Enable LDAP and SAML authentication support

patches/@node-saml+node-saml+4.0.5.patch

@@ -0,0 +1,23 @@
+diff --git a/node_modules/@node-saml/node-saml/lib/saml.js b/node_modules/@node-saml/node-saml/lib/saml.js
+index fba15b9..a5778cb 100644
+--- a/node_modules/@node-saml/node-saml/lib/saml.js
++++ b/node_modules/@node-saml/node-saml/lib/saml.js
+@@ -336,7 +336,8 @@ class SAML {
+         const requestOrResponse = request || response;
+         (0, utility_1.assertRequired)(requestOrResponse, "either request or response is required");
+         let buffer;
+-        if (this.options.skipRequestCompression) {
++       // logout requestOrResponse must be compressed anyway
++        if (this.options.skipRequestCompression && operation !== "logout") {
+             buffer = Buffer.from(requestOrResponse, "utf8");
+         }
+         else {
+@@ -495,7 +496,7 @@ class SAML {
+         try {
+             xml = Buffer.from(container.SAMLResponse, "base64").toString("utf8");
+             doc = await (0, xml_1.parseDomFromString)(xml);
+-            const inResponseToNodes = xml_1.xpath.selectAttributes(doc, "/*[local-name()='Response']/@InResponseTo");
++            const inResponseToNodes = xml_1.xpath.selectAttributes(doc, "/*[local-name()='Response' or local-name()='LogoutResponse']/@InResponseTo");
+             if (inResponseToNodes) {
+                 inResponseTo = inResponseToNodes.length ? inResponseToNodes[0].nodeValue : null;
+                 await this.validateInResponseTo(inResponseTo);

patches/ldapauth-fork+4.3.3.patch

@@ -0,0 +1,64 @@
+diff --git a/node_modules/ldapauth-fork/lib/ldapauth.js b/node_modules/ldapauth-fork/lib/ldapauth.js
+index 85ecf36a8b..a7d07e0f78 100644
+--- a/node_modules/ldapauth-fork/lib/ldapauth.js
++++ b/node_modules/ldapauth-fork/lib/ldapauth.js
+@@ -69,6 +69,7 @@ function LdapAuth(opts) {
+   this.opts.bindProperty || (this.opts.bindProperty = 'dn');
+   this.opts.groupSearchScope || (this.opts.groupSearchScope = 'sub');
+   this.opts.groupDnProperty || (this.opts.groupDnProperty = 'dn');
++  this.opts.tlsStarted = false;
+
+   EventEmitter.call(this);
+
+@@ -108,21 +109,7 @@ function LdapAuth(opts) {
+   this._userClient.on('error', this._handleError.bind(this));
+
+   var self = this;
+-  if (this.opts.starttls) {
+-    // When starttls is enabled, this callback supplants the 'connect' callback
+-    this._adminClient.starttls(this.opts.tlsOptions, this._adminClient.controls, function(err) {
+-      if (err) {
+-        self._handleError(err);
+-      } else {
+-        self._onConnectAdmin();
+-      }
+-    });
+-    this._userClient.starttls(this.opts.tlsOptions, this._userClient.controls, function(err) {
+-      if (err) {
+-        self._handleError(err);
+-      }
+-    });
+-  } else if (opts.reconnect) {
++  if (opts.reconnect && !this.opts.starttls) {
+     this.once('_installReconnectListener', function() {
+       self.log && self.log.trace('install reconnect listener');
+       self._adminClient.on('connect', function() {
+@@ -384,6 +371,28 @@ LdapAuth.prototype._findGroups = function(user, callback) {
+  */
+ LdapAuth.prototype.authenticate = function(username, password, callback) {
+   var self = this;
++  if (this.opts.starttls && !this.opts.tlsStarted) {
++    // When starttls is enabled, this callback supplants the 'connect' callback
++    this._adminClient.starttls(this.opts.tlsOptions, this._adminClient.controls, function (err) {
++      if (err) {
++        self._handleError(err);
++      } else {
++        self._onConnectAdmin(function(){self._handleAuthenticate(username, password, callback);});
++      }
++    });
++    this._userClient.starttls(this.opts.tlsOptions, this._userClient.controls, function (err) {
++      if (err) {
++        self._handleError(err);
++      }
++    });
++  } else {
++    self._handleAuthenticate(username, password, callback);
++  }
++};
++
++LdapAuth.prototype._handleAuthenticate = function (username, password, callback) {
++  this.opts.tlsStarted = true;
++  var self = this;
+
+   if (typeof password === 'undefined' || password === null || password === '') {
+     return callback(new Error('no password given'));

services/web/app/src/Features/Authentication/AuthenticationController.mjs

@@ -117,9 +117,9 @@ const AuthenticationController = {
     // so we can send back our custom `{message: {text: "", type: ""}}` responses on failure,
     // and send a `{redir: ""}` response on success
     passport.authenticate(
-      'local',
+      Settings.ldap?.enable ? ['custom-fail-ldapauth','local'] : ['local'],
       { keepSessionInfo: true },
-      async function (err, user, info) {
+      async function (err, user, infoArray) {
         if (err) {
           return next(err)
         }
@@ -141,6 +141,7 @@ const AuthenticationController = {
             return next(err)
           }
         } else {
+	  let info = infoArray[0]
           if (info.redir != null) {
             return res.json({ redir: info.redir })
           } else {

services/web/app/src/Features/PasswordReset/PasswordResetController.mjs

@@ -157,6 +157,10 @@ async function requestReset(req, res, next) {
     return res.status(404).json({
       message: req.i18n.translate('secondary_email_password_reset'),
     })
+  } else if (status === 'external') {
+    return res.status(403).json({
+      message: req.i18n.translate('password_managed_externally'),
+    })
   } else {
     return res.status(404).json({
       message: req.i18n.translate('cant_find_email'),

services/web/app/src/Features/PasswordReset/PasswordResetHandler.mjs

@@ -18,6 +18,10 @@ async function generateAndEmailResetToken(email) {
     return null
   }
 
