GitHub/outline
1
0
Fork 0
mirror of https://github.com/outline/outline.git synced 2026-06-13 11:25:03 +03:00
Code Issues Packages Projects Releases Wiki Activity
9,455 Commits 660 Branches 247 Tags
f50bb00b29059a4656a398df9b35562ccdc743af
Commit Graph

37 Commits

Author SHA1 Message Date
Tom Moor f50bb00b29 Refactor of OAuth account linking flows (#12246) 
* Refactor of OAuth account linking flows

* PR feedback
 2026-05-02 18:54:38 -04:00
Tom Moor d4dec42bc5 fix: Validate host parameter stored in OAuth state on failure redirect (#11956) 
* fix: Validate host parameter stored in OAuth state on auth failure path

* fix: Validate OAuth state host to prevent open redirect

Sanitize the host parameter from OAuth state before using it in error
redirects. Adds userinfo stripping to parseDomain's normalizeUrl to
prevent bypasses like "subdomain.base@evil.com", validates custom
domains against registered teams, and introduces Team.findByDomain
with input normalization for consistent domain lookups.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-04 16:13:54 -04:00
Tom Moor 1a893b0e45 Group sync framework (#11684) 
Adds group sync from external authentication providers, allowing team group memberships to be automatically managed based on provider data on sign-in in the future.
 2026-03-14 23:02:20 -04:00
Tom Moor 00fb4d1af7 chore: Update node style imports (#11277) 
- crypto → node:crypto
  - fs → node:fs
  - fs/promises → node:fs/promises
  - path → node:path
  - http → node:http
  - https → node:https
  - stream → node:stream
  - buffer → node:buffer
  - url → node:url
  - os → node:os
  - net → node:net
  - dns → node:dns
  - events → node:events
  - readline → node:readline
  - querystring → node:querystring
  - util → node:util
 2026-01-26 20:51:50 -05:00
Tom Moor d9aec40313 chore: Store service in JWT (#11136) 
* chore: Store service in JWT

* docs

* fix: Remove early return
 2026-01-10 12:28:00 -05:00
Tom Moor fbd4ded5b4 feat: Add authentication provider management (#10997) 
* Gemini first-pass

* Prevent post-connect login

* stash

* stash

* Add OIDC logo

* Separate security page

* test

* Update icon

* test

* ui

* Add extra guards for disabling auth provider

* refactor

* test
 2025-12-24 09:09:24 -05:00
Tom Moor bf45e97641 chore: Enforce type import consistency (#10968) 
* Update types

* fix circular dep

* type imports

* lint type imports and --fix
 2025-12-19 23:07:02 -05:00
Tom Moor 2f2e7c3556 fix: One last spot that needs to allow private requests (#10069) 2025-09-01 11:03:25 -04:00
Tom Moor ba8ade0244 chore: Add some additional debugging around auth failures (#9924) 2025-08-13 22:44:53 -04:00
Tom Moor 8dc6bcba22 fix: Add option as to whether state cookie is considered for team context (#9831) 
* fix: Do not consider host in cookies state unless its a workspace subdomain

* fix: Add option as to whether state cookie is considered in team context
 2025-08-04 19:50:32 -04:00
Tom Moor f6f831f3f6 fix: Enable PKCE if OIDC discovery endpoint supports it (#9478) 
* fix: Enable PKCE if OIDC discovery endpoint supports it

* fix: Ensure code_verifier is passed through state

* facepalm
 2025-06-27 11:06:45 -04:00
codegen-sh[bot] 758d4edbb9 Upgrade @typescript-eslint dependencies to v8.33.0 (#9363) 
* Upgrade @typescript-eslint dependencies from v6.21.0 to v8.33.0

- Updated @typescript-eslint/eslint-plugin from ^6.21.0 to ^8.33.0
- Updated @typescript-eslint/parser from ^6.21.0 to ^8.33.0
- Tested linting functionality to ensure compatibility
- This brings the latest TypeScript ESLint features and bug fixes

* lint

* tsc

---------

Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
 2025-06-01 11:01:15 -04:00
Tom Moor c12b257098 fix: Use configured proxy for OIDC server-to-server requests (#8776) 2025-03-25 04:31:16 -07:00
Tom Moor 1749ffe20d feat: Redirect to previous subdomains (#8477) 
* Migration

