feat: Login with OAuth via OpenID Connect (OIDC) (#3280)

* initial oidc implementation * add dynamic scheme * e2e test setup * add caching * fix * try this * add libldap-2.5 to runtime dependencies (#2849) * New translations en-us.json (Norwegian) (#2851) * New Crowdin updates (#2855) * New translations en-us.json (Italian) * New translations en-us.json (Norwegian) * New translations en-us.json (Portuguese) * fix * remove cache * cache yarn deps * cache docker image * cleanup action * lint * fix tests * remove not needed variables * run code gen * fix tests * add docs * move code into custom scheme * remove unneeded type * fix oidc admin * add more tests * add better spacing on login page * create auth providers * clean up testing stuff * type fixes * add OIDC auth method to postgres enum * add option to bypass login screen and go directly to iDP * remove check so we can fallback to another auth method oauth fails * Add provider name to be shown at the login screen * add new properties to admin about api * fix spec * add a prompt to change auth method when changing password * Create new auth section. Add more info on auth methods * update docs * run ruff * update docs * format * docs gen * formatting * initialize logger in class * mypy type fixes * docs gen * add models to get proper fields in docs and fix serialization * validate id token before using it * only request a mealie token on initial callback * remove unused method * fix unit tests * docs gen * check for valid idToken before getting token * add iss to mealie token * check to see if we already have a mealie token before getting one * fix lock file * update authlib * update lock file * add remember me environment variable * add user group setting to allow only certain groups to log in --------- Co-authored-by: Carter Mintey <cmintey8@gmail.com> Co-authored-by: Carter <35710697+cmintey@users.noreply.github.com>
2025-08-05 05:25:26 +02:00 · 2024-03-10 13:51:36 -05:00 · 2024-03-10 13:51:36 -05:00 · 5f6844eceb
commit 5f6844eceb
parent bea1a592d7
53 changed files with 1533 additions and 400 deletions
--- a/tests/e2e/.gitignore
+++ b/tests/e2e/.gitignore
@ -0,0 +1,5 @@
+node_modules/
+/test-results/
+/playwright-report/
+/blob-report/
+/playwright/.cache/
--- a/tests/e2e/docker/docker-compose.yml
+++ b/tests/e2e/docker/docker-compose.yml
@ -0,0 +1,52 @@
+version: "3.4"
+services:
+  oidc-mock-server:
+    container_name: oidc-mock-server
+    image: ghcr.io/navikt/mock-oauth2-server:2.1.0
+    network_mode: host
+    environment:
+      LOG_LEVEL: "debug"
+      SERVER_PORT: 8080
+
+  ldap:
+    image: rroemhild/test-openldap
+    ports:
+      - 10389:10389
+
+  mealie:
+    container_name: mealie
+    image: mealie:e2e
+    build:
+      context: ../../../
+      target: production
+      dockerfile: ./docker/Dockerfile
+    restart: always
+    volumes:
+      - mealie-data:/app/data/
+    network_mode: host
+    environment:
+      ALLOW_SIGNUP: True
+      DB_ENGINE: sqlite
+
+      OIDC_AUTH_ENABLED: True
+      OIDC_SIGNUP_ENABLED: True
+      OIDC_ADMIN_GROUP: admin
+      OIDC_CONFIGURATION_URL: http://localhost:8080/default/.well-known/openid-configuration
+      OIDC_CLIENT_ID: default
+
+      LDAP_AUTH_ENABLED: True
+      LDAP_SERVER_URL: ldap://localhost:10389
+      LDAP_TLS_INSECURE: true
+      LDAP_ENABLE_STARTTLS: false
+      LDAP_BASE_DN: "ou=people,dc=planetexpress,dc=com"
+      LDAP_QUERY_BIND: "cn=admin,dc=planetexpress,dc=com"
+      LDAP_QUERY_PASSWORD: "GoodNewsEveryone"
+      LDAP_USER_FILTER: "(&(|({id_attribute}={input})({mail_attribute}={input}))(|(memberOf=cn=ship_crew,ou=people,dc=planetexpress,dc=com)(memberOf=cn=admin_staff,ou=people,dc=planetexpress,dc=com)))"
+      LDAP_ADMIN_FILTER: "memberOf=cn=admin_staff,ou=people,dc=planetexpress,dc=com"
+      LDAP_ID_ATTRIBUTE: uid
+      LDAP_NAME_ATTRIBUTE: cn
