Merge pull request #1 from chutch1122/FEAT/open-id-connect-authentication

Add Cypress tests and documentation

.version

@@ -1 +1 @@
-2.12.2
+2.12.1

Jenkinsfile

@@ -167,44 +167,6 @@ pipeline {
 				}
 			}
 		}
-		stage('Test Postgres') {
-			environment {
-				COMPOSE_PROJECT_NAME = "npm_${BRANCH_LOWER}_${BUILD_NUMBER}_postgres"
-				COMPOSE_FILE         = 'docker/docker-compose.ci.yml:docker/docker-compose.ci.postgres.yml'
-			}
-			when {
-				not {
-					equals expected: 'UNSTABLE', actual: currentBuild.result
-				}
-			}
-			steps {
-				sh 'rm -rf ./test/results/junit/*'
-				sh './scripts/ci/fulltest-cypress'
-			}
-			post {
-				always {
-					// Dumps to analyze later
-					sh 'mkdir -p debug/postgres'
-					sh 'docker logs $(docker-compose ps --all -q fullstack) > debug/postgres/docker_fullstack.log 2>&1'
-					sh 'docker logs $(docker-compose ps --all -q stepca) > debug/postgres/docker_stepca.log 2>&1'
-					sh 'docker logs $(docker-compose ps --all -q pdns) > debug/postgres/docker_pdns.log 2>&1'
-					sh 'docker logs $(docker-compose ps --all -q pdns-db) > debug/postgres/docker_pdns-db.log 2>&1'
-					sh 'docker logs $(docker-compose ps --all -q dnsrouter) > debug/postgres/docker_dnsrouter.log 2>&1'
-					sh 'docker logs $(docker-compose ps --all -q db-postgres) > debug/postgres/docker_db-postgres.log 2>&1'
-					sh 'docker logs $(docker-compose ps --all -q authentik) > debug/postgres/docker_authentik.log 2>&1'
-					sh 'docker logs $(docker-compose ps --all -q authentik-redis) > debug/postgres/docker_authentik-redis.log 2>&1'
-					sh 'docker logs $(docker-compose ps --all -q authentik-ldap) > debug/postgres/docker_authentik-ldap.log 2>&1'
-
-					junit 'test/results/junit/*'
-					sh 'docker-compose down --remove-orphans --volumes -t 30 || true'
-				}
-				unstable {
-					dir(path: 'testing/results') {
-						archiveArtifacts(allowEmptyArchive: true, artifacts: '**/*', excludes: '**/*.xml')
-					}
-				}
-			}
-		}
 		stage('MultiArch Build') {
 			when {
 				not {

README.md

@@ -1,7 +1,7 @@
 <p align="center">
 	<img src="https://nginxproxymanager.com/github.png">
 	<br><br>
-	<img src="https://img.shields.io/badge/version-2.12.2-green.svg?style=for-the-badge">
+	<img src="https://img.shields.io/badge/version-2.12.1-green.svg?style=for-the-badge">
 	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
 		<img src="https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge">
 	</a>

backend/internal/access-list.js

@@ -81,7 +81,7 @@ const internalAccessList = {
 
 				return internalAccessList.build(row)
 					.then(() => {
-						if (parseInt(row.proxy_host_count, 10)) {
+						if (row.proxy_host_count) {
 							return internalNginx.bulkGenerateConfigs('proxy_host', row.proxy_hosts);
 						}
 					})
@@ -223,7 +223,7 @@ const internalAccessList = {
 			.then((row) => {
 				return internalAccessList.build(row)
 					.then(() => {
-						if (parseInt(row.proxy_host_count, 10)) {
+						if (row.proxy_host_count) {
 							return internalNginx.bulkGenerateConfigs('proxy_host', row.proxy_hosts);
 						}
 					}).then(internalNginx.reload)
@@ -252,10 +252,7 @@ const internalAccessList = {
 				let query = accessListModel
 					.query()
 					.select('access_list.*', accessListModel.raw('COUNT(proxy_host.id) as proxy_host_count'))
-					.leftJoin('proxy_host', function() {
-						this.on('proxy_host.access_list_id', '=', 'access_list.id')
-							.andOn('proxy_host.is_deleted', '=', 0);
-					})
+					.joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0')
 					.where('access_list.is_deleted', 0)
 					.andWhere('access_list.id', data.id)
 					.allowGraph('[owner,items,clients,proxy_hosts.[certificate,access_list.[clients,items]]]')
@@ -376,10 +373,7 @@ const internalAccessList = {
 				let query = accessListModel
 					.query()
 					.select('access_list.*', accessListModel.raw('COUNT(proxy_host.id) as proxy_host_count'))
-					.leftJoin('proxy_host', function() {
-						this.on('proxy_host.access_list_id', '=', 'access_list.id')
-							.andOn('proxy_host.is_deleted', '=', 0);
-					})
+					.joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0')
 					.where('access_list.is_deleted', 0)
 					.groupBy('access_list.id')
 					.allowGraph('[owner,items,clients]')

backend/internal/audit-log.js

@@ -1,6 +1,5 @@
 const error         = require('../lib/error');
 const auditLogModel = require('../models/audit-log');
-const {castJsonIfNeed} = require('../lib/helpers');
 
 const internalAuditLog = {
 
@@ -23,9 +22,9 @@ const internalAuditLog = {
 					.allowGraph('[user]');
 
 				// Query is used for searching
-				if (typeof search_query === 'string' && search_query.length > 0) {
+				if (typeof search_query === 'string') {
 					query.where(function () {
-						this.where(castJsonIfNeed('meta'), 'like', '%' + search_query + '%');
+						this.where('meta', 'like', '%' + search_query + '%');
 					});
 				}
 

backend/internal/dead-host.js

@@ -6,7 +6,6 @@ const internalHost        = require('./host');
 const internalNginx       = require('./nginx');
 const internalAuditLog    = require('./audit-log');
 const internalCertificate = require('./certificate');
-const {castJsonIfNeed}    = require('../lib/helpers');
 
 function omissions () {
 	return ['is_deleted'];
@@ -410,16 +409,16 @@ const internalDeadHost = {
 					.where('is_deleted', 0)
 					.groupBy('id')
 					.allowGraph('[owner,certificate]')
-					.orderBy(castJsonIfNeed('domain_names'), 'ASC');
+					.orderBy('domain_names', 'ASC');
 
 				if (access_data.permission_visibility !== 'all') {
 					query.andWhere('owner_user_id', access.token.getUserId(1));
 				}
 
 				// Query is used for searching
-				if (typeof search_query === 'string' && search_query.length > 0) {
+				if (typeof search_query === 'string') {
 					query.where(function () {
-						this.where(castJsonIfNeed('domain_names'), 'like', '%' + search_query + '%');
+						this.where('domain_names', 'like', '%' + search_query + '%');
 					});
 				}
 

backend/internal/host.js

@@ -2,7 +2,6 @@ const _                    = require('lodash');
 const proxyHostModel       = require('../models/proxy_host');
 const redirectionHostModel = require('../models/redirection_host');
 const deadHostModel        = require('../models/dead_host');
-const {castJsonIfNeed}     = require('../lib/helpers');
 
 const internalHost = {
 
@@ -18,7 +17,7 @@ const internalHost = {
 	cleanSslHstsData: function (data, existing_data) {
 		existing_data = existing_data === undefined ? {} : existing_data;
 
-		const combined_data = _.assign({}, existing_data, data);
+		let combined_data = _.assign({}, existing_data, data);
 
 		if (!combined_data.certificate_id) {
 			combined_data.ssl_forced    = false;
@@ -74,7 +73,7 @@ const internalHost = {
 	 * @returns {Promise}
 	 */
 	getHostsWithDomains: function (domain_names) {
-		const promises = [
+		let promises = [
 			proxyHostModel
 				.query()
 				.where('is_deleted', 0),
@@ -126,19 +125,19 @@ const internalHost = {
 	 * @returns {Promise}
 	 */
 	isHostnameTaken: function (hostname, ignore_type, ignore_id) {
-		const promises = [
+		let promises = [
 			proxyHostModel
 				.query()
 				.where('is_deleted', 0)
-				.andWhere(castJsonIfNeed('domain_names'), 'like', '%' + hostname + '%'),
+				.andWhere('domain_names', 'like', '%' + hostname + '%'),
 			redirectionHostModel
 				.query()
 				.where('is_deleted', 0)
-				.andWhere(castJsonIfNeed('domain_names'), 'like', '%' + hostname + '%'),
+				.andWhere('domain_names', 'like', '%' + hostname + '%'),
 			deadHostModel
 				.query()
 				.where('is_deleted', 0)
-				.andWhere(castJsonIfNeed('domain_names'), 'like', '%' + hostname + '%')
+				.andWhere('domain_names', 'like', '%' + hostname + '%')
 		];
 
 		return Promise.all(promises)

backend/internal/proxy-host.js

@@ -6,7 +6,6 @@ const internalHost        = require('./host');
 const internalNginx       = require('./nginx');
 const internalAuditLog    = require('./audit-log');
 const internalCertificate = require('./certificate');
-const {castJsonIfNeed}    = require('../lib/helpers');
 
 function omissions () {
 	return ['is_deleted', 'owner.is_deleted'];
@@ -417,16 +416,16 @@ const internalProxyHost = {
 					.where('is_deleted', 0)
 					.groupBy('id')
 					.allowGraph('[owner,access_list,certificate]')
-					.orderBy(castJsonIfNeed('domain_names'), 'ASC');
+					.orderBy('domain_names', 'ASC');
 
 				if (access_data.permission_visibility !== 'all') {
 					query.andWhere('owner_user_id', access.token.getUserId(1));
 				}
 
 				// Query is used for searching
-				if (typeof search_query === 'string' && search_query.length > 0) {
+				if (typeof search_query === 'string') {
 					query.where(function () {
-						this.where(castJsonIfNeed('domain_names'), 'like', `%${search_query}%`);
+						this.where('domain_names', 'like', '%' + search_query + '%');
 					});
 				}
 

backend/internal/redirection-host.js

@@ -6,7 +6,6 @@ const internalHost         = require('./host');
 const internalNginx        = require('./nginx');
 const internalAuditLog     = require('./audit-log');
 const internalCertificate  = require('./certificate');
-const {castJsonIfNeed}     = require('../lib/helpers');
 
 function omissions () {
 	return ['is_deleted'];
@@ -410,16 +409,16 @@ const internalRedirectionHost = {
 					.where('is_deleted', 0)
 					.groupBy('id')
 					.allowGraph('[owner,certificate]')
-					.orderBy(castJsonIfNeed('domain_names'), 'ASC');
+					.orderBy('domain_names', 'ASC');
 
 				if (access_data.permission_visibility !== 'all') {
 					query.andWhere('owner_user_id', access.token.getUserId(1));
 				}
 
 				// Query is used for searching
-				if (typeof search_query === 'string' && search_query.length > 0) {
+				if (typeof search_query === 'string') {
 					query.where(function () {
-						this.where(castJsonIfNeed('domain_names'), 'like', `%${search_query}%`);
+						this.where('domain_names', 'like', '%' + search_query + '%');
 					});
 				}
 

backend/internal/stream.js

@@ -4,7 +4,6 @@ const utils            = require('../lib/utils');
 const streamModel      = require('../models/stream');
 const internalNginx    = require('./nginx');
 const internalAuditLog = require('./audit-log');
-const {castJsonIfNeed} = require('../lib/helpers');
 
 function omissions () {
 	return ['is_deleted'];
@@ -294,21 +293,21 @@ const internalStream = {
 	getAll: (access, expand, search_query) => {
 		return access.can('streams:list')
 			.then((access_data) => {
-				const query = streamModel
+				let query = streamModel
 					.query()
 					.where('is_deleted', 0)
 					.groupBy('id')
 					.allowGraph('[owner]')
-					.orderByRaw('CAST(incoming_port AS INTEGER) ASC');
+					.orderBy('incoming_port', 'ASC');
 
 				if (access_data.permission_visibility !== 'all') {
 					query.andWhere('owner_user_id', access.token.getUserId(1));
 				}
 
 				// Query is used for searching
-				if (typeof search_query === 'string' && search_query.length > 0) {
+				if (typeof search_query === 'string') {
 					query.where(function () {
-						this.where(castJsonIfNeed('incoming_port'), 'like', `%${search_query}%`);
+						this.where('incoming_port', 'like', '%' + search_query + '%');
 					});
 				}
 