+  if (!user.hashedPassword) {
+    return 'external'
+  }
+
   if (user.email !== email) {
     return 'secondary'
   }

services/web/app/src/Features/User/UserController.mjs

@@ -413,7 +413,7 @@ async function updateUserSettings(req, res, next) {
   if (
     newEmail == null ||
     newEmail === user.email ||
-    req.externalAuthenticationSystemUsed()
+    (req.externalAuthenticationSystemUsed() && !user.hashedPassword)
   ) {
     // end here, don't update email
     SessionManager.setInSessionUser(req.session, {
@@ -490,6 +490,7 @@ async function doLogout(req) {
 }
 
 async function logout(req, res, next) {
+  if (req?.session.saml_extce) return res.redirect(308, '/saml/logout')
   const requestedRedirect = req.body.redirect
     ? UrlHelper.getSafeRedirectPath(req.body.redirect)
     : undefined

services/web/app/views/user/login.pug

@@ -25,8 +25,9 @@ block content
 									label(for='email') #{translate("email")}
 									input#email.form-control(
 										name='email'
-										type='email'
+										type=(settings.ldap && settings.ldap.enable) ? 'text' : 'email'
 										required
+										placeholder=(settings.ldap && settings.ldap.enable) ? settings.ldap.placeholder : 'email@example.com'
 										autofocus='true'
 										autocomplete='username'
 									)
@@ -46,3 +47,12 @@ block content
 								if login_support_text
 									hr
 									p.text-center !{login_support_text}
+							if settings.saml && settings.saml.enable
+								form(data-ol-async-form, name="samlLoginForm")
+									.actions(style='margin-top: 30px;')
+										a.btn.btn-secondary.btn-block(
+											href='/saml/login',
+											data-ol-disabled-inflight
+										)
+											span(data-ol-inflight="idle") #{settings.saml.identityServiceName}
+											span(hidden data-ol-inflight="pending") #{translate("logging_in")}…

services/web/app/views/user/settings.pug

@@ -11,7 +11,7 @@ block append meta
 	meta(
 		name='ol-shouldAllowEditingDetails'
 		data-type='boolean'
-		content=shouldAllowEditingDetails
+		content=shouldAllowEditingDetails || hasPassword
 	)
 	meta(name='ol-oauthProviders' data-type='json' content=oauthProviders)
 	meta(name='ol-institutionLinked' data-type='json' content=institutionLinked)
@@ -34,7 +34,7 @@ block append meta
 	meta(
 		name='ol-isExternalAuthenticationSystemUsed'
 		data-type='boolean'
-		content=externalAuthenticationSystemUsed()
+		content=externalAuthenticationSystemUsed() && !hasPassword
 	)
 	meta(name='ol-user' data-type='json' content=user)
 	meta(name='ol-labsExperiments' data-type='json' content=labsExperiments)

services/web/config/settings.defaults.js

@@ -1046,6 +1046,8 @@ module.exports = {
     'launchpad',
     'server-ce-scripts',
     'user-activate',
+    'ldap-authentication',
+    'saml-authentication',
     'symbol-palette',
     'track-changes',
   ],

services/web/locales/en.json

@@ -166,6 +166,7 @@
   "already_have_sl_account": "Already have an __appName__ account?",
   "also": "Also",
   "alternatively_create_new_institution_account": "Alternatively, you can create a <b>new account</b> with your institution email (<b>__email__</b>) by clicking <b>__clickText__</b>.",
+  "alternatively_create_local_admin_account": "Alternatively, you can create __appName__ local admin account.",
   "an_email_has_already_been_sent_to": "An email has already been sent to <0>__email__</0>. Please wait and try again later.",
   "an_error_occured_while_restoring_project": "An error occured while restoring the project",
   "an_error_occurred_when_verifying_the_coupon_code": "An error occurred when verifying the coupon code",
@@ -1289,6 +1290,7 @@
   "loading_github_repositories": "Loading your GitHub repositories",
   "loading_prices": "loading prices",
   "loading_recent_github_commits": "Loading recent commits",
+  "local_account": "Local account",
   "log_entry_description": "Log entry with level: __level__",
   "log_entry_maximum_entries": "Maximum log entries limit hit",
   "log_entry_maximum_entries_enable_stop_on_first_error": "Try to fix the first error and recompile. Often one error causes many later error messages. You can <0>Enable “Stop on first error”</0> to focus on fixing errors. We recommend fixing errors as soon as possible; letting them accumulate may lead to hard-to-debug and fatal errors. <1>Learn more</1>",

services/web/modules/launchpad/app/src/LaunchpadController.mjs

@@ -153,7 +153,8 @@ function registerExternalAuthAdmin(authMethod) {
       await User.updateOne(
         { _id: user._id },
         {
-          $set: { isAdmin: true, emails: [{ email, reversedHostname }] },
+          $set: { isAdmin: true, emails: [{ email, reversedHostname, 'confirmedAt' : Date.now() }] },
+          $unset: { 'hashedPassword': "" }, // external-auth user must not have a hashedPassword
         }
       ).exec()
     } catch (err) {

services/web/modules/launchpad/app/views/launchpad.pug

@@ -129,6 +129,41 @@ block content
 																span(data-ol-inflight='idle') #{translate("register")}
 																span(hidden data-ol-inflight='pending') #{translate("registering")}…
 
+													h3 #{translate('local_account')}
+													p
+														| #{translate('alternatively_create_local_admin_account')}
+
+													form(
+														data-ol-async-form
+														data-ol-register-admin
+														action='/launchpad/register_admin'
+														method='POST'
+													)
+														input(name='_csrf' type='hidden' value=csrfToken)
+														+formMessages
+														.form-group
+															label.form-label(for='email') #{translate("email")}
+															input.form-control(
+																name='email'
+																type='email'
+																id='email-local'
+																autocomplete='username'
+																required
+																autofocus='true'
+															)
+														.form-group
+															label.form-label(for='passwordField') #{translate("password")}
+															input#passwordField.form-control(
+																name='password'
+																type='password'
+																autocomplete='new-password'
+																required
+															)
+														.actions
+															button.btn-primary.btn(type='submit' data-ol-disabled-inflight)
+																span(data-ol-inflight='idle') #{translate("register")}
+																span(hidden data-ol-inflight='pending') #{translate("registering")}…
+
 												// Saml Form
 												if authMethod === 'saml'
 													h3 #{translate('saml')}
@@ -158,6 +193,41 @@ block content
 																span(data-ol-inflight='idle') #{translate("register")}
 																span(hidden data-ol-inflight='pending') #{translate("registering")}…
 
+													h3 #{translate('local_account')}
+													p
+														| #{translate('alternatively_create_local_admin_account')}
+
+													form(
+														data-ol-async-form
+														data-ol-register-admin
+														action='/launchpad/register_admin'
+														method='POST'
+													)
+														input(name='_csrf' type='hidden' value=csrfToken)
+														+formMessages
+														.form-group
+															label.form-label(for='email-local') #{translate("email")}
+															input.form-control(
+																name='email'
+																type='email'
+																id='email-local'
+																autocomplete='username'
+																required
+																autofocus='true'
+															)
+														.form-group
+															label.form-label(for='passwordField') #{translate("password")}
+															input#passwordField.form-control(
+																name='password'
+																type='password'
+																autocomplete='new-password'
+																required
+															)
+														.actions
+															button.btn-primary.btn(type='submit' data-ol-disabled-inflight)
+																span(data-ol-inflight='idle') #{translate("register")}
+																span(hidden data-ol-inflight='pending') #{translate("registering")}…
+
 										br
 
 									<!-- status indicators -->

services/web/modules/ldap-authentication/app/src/AuthenticationControllerLdap.mjs

@@ -0,0 +1,64 @@
+import logger from '@overleaf/logger'
+import LoginRateLimiter from '../../../../app/src/Features/Security/LoginRateLimiter.js'
+import { handleAuthenticateErrors } from '../../../../app/src/Features/Authentication/AuthenticationErrors.js'
+import AuthenticationController from '../../../../app/src/Features/Authentication/AuthenticationController.js'
+import AuthenticationManagerLdap from './AuthenticationManagerLdap.mjs'
+
+const AuthenticationControllerLdap = {
+  async doPassportLdapLogin(req, ldapUser, done) {
+    let user, info
+    try {
+      ;({ user, info } = await AuthenticationControllerLdap._doPassportLdapLogin(
+        req,
+        ldapUser
+      ))
+    } catch (error) {
+      return done(error)
+    }
+    return done(undefined, user, info)
+  },
+  async _doPassportLdapLogin(req, ldapUser) {
+    const { fromKnownDevice } = AuthenticationController.getAuditInfo(req)
+    const auditLog = {
+      ipAddress: req.ip,
+      info: { method: 'LDAP password login', fromKnownDevice },
+    }
+
+    let user, isPasswordReused
+    try {
+      user = await AuthenticationManagerLdap.promises.findOrCreateLdapUser(ldapUser, auditLog)
+    } catch (error) {
+      return {
+        user: false,
+        info: handleAuthenticateErrors(error, req),
+      }
+    }
+    if (user && AuthenticationController.captchaRequiredForLogin(req, user)) {
+      return {
+        user: false,
+        info: {
+          text: req.i18n.translate('cannot_verify_user_not_robot'),
+          type: 'error',
+          errorReason: 'cannot_verify_user_not_robot',
+          status: 400,
+        },
+      }
+    } else if (user) {
+      // async actions
+      return { user, info: undefined }
+    } else { //something wrong
+      logger.debug({ email : ldapUser.mail }, 'failed LDAP log in')
+      return {
+        user: false,
+        info: {
+          type: 'error',
+          status: 500,
+        },
+      }
+    }
+  },
+}
+
+export const {
+  doPassportLdapLogin,
+} = AuthenticationControllerLdap

services/web/modules/ldap-authentication/app/src/AuthenticationManagerLdap.mjs

@@ -0,0 +1,80 @@
+import Settings from '@overleaf/settings'
+import { callbackify } from '@overleaf/promise-utils'
+import UserCreator from '../../../../app/src/Features/User/UserCreator.js'
+import { User } from '../../../../app/src/models/User.js'
+
+const AuthenticationManagerLdap = {
+  splitFullName(fullName) {
+    fullName = fullName.trim();
+    let lastSpaceIndex = fullName.lastIndexOf(' ');
+    let firstNames = fullName.substring(0, lastSpaceIndex).trim();
+    let lastName = fullName.substring(lastSpaceIndex + 1).trim();
+    return [firstNames, lastName];
+  },
+  async findOrCreateLdapUser(profile, auditLog) {
+    //user is already authenticated in Ldap
+    const {
+      attEmail,
+      attFirstName,
+      attLastName,
+      attName,
+      attAdmin,
+      valAdmin,
+      updateUserDetailsOnLogin,
+    } = Settings.ldap
+
+    const email = Array.isArray(profile[attEmail])
+                    ? profile[attEmail][0].toLowerCase()
+                    : profile[attEmail].toLowerCase()
+    let nameParts = ["",""]
+    if ((!attFirstName || !attLastName) && attName) {
+      nameParts = this.splitFullName(profile[attName] || "")
+    }
+    const firstName = attFirstName ? (profile[attFirstName] || "") : nameParts[0]
+    let   lastName  = attLastName  ? (profile[attLastName]  || "") : nameParts[1]
+    if (!firstName && !lastName) lastName = email
+    let isAdmin = false
+    if( attAdmin && valAdmin ) {
+      isAdmin = (profile._groups?.length > 0) ||
+                (Array.isArray(profile[attAdmin]) ? profile[attAdmin].includes(valAdmin) :
+                                                    profile[attAdmin] === valAdmin)
+    }
+    let user = await User.findOne({ 'email': email }).exec()
+    if( !user ) {
+      user = await UserCreator.promises.createNewUser(
+        {
+          email: email,
+          first_name: firstName,
+          last_name: lastName,
+          isAdmin: isAdmin,
+          holdingAccount: false,
+        }
+      )
+      await User.updateOne(
+        { _id: user._id },
+        { $set : { 'emails.0.confirmedAt' : Date.now() } }
+      ).exec() //email of ldap user is confirmed
+    }
+    let userDetails = updateUserDetailsOnLogin ? { first_name : firstName, last_name: lastName } : {}
+    if( attAdmin && valAdmin ) {
+      user.isAdmin = isAdmin
+      userDetails.isAdmin = isAdmin
+    }
+    const result = await User.updateOne(
+      { _id: user._id, loginEpoch: user.loginEpoch }, { $inc: { loginEpoch: 1 }, $set: userDetails },
+      {}
+    ).exec()
+    if (result.modifiedCount !== 1) {
+      throw new ParallelLoginError()
+    }
+    return user
+  },
+}
+
+export default {
+  findOrCreateLdapUser: callbackify(AuthenticationManagerLdap.findOrCreateLdapUser),
+  promises: AuthenticationManagerLdap,
+}
+export const {
+  splitFullName,
+} = AuthenticationManagerLdap

services/web/modules/ldap-authentication/app/src/InitLdapSettings.mjs

@@ -0,0 +1,17 @@
+import Settings from '@overleaf/settings'
+
+function initLdapSettings() {
+  Settings.ldap = {
+    enable: true,
+    placeholder:  process.env.OVERLEAF_LDAP_PLACEHOLDER || 'Username',
+    attEmail:     process.env.OVERLEAF_LDAP_EMAIL_ATT || 'mail',
+    attFirstName: process.env.OVERLEAF_LDAP_FIRST_NAME_ATT,
+    attLastName:  process.env.OVERLEAF_LDAP_LAST_NAME_ATT,
+    attName:      process.env.OVERLEAF_LDAP_NAME_ATT,
+    attAdmin:     process.env.OVERLEAF_LDAP_IS_ADMIN_ATT,
+    valAdmin:     process.env.OVERLEAF_LDAP_IS_ADMIN_ATT_VALUE,
+    updateUserDetailsOnLogin: String(process.env.OVERLEAF_LDAP_UPDATE_USER_DETAILS_ON_LOGIN ).toLowerCase() === 'true',
+  }
+}
+
+export default initLdapSettings

services/web/modules/ldap-authentication/app/src/LdapContacts.mjs

@@ -0,0 +1,136 @@
+import Settings from '@overleaf/settings'
+import logger from '@overleaf/logger'
+import passport from 'passport'
+import ldapjs from 'ldapauth-fork/node_modules/ldapjs/lib/index.js'
+import UserGetter from '../../../../app/src/Features/User/UserGetter.js'
+import { splitFullName } from './AuthenticationManagerLdap.mjs'
+
+async function fetchLdapContacts(userId, contacts) {
+  if (!Settings.ldap?.enable || !process.env.OVERLEAF_LDAP_CONTACTS_FILTER) {
+    return []
+  }
+
+  const ldapOpts = passport._strategy('custom-fail-ldapauth').options.server
+  const { attEmail, attFirstName = "", attLastName = "", attName = "" } = Settings.ldap
+  const {
+    url,
+    timeout,
+    connectTimeout,
+    tlsOptions,
+    starttls,
+    bindDN,
+    bindCredentials,
+  } = ldapOpts
+  const searchBase = process.env.OVERLEAF_LDAP_CONTACTS_SEARCH_BASE || ldapOpts.searchBase
+  const searchScope = process.env.OVERLEAF_LDAP_CONTACTS_SEARCH_SCOPE || 'sub'
+  const ldapConfig = { url, timeout, connectTimeout, tlsOptions }
+
+  let ldapUsers
+  const client = ldapjs.createClient(ldapConfig)
+  try {
+    if (starttls) {
+      await _upgradeToTLS(client, tlsOptions)
+    }
+    await _bindLdap(client, bindDN, bindCredentials)
+
+    const filter = await _formContactsSearchFilter(client, ldapOpts, userId, process.env.OVERLEAF_LDAP_CONTACTS_FILTER)
+    const searchOptions = { scope: searchScope, attributes: [attEmail, attFirstName, attLastName, attName], filter }
+
+    ldapUsers = await _searchLdap(client, searchBase, searchOptions)
+  } catch (err) {
+    logger.warn({ err }, 'error in fetchLdapContacts')
+    return []
+  } finally {
+    client.unbind()
+  }
+
+  const newLdapContacts = ldapUsers.reduce((acc, ldapUser) => {
+    const email = Array.isArray(ldapUser[attEmail])
+                    ? ldapUser[attEmail][0]?.toLowerCase()
+                    : ldapUser[attEmail]?.toLowerCase()
+    if (!email) return acc
+    if (!contacts.some(contact => contact.email === email)) {
+      let nameParts = ["",""]
+      if ((!attFirstName || !attLastName) && attName) {
+        nameParts = splitFullName(ldapUser[attName] || "")
+      }
+      const firstName = attFirstName ? (ldapUser[attFirstName] || "") : nameParts[0]
+      const lastName  = attLastName  ? (ldapUser[attLastName]  || "") : nameParts[1]
+      acc.push({
+        first_name: firstName,
+        last_name: lastName,
+        email: email,
+        type: 'user',
+      })
+    }
+    return acc
+  }, [])
+
+  return newLdapContacts.sort((a, b) =>
+    a.last_name.localeCompare(b.last_name) ||
+    a.first_name.localeCompare(a.first_name) ||
+    a.email.localeCompare(b.email)
+  )
+}
+
+function _upgradeToTLS(client, tlsOptions) {
+  return new Promise((resolve, reject) => {
+    client.on('error', error => reject(new Error(`LDAP client error: ${error}`)))
+    client.on('connect', () => {
+      client.starttls(tlsOptions, null, error => {
+        if (error) {
+          reject(new Error(`StartTLS error: ${error}`))
+        } else {
+          resolve()
+        }
+      })
+    })
+  })
+}
+
+function _bindLdap(client, bindDN, bindCredentials) {
+  return new Promise((resolve, reject) => {
+    client.bind(bindDN, bindCredentials, error => {
+      if (error) {
+        reject(error)
+      } else {
+        resolve()
+      }
+    })
+  })
+}
+
+function _searchLdap(client, baseDN, options) {
+  return new Promise((resolve, reject) => {
+    const searchEntries = []
+    client.search(baseDN, options, (error, res) => {
+      if (error) {
+        reject(error)
+      } else {
+        res.on('searchEntry', entry => searchEntries.push(entry.object))
+        res.on('error', reject)
+        res.on('end', () => resolve(searchEntries))
+      }
+    })
+  })
+}
+
+async function _formContactsSearchFilter(client, ldapOpts, userId, contactsFilter) {
+  const searchProperty = process.env.OVERLEAF_LDAP_CONTACTS_PROPERTY
+  if (!searchProperty) {
+    return contactsFilter
+  }
+  const email = await UserGetter.promises.getUserEmail(userId)
+  const searchOptions = {
+    scope: ldapOpts.searchScope,
+    attributes: [searchProperty],
+    filter: `(${Settings.ldap.attEmail}=${email})`,
+  }
+  const searchBase = ldapOpts.searchBase
+  const ldapUser = (await _searchLdap(client, searchBase, searchOptions))[0]
+  const searchPropertyValue = ldapUser ? ldapUser[searchProperty]
+                                       : process.env.OVERLEAF_LDAP_CONTACTS_NON_LDAP_VALUE || 'IMATCHNOTHING'
+  return contactsFilter.replace(/{{userProperty}}/g, searchPropertyValue)
+}
+
+export default fetchLdapContacts

services/web/modules/ldap-authentication/app/src/LdapStrategy.mjs

@@ -0,0 +1,78 @@
+import fs from 'fs'
+import passport from 'passport'
+import Settings from '@overleaf/settings'
+import { doPassportLdapLogin } from './AuthenticationControllerLdap.mjs'
+import { Strategy as LdapStrategy } from 'passport-ldapauth'
+
+function _readFilesContentFromEnv(envVar) {
+// envVar is either a file name: 'file.pem', or string with array: '["file.pem", "file2.pem"]'
+  if (!envVar) return undefined
+  try {
+    const parsedFileNames = JSON.parse(envVar)
+    return parsedFileNames.map(filename => fs.readFileSync(filename, 'utf8'))
+  } catch (error) {
+    if (error instanceof SyntaxError) { // failed to parse, envVar must be a file name
+      return fs.readFileSync(envVar, 'utf8')
+    } else {
+      throw error
+    }
+  }
+}
+
+//  custom responses on authentication failure
+class CustomFailLdapStrategy extends LdapStrategy {
+  constructor(options, validate) {
+    super(options, validate);
+    this.name = 'custom-fail-ldapauth'
+  }
+  authenticate(req, options) {
+    const defaultFail = this.fail.bind(this)
+    this.fail = function(info, status) {
+      info.type = 'error'
+      info.key = 'invalid-password-retry-or-reset'
+      info.status = 401
+      return defaultFail(info, status)
+    }.bind(this)
+    super.authenticate(req, options)
+  }
+}
+
+const ldapServerOpts = {
+  url: process.env.OVERLEAF_LDAP_URL,
+  bindDN: process.env.OVERLEAF_LDAP_BIND_DN || "",
+  bindCredentials: process.env.OVERLEAF_LDAP_BIND_CREDENTIALS || "",
+  bindProperty: process.env.OVERLEAF_LDAP_BIND_PROPERTY,
+  searchBase: process.env.OVERLEAF_LDAP_SEARCH_BASE,
+  searchFilter: process.env.OVERLEAF_LDAP_SEARCH_FILTER,
+  searchScope: process.env.OVERLEAF_LDAP_SEARCH_SCOPE || 'sub',
+  searchAttributes: JSON.parse(process.env.OVERLEAF_LDAP_SEARCH_ATTRIBUTES || '[]'),
+  groupSearchBase: process.env.OVERLEAF_LDAP_ADMIN_SEARCH_BASE,
+  groupSearchFilter: process.env.OVERLEAF_LDAP_ADMIN_SEARCH_FILTER,
+  groupSearchScope: process.env.OVERLEAF_LDAP_ADMIN_SEARCH_SCOPE || 'sub',
+  groupSearchAttributes: ["dn"],
+  groupDnProperty: process.env.OVERLEAF_LDAP_ADMIN_DN_PROPERTY,
+  cache: String(process.env.OVERLEAF_LDAP_CACHE).toLowerCase() === 'true',
+  timeout: process.env.OVERLEAF_LDAP_TIMEOUT ? Number(process.env.OVERLEAF_LDAP_TIMEOUT) : undefined,
+  connectTimeout: process.env.OVERLEAF_LDAP_CONNECT_TIMEOUT ? Number(process.env.OVERLEAF_LDAP_CONNECT_TIMEOUT) : undefined,
+  starttls: String(process.env.OVERLEAF_LDAP_STARTTLS).toLowerCase() === 'true',
+  tlsOptions: {
+    ca: _readFilesContentFromEnv(process.env.OVERLEAF_LDAP_TLS_OPTS_CA_PATH),
+    rejectUnauthorized: String(process.env.OVERLEAF_LDAP_TLS_OPTS_REJECT_UNAUTH).toLowerCase() === 'true',
+  }
+}
+
+function addLdapStrategy(passport) {
+  passport.use(
+    new CustomFailLdapStrategy(
+      {
+        server: ldapServerOpts,
+        passReqToCallback: true,
+        usernameField: 'email',
+        passwordField: 'password',
+      },
+      doPassportLdapLogin
+    )
+  )
+}
+
+export default addLdapStrategy