+      LDAP_MAIL_ATTRIBUTE: mail
+
+volumes:
+  mealie-data:
+    driver: local
--- a/tests/e2e/login.spec.ts
+++ b/tests/e2e/login.spec.ts
@ -0,0 +1,140 @@
+import { test, expect } from '@playwright/test';
+
+test('password login', async ({ page }) => {
+    const username = "changeme@example.com"
+    const password = "MyPassword"
+    const name = "Change Me"
+
+    await page.goto('http://localhost:9000/login');
+    await page.getByLabel('Email or Username').click();
+    await page.getByLabel('Email or Username').fill(username);
+    await page.locator('div').filter({ hasText: /^Password$/ }).nth(3).click();
+    await page.getByLabel('Password').fill(password);
+    await page.getByRole('button', { name: 'Login', exact: true }).click();
+    await expect(page.getByRole('navigation')).toContainText(name);
+});
+
+test('ldap login', async ({ page }) => {
+    const username = "bender"
+    const password = "bender"
+    const name = "Bender Bending Rodríguez"
+
+    await page.goto('http://localhost:9000/login');
+    await page.getByLabel('Email or Username').click();
+    await page.getByLabel('Email or Username').fill(username);
+    await page.locator('div').filter({ hasText: /^Password$/ }).nth(3).click();
+    await page.getByLabel('Password').fill(password);
+    await page.getByRole('button', { name: 'Login', exact: true }).click();
+    await expect(page.getByRole('navigation')).toContainText(name);
+    await expect(page.getByRole('link', { name: 'Settings' })).not.toBeVisible();
+});
+
+test('ldap admin login', async ({ page }) => {
+    const username = "professor"
+    const password = "professor"
+    const name = "Hubert J. Farnsworth"
+
+    await page.goto('http://localhost:9000/login');
+    await page.getByLabel('Email or Username').click();
+    await page.getByLabel('Email or Username').fill(username);
+    await page.locator('div').filter({ hasText: /^Password$/ }).nth(3).click();
+    await page.getByLabel('Password').fill(password);
+    await page.getByRole('button', { name: 'Login', exact: true }).click();
+    await expect(page.getByRole('navigation')).toContainText(name);
+    await expect(page.getByRole('link', { name: 'Settings' })).toBeVisible();
+});
+
+test('oidc initial login', async ({ page }) => {
+    const username = "testUser"
+    const name = "Test User"
+    const claims = {
+        "sub": username,
+        "email": `${username}@example.com`,
+        "preferred_username": username,
+        "name": name
+    }
+
+    await page.goto('http://localhost:9000/login');
+    await page.getByRole('button', { name: 'Login with OAuth' }).click();
+    await page.getByPlaceholder('Enter any user/subject').fill(username);
+    await page.getByPlaceholder('Optional claims JSON value,').fill(JSON.stringify(claims));
+    await page.getByRole('button', { name: 'Sign-in' }).click();
+    await expect(page.getByRole('navigation')).toContainText(name);
+    await expect(page.getByRole('link', { name: 'Settings' })).not.toBeVisible();
+});
+
+test('oidc sequential login', async ({ page }) => {
+    const username = "testUser2"
+    const name = "Test User 2"
+    const claims = {
+        "sub": username,
+        "email": `${username}@example.com`,
+        "preferred_username": username,
+        "name": name
+    }
+
+    await page.goto('http://localhost:9000/login');
+    await page.getByRole('button', { name: 'Login with OAuth' }).click();
+    await page.getByPlaceholder('Enter any user/subject').fill(username);
+    await page.getByPlaceholder('Optional claims JSON value,').fill(JSON.stringify(claims));
+    await page.getByRole('button', { name: 'Sign-in' }).click();
+    await expect(page.getByRole('navigation')).toContainText(name);
+    await page.getByRole('button', { name: 'Logout' }).click();
+
+    await page.goto('http://localhost:9000/login');