@@ -328,9 +327,9 @@ const internalStream = {
 	 * @returns {Promise}
 	 */
 	getCount: (user_id, visibility) => {
-		const query = streamModel
+		let query = streamModel
 			.query()
-			.count('id AS count')
+			.count('id as count')
 			.where('is_deleted', 0);
 
 		if (visibility !== 'all') {

backend/internal/token.js

@@ -5,8 +5,6 @@ const authModel  = require('../models/auth');
 const helpers    = require('../lib/helpers');
 const TokenModel = require('../models/token');
 
-const ERROR_MESSAGE_INVALID_AUTH = 'Invalid email or password';
-
 module.exports = {
 
 	/**
@@ -71,19 +69,60 @@ module.exports = {
 													};
 												});
 										} else {
-											throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
+											throw new error.AuthError('Invalid password');
 										}
 									});
 							} else {
-								throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
+								throw new error.AuthError('No password auth for user');
 							}
 						});
 				} else {
-					throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
+					throw new error.AuthError('No relevant user found');
 				}
 			});
 	},
 
+	/**
+	 * @param   {Object} data
+	 * @param   {String} data.identity
+	 * @param   {String} [issuer]
+	 * @returns {Promise}
+	 */
+	getTokenFromOAuthClaim: (data) => {
+		let Token = new TokenModel();
+
+		data.scope  = 'user';
+		data.expiry = '1d';
+
+		return userModel
+			.query()
+			.where('email', data.identity)
+			.andWhere('is_deleted', 0)
+			.andWhere('is_disabled', 0)
+			.first()
+			.then((user) => {
+				if (!user) {
+					throw new error.AuthError(`A user with the email ${data.identity} does not exist. Please contact your administrator.`);
+				}
+
+				// Create a moment of the expiry expression
+				let expiry = helpers.parseDatePeriod(data.expiry);
+				if (expiry === null) {
+					throw new error.AuthError('Invalid expiry time: ' + data.expiry);
+				}
+
+				let iss = 'api',
+					attrs = { id: user.id },
+					scope = [ data.scope ],
+					expiresIn = data.expiry;
+
+				return Token.create({ iss, attrs, scope, expiresIn })
+					.then((signed) => {
+						return { token: signed.token, expires: expiry.toISOString() };
+					});
+			});
+	},
+
 	/**
 	 * @param {Access} access
 	 * @param {Object} [data]

backend/lib/config.js

@@ -3,9 +3,6 @@ const NodeRSA = require('node-rsa');
 const logger  = require('../logger').global;
 
 const keysFile = '/data/keys.json';
-const mysqlEngine      = 'mysql2';
-const postgresEngine   = 'pg';
-const sqliteClientName = 'sqlite3';
 
 let instance = null;
 
@@ -17,7 +14,7 @@ const configure = () => {
 		let configData;
 		try {
 			configData = require(filename);
-		} catch (_) {
+		} catch (err) {
 			// do nothing
 		}
 
@@ -37,7 +34,7 @@ const configure = () => {
 		logger.info('Using MySQL configuration');
 		instance = {
 			database: {
-				engine:   mysqlEngine,
+				engine:   'mysql2',
 				host:     envMysqlHost,
 				port:     process.env.DB_MYSQL_PORT || 3306,
 				user:     envMysqlUser,
@@ -49,33 +46,13 @@ const configure = () => {
 		return;
 	}
 
-	const envPostgresHost = process.env.DB_POSTGRES_HOST || null;
-	const envPostgresUser = process.env.DB_POSTGRES_USER || null;
-	const envPostgresName = process.env.DB_POSTGRES_NAME || null;
-	if (envPostgresHost && envPostgresUser && envPostgresName) {
-		// we have enough postgres creds to go with postgres
-		logger.info('Using Postgres configuration');
-		instance = {
-			database: {
-				engine:   postgresEngine,
-				host:     envPostgresHost,
-				port:     process.env.DB_POSTGRES_PORT || 5432,
-				user:     envPostgresUser,
-				password: process.env.DB_POSTGRES_PASSWORD,
-				name:     envPostgresName,
-			},
-			keys: getKeys(),
-		};
-		return;
-	}
-
 	const envSqliteFile = process.env.DB_SQLITE_FILE || '/data/database.sqlite';
 	logger.info(`Using Sqlite: ${envSqliteFile}`);
 	instance = {
 		database: {
 			engine: 'knex-native',
 			knex:   {
-				client:     sqliteClientName,
+				client:     'sqlite3',
 				connection: {
 					filename: envSqliteFile
 				},
@@ -166,27 +143,7 @@ module.exports = {
 	 */
 	isSqlite: function () {
 		instance === null && configure();
-		return instance.database.knex && instance.database.knex.client === sqliteClientName;
-	},
-
-	/**
-	 * Is this a mysql configuration?
-	 *
-	 * @returns {boolean}
-	 */
-	isMysql: function () {
-		instance === null && configure();
-		return instance.database.engine === mysqlEngine;
-	},
-	
-	/**
-		 * Is this a postgres configuration?
-		 *
-		 * @returns {boolean}
-		 */
-	isPostgres: function () {
-		instance === null && configure();
-		return instance.database.engine === postgresEngine;
+		return instance.database.knex && instance.database.knex.client === 'sqlite3';
 	},
 
 	/**

backend/lib/express/jwt-decode.js

@@ -4,7 +4,14 @@ module.exports = () => {
 	return function (req, res, next) {
 		res.locals.access = null;
 		let access        = new Access(res.locals.token || null);
-		access.load()
+
+		// Allow unauthenticated access to get the oidc configuration
+		let oidc_access =
+			req.url === '/oidc-config' &&
+			req.method === 'GET' &&
+			!access.token.getUserId();
+
+		access.load(oidc_access)
 			.then(() => {
 				res.locals.access = access;
 				next();

backend/lib/helpers.js

@@ -1,6 +1,4 @@
 const moment = require('moment');
-const {isPostgres} = require('./config');
-const {ref}        = require('objection');
 
 module.exports = {
 
@@ -47,16 +45,6 @@ module.exports = {
 			}
 		});
 		return obj;
-	},
-
-	/**
-	 * Casts a column to json if using postgres
-	 *
-	 * @param {string} colName
-	 * @returns {string|Objection.ReferenceBuilder}
-	 */
-	castJsonIfNeed: function (colName) {
-		return isPostgres() ? ref(colName).castText() : colName;
 	}
 
 };

backend/logger.js

@@ -10,5 +10,6 @@ module.exports = {
 	certbot:   new Signale({scope: 'Certbot  '}),
 	import:    new Signale({scope: 'Importer '}),
 	setup:     new Signale({scope: 'Setup    '}),
-	ip_ranges: new Signale({scope: 'IP Ranges'})
+	ip_ranges: new Signale({scope: 'IP Ranges'}),
+	oidc:      new Signale({scope: 'OIDC     '})
 };

backend/models/redirection_host.js

@@ -17,9 +17,6 @@ const boolFields = [
 	'preserve_path',
 	'ssl_forced',
 	'block_exploits',
-	'hsts_enabled',
-	'hsts_subdomains',
-	'http2_support',
 ];
 
 class RedirectionHost extends Model {

backend/package.json

@@ -21,9 +21,9 @@
 		"moment": "^2.29.4",
 		"mysql2": "^3.11.1",
 		"node-rsa": "^1.0.8",
+		"openid-client": "^5.4.0",
 		"objection": "3.0.1",
 		"path": "^0.12.7",
-		"pg": "^8.13.1",
 		"signale": "1.4.0",
 		"sqlite3": "5.1.6",
 		"temp-write": "^4.0.0"

backend/routes/main.js

@@ -27,6 +27,7 @@ router.get('/', (req, res/*, next*/) => {
 
 router.use('/schema', require('./schema'));
 router.use('/tokens', require('./tokens'));
+router.use('/oidc', require('./oidc'));
 router.use('/users', require('./users'));
 router.use('/audit-log', require('./audit-log'));
 router.use('/reports', require('./reports'));

backend/routes/oidc.js

@@ -0,0 +1,168 @@
+const crypto        = require('crypto');
+const error         = require('../lib/error');
+const express       = require('express');
+const jwtdecode     = require('../lib/express/jwt-decode');
+const logger        = require('../logger').oidc;
+const oidc          = require('openid-client');
+const settingModel  = require('../models/setting');
+const internalToken = require('../internal/token');
+
+let router = express.Router({
+	caseSensitive: true,
+	strict:        true,
+	mergeParams:   true
+});
+
+router
+	.route('/')
+	.options((req, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * GET /api/oidc
+	 *
+	 * OAuth Authorization Code flow initialisation
+	 */
+	.get(jwtdecode(), async (req, res) => {
+		logger.info('Initializing OAuth flow');
+		settingModel
+			.query()
+			.where({id: 'oidc-config'})
+			.first()
+			.then((row) => getInitParams(req, row))
+			.then((params) => redirectToAuthorizationURL(res, params))
+			.catch((err) => redirectWithError(res, err));
+	});
+
+
+router
+	.route('/callback')
+	.options((req, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * GET /api/oidc/callback
+	 *
+	 * Oauth Authorization Code flow callback
+	 */
+	.get(jwtdecode(), async (req, res) => {
+		logger.info('Processing callback');
+		settingModel
+			.query()
+			.where({id: 'oidc-config'})
+			.first()
+			.then((settings) => validateCallback(req, settings))
+			.then((token) => redirectWithJwtToken(res, token))
+			.catch((err) => redirectWithError(res, err));
+	});
+
+/**
+ * Executes discovery and returns the configured `openid-client` client
+ *
+ * @param {Setting} row
+ * */
+let getClient = async (row) => {
+	let issuer;
+	try {
+		issuer = await oidc.Issuer.discover(row.meta.issuerURL);
+	} catch (err) {
+		throw new error.AuthError(`Discovery failed for the specified URL with message: ${err.message}`);
+	}
+
+	return new issuer.Client({
+		client_id:      row.meta.clientID,
+		client_secret:  row.meta.clientSecret,
+		redirect_uris:  [row.meta.redirectURL],
+		response_types: ['code'],
+	});
+};
+
+/**
+ * Generates state, nonce and authorization url.
+ *
+ * @param {Request} req
+ * @param {Setting} row
+ * @return { {String}, {String}, {String} } state, nonce and url
+ * */
+let getInitParams = async (req, row) => {
+	let client = await getClient(row),
+		state  = crypto.randomUUID(),
+		nonce  = crypto.randomUUID(),
+		url    = client.authorizationUrl({
+			scope:    'openid email profile',
+			resource: `${req.protocol}://${req.get('host')}${req.originalUrl}`,
+			state,
+			nonce,
+		});
+
+	return { state, nonce, url };
+};
+
+/**
+ * Parses state and nonce from cookie during the callback phase.
+ *
+ * @param {Request} req
+ * @return { {String}, {String} } state and nonce
+ * */
+let parseStateFromCookie = (req) => {
+	let state, nonce;
+	let cookies = req.headers.cookie.split(';');
+	for (let cookie of cookies) {
+		if (cookie.split('=')[0].trim() === 'npm_oidc') {
+			let raw = cookie.split('=')[1],
+				val = raw.split('--');
+			state   = val[0].trim();
+			nonce   = val[1].trim();
+			break;
+		}
+	}
+
+	return { state, nonce };
+};
+
+/**
+ * Executes validation of callback parameters.
+ *
+ * @param {Request} req
+ * @param {Setting} settings
+ * @return {Promise} a promise resolving to a jwt token
+ * */
+let validateCallback = async (req, settings) => {
+	let client 	         = await getClient(settings);
+	let { state, nonce } = parseStateFromCookie(req);
+
+	const params   = client.callbackParams(req);
+	const tokenSet = await client.callback(settings.meta.redirectURL, params, { state, nonce });
+	let claims     = tokenSet.claims();
+
+	if (!claims.email) {
+		throw new error.AuthError('The Identity Provider didn\'t send the \'email\' claim');
+	} else {
+		logger.info('Successful authentication for email ' + claims.email);
+	}
+
+	return internalToken.getTokenFromOAuthClaim({ identity: claims.email });
+};
+
+let redirectToAuthorizationURL = (res, params) => {
+	logger.info('Authorization URL: ' + params.url);
+	res.cookie('npm_oidc', params.state + '--' + params.nonce);
+	res.redirect(params.url);
+};
+
+let redirectWithJwtToken = (res, token) => {
+	res.cookie('npm_oidc', token.token + '---' + token.expires);
+	res.redirect('/login');
+};
+
+let redirectWithError = (res, error) => {
+	logger.error('Callback error: ' + error.message);
+	res.cookie('npm_oidc_error', error.message);
+	res.redirect('/login');
+};
+
+module.exports = router;

