Updated Discord Authentication Module to allow optionally filtering based on Server Roles.

.gitignore

@@ -47,3 +47,4 @@ test-results/
 
 # Localization Resources
 /server/locales/**/*.yml
+yarn.lock

package.json

@@ -70,6 +70,7 @@
     "dependency-graph": "0.11.0",
     "diff": "4.0.2",
     "diff2html": "3.1.14",
+    "discord-oauth2": "2.11.0",
     "dompurify": "2.4.3",
     "dotize": "0.3.0",
     "elasticsearch6": "npm:@elastic/elasticsearch@6",

server/helpers/error.js

@@ -73,6 +73,10 @@ module.exports = {
     message: 'You are not authorized to register. Your domain is not whitelisted.',
     code: 1011
   }),
+  AuthDiscordRoleUnauthorized: CustomError('AuthDiscordRoleUnauthorized', {
+    message: 'You are not authorized to register. You lack the necessary Server Roles.',
+    code: 1012
+  }),
   AuthRequired: CustomError('AuthRequired', {
     message: 'You must be authenticated to access this resource.',
     code: 1019

server/modules/authentication/discord/authentication.js

@@ -6,6 +6,18 @@
 
 const DiscordStrategy = require('passport-discord').Strategy
 const _ = require('lodash')
+const DiscordOauth2 = require('./node_modules/discord-oauth2/index.js') //I don't remember why I 
+
+// Checks for the existence of all of the required role IDs in the member's guild role IDs.
+function hasRoles(memberRoles, authRoles) {
+  if (authRoles.every(value => {
+    return memberRoles.includes(value)
+  })) {
+    return true
+  } else {
+    return false
+  }
+};
 
 module.exports = {
   init (passport, conf) {
@@ -19,9 +31,16 @@ module.exports = {
         passReqToCallback: true
       }, async (req, accessToken, refreshToken, profile, cb) => {
         try {
-          if (conf.guildId && !_.some(profile.guilds, { id: conf.guildId })) {
+          if (conf.roles) {
+            const discord = new DiscordOauth2()
+            const memberRoles = await discord.getGuildMember(accessToken, conf.guildId)
+            if (!hasRoles(memberRoles.roles, conf.roles.split())) {
+              throw new WIKI.Error.AuthLoginFailed()
+            }
+          } else if (conf.guildId && !_.some(profile.guilds, { id: conf.guildId })) {
             throw new WIKI.Error.AuthLoginFailed()
           }
+
           const user = await WIKI.models.users.processProfile({
             providerKey: req.params.strategy,
             profile: {

server/modules/authentication/discord/definition.yml

@@ -23,3 +23,8 @@ props:
     title: Server ID
     hint: Optional - Your unique server identifier, such that only members are authorized
     order: 3
+  roles:
+    type: String
+    title: Required Roles
+    hint: Optional - Comma-separated list of server role IDs that are required for access (you must hae a Server ID configured to use this.)
+    order: 4

server/modules/authentication/discord/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "wikijs-discord-oauth2",
+  "version": "1.0.0",
+  "description": "Supports using Discord as a SSO source, and allows the administrator to configure discord groups that are required for authentication.",
+  "main": "authentication.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [
+    "wikijs",
+    "discord",
+    "sso"
+  ],
+  "author": "Tom Dakan",
+  "license": "AGPL-3.0-or-later",
+  "dependencies": {
+    "discord-oauth2": "^2.11.0"
+  }
+}

yarn.lock

@@ -8490,6 +8490,11 @@ dir-glob@^3.0.1:
   dependencies:
     path-type "^4.0.0"
 
+discord-oauth2@2.11.0:
+  version "2.11.0"
+  resolved "https://registry.yarnpkg.com/discord-oauth2/-/discord-oauth2-2.11.0.tgz#799acc6777a216f8fbbf72d5ea29086eb4303f85"
+  integrity sha512-pIbgXm498f7vqNd8/7JwoLd36YMFOFASSJdqyCGdwQpaG7ULHu9nLyifpVXI1b88xvNLqQwqugS8jxkn8Ypd1Q==
+
 doctrine@1.5.0:
   version "1.5.0"
   resolved "https://registry.yarnpkg.com/doctrine/-/doctrine-1.5.0.tgz#379dce730f6166f76cefa4e6707a159b02c5a6fa"