feat: Add ability to enforce SSO

Closes #543, closes #545
2025-07-19 21:29:43 +02:00 · 2024-02-01 00:31:15 +01:00 · 2024-02-01 00:31:15 +01:00 · 5e8027f5d6
commit 5e8027f5d6
parent 0dc24ffafd
10 changed files with 80 additions and 46 deletions
--- a/client/src/components/Login/Login.jsx
+++ b/client/src/components/Login/Login.jsx
@ -68,6 +68,7 @@ const Login = React.memo(
    isSubmittingUsingOidc,
    error,
    withOidc,
    isOidcEnforced,
    onAuthenticate,
    onAuthenticateUsingOidc,
    onMessageDismiss,
@ -107,8 +108,10 @@ const Login = React.memo(
    }, [onAuthenticate, data]);
    useEffect(() => {
-      emailOrUsernameField.current.focus();
+      if (!isOidcEnforced) {
-    }, []);
+        emailOrUsernameField.current.focus();
      }
    }, [isOidcEnforced]);
    useEffect(() => {
      if (wasSubmitting && !isSubmitting && error) {
@ -159,51 +162,57 @@ const Login = React.memo(
                        onDismiss={onMessageDismiss}
                      />
                    )}
-                    <Form size="large" onSubmit={handleSubmit}>
+                    {!isOidcEnforced && (
-                      <div className={styles.inputWrapper}>
+                      <Form size="large" onSubmit={handleSubmit}>
-                        <div className={styles.inputLabel}>{t('common.emailOrUsername')}</div>
+                        <div className={styles.inputWrapper}>
-                        <Input
+                          <div className={styles.inputLabel}>{t('common.emailOrUsername')}</div>
-                          fluid
+                          <Input
-                          ref={emailOrUsernameField}
+                            fluid
-                          name="emailOrUsername"
+                            ref={emailOrUsernameField}
-                          value={data.emailOrUsername}
+                            name="emailOrUsername"
-                          readOnly={isSubmitting}
+                            value={data.emailOrUsername}
-                          className={styles.input}
+                            readOnly={isSubmitting}
-                          onChange={handleFieldChange}
+                            className={styles.input}
                            onChange={handleFieldChange}
                          />
                        </div>
                        <div className={styles.inputWrapper}>
                          <div className={styles.inputLabel}>{t('common.password')}</div>
                          <Input.Password
                            fluid
                            ref={passwordField}
                            name="password"
                            value={data.password}
                            readOnly={isSubmitting}
                            className={styles.input}
                            onChange={handleFieldChange}
                          />
                        </div>
                        <Form.Button
                          primary
                          size="large"
                          icon="right arrow"
                          labelPosition="right"
                          content={t('action.logIn')}
                          floated="right"
                          loading={isSubmitting}
                          disabled={isSubmitting || isSubmittingUsingOidc}
                        />
-                      </div>
+                      </Form>
-                      <div className={styles.inputWrapper}>
+                    )}
                        <div className={styles.inputLabel}>{t('common.password')}</div>
                        <Input.Password
                          fluid
                          ref={passwordField}
                          name="password"
                          value={data.password}
                          readOnly={isSubmitting}
                          className={styles.input}
                          onChange={handleFieldChange}
                        />
                      </div>
                      <Form.Button
                        primary
                        size="large"
                        icon="right arrow"
                        labelPosition="right"
                        content={t('action.logIn')}
                        floated="right"
                        loading={isSubmitting}
                        disabled={isSubmitting || isSubmittingUsingOidc}
                      />
                    </Form>
                    {withOidc && (
                      <Button
                        type="button"
                        fluid={isOidcEnforced}
                        primary={isOidcEnforced}
                        size={isOidcEnforced ? 'large' : undefined}
                        icon={isOidcEnforced ? 'right arrow' : undefined}
                        labelPosition={isOidcEnforced ? 'right' : undefined}
                        content={t('action.logInWithSSO')}
                        loading={isSubmittingUsingOidc}
