mirror of
https://github.com/mealie-recipes/mealie.git
synced 2025-07-22 06:39:41 +02:00
feat: Login with OAuth via OpenID Connect (OIDC) (#3280)
Some checks are pending
CodeQL / Analyze (javascript-typescript) (push) Waiting to run
CodeQL / Analyze (python) (push) Waiting to run
Docker Nightly Production / Frontend and End-to-End Tests (push) Waiting to run
Docker Nightly Production / Build Tagged Release (push) Blocked by required conditions
Docker Nightly Production / Backend Server Tests (push) Waiting to run
Docker Nightly Production / Notify Discord (push) Blocked by required conditions
Some checks are pending
CodeQL / Analyze (javascript-typescript) (push) Waiting to run
CodeQL / Analyze (python) (push) Waiting to run
Docker Nightly Production / Frontend and End-to-End Tests (push) Waiting to run
Docker Nightly Production / Build Tagged Release (push) Blocked by required conditions
Docker Nightly Production / Backend Server Tests (push) Waiting to run
Docker Nightly Production / Notify Discord (push) Blocked by required conditions
* initial oidc implementation * add dynamic scheme * e2e test setup * add caching * fix * try this * add libldap-2.5 to runtime dependencies (#2849) * New translations en-us.json (Norwegian) (#2851) * New Crowdin updates (#2855) * New translations en-us.json (Italian) * New translations en-us.json (Norwegian) * New translations en-us.json (Portuguese) * fix * remove cache * cache yarn deps * cache docker image * cleanup action * lint * fix tests * remove not needed variables * run code gen * fix tests * add docs * move code into custom scheme * remove unneeded type * fix oidc admin * add more tests * add better spacing on login page * create auth providers * clean up testing stuff * type fixes * add OIDC auth method to postgres enum * add option to bypass login screen and go directly to iDP * remove check so we can fallback to another auth method oauth fails * Add provider name to be shown at the login screen * add new properties to admin about api * fix spec * add a prompt to change auth method when changing password * Create new auth section. Add more info on auth methods * update docs * run ruff * update docs * format * docs gen * formatting * initialize logger in class * mypy type fixes * docs gen * add models to get proper fields in docs and fix serialization * validate id token before using it * only request a mealie token on initial callback * remove unused method * fix unit tests * docs gen * check for valid idToken before getting token * add iss to mealie token * check to see if we already have a mealie token before getting one * fix lock file * update authlib * update lock file * add remember me environment variable * add user group setting to allow only certain groups to log in --------- Co-authored-by: Carter Mintey <cmintey8@gmail.com> Co-authored-by: Carter <35710697+cmintey@users.noreply.github.com>
This commit is contained in:
Hayden
GitHub
parent
bea1a592d7
commit
5f6844eceb
53 changed files with 1533 additions and 400 deletions
87
frontend/schemes/DynamicOpenIDConnectScheme.js
Normal file
87
frontend/schemes/DynamicOpenIDConnectScheme.js
Normal file
|
|
@ -0,0 +1,87 @@
|
|||
import jwtDecode from "jwt-decode"
|
||||
import { ConfigurationDocument, OpenIDConnectScheme } from "~auth/runtime"
|
||||
|
||||
/**
|
||||
* Custom Scheme that dynamically gets the OpenID Connect configuration from the backend.
|
||||
* This is needed because the SPA frontend does not have access to runtime environment variables.
|
||||
*/
|
||||
export default class DynamicOpenIDConnectScheme extends OpenIDConnectScheme {
|
||||
|
||||
async mounted() {
|
||||
await this.getConfiguration();
|
||||
this.options.scope = ["openid", "profile", "email", "groups"]
|
||||
|
||||
this.configurationDocument = new ConfigurationDocument(
|
||||
this,
|
||||
this.$auth.$storage
|
||||
)
|
||||
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-unsafe-return
|
||||
return await super.mounted()
|
||||
}
|
||||
|
||||
async fetchUser() {
|
||||
if (!this.check().valid) {
|
||||
return
|
||||
}
|
||||
|
||||
const { data } = await this.$auth.requestWith(this.name, {
|
||||
url: "/api/users/self"
|
||||
})
|
||||
|
||||
this.$auth.setUser(data)
|
||||
}
|
||||
|
||||
async _handleCallback() {
|
||||
const redirect = await super._handleCallback()
|
||||
await this.updateAccessToken()
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-unsafe-return
|
||||
return redirect;
|
||||
}
|
||||
|
||||
async updateAccessToken() {
|
||||
if (!this.idToken.sync()) {
|
||||
return
|
||||
}
|
||||
if (this.isValidMealieToken()) {
|
||||
return
|
||||
}
|
||||
|
||||
const response = await this.$auth.requestWith(this.name, {
|
||||
url: "/api/auth/token",
|
||||
method: "post"
|
||||
})
|
||||
|
||||
// Update tokens with mealie token
|
||||
this.updateTokens(response)
|
||||
}
|
||||
|
||||
isValidMealieToken() {
|
||||
if (this.token.status().valid()) {
|
||||
let iss = null;
|
||||
try {
|
||||
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
|
||||
iss = jwtDecode(this.token.get()).iss
|
||||
} catch (e) {
|
||||
// pass
|
||||
}
|
||||
return iss === "mealie"
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
async getConfiguration() {
|
||||
const route = "/api/app/about/oidc";
|
||||
|
||||
try {
|
||||
const response = await fetch(route);
|
||||
const data = await response.json();
|
||||
this.options.endpoints.configuration = data.configurationUrl;
|
||||
this.options.clientId = data.clientId;
|
||||
} catch (error) {
|
||||
// pass
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue