mirror of
https://github.com/we-promise/sure.git
synced 2026-04-07 22:34:47 +00:00
b23711ae0d
* Add configuration and logic for dynamic SSO provider support and stricter JIT account creation - Introduced `config/auth.yml` for centralized auth configuration and documentation. - Added support for multiple SSO providers, including Google, GitHub, and OpenID Connect. - Implemented stricter JIT SSO account creation modes (`create_and_link` vs `link_only`). - Enabled optional restriction of JIT creation by allowed email domains. - Enhanced OmniAuth initializer for dynamic provider setup and better configurability. - Refined login UI to handle local login disabling and emergency super-admin override. - Updated account creation flow to respect JIT mode and domain checks. - Added tests for SSO account creation, login form visibility, and emergency overrides. # Conflicts: # app/controllers/sessions_controller.rb * remove non-translation * Refactor authentication views to use translation keys and update locale files - Extracted hardcoded strings in `oidc_accounts/link.html.erb` and `sessions/new.html.erb` into translation keys for better localization support. - Added missing translations for English and Spanish in `sessions` and `oidc_accounts` locale files. * Enhance OmniAuth provider configuration and refine local login override logic - Updated OmniAuth initializer to support dynamic provider configuration with `name` and scoped parameters for Google and GitHub. - Improved local login logic to enforce stricter handling of super-admin override when local login is disabled. - Added test for invalid super-admin override credentials. * Document Google sign-in configuration for local development and self-hosted environments --------- Co-authored-by: Josh Waldrep <joshua.waldrep5+github@gmail.com>
137 lines
4.1 KiB
Ruby
137 lines
4.1 KiB
Ruby
class OidcAccountsController < ApplicationController
|
|
skip_authentication only: [ :link, :create_link, :new_user, :create_user ]
|
|
layout "auth"
|
|
|
|
def link
|
|
# Check if there's pending OIDC auth in session
|
|
@pending_auth = session[:pending_oidc_auth]
|
|
|
|
if @pending_auth.nil?
|
|
redirect_to new_session_path, alert: "No pending OIDC authentication found"
|
|
return
|
|
end
|
|
|
|
@email = @pending_auth["email"]
|
|
@user_exists = User.exists?(email: @email) if @email.present?
|
|
|
|
# Determine whether we should offer JIT account creation for this
|
|
# pending auth, based on JIT mode and allowed domains.
|
|
@allow_account_creation = !AuthConfig.jit_link_only? && AuthConfig.allowed_oidc_domain?(@email)
|
|
end
|
|
|
|
def create_link
|
|
@pending_auth = session[:pending_oidc_auth]
|
|
|
|
if @pending_auth.nil?
|
|
redirect_to new_session_path, alert: "No pending OIDC authentication found"
|
|
return
|
|
end
|
|
|
|
# Verify user's password to confirm identity
|
|
user = User.authenticate_by(email: params[:email], password: params[:password])
|
|
|
|
if user
|
|
# Create the OIDC identity link
|
|
oidc_identity = OidcIdentity.create_from_omniauth(
|
|
build_auth_hash(@pending_auth),
|
|
user
|
|
)
|
|
|
|
# Clear pending auth from session
|
|
session.delete(:pending_oidc_auth)
|
|
|
|
# Check if user has MFA enabled
|
|
if user.otp_required?
|
|
session[:mfa_user_id] = user.id
|
|
redirect_to verify_mfa_path
|
|
else
|
|
@session = create_session_for(user)
|
|
redirect_to root_path, notice: "Account successfully linked to #{@pending_auth['provider']}"
|
|
end
|
|
else
|
|
@email = params[:email]
|
|
@user_exists = User.exists?(email: @email) if @email.present?
|
|
flash.now[:alert] = "Invalid email or password"
|
|
render :link, status: :unprocessable_entity
|
|
end
|
|
end
|
|
|
|
def new_user
|
|
# Check if there's pending OIDC auth in session
|
|
@pending_auth = session[:pending_oidc_auth]
|
|
|
|
if @pending_auth.nil?
|
|
redirect_to new_session_path, alert: "No pending OIDC authentication found"
|
|
return
|
|
end
|
|
|
|
# Pre-fill user details from OIDC provider
|
|
@user = User.new(
|
|
email: @pending_auth["email"],
|
|
first_name: @pending_auth["first_name"],
|
|
last_name: @pending_auth["last_name"]
|
|
)
|
|
end
|
|
|
|
def create_user
|
|
@pending_auth = session[:pending_oidc_auth]
|
|
|
|
if @pending_auth.nil?
|
|
redirect_to new_session_path, alert: "No pending OIDC authentication found"
|
|
return
|
|
end
|
|
|
|
email = @pending_auth["email"]
|
|
|
|
# Respect global JIT configuration: in link_only mode or when the email
|
|
# domain is not allowed, block JIT account creation and send the user
|
|
# back to the login page with a clear message.
|
|
unless !AuthConfig.jit_link_only? && AuthConfig.allowed_oidc_domain?(email)
|
|
redirect_to new_session_path, alert: "SSO account creation is disabled. Please contact an administrator."
|
|
return
|
|
end
|
|
|
|
# Create user with a secure random password since they're using SSO
|
|
secure_password = SecureRandom.base58(32)
|
|
@user = User.new(
|
|
email: email,
|
|
first_name: @pending_auth["first_name"],
|
|
last_name: @pending_auth["last_name"],
|
|
password: secure_password,
|
|
password_confirmation: secure_password
|
|
)
|
|
|
|
# Create new family for this user
|
|
@user.family = Family.new
|
|
@user.role = :admin
|
|
|
|
if @user.save
|
|
# Create the OIDC (or other SSO) identity
|
|
OidcIdentity.create_from_omniauth(
|
|
build_auth_hash(@pending_auth),
|
|
@user
|
|
)
|
|
|
|
# Clear pending auth from session
|
|
session.delete(:pending_oidc_auth)
|
|
|
|
# Create session and log them in
|
|
@session = create_session_for(@user)
|
|
redirect_to root_path, notice: "Welcome! Your account has been created."
|
|
else
|
|
render :new_user, status: :unprocessable_entity
|
|
end
|
|
end
|
|
|
|
private
|
|
|
|
# Convert pending auth hash to OmniAuth-like structure
|
|
def build_auth_hash(pending_auth)
|
|
OpenStruct.new(
|
|
provider: pending_auth["provider"],
|
|
uid: pending_auth["uid"],
|
|
info: OpenStruct.new(pending_auth.slice("email", "name", "first_name", "last_name"))
|
|
)
|
|
end
|
|
end
|