                        disabled={isSubmitting || isSubmittingUsingOidc}
                        onClick={onAuthenticateUsingOidc}
-                      >
+                      />
                        {t('action.logInWithSSO')}
                      </Button>
                    )}
                  </div>
                </div>
@ -242,6 +251,7 @@ Login.propTypes = {
  isSubmittingUsingOidc: PropTypes.bool.isRequired,
  error: PropTypes.object, // eslint-disable-line react/forbid-prop-types
  withOidc: PropTypes.bool.isRequired,
  isOidcEnforced: PropTypes.bool.isRequired,
  onAuthenticate: PropTypes.func.isRequired,
  onAuthenticateUsingOidc: PropTypes.func.isRequired,
  onMessageDismiss: PropTypes.func.isRequired,
--- a/client/src/components/UsersModal/UsersModal.jsx
+++ b/client/src/components/UsersModal/UsersModal.jsx
@ -10,6 +10,7 @@ import Item from './Item';
 const UsersModal = React.memo(
  ({
    items,
    canAdd,
    onUpdate,
    onUsernameUpdate,
    onUsernameUpdateMessageDismiss,
@ -130,11 +131,13 @@ const UsersModal = React.memo(
            </Table.Body>
          </Table>
        </Modal.Content>
-        <Modal.Actions>
+        {canAdd && (
-          <UserAddPopupContainer>
+          <Modal.Actions>
-            <Button positive content={t('action.addUser')} />
+            <UserAddPopupContainer>
-          </UserAddPopupContainer>
+              <Button positive content={t('action.addUser')} />
-        </Modal.Actions>
+            </UserAddPopupContainer>
          </Modal.Actions>
        )}
      </Modal>
    );
  },
@ -142,6 +145,7 @@ const UsersModal = React.memo(
 UsersModal.propTypes = {
  items: PropTypes.array.isRequired, // eslint-disable-line react/forbid-prop-types
  canAdd: PropTypes.bool.isRequired,
  onUpdate: PropTypes.func.isRequired,
  onUsernameUpdate: PropTypes.func.isRequired,
  onUsernameUpdateMessageDismiss: PropTypes.func.isRequired,
--- a/client/src/containers/LoginContainer.js
+++ b/client/src/containers/LoginContainer.js
@ -20,6 +20,7 @@ const mapStateToProps = (state) => {
    isSubmittingUsingOidc,
    error,
    withOidc: !!oidcConfig,
    isOidcEnforced: oidcConfig && oidcConfig.isEnforced,
  };
 };
--- a/client/src/containers/UsersModalContainer.js
+++ b/client/src/containers/UsersModalContainer.js
@ -6,10 +6,12 @@ import entryActions from '../entry-actions';
 import UsersModal from '../components/UsersModal';
 const mapStateToProps = (state) => {
  const oidcConfig = selectors.selectOidcConfig(state);
  const users = selectors.selectUsersExceptCurrent(state);
  return {
    items: users,
    canAdd: !oidcConfig || !oidcConfig.isEnforced,
  };
 };
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -50,6 +50,7 @@ services:
      # - OIDC_ROLES_ATTRIBUTE=groups
      # - OIDC_IGNORE_USERNAME=true
      # - OIDC_IGNORE_ROLES=true
      # - OIDC_ENFORCED=true
    depends_on:
      - postgres
--- a/server/.env.sample
+++ b/server/.env.sample
@ -33,6 +33,7 @@ SECRET_KEY=notsecretkey
 # OIDC_ROLES_ATTRIBUTE=groups
 # OIDC_IGNORE_USERNAME=true
 # OIDC_IGNORE_ROLES=true
 # OIDC_ENFORCED=true
 ## Do not edit this
--- a/server/api/controllers/access-tokens/create.js
+++ b/server/api/controllers/access-tokens/create.js
@ -46,8 +46,11 @@ module.exports = {
  },
  async fn(inputs) {
-    const remoteAddress = getRemoteAddress(this.req);
+    if (sails.config.custom.oidcEnforced) {
      throw Errors.USE_SINGLE_SIGN_ON;
    }
    const remoteAddress = getRemoteAddress(this.req);
    const user = await sails.helpers.users.getOneByEmailOrUsername(inputs.emailOrUsername);
    if (!user) {
--- a/server/api/controllers/show-config.js
+++ b/server/api/controllers/show-config.js
@ -10,6 +10,7 @@ module.exports = {
          response_mode: 'fragment',
        }),
        endSessionUrl: oidcClient.issuer.end_session_endpoint ? oidcClient.endSessionUrl({}) : null,
        isEnforced: sails.config.custom.oidcEnforced,
      };
    }
--- a/server/api/controllers/users/create.js
+++ b/server/api/controllers/users/create.js
@ -1,6 +1,9 @@
 const zxcvbn = require('zxcvbn');
 const Errors = {
  NOT_ENOUGH_RIGHTS: {
    notEnoughRights: 'Not enough rights',
  },
  EMAIL_ALREADY_IN_USE: {
    emailAlreadyInUse: 'Email already in use',
  },
@ -56,6 +59,9 @@ module.exports = {
  },
  exits: {
    notEnoughRights: {
      responseType: 'forbidden',
    },
    emailAlreadyInUse: {
      responseType: 'conflict',
    },
@ -65,6 +71,10 @@ module.exports = {
  },
  async fn(inputs) {
    if (sails.config.custom.oidcEnforced) {
      throw Errors.NOT_ENOUGH_RIGHTS;
    }
    const values = _.pick(inputs, [
      'email',
      'password',
--- a/server/config/custom.js
+++ b/server/config/custom.js
@ -44,6 +44,7 @@ module.exports.custom = {
  oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
  oidcIgnoreUsername: process.env.OIDC_IGNORE_USERNAME === 'true',
  oidcIgnoreRoles: process.env.OIDC_IGNORE_ROLES === 'true',
  oidcEnforced: process.env.OIDC_ENFORCED === 'true',
  // TODO: move client base url to environment variable?
  oidcRedirectUri: `${