QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-04-07 22:34:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
98ae6782dccab5f89dda569b7bd2d22cfc5893ee
sure/app/models/auth_config.rb
LPW b23711ae0d Add configurable multi-provider SSO, SSO-only mode, and JIT controls via auth.yml (#441) 
* Add configuration and logic for dynamic SSO provider support and stricter JIT account creation

- Introduced `config/auth.yml` for centralized auth configuration and documentation.
- Added support for multiple SSO providers, including Google, GitHub, and OpenID Connect.
- Implemented stricter JIT SSO account creation modes (`create_and_link` vs `link_only`).
- Enabled optional restriction of JIT creation by allowed email domains.
- Enhanced OmniAuth initializer for dynamic provider setup and better configurability.
- Refined login UI to handle local login disabling and emergency super-admin override.
- Updated account creation flow to respect JIT mode and domain checks.
- Added tests for SSO account creation, login form visibility, and emergency overrides.

# Conflicts:
#	app/controllers/sessions_controller.rb

* remove non-translation

* Refactor authentication views to use translation keys and update locale files

- Extracted hardcoded strings in `oidc_accounts/link.html.erb` and `sessions/new.html.erb` into translation keys for better localization support.
- Added missing translations for English and Spanish in `sessions` and `oidc_accounts` locale files.

* Enhance OmniAuth provider configuration and refine local login override logic

- Updated OmniAuth initializer to support dynamic provider configuration with `name` and scoped parameters for Google and GitHub.
- Improved local login logic to enforce stricter handling of super-admin override when local login is disabled.
- Added test for invalid super-admin override credentials.

* Document Google sign-in configuration for local development and self-hosted environments

---------

Co-authored-by: Josh Waldrep <joshua.waldrep5+github@gmail.com>
2025-12-24 00:15:53 +01:00

81 lines
2.8 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
class AuthConfig
class << self
def local_login_enabled?
# Default to true if not configured to preserve existing behavior.
value = Rails.configuration.x.auth.local_login_enabled
value.nil? ? true : !!value
end
def local_admin_override_enabled?
!!Rails.configuration.x.auth.local_admin_override_enabled
end
# When the local login form should be visible on the login page.
# - true when local login is enabled for everyone
# - true when admin override is enabled (super-admin only backend guard)
# - false only in pure SSO-only mode
def local_login_form_visible?
local_login_enabled? || local_admin_override_enabled?
end
# When password-related features (e.g., password reset link) should be
# visible. These are disabled whenever local login is turned off, even if
# an admin override is configured.
def password_features_enabled?
local_login_enabled?
end
# Backend check to determine if a given user is allowed to authenticate via
# local email/password credentials.
#
# - If local login is enabled, all users may authenticate locally (even if
# the email does not map to a user, preserving existing error semantics).
# - If local login is disabled but admin override is enabled, only
# super-admins may authenticate locally.
# - If both are disabled, local login is blocked for everyone.
def local_login_allowed_for?(user)
# When local login is globally enabled, everyone can attempt to log in
# and we fall back to invalid credentials for bad email/password combos.
return true if local_login_enabled?
# From here on, local login is disabled except for potential overrides.
return false unless user
return user.super_admin? if local_admin_override_enabled?
false
end
def jit_link_only?
Rails.configuration.x.auth.jit_mode.to_s == "link_only"
end
def allowed_oidc_domains
Rails.configuration.x.auth.allowed_oidc_domains || []
end
# Returns true if the given email is allowed for JIT SSO account creation
# under the configured domain restrictions.
#
# - If no domains are configured, all emails are allowed (current behavior).
# - If domains are configured and email is blank, we treat it as not
# allowed for creation to avoid silently creating accounts without a
# verifiable domain.
def allowed_oidc_domain?(email)
domains = allowed_oidc_domains
return true if domains.empty?
return false if email.blank?
domain = email.split("@").last.to_s.downcase
domains.map(&:downcase).include?(domain)
end
def sso_providers
Rails.configuration.x.auth.sso_providers || []
end
end
end
Reference in New Issue View Git Blame Copy Permalink