Introduce support for 3rd-party auth (OAuth2 & LDAP)

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
3 years ago · 9a080c1f10
parent 59a538feba
commit 9a080c1f10
48 changed files with 1379 additions and 239 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -118,6 +118,30 @@ config :guardian, Guardian.DB,

 config :elixir, :time_zone_database, Tzdata.TimeZoneDatabase

+config :mobilizon,
+       Mobilizon.Service.Auth.Authenticator,
+       Mobilizon.Service.Auth.MobilizonAuthenticator
+
+config :ueberauth,
+       Ueberauth,
+       providers: []
+
+config :mobilizon, :auth, oauth_consumer_strategies: []
+
+config :mobilizon, :ldap,
+  enabled: System.get_env("LDAP_ENABLED") == "true",
+  host: System.get_env("LDAP_HOST") || "localhost",
+  port: String.to_integer(System.get_env("LDAP_PORT") || "389"),
+  ssl: System.get_env("LDAP_SSL") == "true",
+  sslopts: [],
+  tls: System.get_env("LDAP_TLS") == "true",
+  tlsopts: [],
+  base: System.get_env("LDAP_BASE") || "dc=example,dc=com",
+  uid: System.get_env("LDAP_UID") || "cn",
+  require_bind_for_search: !(System.get_env("LDAP_REQUIRE_BIND_FOR_SEARCH") == "false"),
+  bind_uid: System.get_env("LDAP_BIND_UID"),
+  bind_password: System.get_env("LDAP_BIND_PASSWORD")
+
 config :geolix,
  databases: [
    %{
--- a/js/src/components/User/AuthProvider.vue
+++ b/js/src/components/User/AuthProvider.vue
@ -0,0 +1,26 @@
+<template>
+  <a
+    class="button is-light"
+    v-if="Object.keys(SELECTED_PROVIDERS).includes(oauthProvider.id)"
+    :href="`/auth/${oauthProvider.id}`"
+  >
+    <b-icon :icon="oauthProvider.id" />
+    <span>{{ SELECTED_PROVIDERS[oauthProvider.id] }}</span></a
+  >
+  <a class="button is-light" :href="`/auth/${oauthProvider.id}`" v-else>
+    <b-icon icon="lock" />
+    <span>{{ oauthProvider.label }}</span>
+  </a>
+</template>
+<script lang="ts">
+import { Component, Vue, Prop } from "vue-property-decorator";
+import { IOAuthProvider } from "../../types/config.model";
+import { SELECTED_PROVIDERS } from "../../utils/auth";
+
+@Component
+export default class AuthProvider extends Vue {
+  @Prop({ required: true, type: Object }) oauthProvider!: IOAuthProvider;
+
+  SELECTED_PROVIDERS = SELECTED_PROVIDERS;
+}
+</script>
--- a/js/src/components/User/AuthProviders.vue
+++ b/js/src/components/User/AuthProviders.vue
@ -0,0 +1,26 @@
+<template>
+  <div>
+    <b>{{ $t("Sign in with") }}</b>
+    <div class="buttons">
+      <auth-provider
+        v-for="provider in oauthProviders"
+        :oauthProvider="provider"
+        :key="provider.id"
+      />
+    </div>
+  </div>
+</template>
+<script lang="ts">
+import { Component, Vue, Prop } from "vue-property-decorator";
+import { IOAuthProvider } from "../../types/config.model";
+import AuthProvider from "./AuthProvider.vue";
+
+@Component({
+  components: {
+    AuthProvider,
+  },
+})
+export default class AuthProviders extends Vue {
+  @Prop({ required: true, type: Array }) oauthProviders!: IOAuthProvider[];
+}
+</script>
--- a/js/src/graphql/config.ts
+++ b/js/src/graphql/config.ts
@ -62,6 +62,13 @@ export const CONFIG = gql`
      features {
        groups
      }
+      auth {
+        ldap
+        oauthProviders {
+          id
+          label
+        }
+      }
    }
  }
 `;
--- a/js/src/graphql/user.ts
+++ b/js/src/graphql/user.ts
@ -35,6 +35,15 @@ export const LOGGED_USER = gql`
    loggedUser {
      id
      email
+      defaultActor {
+        id
+        preferredUsername
+        name
+        avatar {
+          url
+        }
+      }
+      provider
    }
  }
 `;
@ -64,7 +73,7 @@ export const VALIDATE_EMAIL = gql`
 `;

 export const DELETE_ACCOUNT = gql`
-  mutation DeleteAccount($password: String, $userId: ID!) {
+  mutation DeleteAccount($password: String, $userId: ID) {
    deleteAccount(password: $password, userId: $userId) {
      id
    }
--- a/js/src/i18n/en_US.json
+++ b/js/src/i18n/en_US.json
@ -703,5 +703,10 @@
  "New discussion": "New discussion",
  "Create a discussion": "Create a discussion",
  "Create the discussion": "Create the discussion",
-  "View all discussions": "View all discussions"
+  "View all discussions": "View all discussions",
+  "Sign in with": "Sign in with",
+  "Your email address was automatically set based on your {provider} account.": "Your email address was automatically set based on your {provider} account.",
+  "You can't change your password because you are registered through {provider}.": "You can't change your password because you are registered through {provider}.",
+  "Error while login with {provider}. Retry or login another way.": "Error while login with {provider}. Retry or login another way.",
+  "Error while login with {provider}. This login provider doesn't exist.": "Error while login with {provider}. This login provider doesn't exist."
 }
--- a/js/src/i18n/fr_FR.json
+++ b/js/src/i18n/fr_FR.json
@ -703,5 +703,10 @@
  "{number} participations": "Aucune participation|Une participation|{number} participations",
  "{profile} (by default)": "{profile} (par défault)",
  "{title} ({count} todos)": "{title} ({count} todos)",
-  "© The OpenStreetMap Contributors": "© Les Contributeur⋅ices OpenStreetMap"
+  "© The OpenStreetMap Contributors": "© Les Contributeur⋅ices OpenStreetMap",
+  "Sign in with": "Se connecter avec",
+  "Your email address was automatically set based on your {provider} account.": "Votre adresse email a été définie automatiquement en se basant sur votre compte {provider}.",
+  "You can't change your password because you are registered through {provider}.": "Vous ne pouvez pas changer votre mot de passe car vous vous êtes enregistré via {provider}.",
+  "Error while login with {provider}. Retry or login another way.": "Erreur lors de la connexion avec {provider}. Réessayez ou bien connectez vous autrement.",
+  "Error while login with {provider}. This login provider doesn't exist.": "Erreur lors de la connexion avec {provider}. Cette méthode de connexion n'existe pas."
 }
--- a/js/src/router/index.ts
+++ b/js/src/router/index.ts
@ -112,6 +112,11 @@ const router = new Router({
      component: () => import(/* webpackChunkName: "cookies" */ "@/views/Interact.vue"),
      meta: { requiredAuth: false },
    },
+    {
+      path: "/auth/:provider/callback",
+      name: "auth-callback",
+      component: () => import("@/views/User/ProviderValidation.vue"),
+    },
    {
      path: "/404",
      name: RouteName.PAGE_NOT_FOUND,
--- a/js/src/types/config.model.ts
+++ b/js/src/types/config.model.ts
@ -74,4 +74,13 @@ export interface IConfig {
  };
  federating: boolean;
  version: string;
+  auth: {
+    ldap: boolean;
+    oauthProviders: IOAuthProvider[];
+  };
+}
+
+export interface IOAuthProvider {
+  id: string;
+  label: string;
 }
--- a/js/src/types/current-user.model.ts
+++ b/js/src/types/current-user.model.ts
@ -9,15 +9,11 @@ export enum ICurrentUserRole {
 }

 export interface ICurrentUser {
-  id: number;
+  id: string;
  email: string;
  isLoggedIn: boolean;
  role: ICurrentUserRole;
-  participations: Paginate<IParticipant>;
-  defaultActor: IPerson;
-  drafts: IEvent[];
-  settings: IUserSettings;
-  locale: string;
+  defaultActor?: IPerson;
 }

 export interface IUser extends ICurrentUser {
@ -25,6 +21,22 @@ export interface IUser extends ICurrentUser {
  confirmationSendAt: Date;
  actors: IPerson[];
  disabled: boolean;
+  participations: Paginate<IParticipant>;
+  drafts: IEvent[];
+  settings: IUserSettings;
+  locale: string;
+  provider?: string;
+}
+
+export enum IAuthProvider {
+  LDAP = "ldap",
+  GOOGLE = "google",
+  DISCORD = "discord",
+  GITHUB = "github",
+  KEYCLOAK = "keycloak",
+  FACEBOOK = "facebook",
+  GITLAB = "gitlab",
+  TWITTER = "twitter",
 }