* Store previous subdomains

* Redirect previous subdomains at service layer

* refactor

* refactor

* change index

* Guard logic to hosted only
 2025-02-18 16:53:18 -08:00
Tom Moor b666d8f13d fix: Dropbox OIDC requires POST to userinfo endpoint (#8282) 2025-01-28 17:54:04 -08:00
Tom Moor 5c56714bc8 test: Remove table truncation as it causes sporadic test failures 2024-09-18 20:13:52 -04:00
Tom Moor bc0b73e7a7 fix: OIDC signin to prevent duplicate auth providers (#7598) 
* Refactor OIDC signin to prevent duplicate auth providers

* refactor
 2024-09-16 17:21:41 -07:00
Tom Moor 0f072acfd9 fix: Guard undefined ctx.state 2023-11-01 23:14:45 -04:00
Tom Moor 2838503273 Backend of public sharing at root (#6103) 2023-11-01 19:10:00 -07:00
Tom Moor 5402731ec3 fix: Do not prevent local IP connections to OIDC server 
ref #6064
 2023-10-25 20:54:26 -04:00
Tom Moor 2261514138 Improve debugging when OIDC userinfo endpoint does not return JSON 2023-09-26 23:46:56 -04:00
Tom Moor 80ef0a38d6 chore: More flakey test improvements (#5801) 2023-09-09 15:30:19 -07:00
Tom Moor 30a4303a8e chore: Remove DEPLOYMENT and SUBDOMAINS_ENABLED (#5742) 2023-08-28 17:39:58 -07:00
Tom Moor 5c07694f6b Refactor 'uploadFromUrl' to base storage implementation 
Add safety around using fetch implementation
 2023-08-20 13:13:17 -04:00
Tom Moor 39e12cef65 chore: Use httpOnly authentication cookie (#5552) 2023-07-15 13:56:32 -07:00
Tom Moor 075555a867 fix: Do not show actively disabled auth providers in self-hosted install (#4794) 
* fix: Do not show actively disabled auth providers in self-hosted installation

* self review

* Refactor for easier mocking
 2023-01-28 10:02:25 -08:00
Tom Moor cc333637dd Desktop support (#4484) 
* Remove home link on desktop app

* Spellcheck, installation toasts, background styling, …

* Add email,slack, auth support

* More desktop style tweaks

* Move redirect to client

* cleanup

* Record desktop usage

* docs

* fix: Selection state in search input when double clicking header
 2022-11-27 15:07:48 -08:00
Nan Yu 74d9409cc3 fix: refactor auth flow to explicitly pass in a host (#3909) 
* fix: refactor auth flow to explicitly pass in a host

* add new error handler to all SSO providers

* refactor passport error into middleware
 2022-08-04 02:00:52 -07:00
Nan Yu c3f5563e7f feat: scope login attempts to specific subdomains if available - do not switch subdomains (#3741) 
* make the user lookup in user creator sensitive to team
* add team specific logic to oidc strat
* factor out slugifyDomain
* change type of req during auth to Koa.Context
 2022-07-19 06:50:55 -07:00
Tom Moor c6fdffba77 chore: Internal request filtering 2022-07-05 11:06:47 +02:00
Tom Moor 51230a55e5 fix: Post-auth subdomain redirect 2022-06-22 19:51:37 +02:00
Nan Yu e0d2b6cace feat: allow personal gmail accounts to be used to sign into teams with an existing invite (#3652) 
* feat: allow personal gmail accounts to be used to sign into teams with an existing invite

* address comments

* add comment for appDomain

* address comments
 2022-06-20 01:33:16 -07:00
Nan Yu 41e425756d chore: refactor domain parsing to be more general (#3448) 
* change the api of domain parsing to just parseDomain and getCookieDomain
* adds getBaseDomain as the method to get the domain after any official subdomains
 2022-05-31 18:48:23 -07:00
Tom Moor bb074edb0d perf: Improve speed of Azure login (parallelize two slow API requests) 
chore: Improved types around passport
 2022-04-30 16:57:58 -07:00
Tom Moor 6e371f0d03 fix: HoverPreview not showing on collaborative editing teams 
types
 2021-12-05 19:31:08 -08:00
Tom Moor ce2a58e83b fix: Math.random -> crypto.randomBytes 
closes #2818
 2021-12-05 18:42:03 -08:00
Tom Moor 15b1069bcc chore: Move to Typescript (#2783) 
This PR moves the entire project to Typescript. Due to the ~1000 ignores this will lead to a messy codebase for a while, but the churn is worth it – all of those ignore comments are places that were never type-safe previously.

closes #1282
 2021-11-29 06:40:55 -08:00