backend/routes/settings.js

@@ -71,6 +71,18 @@ router
 				});
 			})
 			.then((row) => {
+				if (row.id === 'oidc-config') {
+					// Redact oidc configuration via api (unauthenticated get call)
+					let m    = row.meta;
+					row.meta = {
+						name:    m.name,
+						enabled: m.enabled === true && !!(m.clientID && m.clientSecret && m.issuerURL && m.redirectURL && m.name)
+					};
+
+					// Remove these temporary cookies used during oidc authentication
+					res.clearCookie('npm_oidc');
+					res.clearCookie('npm_oidc_error');
+				}
 				res.status(200)
 					.send(row);
 			})

backend/routes/tokens.js

@@ -29,6 +29,8 @@ router
 			scope:  (typeof req.query.scope !== 'undefined' ? req.query.scope : null)
 		})
 			.then((data) => {
+				// clear this temporary cookie following a successful oidc authentication
+				res.clearCookie('npm_oidc');
 				res.status(200)
 					.send(data);
 			})

backend/schema/components/stream-object.json

@@ -19,9 +19,7 @@
 		"incoming_port": {
 			"type": "integer",
 			"minimum": 1,
-			"maximum": 65535,
-			"if": {"properties": {"tcp_forwarding": {"const": true}}},
-			"then": {"not": {"oneOf": [{"const": 80}, {"const": 443}]}}
+			"maximum": 65535
 		},
 		"forwarding_host": {
 			"anyOf": [

backend/schema/paths/settings/settingID/put.json

@@ -14,7 +14,7 @@
 			"schema": {
 				"type": "string",
 				"minLength": 1,
-				"enum": ["default-site"]
+				"enum": ["default-site", "oidc-config"]
 			},
 			"required": true,
 			"description": "Setting ID",
@@ -27,6 +27,8 @@
 		"content": {
 			"application/json": {
 				"schema": {
+					"oneOf": [
+						{
 							"type": "object",
 							"additionalProperties": false,
 							"minProperties": 1,
@@ -34,7 +36,13 @@
 								"value": {
 									"type": "string",
 									"minLength": 1,
-							"enum": ["congratulations", "404", "444", "redirect", "html"]
+									"enum": [
+										"congratulations",
+										"404",
+										"444",
+										"redirect",
+										"html"
+									]
 								},
 								"meta": {
 									"type": "object",
@@ -49,6 +57,39 @@
 									}
 								}
 							}
+						},
+						{
+							"type": "object",
+							"additionalProperties": false,
+							"minProperties": 1,
+							"properties": {
+								"meta": {
+									"type": "object",
+									"additionalProperties": false,
+									"properties": {
+										"clientID": {
+											"type": "string"
+										},
+										"clientSecret": {
+											"type": "string"
+										},
+										"enabled": {
+											"type": "boolean"
+										},
+										"issuerURL": {
+											"type": "string"
+										},
+										"name": {
+											"type": "string"
+										},
+										"redirectURL": {
+											"type": "string"
+										}
+									}
+								}
+							}
+						}
+					]
 				}
 			}
 		}

backend/setup.js

@@ -15,18 +15,18 @@ const certbot             = require('./lib/certbot');
 const setupDefaultUser = () => {
 	return userModel
 		.query()
-		.select('id', )
+		.select(userModel.raw('COUNT(`id`) as `count`'))
 		.where('is_deleted', 0)
 		.first()
 		.then((row) => {
-			if (!row || !row.id) {
+			if (!row.count) {
 				// Create a new user and set password
-				const email    = process.env.INITIAL_ADMIN_EMAIL || 'admin@example.com';
-				const password = process.env.INITIAL_ADMIN_PASSWORD || 'changeme';
+				let email    = process.env.INITIAL_ADMIN_EMAIL || 'admin@example.com';
+				let password = process.env.INITIAL_ADMIN_PASSWORD || 'changeme';
 				
 				logger.info('Creating a new user: ' + email + ' with password: ' + password);
 
-				const data = {
+				let data = {
 					is_deleted: 0,
 					email:      email,
 					name:       'Administrator',
@@ -75,13 +75,14 @@ const setupDefaultUser = () => {
  * @returns {Promise}
  */
 const setupDefaultSettings = () => {
-	return settingModel
+	return Promise.all([
+		settingModel
 			.query()
-		.select('id')
+			.select(settingModel.raw('COUNT(`id`) as `count`'))
 			.where({id: 'default-site'})
 			.first()
 			.then((row) => {
-			if (!row || !row.id) {
+				if (!row.count) {
 					settingModel
 						.query()
 						.insert({
@@ -92,13 +93,38 @@ const setupDefaultSettings = () => {
 							meta:        {},
 						})
 						.then(() => {
-						logger.info('Default settings added');
+							logger.info('Added default-site setting');
 						});
 				}
 				if (config.debug()) {
 					logger.info('Default setting setup not required');
 				}
+			}),
+		settingModel
+			.query()
+			.select(settingModel.raw('COUNT(`id`) as `count`'))
+			.where({id: 'oidc-config'})
+			.first()
+			.then((row) => {
+				if (!row.count) {
+					settingModel
+						.query()
+						.insert({
+							id:          'oidc-config',
+							name:        'Open ID Connect',
+							description: 'Sign in to Nginx Proxy Manager with an external Identity Provider',
+							value:       'metadata',
+							meta:        {},
+						})
+						.then(() => {
+							logger.info('Added oidc-config setting');
 						});
+				}
+				if (config.debug()) {
+					logger.info('Default setting setup not required');
+				}
+			})
+	]);
 };
 
 /**

backend/templates/dead_host.conf

@@ -22,7 +22,5 @@ server {
   }
 {% endif %}
 
-  # Custom
-  include /data/nginx/custom/server_dead[.]conf;
 }
 {% endif %}

docker/ci.env

@@ -1,8 +0,0 @@
-AUTHENTIK_SECRET_KEY=gl8woZe8L6IIX8SC0c5Ocsj0xPkX5uJo5DVZCFl+L/QGbzuplfutYuua2ODNLEiDD3aFd9H2ylJmrke0
-AUTHENTIK_REDIS__HOST=authentik-redis
-AUTHENTIK_POSTGRESQL__HOST=db-postgres
-AUTHENTIK_POSTGRESQL__USER=authentik
-AUTHENTIK_POSTGRESQL__NAME=authentik
-AUTHENTIK_POSTGRESQL__PASSWORD=07EKS5NLI6Tpv68tbdvrxfvj
-AUTHENTIK_BOOTSTRAP_PASSWORD=admin
-AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com

docker/dev/Dockerfile

@@ -29,8 +29,7 @@ COPY scripts/install-s6 /tmp/install-s6
 RUN rm -f /etc/nginx/conf.d/production.conf \
 	&& chmod 644 /etc/logrotate.d/nginx-proxy-manager \
 	&& /tmp/install-s6 "${TARGETPLATFORM}" \
-	&& rm -f /tmp/install-s6 \
-	&& chmod 644 -R /root/.cache
+	&& rm -f /tmp/install-s6
 
 # Certs for testing purposes
 COPY --from=pebbleca /test/certs/pebble.minica.pem /etc/ssl/certs/pebble.minica.pem

docker/docker-compose.ci.postgres.yml

@@ -1,78 +0,0 @@
-# WARNING: This is a CI docker-compose file used for building and testing of the entire app, it should not be used for production.
-services:
-
-  cypress:
-    environment:
-      CYPRESS_stack: 'postgres'
-
-  fullstack:
-    environment:
-      DB_POSTGRES_HOST: 'db-postgres'
-      DB_POSTGRES_PORT: '5432'
-      DB_POSTGRES_USER: 'npm'
-      DB_POSTGRES_PASSWORD: 'npmpass'
-      DB_POSTGRES_NAME: 'npm'
-    depends_on:
-      - db-postgres
-      - authentik
-      - authentik-worker
-      - authentik-ldap
-
-  db-postgres:
-    image: postgres:latest
-    environment:
-      POSTGRES_USER: 'npm'
-      POSTGRES_PASSWORD: 'npmpass'
-      POSTGRES_DB: 'npm'
-    volumes:
-      - psql_vol:/var/lib/postgresql/data
-      - ./ci/postgres:/docker-entrypoint-initdb.d
-    networks:
-      - fulltest
-
-  authentik-redis:
-    image: 'redis:alpine'
-    command: --save 60 1 --loglevel warning
-    restart: unless-stopped
-    healthcheck:
-      test: ['CMD-SHELL', 'redis-cli ping | grep PONG']
-      start_period: 20s
-      interval: 30s
-      retries: 5
-      timeout: 3s
-    volumes:
-      - redis_vol:/data
-
-  authentik:
-    image: ghcr.io/goauthentik/server:2024.10.1
-    restart: unless-stopped
-    command: server
-    env_file:
-      - ci.env
-    depends_on:
-      - authentik-redis
-      - db-postgres
-
-  authentik-worker:
-    image: ghcr.io/goauthentik/server:2024.10.1
-    restart: unless-stopped
-    command: worker
-    env_file:
-      - ci.env
-    depends_on:
-      - authentik-redis
-      - db-postgres
-
-  authentik-ldap:
-    image: ghcr.io/goauthentik/ldap:2024.10.1
-    environment:
-      AUTHENTIK_HOST: 'http://authentik:9000'
-      AUTHENTIK_INSECURE: 'true'
-      AUTHENTIK_TOKEN: 'wKYZuRcI0ETtb8vWzMCr04oNbhrQUUICy89hSpDln1OEKLjiNEuQ51044Vkp'
-    restart: unless-stopped
-    depends_on:
-      - authentik
-
-volumes:
-  psql_vol:
-  redis_vol:

docker/docker-compose.dev.yml

@@ -2,8 +2,8 @@
 services:
 
   fullstack:
-    image: npm2dev:core
-    container_name: npm2dev.core
+    image: nginxproxymanager:dev
+    container_name: npm_core
     build:
       context: ./
       dockerfile: ./dev/Dockerfile
@@ -26,17 +26,11 @@ services:
       DEVELOPMENT: 'true'
       LE_STAGING: 'true'
       # db:
-      # DB_MYSQL_HOST: 'db'
-      # DB_MYSQL_PORT: '3306'
-      # DB_MYSQL_USER: 'npm'
-      # DB_MYSQL_PASSWORD: 'npm'
-      # DB_MYSQL_NAME: 'npm'
-      # db-postgres:
-      DB_POSTGRES_HOST: 'db-postgres'
-      DB_POSTGRES_PORT: '5432'
-      DB_POSTGRES_USER: 'npm'
-      DB_POSTGRES_PASSWORD: 'npmpass'
-      DB_POSTGRES_NAME: 'npm'
+      DB_MYSQL_HOST: 'db'
+      DB_MYSQL_PORT: '3306'
+      DB_MYSQL_USER: 'npm'
+      DB_MYSQL_PASSWORD: 'npm'
+      DB_MYSQL_NAME: 'npm'
       # DB_SQLITE_FILE: "/data/database.sqlite"
       # DISABLE_IPV6: "true"
       # Required for DNS Certificate provisioning testing:
@@ -55,15 +49,11 @@ services:
       timeout: 3s
     depends_on:
       - db
-      - db-postgres
-      - authentik
-      - authentik-worker
-      - authentik-ldap
     working_dir: /app
 
   db:
     image: jc21/mariadb-aria
-    container_name: npm2dev.db
+    container_name: npm_db
     ports:
       - 33306:3306
     networks:
@@ -76,22 +66,8 @@ services:
     volumes:
       - db_data:/var/lib/mysql
 