services/web/modules/ldap-authentication/index.mjs

@@ -0,0 +1,30 @@
+import initLdapSettings from './app/src/InitLdapSettings.mjs'
+import addLdapStrategy from './app/src/LdapStrategy.mjs'
+import fetchLdapContacts from './app/src/LdapContacts.mjs'
+
+let ldapModule = {};
+if (process.env.EXTERNAL_AUTH === 'ldap') {
+  initLdapSettings()
+  ldapModule = {
+    name: 'ldap-authentication',
+    hooks: {
+      passportSetup: function (passport, callback) {
+        try {
+          addLdapStrategy(passport)
+          callback(null)
+        } catch (error) {
+          callback(error)
+        }
+      },
+      getContacts: async function (userId, contacts, callback) {
+        try {
+          const newLdapContacts = await fetchLdapContacts(userId, contacts)
+          callback(null, newLdapContacts)
+        } catch (error) {
+          callback(error)
+        }
+      },
+    }
+  }
+}
+export default ldapModule

services/web/modules/saml-authentication/app/src/AuthenticationControllerSaml.mjs

@@ -0,0 +1,160 @@
+import Settings from '@overleaf/settings'
+import logger from '@overleaf/logger'
+import passport from 'passport'
+import AuthenticationController from '../../../../app/src/Features/Authentication/AuthenticationController.js'
+import AuthenticationManagerSaml from './AuthenticationManagerSaml.mjs'
+import UserController from '../../../../app/src/Features/User/UserController.js'
+import UserSessionsManager from '../../../../app/src/Features/User/UserSessionsManager.js'
+import { handleAuthenticateErrors } from '../../../../app/src/Features/Authentication/AuthenticationErrors.js'
+import { xmlResponse } from '../../../../app/src/infrastructure/Response.js'
+
+const AuthenticationControllerSaml = {
+  passportSamlAuthWithIdP(req, res, next) {
+    if ( passport._strategy('saml')._saml.options.authnRequestBinding === 'HTTP-POST') {
+      const csp = res.getHeader('Content-Security-Policy')
+      if (csp) {
+        res.setHeader(
+          'Content-Security-Policy',
+          csp.replace(/(?:^|\s)(default-src|form-action)[^;]*;?/g, '')
+        )
+      }
+    }
+    passport.authenticate('saml')(req, res, next)
+  },
+  passportSamlLogin(req, res, next) {
+    // This function is middleware which wraps the passport.authenticate middleware,
+    // so we can send back our custom `{message: {text: "", type: ""}}` responses on failure,
+    // and send a `{redir: ""}` response on success
+    passport.authenticate(
+      'saml',
+      { keepSessionInfo: true },
+      async function (err, user, info) {
+        if (err) {
+          return next(err)
+        }
+        if (user) {
+          // `user` is either a user object or false
+          AuthenticationController.setAuditInfo(req, {
+            method: 'SAML login',
+          })
+          try {
+            await AuthenticationController.promises.finishLogin(user, req, res)
+          } catch (err) {
+            return next(err)
+          }
+        } else {
+          if (info.redir != null) {
+            return res.json({ redir: info.redir })
+          } else {
+            res.status(info.status || 200)
+            delete info.status
+            const body = { message: info }
+            const { errorReason } = info
+            if (errorReason) {
+              body.errorReason = errorReason
+              delete info.errorReason
+            }
+            return res.json(body)
+          }
+        }
+      }
+    )(req, res, next)
+  },
+  async doPassportSamlLogin(req, profile, done) {
+    let user, info
+    try {
+      ;({ user, info } = await AuthenticationControllerSaml._doPassportSamlLogin(
+        req,
+        profile
+      ))
+    } catch (error) {
+      return done(error)
+    }
+    return done(undefined, user, info)
+  },
+  async _doPassportSamlLogin(req, profile) {
+    const { fromKnownDevice } = AuthenticationController.getAuditInfo(req)
+    const auditLog = {
+      ipAddress: req.ip,
+      info: { method: 'SAML login', fromKnownDevice },
+    }
+
+    let user
+    try {
+      user = await AuthenticationManagerSaml.promises.findOrCreateSamlUser(profile, auditLog)
+    } catch (error) {
+      return {
+        user: false,
+        info: handleAuthenticateErrors(error, req),
+      }
+    }
+    if (user) {
+      req.session.saml_extce = {nameID : profile.nameID, sessionIndex : profile.sessionIndex}
+      return { user, info: undefined }
+    } else { //something wrong
+      logger.debug({ email : profile.mail }, 'failed SAML log in')
+      return {
+        user: false,
+        info: {
+          type: 'error',
+          text: 'Unknown error',
+          status: 500,
+        },
+      }
+    }
+  },
+  async passportSamlSPLogout(req, res, next) {
+    passport._strategy('saml').logout(req, async (err, url) => {
+      if (err) logger.error({ err }, 'can not generate logout url')
+      await UserController.promises.doLogout(req)
+      res.redirect(url)
+    })
+  },
+  passportSamlIdPLogout(req, res, next) {
+    passport.authenticate('saml')(req, res, (err) => {
+      if (err) return next(err)
+      res.redirect('/login');
+    })
+  },
+  async doPassportSamlLogout(req, profile, done) {
+    let user, info
+    try {
+      ;({ user, info } = await AuthenticationControllerSaml._doPassportSamlLogout(
+        req,
+        profile
+      ))
+    } catch (error) {
+      return done(error)
+    }
+    return done(undefined, user, info)
+  },
+  async _doPassportSamlLogout(req, profile) {
+    if (req?.session?.saml_extce?.nameID === profile.nameID &&
+        req?.session?.saml_extce?.sessionIndex === profile.sessionIndex) {
+      profile = req.user
+    }
+    await UserSessionsManager.promises.untrackSession(req.user, req.sessionID).catch(err => {
+      logger.warn({ err, userId: req.user._id }, 'failed to untrack session')
+    })
+    return { user: profile, info: undefined }
+  },
+  passportSamlMetadata(req, res) {
+    const samlStratery = passport._strategy('saml')
+    res.setHeader('Content-Disposition', `attachment; filename="${samlStratery._saml.options.issuer}-meta.xml"`)
+    xmlResponse(res,
+      samlStratery.generateServiceProviderMetadata(
+        samlStratery._saml.options.decryptionCert,
+        samlStratery._saml.options.signingCert
+      )
+    )
+  },
+}
+export const {
+  passportSamlAuthWithIdP,
+  passportSamlLogin,
+  passportSamlSPLogout,
+  passportSamlIdPLogout,
+  doPassportSamlLogin,
+  doPassportSamlLogout,
+  passportSamlMetadata,
+} = AuthenticationControllerSaml

services/web/modules/saml-authentication/app/src/AuthenticationManagerSaml.mjs

@@ -0,0 +1,60 @@
+import Settings from '@overleaf/settings'
+import UserCreator from '../../../../app/src/Features/User/UserCreator.js'
+import { User } from '../../../../app/src/models/User.js'
+
+const AuthenticationManagerSaml = {
+  async findOrCreateSamlUser(profile, auditLog) {
+    const {
+      attEmail,
+      attFirstName,
+      attLastName,
+      attAdmin,
+      valAdmin,
+      updateUserDetailsOnLogin,
+    } = Settings.saml
+    const email = Array.isArray(profile[attEmail])
+                    ? profile[attEmail][0].toLowerCase()
+                    : profile[attEmail].toLowerCase()
+    const firstName = attFirstName ? profile[attFirstName] : ""
+    const lastName  = attLastName  ? profile[attLastName] : email
+    let isAdmin = false
+    if( attAdmin && valAdmin ) {
+      isAdmin = (Array.isArray(profile[attAdmin]) ? profile[attAdmin].includes(valAdmin) :
+                                                    profile[attAdmin] === valAdmin)
+    }
+    let user = await User.findOne({ 'email': email }).exec()
+    if( !user ) {
+      user = await UserCreator.promises.createNewUser(
+        {
+          email: email,
+          first_name: firstName,
+          last_name: lastName,
+          isAdmin: isAdmin,
+          holdingAccount: false,
+        }
+      )
+      await User.updateOne(
+        { _id: user._id },
+        { $set : { 'emails.0.confirmedAt' : Date.now() } }
+      ).exec() //email of saml user is confirmed
+    }
+    let userDetails = updateUserDetailsOnLogin ? { first_name : firstName, last_name: lastName } : {}
+    if( attAdmin && valAdmin ) {
+      user.isAdmin = isAdmin
+      userDetails.isAdmin = isAdmin
+    }
+    const result = await User.updateOne(
+      { _id: user._id, loginEpoch: user.loginEpoch }, { $inc: { loginEpoch: 1 }, $set: userDetails },
+      {}
+    ).exec()
+
+    if (result.modifiedCount !== 1) {
+      throw new ParallelLoginError()
+    }
+    return user
+  },
+}
+
+export default {
+  promises: AuthenticationManagerSaml,
+}

services/web/modules/saml-authentication/app/src/InitSamlSettings.mjs

@@ -0,0 +1,16 @@
+import Settings from '@overleaf/settings'
+
+function initSamlSettings() {
+  Settings.saml = {
+    enable: true,
+    identityServiceName: process.env.OVERLEAF_SAML_IDENTITY_SERVICE_NAME || 'Login with SAML IdP',
+    attEmail:     process.env.OVERLEAF_SAML_EMAIL_FIELD || 'nameID',
+    attFirstName: process.env.OVERLEAF_SAML_FIRST_NAME_FIELD || 'givenName',
+    attLastName:  process.env.OVERLEAF_SAML_LAST_NAME_FIELD || 'lastName',
+    attAdmin:     process.env.OVERLEAF_SAML_IS_ADMIN_FIELD,
+    valAdmin:     process.env.OVERLEAF_SAML_IS_ADMIN_FIELD_VALUE,
+    updateUserDetailsOnLogin: String(process.env.OVERLEAF_SAML_UPDATE_USER_DETAILS_ON_LOGIN).toLowerCase() === 'true',
+  }
+}
+
+export default initSamlSettings

services/web/modules/saml-authentication/app/src/SamlNonCsrfRouter.mjs

@@ -0,0 +1,12 @@
+import logger from '@overleaf/logger'
+import { passportSamlLogin, passportSamlIdPLogout } from './AuthenticationControllerSaml.mjs'
+
+export default {
+  apply(webRouter) {
+    logger.debug({}, 'Init SAML NonCsrfRouter')
+    webRouter.get('/saml/login/callback', passportSamlLogin)
+    webRouter.post('/saml/login/callback', passportSamlLogin)
+    webRouter.get('/saml/logout/callback', passportSamlIdPLogout)
+    webRouter.post('/saml/logout/callback', passportSamlIdPLogout)
+  },
+}

services/web/modules/saml-authentication/app/src/SamlRouter.mjs

@@ -0,0 +1,14 @@
+import logger from '@overleaf/logger'
+import AuthenticationController from '../../../../app/src/Features/Authentication/AuthenticationController.js'
+import { passportSamlAuthWithIdP, passportSamlSPLogout, passportSamlMetadata} from './AuthenticationControllerSaml.mjs'
+
+export default {
+  apply(webRouter) {
+    logger.debug({}, 'Init SAML router')
+    webRouter.get('/saml/login', passportSamlAuthWithIdP)
+    AuthenticationController.addEndpointToLoginWhitelist('/saml/login')
+    webRouter.post('/saml/logout', AuthenticationController.requireLogin(), passportSamlSPLogout)
+    webRouter.get('/saml/meta', passportSamlMetadata)
+    AuthenticationController.addEndpointToLoginWhitelist('/saml/meta')
+  },
+}