+    await page.getByRole('button', { name: 'Login with OAuth' }).click();
+    await page.getByPlaceholder('Enter any user/subject').fill(username);
+    await page.getByPlaceholder('Optional claims JSON value,').fill(JSON.stringify(claims));
+    await page.getByRole('button', { name: 'Sign-in' }).click();
+    await expect(page.getByRole('navigation')).toContainText(name);
+});
+
+test('settings page verify oidc', async ({ page }) => {
+    const username = "oidcUser"
+    const name = "OIDC User"
+    const claims = {
+        "sub": username,
+        "email": `${username}@example.com`,
+        "preferred_username": username,
+        "name": name
+    }
+
+    await page.goto('http://localhost:9000/login');
+    await page.getByRole('button', { name: 'Login with OAuth' }).click();
+    await page.getByPlaceholder('Enter any user/subject').fill(username);
+    await page.getByPlaceholder('Optional claims JSON value,').fill(JSON.stringify(claims));
+    await page.getByRole('button', { name: 'Sign-in' }).click();
+    await expect(page.getByRole('navigation')).toContainText(name);
+    await page.getByRole('button', { name: 'Logout' }).click();
+
+    await page.goto('http://localhost:9000/login');
+    await page.getByLabel('Email or Username').click();
+    await page.getByLabel('Email or Username').fill('changeme@example.com');
+    await page.getByLabel('Password').click();
+    await page.getByLabel('Password').fill('MyPassword');
+    await page.getByRole('button', { name: 'Login', exact: true }).click();
+    await page.getByRole('link', { name: 'Settings' }).click();
+    await page.getByRole('link', { name: 'Users' }).click();
+    await page.getByRole('cell', { name: username, exact: true }).click();
+    await expect(page.getByText('Permissions Administrator')).toBeVisible();
+});
+
+test('oidc admin user', async ({ page }) => {
+    const username = "oidcAdmin"
+    const name = "OIDC Admin"
+    const claims = {
+        "sub": username,
+        "email": `${username}@example.com`,
+        "preferred_username": username,
+        "name": name,
+        "groups": ["admin"]
+    }
+
+    await page.goto('http://localhost:9000/login');
+    await page.getByRole('button', { name: 'Login with OAuth' }).click();
+    await page.getByPlaceholder('Enter any user/subject').fill(username);
+    await page.getByPlaceholder('Optional claims JSON value,').fill(JSON.stringify(claims));
+    await page.getByRole('button', { name: 'Sign-in' }).click();
+    await expect(page.getByRole('navigation')).toContainText(name);
+    await expect(page.getByRole('link', { name: 'Settings' })).toBeVisible();
+});
--- a/tests/e2e/package.json
+++ b/tests/e2e/package.json
@ -0,0 +1,11 @@
+{
+  "name": "e2e",
+  "version": "1.0.0",
+  "main": "index.js",
+  "license": "MIT",
+  "devDependencies": {
+    "@playwright/test": "^1.40.1",
+    "@types/node": "^20.10.4"
+  },
+  "scripts": {}
+}
--- a/tests/e2e/playwright.config.ts
+++ b/tests/e2e/playwright.config.ts
@ -0,0 +1,77 @@
+import { defineConfig, devices } from '@playwright/test';
+
+/**
+ * Read environment variables from file.
+ * https://github.com/motdotla/dotenv
+ */
+// require('dotenv').config();
+
+/**
+ * See https://playwright.dev/docs/test-configuration.
+ */
+export default defineConfig({
+  testDir: './.',
+  /* Run tests in files in parallel */
+  fullyParallel: true,
+  /* Fail the build on CI if you accidentally left test.only in the source code. */
+  forbidOnly: !!process.env.CI,
+  /* Retry on CI only */
+  retries: process.env.CI ? 2 : 0,
+  /* Opt out of parallel tests on CI. */
+  workers: process.env.CI ? 1 : undefined,
+  /* Reporter to use. See https://playwright.dev/docs/test-reporters */
+  reporter: 'html',
+  /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
+  use: {