 export enum INotificationPendingParticipationEnum {
--- a/js/src/types/login-error-code.model.ts
+++ b/js/src/types/login-error-code.model.ts
@ -6,4 +6,6 @@ export enum LoginError {
  USER_NOT_CONFIRMED = "User account not confirmed",
  USER_DOES_NOT_EXIST = "No user with this email was found",
  USER_EMAIL_PASSWORD_INVALID = "Impossible to authenticate, either your email or password are invalid.",
+  LOGIN_PROVIDER_ERROR = "Error with Login Provider",
+  LOGIN_PROVIDER_NOT_FOUND = "Login Provider not found",
 }
--- a/js/src/utils/auth.ts
+++ b/js/src/utils/auth.ts
@ -94,3 +94,14 @@ export async function logout(apollo: ApolloClient<NormalizedCacheObject>) {

  deleteUserData();
 }
+
+export const SELECTED_PROVIDERS: { [key: string]: string } = {
+  twitter: "Twitter",
+  discord: "Discord",
+  facebook: "Facebook",
+  github: "Github",
+  gitlab: "Gitlab",
+  google: "Google",
+  keycloak: "Keycloak",
+  ldap: "LDAP",
+};
--- a/js/src/views/Settings/AccountSettings.vue
+++ b/js/src/views/Settings/AccountSettings.vue
@ -1,5 +1,5 @@
 <template>
-  <div>
+  <div v-if="loggedUser">
    <nav class="breadcrumb" aria-label="breadcrumbs">
      <ul>
        <li>
@ -24,6 +24,13 @@
      >
        <b slot="email">{{ loggedUser.email }}</b>
      </i18n>
+      <b-message v-if="!canChangeEmail" type="is-warning" :closable="false">
+        {{
+          $t("Your email address was automatically set based on your {provider} account.", {
+            provider: providerName(loggedUser.provider),
+          })
+        }}
+      </b-message>
      <b-notification
        type="is-danger"
        has-icon
@ -33,7 +40,7 @@
        v-for="error in changeEmailErrors"
        >{{ error }}</b-notification
      >
-      <form @submit.prevent="resetEmailAction" ref="emailForm" class="form">
+      <form @submit.prevent="resetEmailAction" ref="emailForm" class="form" v-if="canChangeEmail">
        <b-field :label="$t('New email')">
          <b-input aria-required="true" required type="email" v-model="newEmail" />
        </b-field>
@ -58,6 +65,13 @@
      <div class="setting-title">
        <h2>{{ $t("Password") }}</h2>
      </div>
+      <b-message v-if="!canChangePassword" type="is-warning" :closable="false">
+        {{
+          $t("You can't change your password because you are registered through {provider}.", {
+            provider: providerName(loggedUser.provider),
+          })
+        }}
+      </b-message>
      <b-notification
        type="is-danger"
        has-icon
@ -67,7 +81,12 @@
        v-for="error in changePasswordErrors"
        >{{ error }}</b-notification
      >
-      <form @submit.prevent="resetPasswordAction" ref="passwordForm" class="form">
+      <form
+        @submit.prevent="resetPasswordAction"
+        ref="passwordForm"
+        class="form"
+        v-if="canChangePassword"
+      >
        <b-field :label="$t('Old password')">
          <b-input
            aria-required="true"
@ -124,11 +143,11 @@
                    <br />
                    <b>{{ $t("There will be no way to recover your data.") }}</b>
                  </p>
-                  <p class="content">
+                  <p class="content" v-if="hasUserGotAPassword">
                    {{ $t("Please enter your password to confirm this action.") }}
                  </p>
                  <form @submit.prevent="deleteAccount">
-                    <b-field>
+                    <b-field v-if="hasUserGotAPassword">
                      <b-input
                        type="password"
                        v-model="passwordForAccountDeletion"
@ -160,8 +179,8 @@
 import { Component, Vue, Ref } from "vue-property-decorator";
 import { CHANGE_EMAIL, CHANGE_PASSWORD, DELETE_ACCOUNT, LOGGED_USER } from "../../graphql/user";
 import RouteName from "../../router/name";
-import { ICurrentUser } from "../../types/current-user.model";
-import { logout } from "../../utils/auth";
+import { IUser, IAuthProvider } from "../../types/current-user.model";
+import { logout, SELECTED_PROVIDERS } from "../../utils/auth";

@Component({
  apollo: {
@ -171,7 +190,7 @@ import { logout } from "../../utils/auth";
 export default class AccountSettings extends Vue {
  @Ref("passwordForm") readonly passwordForm!: HTMLElement;

-  loggedUser!: ICurrentUser;
+  loggedUser!: IUser;

  passwordForEmailChange = "";

@ -243,7 +262,7 @@ export default class AccountSettings extends Vue {
      await this.$apollo.mutate({
        mutation: DELETE_ACCOUNT,
        variables: {
-          password: this.passwordForAccountDeletion,
+          password: this.hasUserGotAPassword ? this.passwordForAccountDeletion : null,
        },
      });
      await logout(this.$apollo.provider.defaultClient);
@ -260,6 +279,28 @@ export default class AccountSettings extends Vue {
    }
  }

+  get canChangePassword() {
+    return !this.loggedUser.provider;
+  }
+
+  get canChangeEmail() {
+    return !this.loggedUser.provider;
+  }
+
+  providerName(id: string) {
+    if (SELECTED_PROVIDERS[id]) {
+      return SELECTED_PROVIDERS[id];
+    }
+    return id;
+  }
+
+  get hasUserGotAPassword(): boolean {
+    return (
+      this.loggedUser &&
+      (this.loggedUser.provider == null || this.loggedUser.provider == IAuthProvider.LDAP)
+    );
+  }
+
  private handleErrors(type: string, err: any) {
    console.error(err);

--- a/js/src/views/Settings/Notifications.vue
+++ b/js/src/views/Settings/Notifications.vue
@ -95,10 +95,7 @@
 <script lang="ts">
 import { Component, Vue, Watch } from "vue-property-decorator";
 import { USER_SETTINGS, SET_USER_SETTINGS } from "../../graphql/user";
-import {
-  ICurrentUser,
-  INotificationPendingParticipationEnum,
-} from "../../types/current-user.model";
+import { IUser, INotificationPendingParticipationEnum } from "../../types/current-user.model";
 import RouteName from "../../router/name";

@Component({
@ -107,7 +104,7 @@ import RouteName from "../../router/name";
  },
 })
 export default class Notifications extends Vue {
-  loggedUser!: ICurrentUser;
+  loggedUser!: IUser;

  notificationOnDay = true;

--- a/js/src/views/Settings/Preferences.vue
+++ b/js/src/views/Settings/Preferences.vue
@ -52,7 +52,7 @@ import { Component, Vue, Watch } from "vue-property-decorator";
 import { TIMEZONES } from "../../graphql/config";
 import { USER_SETTINGS, SET_USER_SETTINGS, UPDATE_USER_LOCALE } from "../../graphql/user";
 import { IConfig } from "../../types/config.model";
-import { ICurrentUser } from "../../types/current-user.model";
+import { IUser } from "../../types/current-user.model";
 import langs from "../../i18n/langs.json";
 import RouteName from "../../router/name";

@ -65,7 +65,7 @@ import RouteName from "../../router/name";
 export default class Preferences extends Vue {
  config!: IConfig;

-  loggedUser!: ICurrentUser;
+  loggedUser!: IUser;

  selectedTimezone: string | null = null;

@ -74,7 +74,7 @@ export default class Preferences extends Vue {
  RouteName = RouteName;

  @Watch("loggedUser")
-  setSavedTimezone(loggedUser: ICurrentUser) {
+  setSavedTimezone(loggedUser: IUser) {
    if (loggedUser && loggedUser.settings.timezone) {
      this.selectedTimezone = loggedUser.settings.timezone;
    } else {
--- a/js/src/views/User/Login.vue
+++ b/js/src/views/User/Login.vue
@ -10,6 +10,26 @@
          :aria-close-label="$t('Close')"
          >{{ $t("You need to login.") }}</b-message
        >
+        <b-message
+          v-else-if="errorCode === LoginError.LOGIN_PROVIDER_ERROR"
+          type="is-danger"
+          :aria-close-label="$t('Close')"
+          >{{
+            $t("Error while login with {provider}. Retry or login another way.", {
+              provider: $route.query.provider,
+            })
+          }}</b-message
+        >
+        <b-message
+          v-else-if="errorCode === LoginError.LOGIN_PROVIDER_NOT_FOUND"
+          type="is-danger"
+          :aria-close-label="$t('Close')"
+          >{{
+            $t("Error while login with {provider}. This login provider doesn't exist.", {
+              provider: $route.query.provider,
+            })
+          }}</b-message
+        >
        <b-message title="Error" type="is-danger" v-for="error in errors" :key="error">
          <span v-if="error === LoginError.USER_NOT_CONFIRMED">
            <span>
@ -60,6 +80,11 @@
          <p class="control has-text-centered">
            <button class="button is-primary is-large">{{ $t("Login") }}</button>
          </p>
+
+          <div class="control" v-if="config && config.auth.oauthProviders.length > 0">
+            <auth-providers :oauthProviders="config.auth.oauthProviders" />
+          </div>
+
          <p class="control">
            <router-link
              class="button is-text"
@ -103,6 +128,7 @@ import { LoginErrorCode, LoginError } from "../../types/login-error-code.model";
 import { ICurrentUser } from "../../types/current-user.model";
 import { CONFIG } from "../../graphql/config";
 import { IConfig } from "../../types/config.model";
+import AuthProviders from "../../components/User/AuthProviders.vue";

