mirror of https://github.com/mealie-recipes/mealie.git synced 2025-07-19 21:29:40 +02:00
mealie/frontend/schemes/DynamicOpenIDConnectScheme.js


feat: Login with OAuth via OpenID Connect (OIDC) (#3280) * initial oidc implementation * add dynamic scheme * e2e test setup * add caching * fix * try this * add libldap-2.5 to runtime dependencies (#2849) * New translations en-us.json (Norwegian) (#2851) * New Crowdin updates (#2855) * New translations en-us.json (Italian) * New translations en-us.json (Norwegian) * New translations en-us.json (Portuguese) * fix * remove cache * cache yarn deps * cache docker image * cleanup action * lint * fix tests * remove not needed variables * run code gen * fix tests * add docs * move code into custom scheme * remove unneeded type * fix oidc admin * add more tests * add better spacing on login page * create auth providers * clean up testing stuff * type fixes * add OIDC auth method to postgres enum * add option to bypass login screen and go directly to iDP * remove check so we can fallback to another auth method oauth fails * Add provider name to be shown at the login screen * add new properties to admin about api * fix spec * add a prompt to change auth method when changing password * Create new auth section. Add more info on auth methods * update docs * run ruff * update docs * format * docs gen * formatting * initialize logger in class * mypy type fixes * docs gen * add models to get proper fields in docs and fix serialization * validate id token before using it * only request a mealie token on initial callback * remove unused method * fix unit tests * docs gen * check for valid idToken before getting token * add iss to mealie token * check to see if we already have a mealie token before getting one * fix lock file * update authlib * update lock file * add remember me environment variable * add user group setting to allow only certain groups to log in --------- Co-authored-by: Carter Mintey <cmintey8@gmail.com> Co-authored-by: Carter <35710697+cmintey@users.noreply.github.com>
2024-03-10 13:51:36 -05:00
import jwtDecode from "jwt-decode"
import { ConfigurationDocument, OpenIDConnectScheme } from "~auth/runtime"
/**
* Custom Scheme that dynamically gets the OpenID Connect configuration from the backend.
* This is needed because the SPA frontend does not have access to runtime environment variables.
*/
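export default class DynamicOpenIDConnectScheme extends OpenIDConnectScheme {
  /**
   * Loads the OIDC settings from the backend, then defers to the parent
   * scheme's mount logic.
   *
   * The configuration document is re-created after getConfiguration() has run,
   * presumably so that it is built from the backend-supplied endpoint
   * (NOTE(review): confirm against ConfigurationDocument).
   *
   * @returns {Promise<*>} Whatever the parent scheme's mounted() resolves to.
   */
  async mounted() {
    await this.getConfiguration();

    // The requested scopes are fixed here, not taken from the backend response.
    this.options.scope = ["openid", "profile", "email", "groups"];
    this.configurationDocument = new ConfigurationDocument(this, this.$auth.$storage);

    // eslint-disable-next-line @typescript-eslint/no-unsafe-return
    return await super.mounted();
  }

  /**
   * Fetches the current user from the backend and stores it on $auth.
   * Does nothing when check() reports the session as not valid.
   *
   * @returns {Promise<void>}
   */
  async fetchUser() {
    const { valid } = this.check();
    if (!valid) {
      return;
    }

    const { data } = await this.$auth.requestWith(this.name, {
      url: "/api/users/self",
    });
    this.$auth.setUser(data);
  }

  /**
   * Runs the parent callback handling, then exchanges the result for a Mealie
   * token via updateAccessToken().
   *
   * @returns {Promise<*>} The value returned by the parent _handleCallback().
   */
  async _handleCallback() {
    // A stored Mealie token is sometimes sent along with the callback request to
    // the IdP, which causes an error there, so any stored token is cleared first.
    if (this.token.get()) {
      this.token.reset();
    }

    const redirect = await super._handleCallback();
    await this.updateAccessToken();

    // eslint-disable-next-line @typescript-eslint/no-unsafe-return
    return redirect;
  }

  /**
   * Requests a Mealie token from POST /api/auth/token and stores it through
   * updateTokens().
   *
   * Skipped when idToken.sync() yields nothing, or when the stored token
   * already looks like a Mealie token (see isValidMealieToken()). Any failure
   * of the request sends the browser to /login?direct=1, unless it is already
   * on that page.
   *
   * @returns {Promise<void>}
   */
  async updateAccessToken() {
    if (!this.idToken.sync()) {
      return;
    }
    if (this.isValidMealieToken()) {
      return;
    }

    try {
      const response = await this.$auth.requestWith(this.name, {
        url: "/api/auth/token",
        method: "post",
      });
      // Replace the stored tokens with the Mealie token from the backend.
      this.updateTokens(response);
    } catch {
      // Every failure (network error, rejected exchange, ...) is handled the
      // same way. The check below keeps the page from reloading itself when it
      // is already the direct login page.
      const currentUrl = new URL(window.location.href);
      const onDirectLogin =
        currentUrl.pathname === "/login" && currentUrl.searchParams.has("direct");
      if (!onDirectLogin) {
        window.location.replace("/login?direct=1");
      }
    }
  }

  /**
   * Tells whether the stored token is a non-expired token issued by Mealie.
   *
   * This is a routing hint, not an authenticity check: jwt-decode only decodes
   * the payload and does not verify the signature, so the `iss` claim read here
   * is whatever the stored token says. The decision to accept a token must
   * stay with the backend.
   *
   * @returns {boolean} true when the token status is valid and its `iss` claim
   *   is exactly "mealie"; false otherwise, including when decoding fails.
   */
  isValidMealieToken() {
    if (!this.token.status().valid()) {
      return false;
    }

    let iss = null;
    try {
      // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
      iss = jwtDecode(this.token.get()).iss;
    } catch {
      // A token that cannot be decoded is treated as "not a Mealie token".
    }
    return iss === "mealie";
  }

  /**
   * Reads the OIDC configuration URL and client id from the backend and copies
   * them into this scheme's options.
   *
   * The lookup is best-effort: on a network error, a non-OK status or an
   * unparsable body the options are left as they were. Both values decide
   * which identity provider the browser is sent to, so they are only taken
   * from a successful response of the same-origin backend endpoint.
   *
   * @returns {Promise<void>}
   */
  async getConfiguration() {
    const route = "/api/app/about/oidc";
    try {
      const response = await fetch(route);
      // Do not treat the JSON body of an error response as OIDC settings;
      // that would overwrite the options with undefined values.
      if (!response.ok) {
        return;
      }
      const data = await response.json();
      this.options.endpoints.configuration = data.configurationUrl;
      this.options.clientId = data.clientId;
    } catch {
      // Deliberately ignored: without backend settings the options stay untouched.
    }
  }
}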