From b39f31677c5d5be24653d53c4f5e056d8f99bf94 Mon Sep 17 00:00:00 2001 From: yu-i-i Date: Fri, 27 Feb 2026 00:03:05 +0100 Subject: [PATCH] Authentication: update passport-ldapauth to 3.0.1; fix minor issues --- ...+4.3.3.patch => ldapauth-fork+5.0.5.patch} | 35 ++++++++++++------- .../app/src/LDAPAuthenticationManager.mjs | 1 - .../ldap/app/src/LDAPContacts.mjs | 2 +- .../app/src/OIDCAuthenticationController.mjs | 14 ++------ .../oidc/app/src/OIDCModuleManager.mjs | 3 +- .../saml/app/src/SAMLModuleManager.mjs | 1 - services/web/package.json | 2 +- 7 files changed, 28 insertions(+), 30 deletions(-) rename .yarn/patches/{ldapauth-fork+4.3.3.patch => ldapauth-fork+5.0.5.patch} (73%) diff --git a/.yarn/patches/ldapauth-fork+4.3.3.patch b/.yarn/patches/ldapauth-fork+5.0.5.patch similarity index 73% rename from .yarn/patches/ldapauth-fork+4.3.3.patch rename to .yarn/patches/ldapauth-fork+5.0.5.patch index 4d31210c9d..3fe729f581 100644 --- a/.yarn/patches/ldapauth-fork+4.3.3.patch +++ b/.yarn/patches/ldapauth-fork+5.0.5.patch @@ -1,41 +1,41 @@ diff --git a/node_modules/ldapauth-fork/lib/ldapauth.js b/node_modules/ldapauth-fork/lib/ldapauth.js -index 85ecf36a8b..a7d07e0f78 100644 +index 88398ed..0334177 100644 --- a/node_modules/ldapauth-fork/lib/ldapauth.js 
+++ b/node_modules/ldapauth-fork/lib/ldapauth.js -@@ -69,6 +69,7 @@ function LdapAuth(opts) { +@@ -87,6 +87,7 @@ function LdapAuth(opts) { this.opts.bindProperty || (this.opts.bindProperty = 'dn'); this.opts.groupSearchScope || (this.opts.groupSearchScope = 'sub'); this.opts.groupDnProperty || (this.opts.groupDnProperty = 'dn'); + this.opts.tlsStarted = false; - + EventEmitter.call(this); - -@@ -108,21 +109,7 @@ function LdapAuth(opts) { + +@@ -126,21 +127,7 @@ function LdapAuth(opts) { this._userClient.on('error', this._handleError.bind(this)); - + var self = this; - if (this.opts.starttls) { - // When starttls is enabled, this callback supplants the 'connect' callback -- this._adminClient.starttls(this.opts.tlsOptions, this._adminClient.controls, function(err) { +- this._adminClient.starttls(this.opts.tlsOptions, this._adminClient.controls, function (err) { - if (err) { - self._handleError(err); - } else { - self._onConnectAdmin(); - } - }); -- this._userClient.starttls(this.opts.tlsOptions, this._userClient.controls, function(err) { +- this._userClient.starttls(this.opts.tlsOptions, this._userClient.controls, function (err) { - if (err) { - self._handleError(err); - } - }); - } else if (opts.reconnect) { + if (opts.reconnect && !this.opts.starttls) { - this.once('_installReconnectListener', function() { + this.once('_installReconnectListener', function () { self.log && self.log.trace('install reconnect listener'); - self._adminClient.on('connect', function() { -@@ -384,6 +371,28 @@ LdapAuth.prototype._findGroups = function(user, callback) { + self._adminClient.on('connect', function () { +@@ -401,6 +388,37 @@ LdapAuth.prototype._findGroups = function (user, callback) { */ - LdapAuth.prototype.authenticate = function(username, password, callback) { + LdapAuth.prototype.authenticate = function (username, password, callback) { var self = this; + if (this.opts.starttls && !this.opts.tlsStarted) { + // When starttls is enabled, this callback supplants the 'connect' 
callback @@ -56,9 +56,18 @@ index 85ecf36a8b..a7d07e0f78 100644 + } +}; + ++/** ++ * Authenticate given credentials against LDAP server ++ * ++ * @private ++ * @param {string} username - The username to authenticate ++ * @param {string} password - The password to verify ++ * @param {resultCallback} callback - Result handling callback ++ * @returns {undefined} ++ */ +LdapAuth.prototype._handleAuthenticate = function (username, password, callback) { + this.opts.tlsStarted = true; + var self = this; - + if (typeof password === 'undefined' || password === null || password === '') { return callback(new Error('no password given')); diff --git a/services/web/modules/authentication/ldap/app/src/LDAPAuthenticationManager.mjs b/services/web/modules/authentication/ldap/app/src/LDAPAuthenticationManager.mjs index 6ec31fcdea..25947de148 100644 --- a/services/web/modules/authentication/ldap/app/src/LDAPAuthenticationManager.mjs +++ b/services/web/modules/authentication/ldap/app/src/LDAPAuthenticationManager.mjs @@ -1,5 +1,4 @@ import Settings from '@overleaf/settings' -import { callbackify } from '@overleaf/promise-utils' import UserCreator from '../../../../../app/src/Features/User/UserCreator.mjs' import { ParallelLoginError } from '../../../../../app/src/Features/Authentication/AuthenticationErrors.mjs' import { User } from '../../../../../app/src/models/User.mjs' diff --git a/services/web/modules/authentication/ldap/app/src/LDAPContacts.mjs b/services/web/modules/authentication/ldap/app/src/LDAPContacts.mjs index 101716aefe..28f4928ee9 100644 --- a/services/web/modules/authentication/ldap/app/src/LDAPContacts.mjs +++ b/services/web/modules/authentication/ldap/app/src/LDAPContacts.mjs 
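Review bot: `this.opts.tlsStarted` is set to `true` at the top of `_handleAuthenticate`, and nothing visible in this patch sets it back to `false`, so the `if (this.opts.starttls && !this.opts.tlsStarted)` guard in `authenticate` is skipped after the first login. If the underlying ldapjs clients later reconnect on a fresh socket, that connection would presumably not be upgraded before the next bind, so credentials could travel unencrypted; the patch lines between the two hunks are not shown, so please confirm. Consider resetting the flag whenever a client connects, e.g. `self._adminClient.on('connect', function () { self.opts.tlsStarted = false; });` and the same for `_userClient`. Two logins that arrive before the first STARTTLS completes would also both see `false`, so a per-connection "upgrade in progress" state would be safer than a single boolean. As a style point, runtime state is better kept in a private field such as `this._tlsStarted` than in the caller-supplied `opts`.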
@@ -2,7 +2,7 @@ import Settings from '@overleaf/settings'
 import logger from '@overleaf/logger'
 import { promisify } from 'util'
 import passport from 'passport'
-import ldapjs from 'ldapauth-fork/node_modules/ldapjs/lib/index.js'
+import ldapjs from 'ldapjs'
 import UserGetter from '../../../../../app/src/Features/User/UserGetter.mjs'
 import { splitFullName } from '../../../utils.mjs'
 
diff --git a/services/web/modules/authentication/oidc/app/src/OIDCAuthenticationController.mjs b/services/web/modules/authentication/oidc/app/src/OIDCAuthenticationController.mjs
index cc4238e327..1309184608 100644
--- a/services/web/modules/authentication/oidc/app/src/OIDCAuthenticationController.mjs
+++ b/services/web/modules/authentication/oidc/app/src/OIDCAuthenticationController.mjs
@@ -5,7 +5,6 @@ import AuthenticationController from '../../../../../app/src/Features/Authentica
 import UserController from '../../../../../app/src/Features/User/UserController.mjs'
 import ThirdPartyIdentityManager from '../../../../../app/src/Features/User/ThirdPartyIdentityManager.mjs'
 import OIDCAuthenticationManager from './OIDCAuthenticationManager.mjs'
-import { acceptsJson } from '../../../../../app/src/infrastructure/RequestContentTypeDetection.mjs'
 
 const OIDCAuthenticationController = {
 passportLogin(req, res, next) {
@@ -142,17 +141,10 @@ const OIDCAuthenticationController = {
 initiatorId: userId,
 }
 await ThirdPartyIdentityManager.promises.unlink(userId, providerId, auditLog)
- return res.status(200).end()
+ return res.status(204).end()
 } catch (error) {
- logger.error(error.info, error.message)
- return {
- user: false,
- info: {
- type: 'error',
- text: 'Can not unlink account',
- status: 200,
- }
- }
+ logger.error('Unexpected error in uninkAccount')
+ return next({ stack: error.stack, info: {userId: req.user?._id} })
 }
 },
 async passportLogout(req, res, next) {
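Review bot: In LDAPContacts.mjs the new `import ldapjs from 'ldapjs'` only resolves if `ldapjs` is installed where the web service can see it, and the package.json hunk in this commit changes `passport-ldapauth` alone. Unless `ldapjs` is already listed under `dependencies` outside the visible hunk, the import relies on hoisting of a transitive dependency. It may then load a different copy than the one `ldapauth-fork` uses for its own connections. Declaring it explicitly in services/web/package.json, e.g. `"ldapjs": "<range matching ldapauth-fork's requirement>"`, keeps the resolved version pinned and reviewable.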
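Review bot: In the `catch` branch of the OIDC unlink handler, the new `logger.error('Unexpected error in uninkAccount')` logs a fixed string with a typo and no error object. The following `next({ stack: error.stack, info: {userId: req.user?._id} })` forwards a plain object, so the original message and error type are dropped before the error middleware sees them. That leaves little to investigate when an identity unlink fails. Suggest `logger.error({ err: error, userId: req.user?._id }, 'Unexpected error in unlinkAccount')` followed by `return next(error)`. The handler starts above this hunk, so whether any caller depends on the previous 200 response (now 204) cannot be checked from here.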
diff --git a/services/web/modules/authentication/oidc/app/src/OIDCModuleManager.mjs b/services/web/modules/authentication/oidc/app/src/OIDCModuleManager.mjs
index 8b922ea612..861ac17d1c 100644
--- a/services/web/modules/authentication/oidc/app/src/OIDCModuleManager.mjs
+++ b/services/web/modules/authentication/oidc/app/src/OIDCModuleManager.mjs
@@ -1,7 +1,6 @@
 import logger from '@overleaf/logger'
-import passport from 'passport'
 import Settings from '@overleaf/settings'
-import { readFilesContentFromEnv, numFromEnv, boolFromEnv } from '../../../utils.mjs'
+import { boolFromEnv } from '../../../utils.mjs'
 import PermissionsManager from '../../../../../app/src/Features/Authorization/PermissionsManager.mjs'
 import OIDCAuthenticationController from './OIDCAuthenticationController.mjs'
 import { Strategy as OIDCStrategy } from 'passport-openidconnect'
diff --git a/services/web/modules/authentication/saml/app/src/SAMLModuleManager.mjs b/services/web/modules/authentication/saml/app/src/SAMLModuleManager.mjs
index dd6f5cf5af..305afccfd8 100644
--- a/services/web/modules/authentication/saml/app/src/SAMLModuleManager.mjs
+++ b/services/web/modules/authentication/saml/app/src/SAMLModuleManager.mjs
@@ -1,5 +1,4 @@
 import logger from '@overleaf/logger'
-import passport from 'passport'
 import Settings from '@overleaf/settings'
 import { readFilesContentFromEnv, numFromEnv, boolFromEnv } from '../../../utils.mjs'
 import PermissionsManager from '../../../../../app/src/Features/Authorization/PermissionsManager.mjs'
diff --git a/services/web/package.json b/services/web/package.json
index 09f8d8e9d9..1a8957c909 100644
--- a/services/web/package.json
+++ b/services/web/package.json
@@ -169,7 +169,7 @@
 "parse-data-url": "^2.0.0",
 "passport": "^0.6.0",
 "passport-google-oauth20": "^2.0.0",
- "passport-ldapauth": "^2.1.4",
+ "passport-ldapauth": "^3.0.1",
 "passport-local": "^1.0.0",
 "passport-oauth2": "^1.5.0",
 "passport-openidconnect": "^0.1.2",