Add OpenID Connect login support (#77)

* Add OpenID Connect login support
* Add docs for OIDC config with Google Auth
* Use Google styles for log in
- Add support for linking existing account
- Force users to sign-in with passoword first, when linking existing accounts
- Add support to create new user when using OIDC
- Add identities to user to prevent account take-ver
- Make tests mocking instead of being integration tests
- Manage session handling correctly
- use OmniAuth.config.mock_auth instead of passing auth data via request env
* Conditionally render Oauth button

- Set a config item `configuration.x.auth.oidc_enabled`
- Hide button if disabled

---------

Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Signed-off-by: soky srm <sokysrm@gmail.com>
Co-authored-by: sokie <sokysrm@gmail.com>

test/controllers/sessions_controller_test.rb

@@ -5,6 +5,24 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     @user = users(:family_admin)
   end
 
+  teardown do
+    # Clear OmniAuth mock auth after each test
+    OmniAuth.config.mock_auth[:openid_connect] = nil
+  end
+
+  def setup_omniauth_mock(provider:, uid:, email:, name:, first_name: nil, last_name: nil)
+    OmniAuth.config.mock_auth[:openid_connect] = OmniAuth::AuthHash.new({
+      provider: provider,
+      uid: uid,
+      info: {
+        email: email,
+        name: name,
+        first_name: first_name,
+        last_name: last_name
+      }.compact
+    })
+  end
+
   test "login page" do
     get new_session_url
     assert_response :success
@@ -48,4 +66,107 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     assert_equal @user.id, session[:mfa_user_id]
     assert_not Session.exists?(user_id: @user.id)
   end
+
+  # OIDC Authentication Tests
+  test "authenticates with existing OIDC identity" do
+    oidc_identity = oidc_identities(:bob_google)
+
+    # Set up OmniAuth mock
+    setup_omniauth_mock(
+      provider: oidc_identity.provider,
+      uid: oidc_identity.uid,
+      email: @user.email,
+      name: "Bob Dylan",
+      first_name: "Bob",
+      last_name: "Dylan"
+    )
+
+    get "/auth/openid_connect/callback"
+
+    assert_redirected_to root_path
+    assert Session.exists?(user_id: @user.id)
+  end
+
+  test "redirects to MFA when user has MFA and uses OIDC" do
+    @user.setup_mfa!
+    @user.enable_mfa!
+    @user.sessions.destroy_all
+    oidc_identity = oidc_identities(:bob_google)
+
+    # Set up OmniAuth mock
+    setup_omniauth_mock(
+      provider: oidc_identity.provider,
+      uid: oidc_identity.uid,
+      email: @user.email,
+      name: "Bob Dylan"
+    )
+
+    get "/auth/openid_connect/callback"
+
+    assert_redirected_to verify_mfa_path
+    assert_equal @user.id, session[:mfa_user_id]
+    assert_not Session.exists?(user_id: @user.id)
+  end
+
+  test "redirects to account linking when no OIDC identity exists" do
+    # Use an existing user's email who doesn't have OIDC linked yet
+    user_without_oidc = users(:new_email)
+
+    # Set up OmniAuth mock
+    setup_omniauth_mock(
+      provider: "openid_connect",
+      uid: "new-uid-99999",
+      email: user_without_oidc.email,
+      name: "New User"
+    )
+
+    get "/auth/openid_connect/callback"
+
+    assert_redirected_to link_oidc_account_path
+
+    # Follow redirect to verify session data is accessible
+    follow_redirect!
+    assert_response :success
+
+    # Verify the session has the pending auth data by checking page content
+    assert_select "p", text: /To link your openid_connect account/
+  end
+
+  test "handles missing auth data gracefully" do
+    # Set up mock with invalid/incomplete auth to simulate failure
+    OmniAuth.config.mock_auth[:openid_connect] = OmniAuth::AuthHash.new({
+      provider: nil,
+      uid: nil
+    })
+
+    get "/auth/openid_connect/callback"
+
+    assert_redirected_to new_session_path
+    assert_equal "Could not authenticate via OpenID Connect.", flash[:alert]
+  end
+
+  test "prevents account takeover via email matching" do
+    # Clean up any existing sessions
+    @user.sessions.destroy_all
+
+    # This test verifies that we can't authenticate just by matching email
+    # The user must have an existing OIDC identity with matching provider + uid
+    # Set up OmniAuth mock
+    setup_omniauth_mock(
+      provider: "openid_connect",
+      uid: "attacker-uid-12345", # Different UID than user's OIDC identity
+      email: @user.email, # Same email as existing user
+      name: "Attacker"
+    )
+
+    get "/auth/openid_connect/callback"
+
+    # Should NOT create a session, should redirect to account linking
+    assert_redirected_to link_oidc_account_path
+    assert_not Session.exists?(user_id: @user.id), "Session should not be created for unlinked OIDC identity"
+
+    # Follow redirect to verify we're on the link page (not logged in)
+    follow_redirect!
+    assert_response :success
+  end
 end