-  db-postgres:
-    image: postgres:latest
-    container_name: npm2dev.db-postgres
-    networks:
-      - nginx_proxy_manager
-    environment:
-      POSTGRES_USER: 'npm'
-      POSTGRES_PASSWORD: 'npmpass'
-      POSTGRES_DB: 'npm'
-    volumes:
-      - psql_data:/var/lib/postgresql/data
-      - ./ci/postgres:/docker-entrypoint-initdb.d
-
   stepca:
     image: jc21/testca
-    container_name: npm2dev.stepca
     volumes:
       - './dev/resolv.conf:/etc/resolv.conf:ro'
       - '/etc/localtime:/etc/localtime:ro'
@@ -102,7 +78,6 @@ services:
 
   dnsrouter:
     image: jc21/dnsrouter
-    container_name: npm2dev.dnsrouter
     volumes:
       - ./dev/dnsrouter-config.json.tmp:/dnsrouter-config.json:ro
     networks:
@@ -110,7 +85,7 @@ services:
 
   swagger:
     image: swaggerapi/swagger-ui:latest
-    container_name: npm2dev.swagger
+    container_name: npm_swagger
     ports:
       - 3082:80
     environment:
@@ -121,7 +96,7 @@ services:
 
   squid:
     image: ubuntu/squid
-    container_name: npm2dev.squid
+    container_name: npm_squid
     volumes:
       - './dev/squid.conf:/etc/squid/squid.conf:ro'
       - './dev/resolv.conf:/etc/resolv.conf:ro'
@@ -133,7 +108,6 @@ services:
 
   pdns:
     image: pschiffe/pdns-mysql
-    container_name: npm2dev.pdns
     volumes:
       - '/etc/localtime:/etc/localtime:ro'
     environment:
@@ -162,7 +136,6 @@ services:
 
   pdns-db:
     image: mariadb
-    container_name: npm2dev.pdns-db
     environment:
       MYSQL_ROOT_PASSWORD: 'pdns'
       MYSQL_DATABASE: 'pdns'
@@ -176,8 +149,7 @@ services:
       - nginx_proxy_manager
 
   cypress:
-    image: npm2dev:cypress
-    container_name: npm2dev.cypress
+    image: "npm_dev_cypress"
     build:
       context: ../
       dockerfile: test/cypress/Dockerfile
@@ -192,77 +164,16 @@ services:
     networks:
       - nginx_proxy_manager
 
-  authentik-redis:
-    image: 'redis:alpine'
-    container_name: npm2dev.authentik-redis
-    command: --save 60 1 --loglevel warning
-    networks:
-      - nginx_proxy_manager
-    restart: unless-stopped
-    healthcheck:
-      test: ['CMD-SHELL', 'redis-cli ping | grep PONG']
-      start_period: 20s
-      interval: 30s
-      retries: 5
-      timeout: 3s
-    volumes:
-      - redis_data:/data
-
-  authentik:
-    image: ghcr.io/goauthentik/server:2024.10.1
-    container_name: npm2dev.authentik
-    restart: unless-stopped
-    command: server
-    networks:
-      - nginx_proxy_manager
-    env_file:
-      - ci.env
-    ports:
-      - 9000:9000 
-    depends_on:
-      - authentik-redis
-      - db-postgres
-
-  authentik-worker:
-    image: ghcr.io/goauthentik/server:2024.10.1
-    container_name: npm2dev.authentik-worker
-    restart: unless-stopped
-    command: worker
-    networks:
-      - nginx_proxy_manager
-    env_file:
-      - ci.env
-    depends_on:
-      - authentik-redis
-      - db-postgres
-
-  authentik-ldap:
-    image: ghcr.io/goauthentik/ldap:2024.10.1
-    container_name: npm2dev.authentik-ldap
-    networks:
-      - nginx_proxy_manager
-    environment:
-      AUTHENTIK_HOST: 'http://authentik:9000'
-      AUTHENTIK_INSECURE: 'true'
-      AUTHENTIK_TOKEN: 'wKYZuRcI0ETtb8vWzMCr04oNbhrQUUICy89hSpDln1OEKLjiNEuQ51044Vkp'
-    restart: unless-stopped
-    depends_on:
-      - authentik
-
 volumes:
   npm_data:
-    name: npm2dev_core_data
+    name: npm_core_data
   le_data:
-    name: npm2dev_le_data
+    name: npm_le_data
   db_data:
-    name: npm2dev_db_data
+    name: npm_db_data
   pdns_mysql:
-    name: npnpm2dev_pdns_mysql
-  psql_data:
-    name: npm2dev_psql_data
-  redis_data:
-    name: npm2dev_redis_data
+    name: npm_pdns_mysql
 
 networks:
   nginx_proxy_manager:
-    name: npm2dev_network
+    name: npm_network

docker/rootfs/etc/nginx/conf.d/include/assets.conf

@@ -1,4 +1,4 @@
-location ~* ^.*\.(css|js|jpe?g|gif|png|webp|woff|woff2|eot|ttf|svg|ico|css\.map|js\.map)$ {
+location ~* ^.*\.(css|js|jpe?g|gif|png|webp|woff|eot|ttf|svg|ico|css\.map|js\.map)$ {
 	if_modified_since off;
 
 	# use the public cache

docs/src/advanced-config/index.md

@@ -50,6 +50,7 @@ networks:
 Let's look at a Portainer example:
 
 ```yml
+version: '3.8'
 services:
 
   portainer:
@@ -91,6 +92,8 @@ This image supports the use of Docker secrets to import from files and keep sens
 You can set any environment variable from a file by appending `__FILE` (double-underscore FILE) to the environmental variable name.
 
 ```yml
+version: '3.8'
+
 secrets:
   # Secrets are single-line text files where the sole content is the secret
   # Paths in this example assume that secrets are kept in local folder called ".secrets"
@@ -181,7 +184,6 @@ You can add your custom configuration snippet files at `/data/nginx/custom` as f
  - `/data/nginx/custom/server_stream.conf`: Included at the end of every stream server block
  - `/data/nginx/custom/server_stream_tcp.conf`: Included at the end of every TCP stream server block
  - `/data/nginx/custom/server_stream_udp.conf`: Included at the end of every UDP stream server block
- - `/data/nginx/custom/server_dead.conf`: Included at the end of every 404 server block
 
 Every file is optional.
 

docs/src/setup/index.md

@@ -9,6 +9,7 @@ outline: deep
 Create a `docker-compose.yml` file:
 
 ```yml
+version: '3.8'
 services:
   app:
     image: 'jc21/nginx-proxy-manager:latest'
@@ -21,7 +22,8 @@ services:
       # Add any other Stream port you want to expose
       # - '21:21' # FTP
 
-    environment:
+    # Uncomment the next line if you uncomment anything in the section
+    # environment:
       # Uncomment this if you want to change the location of
       # the SQLite DB file within the container
       # DB_SQLITE_FILE: "/data/database.sqlite"
@@ -53,6 +55,7 @@ are going to use.
 Here is an example of what your `docker-compose.yml` will look like when using a MariaDB container:
 
 ```yml
+version: '3.8'
 services:
   app:
     image: 'jc21/nginx-proxy-manager:latest'
@@ -98,53 +101,6 @@ Please note, that `DB_MYSQL_*` environment variables will take precedent over `D
 
 :::
 
-## Using Postgres database
-
-Similar to the MySQL server setup:
-
-```yml
-services:
-  app:
-    image: 'jc21/nginx-proxy-manager:latest'
-    restart: unless-stopped
-    ports:
-      # These ports are in format <host-port>:<container-port>
-      - '80:80' # Public HTTP Port
-      - '443:443' # Public HTTPS Port
-      - '81:81' # Admin Web Port
-      # Add any other Stream port you want to expose
-      # - '21:21' # FTP
-    environment:
-      # Postgres parameters:
-      DB_POSTGRES_HOST: 'db'
-      DB_POSTGRES_PORT: '5432'
-      DB_POSTGRES_USER: 'npm'
-      DB_POSTGRES_PASSWORD: 'npmpass'
-      DB_POSTGRES_NAME: 'npm'
-      # Uncomment this if IPv6 is not enabled on your host
-      # DISABLE_IPV6: 'true'
-    volumes:
-      - ./data:/data
-      - ./letsencrypt:/etc/letsencrypt
-    depends_on:
-      - db
-
-  db:
-    image: postgres:latest
-    environment:
-      POSTGRES_USER: 'npm'
-      POSTGRES_PASSWORD: 'npmpass'
-      POSTGRES_DB: 'npm'
-    volumes:
-      - ./postgres:/var/lib/postgresql/data
-```
-
-::: warning
-
-Custom Postgres schema is not supported, as such `public` will be used.
-
-:::
-
 ## Running on Raspberry PI / ARM devices
 