services/web/modules/saml-authentication/app/src/SamlStrategy.mjs

@@ -0,0 +1,62 @@
+import fs from 'fs'
+import passport from 'passport'
+import Settings from '@overleaf/settings'
+import { doPassportSamlLogin, doPassportSamlLogout } from './AuthenticationControllerSaml.mjs'
+import { Strategy as SamlStrategy } from '@node-saml/passport-saml'
+
+function _readFilesContentFromEnv(envVar) {
+// envVar is either a file name: 'file.pem', or string with array: '["file.pem", "file2.pem"]'
+  if (!envVar) return undefined
+  try {
+    const parsedFileNames = JSON.parse(envVar)
+    return parsedFileNames.map(filename => fs.readFileSync(filename, 'utf8'))
+  } catch (error) {
+    if (error instanceof SyntaxError) { // failed to parse, envVar must be a file name
+      return fs.readFileSync(envVar, 'utf8')
+    } else {
+      throw error
+    }
+  }
+}
+
+const samlOptions = {
+  entryPoint: process.env.OVERLEAF_SAML_ENTRYPOINT,
+  callbackUrl: process.env.OVERLEAF_SAML_CALLBACK_URL,
+  issuer: process.env.OVERLEAF_SAML_ISSUER,
+  audience: process.env.OVERLEAF_SAML_AUDIENCE,
+  cert: _readFilesContentFromEnv(process.env.OVERLEAF_SAML_IDP_CERT),
+  signingCert: _readFilesContentFromEnv(process.env.OVERLEAF_SAML_PUBLIC_CERT),
+  privateKey:  _readFilesContentFromEnv(process.env.OVERLEAF_SAML_PRIVATE_KEY),
+  decryptionCert: _readFilesContentFromEnv(process.env.OVERLEAF_SAML_DECRYPTION_CERT),
+  decryptionPvk:  _readFilesContentFromEnv(process.env.OVERLEAF_SAML_DECRYPTION_PVK),
+  signatureAlgorithm: process.env.OVERLEAF_SAML_SIGNATURE_ALGORITHM,
+  additionalParams: JSON.parse(process.env.OVERLEAF_SAML_ADDITIONAL_PARAMS || '{}'),
+  additionalAuthorizeParams: JSON.parse(process.env.OVERLEAF_SAML_ADDITIONAL_AUTHORIZE_PARAMS || '{}'),
+  identifierFormat: process.env.OVERLEAF_SAML_IDENTIFIER_FORMAT,
+  acceptedClockSkewMs: process.env.OVERLEAF_SAML_ACCEPTED_CLOCK_SKEW_MS ? Number(process.env.OVERLEAF_SAML_ACCEPTED_CLOCK_SKEW_MS) : undefined,
+  attributeConsumingServiceIndex: process.env.OVERLEAF_SAML_ATTRIBUTE_CONSUMING_SERVICE_INDEX,
+  authnContext: process.env.OVERLEAF_SAML_AUTHN_CONTEXT ? JSON.parse(process.env.OVERLEAF_SAML_AUTHN_CONTEXT) : undefined,
+  forceAuthn: String(process.env.OVERLEAF_SAML_FORCE_AUTHN).toLowerCase() === 'true',
+  disableRequestedAuthnContext: String(process.env.OVERLEAF_SAML_DISABLE_REQUESTED_AUTHN_CONTEXT).toLowerCase() === 'true',
+  skipRequestCompression: process.env.OVERLEAF_SAML_AUTHN_REQUEST_BINDING === 'HTTP-POST',  // compression should be skipped iff authnRequestBinding is POST
+  authnRequestBinding: process.env.OVERLEAF_SAML_AUTHN_REQUEST_BINDING,
+  validateInResponseTo: process.env.OVERLEAF_SAML_VALIDATE_IN_RESPONSE_TO,
+  requestIdExpirationPeriodMs: process.env.OVERLEAF_SAML_REQUEST_ID_EXPIRATION_PERIOD_MS ? Number(process.env.OVERLEAF_SAML_REQUEST_ID_EXPIRATION_PERIOD_MS) : undefined,
+//  cacheProvider: process.env.OVERLEAF_SAML_CACHE_PROVIDER,
+  logoutUrl: process.env.OVERLEAF_SAML_LOGOUT_URL,
+  logoutCallbackUrl: process.env.OVERLEAF_SAML_LOGOUT_CALLBACK_URL,
+  additionalLogoutParams: JSON.parse(process.env.OVERLEAF_SAML_ADDITIONAL_LOGOUT_PARAMS || '{}'),
+  passReqToCallback: true,
+}
+
+function addSamlStrategy(passport) {
+  passport.use(
+    new SamlStrategy(
+      samlOptions,
+      doPassportSamlLogin,
+      doPassportSamlLogout
+    )
+  )
+}
+
+export default addSamlStrategy

services/web/modules/saml-authentication/index.mjs

@@ -0,0 +1,26 @@
+import initSamlSettings from './app/src/InitSamlSettings.mjs'
+import addSamlStrategy from './app/src/SamlStrategy.mjs'
+import SamlRouter from './app/src/SamlRouter.mjs'
+import SamlNonCsrfRouter from './app/src/SamlNonCsrfRouter.mjs'
+
+let samlModule = {};
+
+if (process.env.EXTERNAL_AUTH === 'saml') {
+  initSamlSettings()
+  samlModule = {
+    name: 'saml-authentication',
+    hooks: {
+      passportSetup: function (passport, callback) {
+        try {
+          addSamlStrategy(passport)
+          callback(null)
+        } catch (error) {
+          callback(error)
+        }
+      },
+    },
+    router: SamlRouter,
+    nonCsrfRouter: SamlNonCsrfRouter,
+  }
+}
+export default samlModule