feat: add oidc #131

Author: bayang

build.gradle.kts

@@ -43,6 +43,7 @@ dependencies {
     implementation("org.springframework.boot:spring-boot-starter-web")
     implementation("org.springframework.boot:spring-boot-starter-webflux")
     implementation("org.springframework.boot:spring-boot-starter-security")
+    implementation("org.springframework.boot:spring-boot-starter-oauth2-client")
     implementation("org.springframework.data:spring-data-jdbc") // required since exposed 0.51.0
     implementation("org.springframework.session:spring-session-core")
     implementation("org.springframework.session:spring-session-jdbc")
@@ -73,6 +74,7 @@ dependencies {
     implementation("io.github.microutils:kotlin-logging-jvm:3.0.5")
     implementation("com.github.slugify:slugify:3.0.7")
     implementation("commons-io:commons-io:2.16.1")
+    implementation("org.apache.commons:commons-lang3:3.17.0")
     implementation("commons-validator:commons-validator:1.7")
     implementation("org.jsoup:jsoup:1.18.1")
     implementation("net.coobird:thumbnailator:0.4.20")

src/jelu-ui/src/components/Login.vue

@@ -5,6 +5,9 @@ import { key } from '../store'
 import { StringUtils } from '../utils/StringUtils'
 import { useI18n } from 'vue-i18n'
 import { useTitle } from '@vueuse/core'
+import dataService from "../services/DataService";
+import { OAuth2ClientDto } from '../model/oauth-client-dto'
+import urls from '../urls'
 
 const { t } = useI18n({
       inheritLocale: true,
@@ -17,6 +20,13 @@ const loginValidation = ref('')
 const passwordValidation = ref('')
 const errorMessage = ref('')
 const progress: Ref<boolean> = ref(false)
+const providers: Ref<Array<OAuth2ClientDto>> = ref([])
+
+const getOauthproviders = () => {
+  dataService.oauth2Providers().then(res => {
+    providers.value = res
+  })
+}
 
 useTitle('Jelu | Login')
 
@@ -106,18 +116,42 @@ const createInitialUser = async () => {
     }
   }
 }
-onMounted(() => {
-            console.log(`form data ${form}`)
-        })
 
-const submit = () => {
-  if (displayInitialSetup.value) {
-    createInitialUser()
-  }
-  else {
-    logUser()
-  }
+const oauth2Login = (provider: OAuth2ClientDto) => {
+const url = `${urls.BASE_URL}/oauth2/authorization/${provider.registrationId}`
+      const height = 600
+      const width = 600
+      const y = window.top!.outerHeight / 2 + window.top!.screenY - (height / 2)
+      const x = window.top!.outerWidth / 2 + window.top!.screenX - (width / 2)
+      window.open(url, 'oauth2Login',
+        `toolbar=no,
+        location=off,
+        status=no,
+        menubar=no,
+        scrollbars=yes,
+        resizable=yes,
+        top=${y},
+        left=${x},
+        width=${height},
+        height=${width}`,
+      )
 }
+
+// onMounted(() => {
+  // console.log(`form data ${form}`)
+  // })
+  
+  const submit = () => {
+    if (displayInitialSetup.value) {
+      createInitialUser()
+    }
+    else {
+      logUser()
+    }
+  }
+
+
+  getOauthproviders()
 </script>
 
 <template>
@@ -218,6 +252,20 @@ const submit = () => {
           {{ errorMessage }}
         </p>
       </div>
+      <div class="mt-3">
+        <button
+          v-for="provider in providers"
+          :key="provider.name"
+          class="btn btn-info mx-2 capitalize"
+          :disabled="displayInitialSetup"
+          @click="oauth2Login(provider)"
+        >
+          <span class="icon">
+            <i :class="'mdi mdi-18px mdi-' + provider.registrationId" />
+          </span>
+          {{ t("labels.social_login", {provider: provider.registrationId}) }}
+        </button>
+      </div>
       <progress
         v-if="progress"
         class="animate-pulse progress progress-success mt-5"

src/jelu-ui/src/locales/en.json

@@ -116,7 +116,8 @@
       "apply" : "apply",
       "loading": "loading",
       "pick_camera": "pick camera",
-      "add_narrator": "Add a narrator"
+      "add_narrator": "Add a narrator",
+      "social_login": "sign in with {provider}"
     },
     "settings" : {
         "pick_language" : "Pick your language",

src/jelu-ui/src/model/oauth-client-dto.ts

@@ -0,0 +1,4 @@
+export interface OAuth2ClientDto {
+  name: string,
+  registrationId: string,
+}

src/jelu-ui/src/router.ts

@@ -1,6 +1,7 @@
 import { createRouter, createWebHistory } from 'vue-router'
 import store from './store'
 import AdminBaseVue from './components/AdminBase.vue'
+import urls from './urls'
 
 const isLogged = () => {
     if (!store.getters.getLogged) {
@@ -141,6 +142,21 @@ router.beforeEach((to, from, next) => {
     console.log(`from : ${from.name?.toString()}`)
     console.log(from)
     console.log(store.getters.getLogged)
+    
+    if (window.opener !== null &&
+    window.name === 'oauth2Login' &&
+    to.query.server_redirect === 'Y'
+  ) {
+    if (!to.query.error) {
+      // authentication succeeded, we redirect the parent window so that it can login via cookie
+      window.opener.location.href = urls.BASE_URL
+    } else {
+      // authentication failed, we cascade the error message to the parent
+      window.opener.location.href = window.location
+    }
+    // we can close the popup
+    window.close()
+  }
     if (from.name == undefined 
         && from.matched.length < 1) {
         console.log('undefined wanting to go to ' + to.name?.toString())

src/jelu-ui/src/services/DataService.ts

@@ -25,6 +25,8 @@ import { MetadataRequest } from "../model/MetadataRequest";
 import { Series, SeriesUpdate } from "../model/Series";
 import { DirectoryListing } from "../model/DirectoryListing";
 import { BookQuote, CreateBookQuoteDto, UpdateBookQuoteDto } from "../model/BookQuote";
+import urls from "../urls";
+import { OAuth2ClientDto } from "../model/oauth-client-dto";
 
 class DataService {
 
@@ -80,25 +82,9 @@ class DataService {
 
   private API_BOOK_QUOTES = '/book-quotes';
 
-  private MODE: string;
-
-  private BASE_URL: string;
-
   constructor() {
-    if (import.meta.env.DEV) {
-      this.MODE = "dev"
-      this.BASE_URL = import.meta.env.VITE_API_URL as string
-    }
-    else {
-      this.MODE = "prod"
-      this.BASE_URL = window.location.origin
-      this.BASE_URL.endsWith("/") ? this.BASE_URL = this.BASE_URL + "api/v1"
-        : this.BASE_URL = this.BASE_URL + "/api/v1"
-    }
-    console.log(`running in ${this.MODE} mode at ${this.BASE_URL}`)
-
     this.apiClient = axios.create({
-      baseURL: this.BASE_URL,
+      baseURL: urls.API_URL,
       headers: {
         "Content-type": "application/json",
         'X-Requested-With': 'XMLHttpRequest'
@@ -1858,6 +1844,23 @@ class DataService {
     }
   }
 
+  oauth2Providers = async () => {
+    try {
+      const response = await this.apiClient.get<Array<OAuth2ClientDto>>("/oauth2/providers");
+      console.log("called oauth providers")
+      console.log(response)
+      return response.data;
+    }
+    catch (error) {
+      if (axios.isAxiosError(error) && error.response) {
+        console.log("error axios " + error.response.status + " " + error.response.data.error)
+      }
+      console.log("error oauth providers " + (error as AxiosError).code)
+      throw new Error("error oauth providers " + error)
+    }
+  }
+  
+
 }
 
 export default new DataService()

src/jelu-ui/src/urls.ts

@@ -0,0 +1,24 @@
+class Urls {
+
+    public MODE: string;
+
+    public BASE_URL: string;
+
+    public API_URL: string
+
+    constructor() {
+        if (import.meta.env.DEV) {
+            this.MODE = "dev"
+            this.BASE_URL = import.meta.env.VITE_API_URL as string
+            this.API_URL = this.BASE_URL
+        }
+        else {
+            this.MODE = "prod"
+            this.BASE_URL = window.location.origin.endsWith("/") ? window.location.origin.slice(0, -1) : window.location.origin
+            this.API_URL = this.BASE_URL + "/api/v1"
+        }
+        console.log(`running in ${this.MODE} mode at ${this.BASE_URL} and ${this.API_URL}`)
+    }
+
+}
+export default new Urls()

src/main/kotlin/io/github/bayang/jelu/config/JeluProperties.kt

@@ -59,6 +59,8 @@ data class JeluProperties(
     data class Auth(
         var ldap: Ldap,
         var proxy: Proxy,
+        var oauth2AccountCreation: Boolean = false,
+        var oidcEmailVerification: Boolean = true,
     )
 
     data class Ldap(

src/main/kotlin/io/github/bayang/jelu/config/SecurityConfig.kt

@@ -11,7 +11,15 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.http.SessionCreationPolicy
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.crypto.password.PasswordEncoder
+import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest
+import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserService
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException
+import org.springframework.security.oauth2.core.oidc.user.OidcUser
+import org.springframework.security.oauth2.core.user.OAuth2User
 import org.springframework.security.web.SecurityFilterChain
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource
 
@@ -24,8 +32,13 @@ class SecurityConfig(
     private val passwordEncoder: PasswordEncoder,
     private val authHeaderFilter: AuthHeaderFilter?,
     private val userAgentWebAuthenticationDetailsSource: WebAuthenticationDetailsSource,
+    private val oauth2UserService: OAuth2UserService<OAuth2UserRequest, OAuth2User>,
+    private val oidcUserService: OAuth2UserService<OidcUserRequest, OidcUser>,
+    clientRegistrationRepository: InMemoryClientRegistrationRepository?,
 ) {
 
+    private val oauth2Enabled = clientRegistrationRepository != null
+
     @Bean
     @Throws(Exception::class)
     fun securityFilterChain(http: HttpSecurity): SecurityFilterChain? {
@@ -40,6 +53,8 @@ class SecurityConfig(
                 // only apply security to those endpoints
                 it.requestMatchers(
                     "/api/**",
+                    "/oauth2/authorization/**",
+                    "/login/oauth2/code/**",
                 )
             }
             .authorizeHttpRequests {
@@ -48,6 +63,7 @@ class SecurityConfig(
                     "/api/v1/setup/status",
                     "/api/v1/server-settings",
                     "/api/v1/reviews/**",
+                    "/api/v1/oauth2/providers",
                 ).permitAll()
                 it.requestMatchers(HttpMethod.GET, "/api/v1/reviews/**").permitAll()
                 it.requestMatchers(HttpMethod.GET, "/api/v1/books/**").permitAll()
@@ -87,6 +103,29 @@ class SecurityConfig(
         if (properties.auth.proxy.enabled) {
             http.addFilterBefore(authHeaderFilter, UsernamePasswordAuthenticationFilter::class.java)
         }
+        if (oauth2Enabled) {
+            http.oauth2Login { oauth2 ->
+                oauth2.userInfoEndpoint {
+                    it.userService(oauth2UserService)
+                    it.oidcUserService(oidcUserService)
+                }
+                oauth2.authenticationDetailsSource(userAgentWebAuthenticationDetailsSource)
+                oauth2
+                    .loginPage("/login")
+                    .defaultSuccessUrl("/?server_redirect=Y", true)
+                    .failureHandler { request, response, exception ->
+                        val errorMessage =
+                            when (exception) {
+                                is OAuth2AuthenticationException -> exception.error.errorCode
+                                else -> exception.message
+                            }
+                        val url = "/login?server_redirect=Y&error=$errorMessage"
+                        SimpleUrlAuthenticationFailureHandler(url).onAuthenticationFailure(request, response, exception)
+                    }
+                oauth2.redirectionEndpoint {
+                }
+            }
+        }
         return http.build()
     }
 }

src/main/kotlin/io/github/bayang/jelu/config/SessionConfig.kt

@@ -17,7 +17,8 @@ import org.springframework.session.config.SessionRepositoryCustomizer
 import org.springframework.session.jdbc.JdbcIndexedSessionRepository
 import org.springframework.session.jdbc.config.annotation.web.http.EnableJdbcHttpSession
 import org.springframework.session.security.SpringSessionBackedSessionRegistry
-import org.springframework.session.web.http.HeaderHttpSessionIdResolver
+import org.springframework.session.web.http.CookieSerializer
+import org.springframework.session.web.http.DefaultCookieSerializer
 import org.springframework.session.web.http.HttpSessionIdResolver
 import java.io.IOException
 import java.io.InputStream
@@ -36,9 +37,22 @@ class SessionConfig : BeanClassLoaderAware {
         "DELETE FROM %TABLE_NAME% WHERE PRIMARY_ID IN (SELECT SESSION_PRIMARY_ID FROM %TABLE_NAME%_ATTRIBUTES WHERE ATTRIBUTE_NAME = 'org.springframework.session.security.SpringSessionBackedSessionInformation.EXPIRED' AND ATTRIBUTE_BYTES = 'true') OR EXPIRY_TIME < ?\n"
 
     @Bean
-    fun httpSessionIdResolver(): HttpSessionIdResolver {
-        return HeaderHttpSessionIdResolver.xAuthToken()
-    }
+    fun sessionCookieName() = "SESSION"
+
+    @Bean
+    fun sessionHeaderName() = "X-Auth-Token"
+
+    @Bean
+    fun httpSessionIdResolver(
+        sessionHeaderName: String,
+        cookieSerializer: CookieSerializer,
+    ): HttpSessionIdResolver = SmartHttpSessionIdResolver(sessionHeaderName, cookieSerializer)
+
+    @Bean
+    fun cookieSerializer(sessionCookieName: String): CookieSerializer =
+        DefaultCookieSerializer().apply {
+            setCookieName(sessionCookieName)
+        }
 
     @Bean
     fun sessionRegistry(sessionRepository: FindByIndexNameSessionRepository<*>): SessionRegistry =