 The docker images support the following architectures:
@@ -190,4 +146,43 @@ Immediately after logging in with this default user you will be asked to modify
       INITIAL_ADMIN_PASSWORD: mypassword1
 ```
 
+## OpenID Connect - Single Sign-On (SSO)
+
+Nginx Proxy Manager supports single sign-on (SSO) with OpenID Connect. This feature allows you to use an external OpenID Connect provider log in.
+
+::: warning
+
+Please note, that this feature requires a user to have an existing account to have been created via the "Users" page in the admin interface.
+
+:::
+
+### Provider Configuration
+However, before you configure this feature, you need to have an OpenID Connect provider.
+If you don't have one, you can use Authentik, which is an open-source OpenID Connect provider. Auth0 is another popular OpenID Connect provider that offers a free tier.
+
+Each provider is a little different, so you will need to refer to the provider's documentation to get the necessary information to configure a new application.
+You will need the `Client ID`, `Client Secret`, and `Issuer URL` from the provider. When you create the application in the provider, you will also need to include the `Redirect URL` in the list of allowed redirect URLs for the application.
+Nginx Proxy Manager uses the `/api/oidc/callback` endpoint for the redirect URL.
+The scopes requested by Nginx Proxy Manager are `openid`, `email`, and `profile` - make sure your auth provider supports these scopes.
+
+We have confirmed that the following providers work with Nginx Proxy Manager. If you have success with another provider, make a pull request to add it to the list!
+- Authentik
+- Authelia
+- Auth0
+
+### Nginx Proxy Manager Configuration
+To enable SSO, log into the management interface as an Administrator and navigate to the "Settings" page.
+The setting to configure OpenID Connect is named "OpenID Connect Configuration".
+Click the 3 dots on the far right side of the table and then click "Edit".
+In the modal that appears, you will see a form with the following fields:
+
+| Field         | Description                                               | Example Value                               | Notes                                                               |
+|---------------|-----------------------------------------------------------|---------------------------------------------|---------------------------------------------------------------------|
+| Name          | The name of the OpenID Connect provider                   | Authentik                                   | This will be shown on the login page (eg: "Sign in with Authentik") |
+| Client ID     | The client ID provided by the OpenID Connect provider     | `xyz...456`                                 |                                                                     |
+| Client Secret | The client secret provided by the OpenID Connect provider | `abc...123`                                 |
+| Issuer URL    | The issuer URL provided by the OpenID Connect provider    | `https://authentik.example.com`             | This is the URL that the provider uses to identify itself           |
+| Redirect URL  | The redirect URL to use for the OpenID Connect provider   | `https://npm.example.com/api/oidc/callback` |                                                                     |
+
+After filling in the fields, click "Save" to save the settings. You can now use the "Sign in with Authentik" button on the login page to sign in with your OpenID Connect provider.
 

docs/src/third-party/index.md

@@ -12,7 +12,6 @@ Known integrations:
 - [HomeAssistant Hass.io plugin](https://github.com/hassio-addons/addon-nginx-proxy-manager)
 - [UnRaid / Synology](https://github.com/jlesage/docker-nginx-proxy-manager)
 - [Proxmox Scripts](https://github.com/ej52/proxmox-scripts/tree/main/apps/nginx-proxy-manager)
-- [Proxmox VE Helper-Scripts](https://community-scripts.github.io/ProxmoxVE/scripts?id=nginxproxymanager)
 - [nginxproxymanagerGraf](https://github.com/ma-karai/nginxproxymanagerGraf)
 
 

docs/yarn.lock

@@ -873,9 +873,9 @@ mitt@^3.0.1:
   integrity sha512-vKivATfr97l2/QBCYAkXYDbrIWPM2IIKEl7YPhjCvKlG3kE2gm+uBo6nEXK3M5/Ffh/FLpKExzOQ3JJoJGFKBw==
 
 nanoid@^3.3.7:
-  version "3.3.8"
-  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.8.tgz#b1be3030bee36aaff18bacb375e5cce521684baf"
-  integrity sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==
+  version "3.3.7"
+  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.7.tgz#d0c301a691bc8d54efa0a2226ccf3fe2fd656bd8"
+  integrity sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==
 
 oniguruma-to-js@0.4.3:
   version "0.4.3"

frontend/js/app/api.js

@@ -59,6 +59,11 @@ function fetch(verb, path, data, options) {
             },
 
             beforeSend: function (xhr) {
+                // Allow unauthenticated access to get the oidc configuration
+                if (path === 'settings/oidc-config' && verb === "get") {
+                    return;
+                }
+
                 xhr.setRequestHeader('Authorization', 'Bearer ' + (token ? token.t : null));
             },
 

frontend/js/app/controller.js

@@ -434,6 +434,11 @@ module.exports = {
                     App.UI.showModalDialog(new View({model: model}));
                 });
             }
+            if (model.get('id') === 'oidc-config') {
+                require(['./main', './settings/oidc-config/main'], function (App, View) {
+                    App.UI.showModalDialog(new View({model: model}));
+                });
+            }
         }
     },
 

frontend/js/app/dashboard/main.ejs

@@ -1,5 +1,5 @@
 <div class="page-header">
-    <h1 class="page-title"><%- i18n('dashboard', 'title', {name: getUserName()}) %></h1>
+    <h1 class="page-title" data-cy="page-title"><%- i18n('dashboard', 'title', {name: getUserName()}) %></h1>
 </div>
 
 <% if (columns) { %>

frontend/js/app/nginx/access/list/item.ejs

@@ -1,6 +1,6 @@
 <td class="text-center">
-    <div class="avatar d-block" style="background-image: url(<%- (owner && owner.avatar) || '/images/default-avatar.jpg' %>)" title="Owned by <%- (owner && owner.name) || 'a deleted user' %>">
-        <span class="avatar-status <%- owner && !owner.is_disabled ? 'bg-green' : 'bg-red' %>"></span>
+    <div class="avatar d-block" style="background-image: url(<%- owner.avatar || '/images/default-avatar.jpg' %>)" title="Owned by <%- owner.name %>">
+        <span class="avatar-status <%- owner.is_disabled ? 'bg-red' : 'bg-green' %>"></span>
     </div>
 </td>
 <td>

frontend/js/app/nginx/certificates/list/item.ejs

@@ -1,6 +1,6 @@
 <td class="text-center">
-    <div class="avatar d-block" style="background-image: url(<%- (owner && owner.avatar) || '/images/default-avatar.jpg' %>)" title="Owned by <%- (owner && owner.name) || 'a deleted user' %>">
-        <span class="avatar-status <%- owner && !owner.is_disabled ? 'bg-green' : 'bg-red' %>"></span>
+    <div class="avatar d-block" style="background-image: url(<%- owner.avatar || '/images/default-avatar.jpg' %>)" title="Owned by <%- owner.name %>">
+        <span class="avatar-status <%- owner.is_disabled ? 'bg-red' : 'bg-green' %>"></span>
     </div>
 </td>
 <td>

frontend/js/app/nginx/dead/list/item.ejs

@@ -1,6 +1,6 @@
 <td class="text-center">
-    <div class="avatar d-block" style="background-image: url(<%- (owner && owner.avatar) || '/images/default-avatar.jpg' %>)" title="Owned by <%- (owner && owner.name) || 'a deleted user' %>">
-        <span class="avatar-status <%- owner && !owner.is_disabled ? 'bg-green' : 'bg-red' %>"></span>
+    <div class="avatar d-block" style="background-image: url(<%- owner.avatar || '/images/default-avatar.jpg' %>)" title="Owned by <%- owner.name %>">
+        <span class="avatar-status <%- owner.is_disabled ? 'bg-red' : 'bg-green' %>"></span>
     </div>
 </td>
 <td>

frontend/js/app/nginx/proxy/list/item.ejs

@@ -1,6 +1,6 @@
 <td class="text-center">
-    <div class="avatar d-block" style="background-image: url(<%- (owner && owner.avatar) || '/images/default-avatar.jpg' %>)" title="Owned by <%- (owner && owner.name) || 'a deleted user' %>">
-        <span class="avatar-status <%- owner && !owner.is_disabled ? 'bg-green' : 'bg-red' %>"></span>
+    <div class="avatar d-block" style="background-image: url(<%- owner.avatar || '/images/default-avatar.jpg' %>)" title="Owned by <%- owner.name %>">
+        <span class="avatar-status <%- owner.is_disabled ? 'bg-red' : 'bg-green' %>"></span>
     </div>
 </td>
 <td>

frontend/js/app/nginx/redirection/list/item.ejs

@@ -1,6 +1,6 @@
 <td class="text-center">
-    <div class="avatar d-block" style="background-image: url(<%- (owner && owner.avatar) || '/images/default-avatar.jpg' %>)" title="Owned by <%- (owner && owner.name) || 'a deleted user' %>">
-        <span class="avatar-status <%- owner && !owner.is_disabled ? 'bg-green' : 'bg-red' %>"></span>
+    <div class="avatar d-block" style="background-image: url(<%- owner.avatar || '/images/default-avatar.jpg' %>)" title="Owned by <%- owner.name %>">
+        <span class="avatar-status <%- owner.is_disabled ? 'bg-red' : 'bg-green' %>"></span>
     </div>
 </td>
 <td>

frontend/js/app/nginx/stream/list/item.ejs

@@ -1,6 +1,6 @@
 <td class="text-center">
-    <div class="avatar d-block" style="background-image: url(<%- (owner && owner.avatar) || '/images/default-avatar.jpg' %>)" title="Owned by <%- (owner && owner.name) || 'a deleted user' %>">
-        <span class="avatar-status <%- owner && !owner.is_disabled ? 'bg-green' : 'bg-red' %>"></span>
+    <div class="avatar d-block" style="background-image: url(<%- owner.avatar || '/images/default-avatar.jpg' %>)" title="Owned by <%- owner.name %>">
+        <span class="avatar-status <%- owner.is_disabled ? 'bg-red' : 'bg-green' %>"></span>
     </div>
 </td>
 <td>

frontend/js/app/settings/list/item.ejs

@@ -1,7 +1,19 @@
 <td>
-    <div><%- i18n('settings', 'default-site') %></div>
+    <div>
+        <% if (id === 'default-site') { %>
+            <%- i18n('settings', 'default-site') %>
+        <% } %>
+        <% if (id === 'oidc-config') { %>
+            <%- i18n('settings', 'oidc-config') %>
+        <% } %>
+    </div>
     <div class="small text-muted">
+        <% if (id === 'default-site') { %>
             <%- i18n('settings', 'default-site-description') %>
+        <% } %>
+        <% if (id === 'oidc-config') { %>
+            <%- i18n('settings', 'oidc-config-description') %>
+        <% } %>
     </div>
 </td>
 <td>
@@ -9,6 +21,14 @@
         <% if (id === 'default-site') { %>
             <%- i18n('settings', 'default-site-' + value) %>
         <% } %>
+        <% if (id === 'oidc-config' && meta && meta.name && meta.clientID && meta.clientSecret && meta.issuerURL && meta.redirectURL) { %>
+            <%- meta.name %>
+            <% if (!meta.enabled) { %>
+               (<%- i18n('str', 'disabled') %>)
+            <% } %>
+        <% } else if (id === 'oidc-config') { %>
+            <%- i18n('settings', 'oidc-not-configured') %>
+        <% } %>
     </div>
 </td>
 <td class="text-right">

frontend/js/app/settings/oidc-config/main.ejs

@@ -0,0 +1,56 @@
+<div class="modal-content">
+    <div class="modal-header">
+        <h5 class="modal-title"><%- i18n('settings', id) %></h5>
+        <button type="button" class="close cancel" aria-label="Close" data-dismiss="modal">&nbsp;</button>
+    </div>
+    <div class="modal-body">
+        <form>
+            <div class="row">
+                <div class="col-sm-12 col-md-12">
+                    <div class="form-group">
+                        <div class="form-label"><%- description %></div>
+                        <div>
+                            <p><%- i18n('settings', 'oidc-config-hint-1') %></p>
+                            <p><%- i18n('settings', 'oidc-config-hint-2') %></p>
+                        </div>
+                        <div class="custom-controls-stacked">
+                            <div class="form-group">
+                                <label class="form-label"><%- i18n('str', 'name') %> <span class="form-required">*</span>
+                                    <input class="form-control name-input" name="meta[name]" required type="text" value="<%- meta && typeof meta.name !== 'undefined' ? meta.name : '' %>">
+                                </label>
+                            </div>
+                            <div class="form-group">
+                                <label class="form-label">Client ID <span class="form-required">*</span>
+                                    <input class="form-control id-input" name="meta[clientID]" required type="text" value="<%- meta && typeof meta.clientID !== 'undefined' ? meta.clientID : '' %>">
+                                </label>
+                            </div>
+                            <div class="form-group">
+                                <label class="form-label">Client Secret <span class="form-required">*</span>
