Feature: Add "Authentication Method" to allow existing users to sign in with LDAP (#2143)

* adds authentication method for users * fix db migration with postgres * tests for auth method * update migration ids * hide auth method on user creation form * (docs): Added documentation for the new authentication method * update migration * add to auto-form instead of having hidden fields
2025-08-04 21:15:22 +02:00 · 2023-02-26 13:12:16 -06:00 · 2023-02-26 13:12:16 -06:00 · 2e6ad5da8e
commit 2e6ad5da8e
parent 39012adcc1
24 changed files with 213 additions and 24 deletions
--- a/tests/fixtures/fixture_users.py
+++ b/tests/fixtures/fixture_users.py
@ -3,6 +3,9 @@ from typing import Generator

 from pytest import fixture
 from starlette.testclient import TestClient
+from mealie.db.db_setup import session_context
+from mealie.db.models.users.users import AuthMethod
+from mealie.repos.all_repositories import get_repositories

 from tests import utils
 from tests.utils import api_routes
@ -181,3 +184,25 @@ def user_token(admin_token, api_client: TestClient):
    # Log in as this user
    form_data = {"username": create_data["email"], "password": "useruser"}
    return utils.login(form_data, api_client)
+
+
+@fixture(scope="module")
+def ldap_user():
+    # Create an LDAP user directly instead of using TestClient since we don't have
+    # a LDAP service set up
+    with session_context() as session:
+        db = get_repositories(session)
+        user = db.users.create(
+            {
+                "username": utils.random_string(10),
+                "password": "mealie_password_not_important",
+                "full_name": utils.random_string(10),
+                "email": utils.random_string(10),
+                "admin": False,
+                "auth_method": AuthMethod.LDAP,
+            }
+        )
+    yield user
+    with session_context() as session:
+        db = get_repositories(session)
+        db.users.delete(user.id)
--- a/tests/integration_tests/admin_tests/test_admin_user_actions.py
+++ b/tests/integration_tests/admin_tests/test_admin_user_actions.py
@ -1,6 +1,7 @@
 from fastapi.testclient import TestClient

 from mealie.core.config import get_app_settings
+from mealie.db.models.users.users import AuthMethod
 from tests import utils
 from tests.utils import api_routes
 from tests.utils.factories import random_email, random_string
@ -55,6 +56,7 @@ def test_create_user(api_client: TestClient, admin_token):
    assert user_data["email"] == create_data["email"]
    assert user_data["group"] == create_data["group"]
    assert user_data["admin"] == create_data["admin"]
+    assert user_data["authMethod"] == AuthMethod.MEALIE.value


 def test_create_user_as_non_admin(api_client: TestClient, user_token):
@ -73,6 +75,7 @@ def test_update_user(api_client: TestClient, admin_user: TestUser):
    # Change data
    update_data["fullName"] = random_string()
    update_data["email"] = random_email()
+    update_data["authMethod"] = AuthMethod.LDAP.value

    response = api_client.put(
        api_routes.admin_users_item_id(update_data["id"]), headers=admin_user.token, json=update_data
@ -80,6 +83,11 @@ def test_update_user(api_client: TestClient, admin_user: TestUser):

    assert response.status_code == 200

+    user_data = response.json()
+    assert user_data["fullName"] == update_data["fullName"]
+    assert user_data["email"] == update_data["email"]
+    assert user_data["authMethod"] == update_data["authMethod"]
+

 def test_update_other_user_as_not_admin(api_client: TestClient, unique_user: TestUser, g2_user: TestUser):
    settings = get_app_settings()
--- a/tests/integration_tests/user_tests/test_user_password_reset_service.py
+++ b/tests/integration_tests/user_tests/test_user_password_reset_service.py
@ -4,6 +4,7 @@ import pytest
 from fastapi.testclient import TestClient

 from mealie.db.db_setup import session_context
+from mealie.schema.user.user import PrivateUser
 from mealie.services.user_services.password_reset_service import PasswordResetService
 from tests.utils import api_routes
 from tests.utils.factories import random_string
@ -56,3 +57,24 @@ def test_password_reset(api_client: TestClient, unique_user: TestUser, casing: s
    # Test successful password reset
    response = api_client.post(api_routes.users_reset_password, json=payload)
    assert response.status_code == 400
+
+
+@pytest.mark.parametrize("casing", ["lower", "upper", "mixed"])
+def test_password_reset_ldap(ldap_user: PrivateUser, casing: str):
+    cased_email = ""
+    if casing == "lower":
+        cased_email = ldap_user.email.lower()
+    elif casing == "upper":
+        cased_email = ldap_user.email.upper()
+    else:
+        for i, letter in enumerate(ldap_user.email):
+            if i % 2 == 0:
+                cased_email += letter.upper()
+            else:
+                cased_email += letter.lower()
+        cased_email
+
+    with session_context() as session:
+        service = PasswordResetService(session)
+        token = service.generate_reset_token(cased_email)
+        assert token is None
--- a/tests/unit_tests/test_security.py
+++ b/tests/unit_tests/test_security.py
@ -7,7 +7,9 @@ from mealie.core import security
 from mealie.core.config import get_app_settings
 from mealie.core.dependencies import validate_file_token
 from mealie.db.db_setup import session_context
-from tests.utils.factories import random_string
+from mealie.db.models.users.users import AuthMethod
+from mealie.schema.user.user import PrivateUser
+from tests.utils import random_string


 class LdapConnMock:
@ -101,7 +103,7 @@ def test_create_file_token():
    assert file_path == validate_file_token(file_token)


-def test_ldap_authentication_mocked(monkeypatch: MonkeyPatch):
+def test_ldap_user_creation(monkeypatch: MonkeyPatch):
    user, mail, name, password, query_bind, query_password = setup_env(monkeypatch)

    def ldap_initialize_mock(url):
@ -122,7 +124,7 @@ def test_ldap_authentication_mocked(monkeypatch: MonkeyPatch):
    assert result.admin is False


-def test_ldap_authentication_failed_mocked(monkeypatch: MonkeyPatch):
+def test_ldap_user_creation_fail(monkeypatch: MonkeyPatch):
    user, mail, name, password, query_bind, query_password = setup_env(monkeypatch)

    def ldap_initialize_mock(url):
@ -139,7 +141,7 @@ def test_ldap_authentication_failed_mocked(monkeypatch: MonkeyPatch):
    assert result is False


-def test_ldap_authentication_non_admin_mocked(monkeypatch: MonkeyPatch):
+def test_ldap_user_creation_non_admin(monkeypatch: MonkeyPatch):
    user, mail, name, password, query_bind, query_password = setup_env(monkeypatch)
    monkeypatch.setenv("LDAP_ADMIN_FILTER", "(memberOf=cn=admins,dc=example,dc=com)")

@ -161,7 +163,7 @@ def test_ldap_authentication_non_admin_mocked(monkeypatch: MonkeyPatch):
    assert result.admin is False


-def test_ldap_authentication_admin_mocked(monkeypatch: MonkeyPatch):
+def test_ldap_user_creation_admin(monkeypatch: MonkeyPatch):
    user, mail, name, password, query_bind, query_password = setup_env(monkeypatch)
    monkeypatch.setenv("LDAP_ADMIN_FILTER", "(memberOf=cn=admins,dc=example,dc=com)")

@ -183,7 +185,7 @@ def test_ldap_authentication_admin_mocked(monkeypatch: MonkeyPatch):
    assert result.admin


-def test_ldap_authentication_disabled_mocked(monkeypatch: MonkeyPatch):
+def test_ldap_disabled(monkeypatch: MonkeyPatch):
    monkeypatch.setenv("LDAP_AUTH_ENABLED", "False")

    user = random_string(10)
@ -212,3 +214,29 @@ def test_ldap_authentication_disabled_mocked(monkeypatch: MonkeyPatch):

    with session_context() as session:
        security.authenticate_user(session, user, password)
+
+
+def test_user_login_ldap_auth_method(monkeypatch: MonkeyPatch, ldap_user: PrivateUser):
+    """
+    Test login from a user who was originally created in Mealie, but has since been converted
+    to LDAP auth method
+    """
+    _, _, name, ldap_password, query_bind, query_password = setup_env(monkeypatch)
+
+    def ldap_initialize_mock(url):
+        assert url == ""
+        return LdapConnMock(ldap_user.username, ldap_password, False, query_bind, query_password, ldap_user.email, name)
+
+    monkeypatch.setattr(ldap, "initialize", ldap_initialize_mock)
+
+    get_app_settings.cache_clear()
+
+    with session_context() as session:
+        result = security.authenticate_user(session, ldap_user.username, ldap_password)
+
+    assert result
+    assert result.username == ldap_user.username
+    assert result.email == ldap_user.email
+    assert result.full_name == ldap_user.full_name
+    assert result.admin == ldap_user.admin
+    assert result.auth_method == AuthMethod.LDAP
--- a/tests/utils/fixture_schemas.py
+++ b/tests/utils/fixture_schemas.py
@ -2,6 +2,8 @@ from dataclasses import dataclass
 from typing import Any
 from uuid import UUID

+from mealie.db.models.users.users import AuthMethod
+

@dataclass
 class TestUser:
@ -11,6 +13,7 @@ class TestUser:
    password: str
    _group_id: UUID
    token: Any
+    auth_method = AuthMethod.MEALIE

    @property
    def group_id(self) -> str: