Chat. Example: abcde12345
+      # example: OAUTH2_CLIENT_ID=abcde12345
+      - OAUTH2_CLIENT_ID=''
+      # OAuth2 Secret, for example from Rocket.Chat: Example: 54321abcde
+      # example: OAUTH2_SECRET=54321abcde
+      - OAUTH2_SECRET=''
+      # OAuth2 Server URL, for example Rocket.Chat. Example: https://chat.example.com
+      # example: OAUTH2_SERVER_URL=https://chat.example.com
+      - OAUTH2_SERVER_URL=''
+      # OAuth2 Authorization Endpoint. Example: /oauth/authorize
+      # example: OAUTH2_AUTH_ENDPOINT=/oauth/authorize
+      - OAUTH2_AUTH_ENDPOINT=''
+      # OAuth2 Userinfo Endpoint. Example: /oauth/userinfo
+      # example: OAUTH2_USERINFO_ENDPOINT=/oauth/userinfo
+      - OAUTH2_USERINFO_ENDPOINT=''
+      # OAuth2 Token Endpoint. Example: /oauth/token
+      # example: OAUTH2_TOKEN_ENDPOINT=/oauth/token
+      - OAUTH2_TOKEN_ENDPOINT=''
     depends_on:
       - wekandb
 

+ 24 - 0
models/users.js

@@ -478,6 +478,30 @@ if (Meteor.isServer) {
       return user;
     }
 
+    if (user.services.oidc) {
+      const email = user.services.oidc.email.toLowerCase();
+
+      user.username = user.services.oidc.username;
+      user.emails = [{ address: email, verified: true }];
+      const initials = user.services.oidc.fullname.match(/\b[a-zA-Z]/g).join('').toUpperCase();
+      user.profile = { initials, fullname: user.services.oidc.fullname };
+
+      // see if any existing user has this email address or username, otherwise create new
+      const existingUser = Meteor.users.findOne({$or: [{'emails.address': email}, {'username':user.username}]});
+      if (!existingUser)
+        return user;
+
+      // copy across new service info
+      const service = _.keys(user.services)[0];
+      existingUser.services[service] = user.services[service];
+      existingUser.emails = user.emails;
+      existingUser.username = user.username;
+      existingUser.profile = user.profile;
+
+      Meteor.users.remove({_id: existingUser._id}); // remove existing record
+      return existingUser;
+    }
+
     if (options.from === 'admin') {
       user.createdThroughApi = true;
       return user;

+ 1 - 1
package.json

@@ -1,6 +1,6 @@
 {
   "name": "wekan",
-  "version": "1.35.0",
+  "version": "1.36.0",
   "description": "The open-source kanban",
   "private": true,
   "scripts": {

+ 8 - 2
sandstorm-pkgdef.capnp

@@ -22,10 +22,10 @@ const pkgdef :Spk.PackageDefinition = (
     appTitle = (defaultText = "Wekan"),
     # The name of the app as it is displayed to the user.
 
-    appVersion = 120,
+    appVersion = 121,
     # Increment this for every release.
 
-    appMarketingVersion = (defaultText = "1.35.0~2018-08-23"),
+    appMarketingVersion = (defaultText = "1.36.0~2018-08-25"),
     # Human-readable presentation of the app version.
 
     minUpgradableAppVersion = 0,
@@ -245,6 +245,12 @@ const myCommand :Spk.Manifest.Command = (
     (key = "BROWSER_POLICY_ENABLED", value="true"),
     (key = "TRUSTED_URL", value=""),
     (key = "WEBHOOKS_ATTRIBUTES", value=""),
+    (key = "OAUTH2_CLIENT_ID", value=""),
+    (key = "OAUTH2_SECRET", value=""),
+    (key = "OAUTH2_SERVER_URL", value=""),
+    (key = "OAUTH2_AUTH_ENDPOINT", value=""),
+    (key = "OAUTH2_USERINFO_ENDPOINT", value=""),
+    (key = "OAUTH2_TOKEN_ENDPOINT", value=""),
     (key = "SANDSTORM", value = "1"),
     (key = "METEOR_SETTINGS", value = "{\"public\": {\"sandstorm\": true}}")
   ]

+ 23 - 0
server/authentication.js

@@ -62,5 +62,28 @@ Meteor.startup(() => {
     Authentication.checkAdminOrCondition(userId, normalAccess);
   };
 
+  if (Meteor.isServer) {
+
+    if(process.env.OAUTH2_CLIENT_ID !== '') {
+
+      ServiceConfiguration.configurations.upsert( // eslint-disable-line no-undef
+        { service: 'oidc' },
+        {
+          $set: {
+            loginStyle: 'redirect',
+            clientId: process.env.OAUTH2_CLIENT_ID,
+            secret: process.env.OAUTH2_SECRET,
+            serverUrl: process.env.OAUTH2_SERVER_URL,
+            authorizationEndpoint: process.env.OAUTH2_AUTH_ENDPOINT,
+            userinfoEndpoint: process.env.OAUTH2_USERINFO_ENDPOINT,
+            tokenEndpoint: process.env.OAUTH2_TOKEN_ENDPOINT,
+            idTokenWhitelistFields: [],
+            requestPermissions: ['openid'],
+          },
+        }
+      );
+    }
+  }
+
 });
 
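Review bot: `process.env.OAUTH2_CLIENT_ID !== ''` is true when the variable is not set at all (`undefined !== ''`), so a deployment that does not export the OAuth2 variables — only the Dockerfile, snap and Sandstorm definitions in this commit default them to an empty string — upserts an `oidc` service configuration with `clientId: undefined` and exposes an OIDC login that cannot succeed. Use a truthiness check, `if (process.env.OAUTH2_CLIENT_ID) {`, and consider requiring `OAUTH2_SECRET` and `OAUTH2_SERVER_URL` as well before enabling the service. The `Meteor.isServer` guard is redundant in a file under `server/`, and because the upsert only ever sets fields, a configuration stays in the ServiceConfiguration collection after the variables are removed from the environment; a comment noting that `# the oidc entry must be removed manually when OAuth2 is disabled` or an explicit `remove` in the else branch would cover that. The `Meteor.startup` callback this hunk extends begins outside the hunk.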

+ 26 - 1
snap-src/bin/config

@@ -3,7 +3,7 @@
 # All supported keys are defined here together with descriptions and default values
 
 # list of supported keys
-keys="MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES"
+keys="MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT"
 
 # default values
 DESCRIPTION_MONGODB_BIND_UNIX_SOCKET="mongodb binding unix socket:\n"\
@@ -81,3 +81,28 @@ KEY_TRUSTED_URL="trusted-url"
 DESCRIPTION_WEBHOOKS_ATTRIBUTES="What to send to Outgoing Webhook, or leave out. Example, that includes all that are default: cardId,listId,oldListId,boardId,comment,user,card,commentId ."
 DEFAULT_WEBHOOKS_ATTRIBUTES=""
 KEY_WEBHOOKS_ATTRIBUTES="webhooks-attributes"
+
+DESCRIPTION_OAUTH2_CLIENT_ID="OAuth2 Client ID, for example from Rocket.Chat. Example: abcde12345"
+DEFAULT_OAUTH2_CLIENT_ID=""
+KEY_OAUTH2_CLIENT_ID="oauth2-client-id"
+
+DESCRIPTION_OAUTH2_SECRET="OAuth2 Secret, for example from Rocket.Chat: Example: 54321abcde"
+DEFAULT_OAUTH2_SECRET=""
+KEY_OAUTH2_SECRET="oauth2-secret"
+
+DESCRIPTION_OAUTH2_SERVER_URL="OAuth2 Server URL, for example Rocket.Chat. Example: https://chat.example.com"
+DEFAULT_OAUTH2_SERVER_URL=""
+KEY_OAUTH2_SERVER_URL="oauth2-server-url"
+
+DESCRIPTION_OAUTH2_AUTH_ENDPOINT="OAuth2 authorization endpoint. Example: /oauth/authorize"
+DEFAULT_OAUTH2_AUTH_ENDPOINT=""
+KEY_OAUTH2_AUTH_ENDPOINT="oauth2-auth-endpoint"
+
+DESCRIPTION_OAUTH2_USERINFO_ENDPOINT="OAuth2 userinfo endpoint. Example: /oauth/userinfo"
+DEFAULT_OAUTH2_USERINFO_ENDPOINT=""
+KEY_OAUTH2_USERINFO_ENDPOINT="oauth2-userinfo-endpoint"
+
+DESCRIPTION_OAUTH2_TOKEN_ENDPOINT="OAuth2 token endpoint. Example: /oauth/token"
+DEFAULT_OAUTH2_TOKEN_ENDPOINT=""
+KEY_OAUTH2_TOKEN_ENDPOINT="oauth2-token-endpoint"
+

+ 42 - 0
snap-src/bin/wekan-help

@@ -53,6 +53,48 @@ echo -e "\t$ snap set $SNAP_NAME WEBHOOKS_ATTRIBUTES='cardId,listId,oldListId,bo
 echo -e "\t-Disable the Webhooks Attributes of Wekan to send all default ones:"
 echo -e "\t$ snap set $SNAP_NAME WEBHOOKS_ATTRIBUTES=''"
 echo -e "\n"
+echo -e "OAuth2 Client ID, for example from Rocket.Chat. Example: abcde12345"
+echo -e "To enable the OAuth2 Client ID of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_CLIENT_ID='54321abcde'"
+echo -e "\t-Disable the OAuth2 Client ID of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_CLIENT_ID=''"
+echo -e "\n"
+echo -e "OAuth2 Secret, for example from Rocket.Chat. Example: 54321abcde"
+echo -e "To enable the OAuth2 Secret of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_SECRET='54321abcde'"
+echo -e "\t-Disable the OAuth2 Secret of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_SECRET=''"
+echo -e "\n"
+echo -e "OAuth2 Server URL, for example Rocket.Chat. Example: https://chat.example.com"
+echo -e "To enable the OAuth2 Server URL of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_SERVER_URL='https://chat.example.com'"
+echo -e "\t-Disable the OAuth2 Server URL of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_SERVER_URL=''"
+echo -e "\n"
+echo -e "OAuth2 Server URL, for example Rocket.Chat. Example: https://chat.example.com"
+echo -e "To enable the OAuth2 Server URL of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_SERVER_URL='https://chat.example.com'"
+echo -e "\t-Disable the OAuth2 Server URL of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_SERVER_URL=''"
+echo -e "\n"
+echo -e "OAuth2 Authorization Endpoint. Example: /oauth/authorize""
+echo -e "To enable the OAuth2 Authorization Endpoint of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_AUTH_ENDPOINT='/oauth/authorize'"
+echo -e "\t-Disable the OAuth2 Authorization Endpoint of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_AUTH_ENDPOINT=''"
+echo -e "\n"
+echo -e "OAuth2 Userinfo Endpoint. Example: /oauth/userinfo""
+echo -e "To enable the OAuth2 Userinfo Endpoint of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_USERINFO_ENDPOINT='/oauth/authorize'"
+echo -e "\t-Disable the OAuth2 Userinfo Endpoint of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_USERINFO_ENDPOINT=''"
+echo -e "\n"
+echo -e "OAuth2 Token Endpoint. Example: /oauth/token""
+echo -e "To enable the OAuth2 Token Endpoint of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_TOKEN_ENDPOINT='/oauth/token'"
+echo -e "\t-Disable the OAuth2 Token Endpoint of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME OAUTH2_TOKEN_ENDPOINT=''"
+echo -e "\n"
 # parse config file for supported settings keys
 echo -e "wekan supports settings keys"
 echo -e "values can be changed by calling\n$ snap set $SNAP_NAME <key name>='<key value>'"
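Review bot: The userinfo example `OAUTH2_USERINFO_ENDPOINT='/oauth/authorize'` shows the authorization path for the userinfo endpoint; it should read `echo -e "\t$ snap set $SNAP_NAME OAUTH2_USERINFO_ENDPOINT='/oauth/userinfo'"`. The six-line "OAuth2 Server URL" block is printed twice and the second copy should be dropped, and the Client ID example `'54321abcde'` contradicts the `abcde12345` value named on the heading line above it. The three headings that end in `""` (authorization, userinfo and token endpoint) carry a stray extra quote; bash accepts it as an appended empty string, but the lines should be `echo -e "OAuth2 Authorization Endpoint. Example: /oauth/authorize"` and likewise for the other two.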