Add OpenID Connect login support (#77)

* Add OpenID Connect login support
* Add docs for OIDC config with Google Auth
* Use Google styles for log in
- Add support for linking existing account
- Force users to sign-in with passoword first, when linking existing accounts
- Add support to create new user when using OIDC
- Add identities to user to prevent account take-ver
- Make tests mocking instead of being integration tests
- Manage session handling correctly
- use OmniAuth.config.mock_auth instead of passing auth data via request env
* Conditionally render Oauth button

- Set a config item `configuration.x.auth.oidc_enabled`
- Hide button if disabled

---------

Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Signed-off-by: soky srm <sokysrm@gmail.com>
Co-authored-by: sokie <sokysrm@gmail.com>

test/controllers/oidc_accounts_controller_test.rb

@@ -0,0 +1,150 @@
+require "test_helper"
+
+class OidcAccountsControllerTest < ActionController::TestCase
+  setup do
+    @user = users(:family_admin)
+  end
+
+  def pending_auth
+    {
+      "provider" => "openid_connect",
+      "uid" => "new-uid-12345",
+      "email" => @user.email,
+      "name" => "Bob Dylan",
+      "first_name" => "Bob",
+      "last_name" => "Dylan"
+    }
+  end
+
+  test "should show link page when pending auth exists" do
+    session[:pending_oidc_auth] = pending_auth
+    get :link
+    assert_response :success
+  end
+
+  test "should redirect to login when no pending auth" do
+    get :link
+    assert_redirected_to new_session_path
+    assert_equal "No pending OIDC authentication found", flash[:alert]
+  end
+
+  test "should create OIDC identity with valid password" do
+    session[:pending_oidc_auth] = pending_auth
+
+    assert_difference "OidcIdentity.count", 1 do
+      post :create_link,
+        params: {
+          email: @user.email,
+          password: user_password_test
+        }
+    end
+
+    assert_redirected_to root_path
+    assert_not_nil @user.oidc_identities.find_by(
+      provider: pending_auth["provider"],
+      uid: pending_auth["uid"]
+    )
+  end
+
+  test "should reject linking with invalid password" do
+    session[:pending_oidc_auth] = pending_auth
+
+    assert_no_difference "OidcIdentity.count" do
+      post :create_link,
+        params: {
+          email: @user.email,
+          password: "wrongpassword"
+        }
+    end
+
+    assert_response :unprocessable_entity
+    assert_equal "Invalid email or password", flash[:alert]
+  end
+
+  test "should redirect to MFA when user has MFA enabled" do
+    @user.setup_mfa!
+    @user.enable_mfa!
+
+    session[:pending_oidc_auth] = pending_auth
+
+    post :create_link,
+      params: {
+        email: @user.email,
+        password: user_password_test
+      }
+
+    assert_redirected_to verify_mfa_path
+  end
+
+  test "should reject create_link when no pending auth" do
+    post :create_link, params: {
+      email: @user.email,
+      password: user_password_test
+    }
+
+    assert_redirected_to new_session_path
+    assert_equal "No pending OIDC authentication found", flash[:alert]
+  end
+
+  # New user registration tests
+  def new_user_auth
+    {
+      "provider" => "openid_connect",
+      "uid" => "new-uid-99999",
+      "email" => "newuser@example.com",
+      "name" => "New User",
+      "first_name" => "New",
+      "last_name" => "User"
+    }
+  end
+
+  test "should show create account option for new user" do
+    session[:pending_oidc_auth] = new_user_auth
+
+    get :link
+    assert_response :success
+    assert_select "h3", text: "Create New Account"
+    assert_select "strong", text: new_user_auth["email"]
+  end
+
+  test "should create new user account via OIDC" do
+    session[:pending_oidc_auth] = new_user_auth
+
+    assert_difference [ "User.count", "OidcIdentity.count", "Family.count" ], 1 do
+      post :create_user
+    end
+
+    assert_redirected_to root_path
+    assert_equal "Welcome! Your account has been created.", flash[:notice]
+
+    # Verify user was created with correct details
+    new_user = User.find_by(email: new_user_auth["email"])
+    assert_not_nil new_user
+    assert_equal new_user_auth["first_name"], new_user.first_name
+    assert_equal new_user_auth["last_name"], new_user.last_name
+    assert_equal "admin", new_user.role
+
+    # Verify OIDC identity was created
+    oidc_identity = new_user.oidc_identities.first
+    assert_not_nil oidc_identity
+    assert_equal new_user_auth["provider"], oidc_identity.provider
+    assert_equal new_user_auth["uid"], oidc_identity.uid
+  end
+
+  test "should create session after OIDC registration" do
+    session[:pending_oidc_auth] = new_user_auth
+
+    post :create_user
+
+    # Verify session was created
+    new_user = User.find_by(email: new_user_auth["email"])
+    assert Session.exists?(user_id: new_user.id)
+  end
+
+  test "should reject create_user when no pending auth" do
+    post :create_user
+
+    assert_redirected_to new_session_path
+    assert_equal "No pending OIDC authentication found", flash[:alert]
+  end
+end

test/controllers/sessions_controller_test.rb

@@ -5,6 +5,24 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     @user = users(:family_admin)
   end
 
+  teardown do
+    # Clear OmniAuth mock auth after each test
+    OmniAuth.config.mock_auth[:openid_connect] = nil
+  end
+
+  def setup_omniauth_mock(provider:, uid:, email:, name:, first_name: nil, last_name: nil)
+    OmniAuth.config.mock_auth[:openid_connect] = OmniAuth::AuthHash.new({
+      provider: provider,
+      uid: uid,
+      info: {
+        email: email,
+        name: name,
+        first_name: first_name,
+        last_name: last_name
+      }.compact
+    })
+  end
+
   test "login page" do
     get new_session_url
     assert_response :success
@@ -48,4 +66,107 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     assert_equal @user.id, session[:mfa_user_id]
     assert_not Session.exists?(user_id: @user.id)
   end
+
+  # OIDC Authentication Tests
+  test "authenticates with existing OIDC identity" do
+    oidc_identity = oidc_identities(:bob_google)
+
+    # Set up OmniAuth mock
+    setup_omniauth_mock(
+      provider: oidc_identity.provider,
+      uid: oidc_identity.uid,
+      email: @user.email,
+      name: "Bob Dylan",
+      first_name: "Bob",
+      last_name: "Dylan"
+    )
+
+    get "/auth/openid_connect/callback"
+
+    assert_redirected_to root_path
+    assert Session.exists?(user_id: @user.id)
+  end
+
+  test "redirects to MFA when user has MFA and uses OIDC" do
+    @user.setup_mfa!
+    @user.enable_mfa!
+    @user.sessions.destroy_all
+    oidc_identity = oidc_identities(:bob_google)
+
+    # Set up OmniAuth mock
+    setup_omniauth_mock(
+      provider: oidc_identity.provider,
+      uid: oidc_identity.uid,
+      email: @user.email,
+      name: "Bob Dylan"
+    )
+
+    get "/auth/openid_connect/callback"
+
+    assert_redirected_to verify_mfa_path
+    assert_equal @user.id, session[:mfa_user_id]
+    assert_not Session.exists?(user_id: @user.id)
+  end
+
+  test "redirects to account linking when no OIDC identity exists" do
+    # Use an existing user's email who doesn't have OIDC linked yet
+    user_without_oidc = users(:new_email)
+
+    # Set up OmniAuth mock
+    setup_omniauth_mock(
+      provider: "openid_connect",
+      uid: "new-uid-99999",
+      email: user_without_oidc.email,
+      name: "New User"
+    )
+
+    get "/auth/openid_connect/callback"
+
+    assert_redirected_to link_oidc_account_path
+
+    # Follow redirect to verify session data is accessible
+    follow_redirect!
+    assert_response :success
+
+    # Verify the session has the pending auth data by checking page content
+    assert_select "p", text: /To link your openid_connect account/
+  end
+
+  test "handles missing auth data gracefully" do
+    # Set up mock with invalid/incomplete auth to simulate failure
+    OmniAuth.config.mock_auth[:openid_connect] = OmniAuth::AuthHash.new({
+      provider: nil,
+      uid: nil
+    })
+
+    get "/auth/openid_connect/callback"
+
+    assert_redirected_to new_session_path
+    assert_equal "Could not authenticate via OpenID Connect.", flash[:alert]
+  end
+
+  test "prevents account takeover via email matching" do
+    # Clean up any existing sessions
+    @user.sessions.destroy_all
+
+    # This test verifies that we can't authenticate just by matching email
+    # The user must have an existing OIDC identity with matching provider + uid
+    # Set up OmniAuth mock
+    setup_omniauth_mock(
+      provider: "openid_connect",
+      uid: "attacker-uid-12345", # Different UID than user's OIDC identity
+      email: @user.email, # Same email as existing user
+      name: "Attacker"
+    )
+
+    get "/auth/openid_connect/callback"
+
+    # Should NOT create a session, should redirect to account linking
+    assert_redirected_to link_oidc_account_path
+    assert_not Session.exists?(user_id: @user.id), "Session should not be created for unlinked OIDC identity"
+
+    # Follow redirect to verify we're on the link page (not logged in)
+    follow_redirect!
+    assert_response :success
+  end
 end