+    /* Base URL to use in actions like `await page.goto('/')`. */
+    // baseURL: 'http://127.0.0.1:3000',
+
+    /* Collect trace when retrying the failed test. See https://playwright.dev/docs/trace-viewer */
+    trace: 'on-first-retry',
+  },
+
+  /* Configure projects for major browsers */
+  projects: [
+    {
+      name: 'chromium',
+      use: { ...devices['Desktop Chrome'] },
+    },
+
+    {
+      name: 'firefox',
+      use: { ...devices['Desktop Firefox'] },
+    },
+
+    {
+      name: 'webkit',
+      use: { ...devices['Desktop Safari'] },
+    },
+
+    /* Test against mobile viewports. */
+    // {
+    //   name: 'Mobile Chrome',
+    //   use: { ...devices['Pixel 5'] },
+    // },
+    // {
+    //   name: 'Mobile Safari',
+    //   use: { ...devices['iPhone 12'] },
+    // },
+
+    /* Test against branded browsers. */
+    // {
+    //   name: 'Microsoft Edge',
+    //   use: { ...devices['Desktop Edge'], channel: 'msedge' },
+    // },
+    // {
+    //   name: 'Google Chrome',
+    //   use: { ...devices['Desktop Chrome'], channel: 'chrome' },
+    // },
+  ],
+
+  /* Run your local dev server before starting the tests */
+  // webServer: {
+  //   command: 'npm run start',
+  //   url: 'http://127.0.0.1:3000',
+  //   reuseExistingServer: !process.env.CI,
+  // },
+});
--- a/tests/e2e/yarn.lock
+++ b/tests/e2e/yarn.lock
@ -0,0 +1,41 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+"@playwright/test@^1.40.1":
+  version "1.40.1"
+  resolved "https://registry.yarnpkg.com/@playwright/test/-/test-1.40.1.tgz#9e66322d97b1d74b9f8718bacab15080f24cde65"
+  integrity sha512-EaaawMTOeEItCRvfmkI9v6rBkF1svM8wjl/YPRrg2N2Wmp+4qJYkWtJsbew1szfKKDm6fPLy4YAanBhIlf9dWw==
+  dependencies:
+    playwright "1.40.1"
+
+"@types/node@^20.10.4":
+  version "20.10.4"
+  resolved "https://registry.yarnpkg.com/@types/node/-/node-20.10.4.tgz#b246fd84d55d5b1b71bf51f964bd514409347198"
+  integrity sha512-D08YG6rr8X90YB56tSIuBaddy/UXAA9RKJoFvrsnogAum/0pmjkgi4+2nx96A330FmioegBWmEYQ+syqCFaveg==
+  dependencies:
+    undici-types "~5.26.4"
+
+fsevents@2.3.2:
+  version "2.3.2"
+  resolved "https://registry.yarnpkg.com/fsevents/-/fsevents-2.3.2.tgz#8a526f78b8fdf4623b709e0b975c52c24c02fd1a"
+  integrity sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==
+
+playwright-core@1.40.1:
+  version "1.40.1"
+  resolved "https://registry.yarnpkg.com/playwright-core/-/playwright-core-1.40.1.tgz#442d15e86866a87d90d07af528e0afabe4c75c05"
+  integrity sha512-+hkOycxPiV534c4HhpfX6yrlawqVUzITRKwHAmYfmsVreltEl6fAZJ3DPfLMOODw0H3s1Itd6MDCWmP1fl/QvQ==
+
+playwright@1.40.1:
+  version "1.40.1"
+  resolved "https://registry.yarnpkg.com/playwright/-/playwright-1.40.1.tgz#a11bf8dca15be5a194851dbbf3df235b9f53d7ae"
+  integrity sha512-2eHI7IioIpQ0bS1Ovg/HszsN/XKNwEG1kbzSDDmADpclKc7CyqkHw7Mg2JCz/bbCxg25QUPcjksoMW7JcIFQmw==
+  dependencies:
+    playwright-core "1.40.1"
+  optionalDependencies:
+    fsevents "2.3.2"
+
+undici-types@~5.26.4:
+  version "5.26.5"
+  resolved "https://registry.yarnpkg.com/undici-types/-/undici-types-5.26.5.tgz#bcd539893d00b56e964fd2657a4866b221a65617"
+  integrity sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==
--- a/tests/unit_tests/test_security.py
+++ b/tests/unit_tests/test_security.py
@ -6,8 +6,11 @@ from pytest import MonkeyPatch
 from mealie.core import security
 from mealie.core.config import get_app_settings
 from mealie.core.dependencies import validate_file_token
+from mealie.core.security.providers.credentials_provider import CredentialsProvider, CredentialsRequest
+from mealie.core.security.providers.ldap_provider import LDAPProvider
 from mealie.db.db_setup import session_context
 from mealie.db.models.users.users import AuthMethod
+from mealie.schema.user.auth import CredentialsRequestForm
 from mealie.schema.user.user import PrivateUser
 from tests.utils import random_string