+                                    <input class="form-control secret-input" name="meta[clientSecret]" required type="text" value="<%- meta && typeof meta.clientSecret !== 'undefined' ? meta.clientSecret : '' %>">
+                                </label>
+                            </div>
+                            <div class="form-group">
+                                <label class="form-label">Issuer URL <span class="form-required">*</span>
+                                    <input class="form-control issuer-input" name="meta[issuerURL]" required placeholder="https://" type="url" value="<%- meta && typeof meta.issuerURL !== 'undefined' ? meta.issuerURL : '' %>">
+                                </label>
+                            </div>
+                            <div class="form-group">
+                                <label class="form-label">Redirect URL <span class="form-required">*</span>
+                                    <input class="form-control redirect-url-input" name="meta[redirectURL]" required placeholder="https://" type="url" value="<%- meta && typeof meta.redirectURL !== 'undefined' ? meta.redirectURL : document.location.origin + '/api/oidc/callback' %>">
+                                </label>
+                            </div>
+                            <div class="form-group">
+                                <div class="form-label"><%- i18n('str', 'enable') %></div>
+                                <input class="form-check enabled-input" name="meta[enabled]" placeholder="" type="checkbox" <%- meta && (typeof meta.enabled !== 'undefined' && meta.enabled === true) || (JSON.stringify(meta) === '{}') ? 'checked="checked"' : '' %> >
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </form>
+    </div>
+    <div class="modal-footer">
+        <button type="button" class="btn btn-secondary cancel" data-dismiss="modal"><%- i18n('str', 'cancel') %></button>
+        <button type="button" class="btn btn-teal save"><%- i18n('str', 'save') %></button>
+    </div>
+</div>

frontend/js/app/settings/oidc-config/main.js

@@ -0,0 +1,46 @@
+const Mn       = require('backbone.marionette');
+const App      = require('../../main');
+const template = require('./main.ejs');
+
+require('jquery-serializejson');
+
+module.exports = Mn.View.extend({
+    template:  template,
+    className: 'modal-dialog wide',
+
+    ui: {
+        form:    'form',
+        buttons: '.modal-footer button',
+        cancel:  'button.cancel',
+        save:    'button.save',
+    },
+
+    events: {
+        'click @ui.save': function (e) {
+            e.preventDefault();
+
+            if (!this.ui.form[0].checkValidity()) {
+                $('<input type="submit">').hide().appendTo(this.ui.form).click().remove();
+                return;
+            }
+
+            let view = this;
+            let data = this.ui.form.serializeJSON();
+            data.id  = this.model.get('id');
+            if (data.meta.enabled) {
+                data.meta.enabled = data.meta.enabled === 'on' || data.meta.enabled === 'true';
+            }
+
+            this.ui.buttons.prop('disabled', true).addClass('btn-disabled');
+            App.Api.Settings.update(data)
+                .then((result) => {
+                    view.model.set(result);
+                    App.UI.closeModal();
+                })
+                .catch((err) => {
+                    alert(err.message);
+                    this.ui.buttons.prop('disabled', false).removeClass('btn-disabled');
+                });
+        }
+    }
+});

frontend/js/app/user/form.ejs

@@ -1,10 +1,10 @@
 <div class="modal-content">
-    <form>
     <div class="modal-header">
         <h5 class="modal-title"><%- i18n('users', 'form-title', {id: id}) %></h5>
         <button type="button" class="close cancel" aria-label="Close" data-dismiss="modal">&nbsp;</button>
     </div>
     <div class="modal-body">
+        <form>
             <div class="row">
                 <div class="col-sm-6 col-md-6">
                     <div class="form-group">
@@ -49,10 +49,10 @@
                 </div>
                 <% } %>
             </div>
+        </form>
     </div>
     <div class="modal-footer">
         <button type="button" class="btn btn-secondary cancel" data-dismiss="modal"><%- i18n('str', 'cancel') %></button>
-            <button type="submit" class="btn btn-teal save"><%- i18n('str', 'save') %></button>
+        <button type="button" class="btn btn-teal save"><%- i18n('str', 'save') %></button>
     </div>
-    </form>
 </div>

frontend/js/app/user/form.js

@@ -19,7 +19,7 @@ module.exports = Mn.View.extend({
 
     events: {
 
-        'submit @ui.form': function (e) {
+        'click @ui.save': function (e) {
             e.preventDefault();
             this.ui.error.hide();
             let view = this;

frontend/js/i18n/messages.json

@@ -5,6 +5,7 @@
       "username": "Username",
       "password": "Password",
       "sign-in": "Sign in",
+      "sign-in-with": "Sign in with",
       "sign-out": "Sign out",
       "try-again": "Try again",
       "name": "Name",
@@ -290,7 +291,12 @@
       "default-site-404": "404 Page",
       "default-site-444": "No Response (444)",
       "default-site-html": "Custom Page",
-      "default-site-redirect": "Redirect"
+      "default-site-redirect": "Redirect",
+      "oidc-config": "Open ID Conncect Configuration",
+      "oidc-config-description": "Sign in to Nginx Proxy Manager with an external Identity Provider",
+      "oidc-not-configured": "Not configured",
+      "oidc-config-hint-1": "Provide configuration for an IdP that supports Open ID Connect Discovery.",
+      "oidc-config-hint-2": "The 'Redirect URL' must be set to '[base URL]/api/oidc/callback', the IdP must send the 'email' claim and a user with matching email address must exist in Nginx Proxy Manager."
     }
   }
 }

frontend/js/login/ui/login.ejs

@@ -5,7 +5,7 @@
                 <div class="card-body p-6">
                     <div class="container">
                         <div class="row">
-                            <div class="col-sm-12 col-md-6">
+                            <div class="col-sm-12 col-md-6 margin-auto">
                                 <div class="text-center p-6">
                                     <img src="/images/logo-text-vertical-grey.png" alt="Logo" />
                                     <div class="text-center text-muted mt-5">
@@ -17,15 +17,22 @@
                                 <div class="card-title"><%- i18n('login', 'title') %></div>
                                 <div class="form-group">
                                     <label class="form-label"><%- i18n('str', 'email-address') %></label>
-                                    <input name="identity" type="email" class="form-control" placeholder="<%- i18n('str', 'email-address') %>" required autofocus>
+                                    <input name="identity" type="email" class="form-control" placeholder="<%- i18n('str', 'email-address') %>" data-cy="identity" required autofocus>
                                 </div>
                                 <div class="form-group">
                                     <label class="form-label"><%- i18n('str', 'password') %></label>
-                                    <input name="secret" type="password" class="form-control" placeholder="<%- i18n('str', 'password') %>" required>
-                                    <div class="invalid-feedback secret-error"></div>
+                                    <input name="secret" type="password" class="form-control" placeholder="<%- i18n('str', 'password') %>" data-cy="password" required>
+                                    <div class="invalid-feedback secret-error" data-cy="password-error"></div>
                                 </div>
                                 <div class="form-footer">
-                                    <button type="submit" class="btn btn-teal btn-block"><%- i18n('str', 'sign-in') %></button>
+                                    <button type="submit" class="btn btn-teal btn-block" data-cy="sign-in"><%- i18n('str', 'sign-in') %></button>
+                                </div>
+                                <div class="form-footer login-oidc">
+                                    <div class="separator"><slot>OR</slot></div>
+                                    <button type="button" id="login-oidc" class="btn btn-teal btn-block" data-cy="oidc-login">
+                                        <%- i18n('str', 'sign-in-with') %> <span class="oidc-provider"></span>
+                                    </button>
+                                    <div class="invalid-feedback oidc-error"></div>
                                 </div>
                             </div>
                         </div>

frontend/js/login/ui/login.js

@@ -3,6 +3,7 @@ const Mn       = require('backbone.marionette');
 const template = require('./login.ejs');
 const Api      = require('../../app/api');
 const i18n     = require('../../app/i18n');
+const Tokens   = require('../../app/tokens');
 
 module.exports = Mn.View.extend({
     template:  template,
@@ -13,7 +14,11 @@ module.exports = Mn.View.extend({
         identity:     'input[name="identity"]',
         secret:       'input[name="secret"]',
         error:        '.secret-error',
-        button:   'button'
+        button:       'button[type=submit]',
+        oidcLogin:    'div.login-oidc',
+        oidcButton:   'button#login-oidc',
+        oidcError:    '.oidc-error',
+        oidcProvider: 'span.oidc-provider'
     },
 
     events: {
@@ -26,10 +31,56 @@ module.exports = Mn.View.extend({
                 .then(() => {
                     window.location = '/';
                 })
-                .catch(err => {
+                .catch((err) => {
                     this.ui.error.text(err.message).show();
                     this.ui.button.removeClass('btn-loading').prop('disabled', false);
                 });
+        },
+        'click @ui.oidcButton': function() {
+            this.ui.identity.prop('disabled', true);
+            this.ui.secret.prop('disabled', true);
+            this.ui.button.prop('disabled', true);
+            this.ui.oidcButton.addClass('btn-loading').prop('disabled', true);
+            // redirect to initiate oauth flow
+            document.location.replace('/api/oidc/');
+        },
+    },
+
+    async onRender() {
+        // read oauth callback state cookies
+        let cookies = document.cookie.split(';'),
+            token, expiry, error;
+        for (cookie of cookies) {
+            let   raw = cookie.split('='),
+                 name = raw[0].trim(),
+                value = raw[1];
+            if (name === 'npm_oidc') {
+                let v  = value.split('---');
+                token  = v[0];
+                expiry = v[1];
+            }
+            if (name === 'npm_oidc_error') {
+                error = decodeURIComponent(value);
+            }
+        }
+
+        // register a newly acquired jwt token following successful oidc authentication
+        if (token && expiry && (new Date(Date.parse(decodeURIComponent(expiry)))) > new Date() ) {
+            Tokens.addToken(token);
+            document.location.replace('/');
+        }
+
+        // show error message following a failed oidc authentication
+        if (error) {
+            this.ui.oidcError.html(error);
+        }
+
+        // fetch oidc configuration and show alternative action button if enabled
+        let response = await Api.Settings.getById('oidc-config');
+        if (response && response.meta && response.meta.enabled === true) {
+            this.ui.oidcProvider.html(response.meta.name);
+            this.ui.oidcLogin.show();
+            this.ui.oidcError.show();
         }
     },
 

frontend/scss/custom.scss

@@ -40,3 +40,33 @@ a:hover {
 .col-login {
     max-width: 48rem;
 }
+
+.margin-auto {
+    margin: auto;
+}
+
+.separator {
+    display: flex;
+    align-items: center;
+    text-align: center;
+    margin-bottom: 1em;
+}
+
+.separator::before, .separator::after {
+    content: "";
+    flex: 1 1 0%;
+    border-bottom: 1px solid #ccc;
+}
+
+.separator:not(:empty)::before {
+    margin-right: 0.5em;
+}
+
+.separator:not(:empty)::after {
+    margin-left: 0.5em;
+}
+
+.login-oidc {
+    display: none;
+    margin-top: 1em;
+}

frontend/yarn.lock

@@ -2648,9 +2648,9 @@ electron-to-chromium@^1.3.47:
   integrity sha512-67V62Z4CFOiAtox+o+tosGfVk0QX4DJgH609tjT8QymbJZVAI/jWnAthnr8c5hnRNziIRwkc9EMQYejiVz3/9Q==
 
 elliptic@^6.5.3, elliptic@^6.5.4:
-  version "6.6.0"
-  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.6.0.tgz#5919ec723286c1edf28685aa89261d4761afa210"
-  integrity sha512-dpwoQcLc/2WLQvJvLRHKZ+f9FgOdjnq11rurqwekGQygGPsYSK29OMMD2WalatiqQ+XGFDglTNixpPfI+lpaAA==
+  version "6.5.7"
+  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.7.tgz#8ec4da2cb2939926a1b9a73619d768207e647c8b"
+  integrity sha512-ESVCtTwiA+XhY3wyh24QqRGBoP3rEdDUl3EDUUo9tft074fi19IrdpH7hLCMMP3CIj7jb3W96rn8lt/BqIlt5Q==
   dependencies:
     bn.js "^4.11.9"
     brorand "^1.1.0"

global/certbot-dns-plugins.json

@@ -18,7 +18,7 @@
 	"aliyun": {
 		"name": "Aliyun",
 		"package_name": "certbot-dns-aliyun",
-		"version": "~=2.0.0",
+		"version": "~=0.38.1",
 		"dependencies": "",
 		"credentials": "dns_aliyun_access_key = 12345678\ndns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef",
 		"full_plugin_name": "dns-aliyun"
@@ -31,14 +31,6 @@
 		"credentials": "# This plugin supported API authentication using either Service Principals or utilizing a Managed Identity assigned to the virtual machine.\n# Regardless which authentication method used, the identity will need the “DNS Zone Contributor” role assigned to it.\n# As multiple Azure DNS Zones in multiple resource groups can exist, the config file needs a mapping of zone to resource group ID. Multiple zones -> ID mappings can be listed by using the key dns_azure_zoneX where X is a unique number. At least 1 zone mapping is required.\n\n# Using a service principal (option 1)\ndns_azure_sp_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5\ndns_azure_sp_client_secret = E-xqXU83Y-jzTI6xe9fs2YC~mck3ZzUih9\ndns_azure_tenant_id = ed1090f3-ab18-4b12-816c-599af8a88cf7\n\n# Using used assigned MSI (option 2)\n# dns_azure_msi_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5\n\n# Using system assigned MSI (option 3)\n# dns_azure_msi_system_assigned = true\n\n# Zones (at least one always required)\ndns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1\ndns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf2744622/resourceGroups/dns2",
 		"full_plugin_name": "dns-azure"
 	},
-	"beget": {
-		"name":"Beget",
-		"package_name": "certbot-beget-plugin",
-		"version": "~=1.0.0.dev9",
-		"dependencies": "",
-		"credentials": "# Beget API credentials used by Certbot\nbeget_plugin_username = username\nbeget_plugin_password = password",
-		"full_plugin_name": "beget-plugin"
-	},
 	"bunny": {
 		"name": "bunny.net",
 		"package_name": "certbot-dns-bunny",
@@ -255,14 +247,6 @@
 		"credentials": "dns_hetzner_api_token = 0123456789abcdef0123456789abcdef",
 		"full_plugin_name": "dns-hetzner"
 	},
-	"hostingnl": {
-		"name": "Hosting.nl",
-		"package_name": "certbot-dns-hostingnl",
-		"version": "~=0.1.5",
-		"dependencies": "",
-		"credentials": "dns_hostingnl_api_key = 0123456789abcdef0123456789abcdef",
-		"full_plugin_name": "dns-hostingnl"
-	},
 	"hover": {
 		"name": "Hover",
 		"package_name": "certbot-dns-hover",
@@ -418,7 +402,7 @@
 	"porkbun": {
 		"name": "Porkbun",
 		"package_name": "certbot-dns-porkbun",
-		"version": "~=0.9",
+		"version": "~=0.2",
 		"dependencies": "",
 		"credentials": "dns_porkbun_key=your-porkbun-api-key\ndns_porkbun_secret=your-porkbun-api-secret",
 		"full_plugin_name": "dns-porkbun"

scripts/.common.sh

@@ -11,7 +11,7 @@ YELLOW='\E[1;33m'
 export BLUE CYAN GREEN RED RESET YELLOW
 
 # Docker Compose
-COMPOSE_PROJECT_NAME="npm2dev"
+COMPOSE_PROJECT_NAME="npmdev"
 COMPOSE_FILE="docker/docker-compose.dev.yml"
 
 export COMPOSE_FILE COMPOSE_PROJECT_NAME

scripts/ci/fulltest-cypress

@@ -67,8 +67,6 @@ printf "nameserver %s\noptions ndots:0" "${DNSROUTER_IP}" > "${LOCAL_RESOLVE}"
 # bring up all remaining containers, except cypress!
 docker-compose up -d --remove-orphans stepca squid
 docker-compose pull db-mysql || true # ok to fail
-docker-compose pull db-postgres || true # ok to fail
-docker-compose pull authentik authentik-redis authentik-ldap || true # ok to fail
 docker-compose up -d --remove-orphans --pull=never fullstack
 
 # wait for main container to be healthy

scripts/start-dev

@@ -36,11 +36,12 @@ if hash docker-compose 2>/dev/null; then
 
 	# bring up all remaining containers, except cypress!
 	docker-compose up -d --remove-orphans stepca squid
-	docker-compose pull db db-postgres authentik-redis authentik authentik-worker authentik-ldap
-	docker-compose build --pull --parallel fullstack
-	docker-compose up -d --remove-orphans fullstack
+	docker-compose pull db
+	docker-compose up -d --remove-orphans --pull=never fullstack
 	docker-compose up -d --remove-orphans swagger
 
+	# docker-compose up -d --remove-orphans --force-recreate --build
+
 	# wait for main container to be healthy
 	bash "$DIR/wait-healthy" "$(docker-compose ps --all -q fullstack)" 120
 
@@ -52,10 +53,10 @@ if hash docker-compose 2>/dev/null; then
 
 	if [ "$1" == "-f" ]; then
 		echo -e "${BLUE}❯ ${YELLOW}Following Backend Container:${RESET}"
-		docker logs -f npm2dev.core
+		docker logs -f npm_core
 	else
 		echo -e "${YELLOW}Hint:${RESET} You can follow the output of some of the containers with:"
-		echo "  docker logs -f npm2dev.core"
+		echo "  docker logs -f npm_core"
 	fi
 else
 	echo -e "${RED}❯ docker-compose command is not available${RESET}"

test/cypress/e2e/api/Ldap.cy.js

@@ -1,64 +0,0 @@
-/// <reference types="cypress" />
-
-describe('LDAP with Authentik', () => {
-	let token;
-	if (Cypress.env('skipStackCheck') === 'true' || Cypress.env('stack') === 'postgres') {
-
-		before(() => {
-			cy.getToken().then((tok) => {
-				token = tok;
-
-				// cy.task('backendApiPut', {
-				// 	token: token,
-				// 	path:  '/api/settings/ldap-auth',
-				// 	data:  {
-				// 		value: {
-				// 			host: 'authentik-ldap:3389',
-				// 			base_dn: 'ou=users,DC=ldap,DC=goauthentik,DC=io',
-				// 			user_dn: 'cn={{USERNAME}},ou=users,DC=ldap,DC=goauthentik,DC=io',
-				// 			email_property: 'mail',
-				// 			name_property: 'sn',
-				// 			self_filter: '(&(cn={{USERNAME}})(ak-active=TRUE))',
-				// 			auto_create_user: true
-				// 		}
-				// 	}
-				// }).then((data) => {
-				// 	cy.validateSwaggerSchema('put', 200, '/settings/{name}', data);
-				// 	expect(data.result).to.have.property('id');
-				// 	expect(data.result.id).to.be.greaterThan(0);
-				// });
-
-				// cy.task('backendApiPut', {
-				// 	token: token,
-				// 	path:  '/api/settings/auth-methods',
-				// 	data:  {
-				// 		value: [
-				// 			'local',
-				// 			'ldap'
-				// 		]
-				// 	}
-				// }).then((data) => {
-				// 	cy.validateSwaggerSchema('put', 200, '/settings/{name}', data);
-				// 	expect(data.result).to.have.property('id');
-				// 	expect(data.result.id).to.be.greaterThan(0);
-				// });
-			});
-		});
-
-		it.skip('Should log in with LDAP', function() {
-			// cy.task('backendApiPost', {
-			// 	token: token,
-			// 	path:  '/api/auth',
-			// 	data:  {
-			// 		// Authentik LDAP creds:
-			// 		type: 'ldap',
-			// 		identity: 'cypress',
-			// 		secret: 'fqXBfUYqHvYqiwBHWW7f'
-			// 	}
-			// }).then((data) => {
-			// 	cy.validateSwaggerSchema('post', 200, '/auth', data);
-			// 	expect(data.result).to.have.property('token');
-			// });
-		});
-	}
-});

test/cypress/e2e/api/OAuth.cy.js

@@ -1,97 +0,0 @@
-/// <reference types="cypress" />
-
-describe('OAuth with Authentik', () => {
-	let token;
-	if (Cypress.env('skipStackCheck') === 'true' || Cypress.env('stack') === 'postgres') {
-
-		before(() => {
-			cy.getToken().then((tok) => {
-				token = tok;
-
-				// cy.task('backendApiPut', {
-				// 	token: token,
-				// 	path:  '/api/settings/oauth-auth',
-				// 	data:  {
-				// 		value: {
-				// 			client_id: '7iO2AvuUp9JxiSVkCcjiIbQn4mHmUMBj7yU8EjqU',
-				// 			client_secret: 'VUMZzaGTrmXJ8PLksyqzyZ6lrtz04VvejFhPMBP9hGZNCMrn2LLBanySs4ta7XGrDr05xexPyZT1XThaf4ubg00WqvHRVvlu4Naa1aMootNmSRx3VAk6RSslUJmGyHzq',
-				// 			authorization_url: 'http://authentik:9000/application/o/authorize/',
-				// 			resource_url: 'http://authentik:9000/application/o/userinfo/',
-				// 			token_url: 'http://authentik:9000/application/o/token/',
-				// 			logout_url: 'http://authentik:9000/application/o/npm/end-session/',
-				// 			identifier: 'preferred_username',
-				// 			scopes: [],
-				// 			auto_create_user: true
-				// 		}
-				// 	}
-				// }).then((data) => {
-				// 	cy.validateSwaggerSchema('put', 200, '/settings/{name}', data);
-				// 	expect(data.result).to.have.property('id');
-				// 	expect(data.result.id).to.be.greaterThan(0);
-				// });
-
-				// cy.task('backendApiPut', {
-				// 	token: token,
-				// 	path:  '/api/settings/auth-methods',
-				// 	data:  {
-				// 		value: [
-				// 			'local',
-				// 			'oauth'
-				// 		]
-				// 	}
-				// }).then((data) => {
-				// 	cy.validateSwaggerSchema('put', 200, '/settings/{name}', data);
-				// 	expect(data.result).to.have.property('id');
-				// 	expect(data.result.id).to.be.greaterThan(0);
-				// });
-			});
-		});
-
-		it.skip('Should log in with OAuth', function() {
-			// cy.task('backendApiGet', {
-			// 	path:  '/oauth/login?redirect_base=' + encodeURI(Cypress.config('baseUrl')),
-			// }).then((data) => {
-			// 	expect(data).to.have.property('result');
-
-			// 	cy.origin('http://authentik:9000', {args: data.result}, (url) => {
-			// 		cy.visit(url);
-			// 		cy.get('ak-flow-executor')
-			// 		.shadow()
-			// 		.find('ak-stage-identification')
-			// 		.shadow()
-			// 		.find('input[name="uidField"]', { visible: true })
-			// 		.type('cypress');
-
-			// 	cy.get('ak-flow-executor')
-			// 		.shadow()
-			// 		.find('ak-stage-identification')
-			// 		.shadow()
-			// 		.find('button[type="submit"]', { visible: true })
-			// 		.click();
-
-			// 	cy.get('ak-flow-executor')
-			// 		.shadow()
-			// 		.find('ak-stage-password')
-			// 		.shadow()
-			// 		.find('input[name="password"]', { visible: true })
-			// 		.type('fqXBfUYqHvYqiwBHWW7f');
-
-			// 	cy.get('ak-flow-executor')
-			// 		.shadow()
-			// 		.find('ak-stage-password')
-			// 		.shadow()
-			// 		.find('button[type="submit"]', { visible: true })
-			// 		.click();
-			// 	})
-
-			// 	// we should be logged in
-			// 	cy.get('#root p.chakra-text')
-			// 		.first()
-			// 		.should('have.text', 'Nginx Proxy Manager');
-
-			// 	// logout:
-			// 	cy.clearLocalStorage();
-			// });
-		});
-	}
-});

test/cypress/e2e/api/Settings.cy.js

@@ -19,6 +19,51 @@ describe('Settings endpoints', () => {
 		});
 	});
 
+	it('Get oidc-config setting', function() {
+		cy.task('backendApiGet', {
+			token: token,
+			path:  '/api/settings/oidc-config',
+		}).then((data) => {
+			cy.validateSwaggerSchema('get', 200, '/settings/{settingID}', data);
+			expect(data).to.have.property('id');
+			expect(data.id).to.be.equal('oidc-config');
+		});
+	});
+
+	it('OIDC settings can be updated', function() {
+		cy.task('backendApiPut', {
+			token: token,
+			path:  '/api/settings/oidc-config',
+			data: {
+				meta: {
+					name: 'Some OIDC Provider',
+					clientID: 'clientID',
+					clientSecret: 'clientSecret',
+					issuerURL: 'https://oidc.example.com',
+					redirectURL: 'https://redirect.example.com/api/oidc/callback',
+					enabled: true,
+				}
+			},
+		}).then((data) => {
+			cy.validateSwaggerSchema('put', 200, '/settings/{settingID}', data);
+			expect(data).to.have.property('id');
+			expect(data.id).to.be.equal('oidc-config');
+			expect(data).to.have.property('meta');
+			expect(data.meta).to.have.property('name');
+			expect(data.meta.name).to.be.equal('Some OIDC Provider');
+			expect(data.meta).to.have.property('clientID');
+			expect(data.meta.clientID).to.be.equal('clientID');
+			expect(data.meta).to.have.property('clientSecret');
+			expect(data.meta.clientSecret).to.be.equal('clientSecret');
+			expect(data.meta).to.have.property('issuerURL');
+			expect(data.meta.issuerURL).to.be.equal('https://oidc.example.com');
+			expect(data.meta).to.have.property('redirectURL');
+			expect(data.meta.redirectURL).to.be.equal('https://redirect.example.com/api/oidc/callback');
+			expect(data.meta).to.have.property('enabled');
+			expect(data.meta.enabled).to.be.true;
+		});
+	});
+
 	it('Get default-site setting', function() {
 		cy.task('backendApiGet', {
 			token: token,

test/cypress/e2e/ui/Login.cy.js

@@ -0,0 +1,185 @@
+/// <reference types="cypress" />
+
+import {TEST_USER_EMAIL, TEST_USER_NICKNAME, TEST_USER_PASSWORD} from "../../support/constants";
+
+describe('Login', () => {
+    beforeEach(() => {
+        // Clear all cookies and local storage so we start fresh
+        cy.clearCookies();
+        cy.clearLocalStorage();
+    });
+
+    describe('when OIDC is not enabled', () => {
+        beforeEach(() => {
+            cy.configureOidc(false);
+            cy.visit('/');
+        })
+
+        it('should show the login form', () => {
+            cy.get('input[data-cy="identity"]').should('exist');
+            cy.get('input[data-cy="password"]').should('exist');
+            cy.get('button[data-cy="sign-in"]').should('exist');
+        });
+
+        it('should NOT show the button to sign in with an identity provider', () => {
+            cy.get('button[data-cy="oidc-login"]').should('not.exist');
+        });
+
+        describe('logging in with a username and password', () => {
+            // These tests are duplicated below. The difference is that OIDC is disabled here.
+            beforeEach(() => {
+                // Delete and recreate the test user
+                cy.deleteTestUser();
+                cy.createTestUser();
+            });
+
+            it('should log the user in when the credentials are correct', () => {
+                // Fill in the form with the test user's email and the correct password
+                cy.get('input[data-cy="identity"]').type(TEST_USER_EMAIL);
+                cy.get('input[data-cy="password"]').type(TEST_USER_PASSWORD);
+
+                // Intercept the POST request to /api/tokens, so we can wait for it to complete before proceeding
+                cy.intercept('POST', '/api/tokens').as('login');
+
+                // Click the sign-in button
+                cy.get('button[data-cy="sign-in"]').click();
+                cy.wait('@login');
+
+                // Expect a 200 from the backend
+                cy.get('@login').its('response.statusCode').should('eq', 200);
+
+                // Expect the user to be redirected to the dashboard with a welcome message
+                cy.get('h1[data-cy="page-title"]').should('contain.text', `Hi ${TEST_USER_NICKNAME}`);
+            });
+
+            it('should show an error message if the password is incorrect', () => {
+                // Fill in the form with the test user's email and an incorrect password
+                cy.get('input[data-cy="identity"]').type(TEST_USER_EMAIL);
+                cy.get('input[data-cy="password"]').type(`${TEST_USER_PASSWORD}_obviously_not_correct`);
+
+                // Intercept the POST request to /api/tokens, so we can wait for it to complete before checking the error message
+                cy.intercept('POST', '/api/tokens').as('login');
+
+                // Click the sign-in button
+                cy.get('button[data-cy="sign-in"]').click();
+                cy.wait('@login');
+
+                // Expect a 401 from the backend
+                cy.get('@login').its('response.statusCode').should('eq', 401);
+                // Expect an error message on the UI
+                cy.get('div[data-cy="password-error"]').should('contain.text', 'Invalid password');
+            });
+
+            it('should show an error message if the email is incorrect', () => {
+                // Fill in the form with the test user's email and an incorrect password
+                cy.get('input[data-cy="identity"]').type(`definitely_not_${TEST_USER_EMAIL}`);
+                cy.get('input[data-cy="password"]').type(TEST_USER_PASSWORD);
+
+                // Intercept the POST request to /api/tokens, so we can wait for it to complete before checking the error message
+                cy.intercept('POST', '/api/tokens').as('login');
+
+                // Click the sign-in button
+                cy.get('button[data-cy="sign-in"]').click();
+                cy.wait('@login');
+
+                // Expect a 401 from the backend
+                cy.get('@login').its('response.statusCode').should('eq', 401);
+                // Expect an error message on the UI
+                cy.get('div[data-cy="password-error"]').should('contain.text', 'No relevant user found');
+            });
+        });
+    });
+
+    describe('when OIDC is enabled', () => {
+        beforeEach(() => {
+            cy.configureOidc(true);
+            cy.visit('/');
+        });
+
+        it('should show the login form', () => {
+            cy.get('input[data-cy="identity"]').should('exist');
+            cy.get('input[data-cy="password"]').should('exist');
+            cy.get('button[data-cy="sign-in"]').should('exist');
+        });
+
+        it('should show the button to sign in with the configured identity provider', () => {
+            cy.get('button[data-cy="oidc-login"]').should('exist');
+            cy.get('button[data-cy="oidc-login"]').should('contain.text', 'Sign in with ACME OIDC Provider');
+        });
+
+        describe('logging in with a username and password', () => {
+            // These tests are the same as the ones above, but we need to repeat them here because the OIDC configuration
+            beforeEach(() => {
+                // Delete and recreate the test user
+                cy.deleteTestUser();
+                cy.createTestUser();
+            });
+
+            it('should log the user in when the credentials are correct', () => {
+                // Fill in the form with the test user's email and the correct password
+                cy.get('input[data-cy="identity"]').type(TEST_USER_EMAIL);
+                cy.get('input[data-cy="password"]').type(TEST_USER_PASSWORD);
+
+                // Intercept the POST request to /api/tokens, so we can wait for it to complete before proceeding
+                cy.intercept('POST', '/api/tokens').as('login');
+
+                // Click the sign-in button
+                cy.get('button[data-cy="sign-in"]').click();
+                cy.wait('@login');
+
+                // Expect a 200 from the backend
+                cy.get('@login').its('response.statusCode').should('eq', 200);
+
+                // Expect the user to be redirected to the dashboard with a welcome message
+                cy.get('h1[data-cy="page-title"]').should('contain.text', `Hi ${TEST_USER_NICKNAME}`);
+
+            });
+
+            it('should show an error message if the password is incorrect', () => {
+                // Fill in the form with the test user's email and an incorrect password
+                cy.get('input[data-cy="identity"]').type(TEST_USER_EMAIL);
+                cy.get('input[data-cy="password"]').type(`${TEST_USER_PASSWORD}_obviously_not_correct`);
+
+                // Intercept the POST request to /api/tokens, so we can wait for it to complete before checking the error message
+                cy.intercept('POST', '/api/tokens').as('login');
+
+                // Click the sign-in button
+                cy.get('button[data-cy="sign-in"]').click();
+                cy.wait('@login');
+
+                // Expect a 401 from the backend
+                cy.get('@login').its('response.statusCode').should('eq', 401);
+                // Expect an error message on the UI
+                cy.get('div[data-cy="password-error"]').should('contain.text', 'Invalid password');
+            });
+
+            it('should show an error message if the email is incorrect', () => {
+                // Fill in the form with the test user's email and an incorrect password
+                cy.get('input[data-cy="identity"]').type(`definitely_not_${TEST_USER_EMAIL}`);
+                cy.get('input[data-cy="password"]').type(TEST_USER_PASSWORD);
+
+                // Intercept the POST request to /api/tokens, so we can wait for it to complete before checking the error message
+                cy.intercept('POST', '/api/tokens').as('login');
+
+                // Click the sign-in button
+                cy.get('button[data-cy="sign-in"]').click();
+                cy.wait('@login');
+
+                // Expect a 401 from the backend
+                cy.get('@login').its('response.statusCode').should('eq', 401);
+                // Expect an error message on the UI
+                cy.get('div[data-cy="password-error"]').should('contain.text', 'No relevant user found');
+            });
+        });
+
+        describe('logging in with OIDC', () => {
+           beforeEach(() => {
+                // Delete and recreate the test user
+                cy.deleteTestUser();
+                cy.createTestUser();
+           });
+
+           // TODO: Create a dummy OIDC provider that we can use for testing so we can test this fully.
+        });
+    });
+});

test/cypress/support/commands.js

@@ -10,6 +10,13 @@
 //
 
 import 'cypress-wait-until';
+import {
+	DEFAULT_ADMIN_EMAIL,
+	DEFAULT_ADMIN_PASSWORD,
+	TEST_USER_EMAIL,
+	TEST_USER_NAME,
+	TEST_USER_NICKNAME, TEST_USER_PASSWORD
+} from "./constants";
 
 Cypress.Commands.add('randomString', (length) => {
 	var result           = '';
@@ -40,13 +47,118 @@ Cypress.Commands.add('validateSwaggerSchema', (method, code, path, data) => {
 	}).should('equal', null);
 });
 
+/**
+ * Configure OIDC settings in the backend, so we can test scenarios around OIDC being enabled or disabled.
+ */
+Cypress.Commands.add('configureOidc', (enabled) => {
+	cy.getToken().then((token) => {
+		if (enabled) {
+			cy.task('backendApiPut', {
+				token: token,
+				path: '/api/settings/oidc-config',
+				data: {
+					meta: {
+						name: 'ACME OIDC Provider',
+						clientID: 'clientID',
+						clientSecret: 'clientSecret',
+						// TODO: Create dummy OIDC provider for testing
+						issuerURL: 'https://oidc.example.com',
+						redirectURL: 'https://redirect.example.com/api/oidc/callback',
+						enabled: true,
+					}
+				},
+			})
+		} else {
+			cy.task('backendApiPut', {
+				token: token,
+				path: '/api/settings/oidc-config',
+				data: {
+					meta: {
+						name: '',
+						clientID: '',
+						clientSecret: '',
+						issuerURL: '',
+						redirectURL: '',
+						enabled: false,
+					}
+				},
+			})
+		}
+	});
+});
+
+/**
+ * Create a new user in the backend for testing purposes.
+ *
+ * The created user will have a name, nickname, email, and password as defined in the constants file (TEST_USER_*).
+ *
+ * @param {boolean} withPassword Whether to create the user with a password or not (default: true)
+ */
+Cypress.Commands.add('createTestUser', (withPassword) => {
+	if (withPassword === undefined) {
+		withPassword = true;
+	}
+
+	cy.getToken().then((token) => {
+		cy.task('backendApiPost', {
+			token: token,
+			path: '/api/users',
+			data: {
+				name: TEST_USER_NAME,
+				nickname: TEST_USER_NICKNAME,
+				email: TEST_USER_EMAIL,
+				roles: ['admin'],
+				is_disabled: false,
+				auth: withPassword ? {
+					type: 'password',
+					secret: TEST_USER_PASSWORD
+				} : {}
+			}
+		})
+	});
+});
+
+
+/**
+ * Delete the test user from the backend.
+ * The test user is identified by the email address defined in the constants file (TEST_USER_EMAIL).
+ *
+ * This command will only attempt to delete the test user if it exists.
+ */
+Cypress.Commands.add('deleteTestUser', () => {
+	cy.getToken().then((token) => {
+		cy.task('backendApiGet', {
+			token: token,
+			path: '/api/users',
+		}).then((data) => {
+			// Find the test user
+			const testUser = data.find(user => user.email === TEST_USER_EMAIL);
+
+			// If the test user doesn't exist, we don't need to delete it
+			if (!testUser) {
+				return;
+			}
+
+			// Delete the test user
+			cy.task('backendApiDelete', {
+				token: token,
+				path: `/api/users/${testUser.id}`,
+			});
+		});
+	});
+});
+
+/**
+ * Get a new token from the backend.
+ * The token will be created using the default admin email and password defined in the constants file (DEFAULT_ADMIN_*).
+ */
 Cypress.Commands.add('getToken', () => {
 	// login with existing user
 	cy.task('backendApiPost', {
 		path: '/api/tokens',
 		data: {
-			identity: 'admin@example.com',
-			secret:   'changeme'
+			identity: DEFAULT_ADMIN_EMAIL,
+			secret: DEFAULT_ADMIN_PASSWORD
 		}
 	}).then(res => {
 		cy.wrap(res.token);

test/cypress/support/constants.js

@@ -0,0 +1,16 @@
+// Description: Constants used in the tests.
+
+/**
+ *  The default admin user is used to get tokens from the backend API to make requests.
+ *  It is also used to create the test user.
+ */
+export const DEFAULT_ADMIN_EMAIL = Cypress.env('DEFAULT_ADMIN_EMAIL') || 'admin@example.com';
+export const DEFAULT_ADMIN_PASSWORD =  Cypress.env('DEFAULT_ADMIN_PASSWORD') || 'changeme';
+
+/**
+ * The test user is created and deleted by the tests using `cy.createTestUser()` and `cy.deleteTestUser()`.
+ */
+export const TEST_USER_NAME = 'Robert Ross';
+export const TEST_USER_NICKNAME = 'Bob';
+export const TEST_USER_EMAIL = 'bob@ross.com';
+export const TEST_USER_PASSWORD = 'changeme';

test/yarn.lock

@@ -132,9 +132,9 @@
   integrity sha512-BsWiH1yFGjXXS2yvrf5LyuoSIIbPrGUWob917o+BTKuZ7qJdxX8aJLRxs1fS9n6r7vESrq1OUqb68dANcFXuQQ==
 
 "@eslint/plugin-kit@^0.2.0":
-  version "0.2.3"
-  resolved "https://registry.yarnpkg.com/@eslint/plugin-kit/-/plugin-kit-0.2.3.tgz#812980a6a41ecf3a8341719f92a6d1e784a2e0e8"
-  integrity sha512-2b/g5hRmpbb1o4GnTZax9N9m0FXzz9OV42ZzI4rDDMDuHUqigAiQCEWChBWCY4ztAGVRjoWT19v0yMmc5/L5kA==
+  version "0.2.0"
+  resolved "https://registry.yarnpkg.com/@eslint/plugin-kit/-/plugin-kit-0.2.0.tgz#8712dccae365d24e9eeecb7b346f85e750ba343d"
+  integrity sha512-vH9PiIMMwvhCx31Af3HiGzsVNULDbyVkHXwlemn/B0TFj/00ho3y55efXrUZTfQipxoHC5u4xq6zblww1zm1Ig==
   dependencies:
     levn "^0.4.1"
 
@@ -628,9 +628,9 @@ core-util-is@1.0.2:
   integrity sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=
 
 cross-spawn@^7.0.0, cross-spawn@^7.0.2:
-  version "7.0.6"
-  resolved "https://registry.yarnpkg.com/cross-spawn/-/cross-spawn-7.0.6.tgz#8a58fe78f00dcd70c370451759dfbfaf03e8ee9f"
-  integrity sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==
+  version "7.0.3"
+  resolved "https://registry.yarnpkg.com/cross-spawn/-/cross-spawn-7.0.3.tgz#f73a85b9d5d41d045551c177e2882d4ac85728a6"
+  integrity sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==
   dependencies:
     path-key "^3.1.0"
     shebang-command "^2.0.0"