@ -113,6 +116,11 @@ def test_create_file_token():
    assert file_path == validate_file_token(file_token)


+def get_provider(session, username: str, password: str):
+    request_data = CredentialsRequest(username=username, password=password)
+    return LDAPProvider(session, request_data)
+
+
 def test_ldap_user_creation(monkeypatch: MonkeyPatch):
    user, mail, name, password, query_bind, query_password = setup_env(monkeypatch)

@ -125,7 +133,8 @@ def test_ldap_user_creation(monkeypatch: MonkeyPatch):
    get_app_settings.cache_clear()

    with session_context() as session:
-        result = security.authenticate_user(session, user, password)
+        provider = get_provider(session, user, password)
+        result = provider.get_user()

    assert result
    assert result.username == user
@ -146,9 +155,10 @@ def test_ldap_user_creation_fail(monkeypatch: MonkeyPatch):
    get_app_settings.cache_clear()

    with session_context() as session:
-        result = security.authenticate_user(session, user, password + "a")
+        provider = get_provider(session, user, password + "a")
+        result = provider.get_user()

-    assert result is False
+    assert result is None


 def test_ldap_user_creation_non_admin(monkeypatch: MonkeyPatch):
@ -164,7 +174,8 @@ def test_ldap_user_creation_non_admin(monkeypatch: MonkeyPatch):
    get_app_settings.cache_clear()

    with session_context() as session:
-        result = security.authenticate_user(session, user, password)
+        provider = get_provider(session, user, password)
+        result = provider.get_user()

    assert result
    assert result.username == user
@ -186,7 +197,8 @@ def test_ldap_user_creation_admin(monkeypatch: MonkeyPatch):
    get_app_settings.cache_clear()

    with session_context() as session:
-        result = security.authenticate_user(session, user, password)
+        provider = get_provider(session, user, password)
+        result = provider.get_user()

    assert result
    assert result.username == user
@ -198,35 +210,17 @@ def test_ldap_user_creation_admin(monkeypatch: MonkeyPatch):
 def test_ldap_disabled(monkeypatch: MonkeyPatch):
    monkeypatch.setenv("LDAP_AUTH_ENABLED", "False")

-    user = random_string(10)
-    password = random_string(10)
-
-    class LdapConnMock:
-        def simple_bind_s(self, dn, bind_pw):
-            assert False  # When LDAP is disabled, this method should not be called
-
-        def search_s(self, dn, scope, filter, attrlist):
-            pass
-
-        def set_option(self, option, invalue):
-            pass
-
-        def unbind_s(self):
-            pass
-
-        def start_tls_s(self):
-            pass
-
-    def ldap_initialize_mock(url):
-        assert url == ""
-        return LdapConnMock()
-
-    monkeypatch.setattr(ldap, "initialize", ldap_initialize_mock)
+    class Request:
+        def __init__(self, auth_strategy: str):
+            self.cookies = {"mealie.auth.strategy": auth_strategy}

    get_app_settings.cache_clear()

    with session_context() as session:
-        security.authenticate_user(session, user, password)
+        form = CredentialsRequestForm("username", "password", False)
+        provider = security.get_auth_provider(session, Request("local"), form)
+
+    assert isinstance(provider, CredentialsProvider)


 def test_user_login_ldap_auth_method(monkeypatch: MonkeyPatch, ldap_user: PrivateUser):
@ -245,7 +239,8 @@ def test_user_login_ldap_auth_method(monkeypatch: MonkeyPatch, ldap_user: Privat
    get_app_settings.cache_clear()

    with session_context() as session:
-        result = security.authenticate_user(session, ldap_user.username, ldap_password)
+        provider = get_provider(session, ldap_user.username, ldap_password)
+        result = provider.get_user()

    assert result
    assert result.username == ldap_user.username
--- a/tests/utils/api_routes/init.py
+++ b/tests/utils/api_routes/init.py
@ -43,6 +43,8 @@ admin_users_unlock = "/api/admin/users/unlock"
 """`/api/admin/users/unlock`"""
 app_about = "/api/app/about"
 """`/api/app/about`"""
+app_about_oidc = "/api/app/about/oidc"
+"""`/api/app/about/oidc`"""
 app_about_startup_info = "/api/app/about/startup-info"
 """`/api/app/about/startup-info`"""
 app_about_theme = "/api/app/about/theme"