@Component({
  apollo: {
@ -113,6 +139,9 @@ import { IConfig } from "../../types/config.model";
      query: CURRENT_USER_CLIENT,
    },
  },
+  components: {
+    AuthProviders,
+  },
  metaInfo() {
    return {
      // if no subcomponents specify a metaInfo.title, this title will be used
--- a/js/src/views/User/ProviderValidation.vue
+++ b/js/src/views/User/ProviderValidation.vue
@ -0,0 +1,64 @@
+<template> </template>
+<script lang="ts">
+import { Component, Prop, Vue } from "vue-property-decorator";
+import { VALIDATE_USER, UPDATE_CURRENT_USER_CLIENT, LOGGED_USER } from "../../graphql/user";
+import RouteName from "../../router/name";
+import { saveUserData, changeIdentity } from "../../utils/auth";
+import { ILogin } from "../../types/login.model";
+import { ICurrentUserRole, ICurrentUser, IUser } from "../../types/current-user.model";
+import { IDENTITIES } from "../../graphql/actor";
+
+@Component
+export default class ProviderValidate extends Vue {
+  async mounted() {
+    const accessToken = this.getValueFromMeta("auth-access-token");
+    const refreshToken = this.getValueFromMeta("auth-refresh-token");
+    const userId = this.getValueFromMeta("auth-user-id");
+    const userEmail = this.getValueFromMeta("auth-user-email");
+    const userRole = this.getValueFromMeta("auth-user-role") as ICurrentUserRole;
+    const userActorId = this.getValueFromMeta("auth-user-actor-id");
+
+    if (!(userId && userEmail && userRole && accessToken && refreshToken)) {
+      return this.$router.push("/");
+    }
+    const login = {
+      user: { id: userId, email: userEmail, role: userRole, isLoggedIn: true },
+      accessToken,
+      refreshToken,
+    };
+    saveUserData(login);
+    await this.$apollo.mutate({
+      mutation: UPDATE_CURRENT_USER_CLIENT,
+      variables: {
+        id: userId,
+        email: userEmail,
+        isLoggedIn: true,
+        role: ICurrentUserRole.USER,
+      },
+    });
+    const { data } = await this.$apollo.query<{ loggedUser: IUser }>({
+      query: LOGGED_USER,
+    });
+    const { loggedUser } = data;
+
+    if (loggedUser.defaultActor) {
+      await changeIdentity(this.$apollo.provider.defaultClient, loggedUser.defaultActor);
+      await this.$router.push({ name: RouteName.HOME });
+    } else {
+      // If the user didn't register any profile yet, let's create one for them
+      await this.$router.push({
+        name: RouteName.REGISTER_PROFILE,
+        params: { email: loggedUser.email, userAlreadyActivated: "true" },
+      });
+    }
+  }
+
+  getValueFromMeta(name: string) {
+    const element = document.querySelector(`meta[name="${name}"]`);
+    if (element && element.getAttribute("content")) {
+      return element.getAttribute("content");
+    }
+    return null;
+  }
+}
+</script>
--- a/js/src/views/User/Register.vue
+++ b/js/src/views/User/Register.vue
@ -96,6 +96,7 @@
                {{ $t("Register") }}
              </b-button>
            </p>
+
            <p class="control">
              <router-link
                class="button is-text"
@ -113,6 +114,11 @@
                >{{ $t("Login") }}</router-link
              >
            </p>
+
+            <hr />
+            <div class="control" v-if="config && config.auth.oauthProviders.length > 0">
+              <auth-providers :oauthProviders="config.auth.oauthProviders" />
+            </div>
          </form>

          <div v-if="errors.length > 0">
@ -131,9 +137,10 @@ import RouteName from "../../router/name";
 import { IConfig } from "../../types/config.model";
 import { CONFIG } from "../../graphql/config";
 import Subtitle from "../../components/Utils/Subtitle.vue";
+import AuthProviders from "../../components/User/AuthProviders.vue";

@Component({
-  components: { Subtitle },
+  components: { Subtitle, AuthProviders },
  metaInfo() {
    return {
      // if no subcomponents specify a metaInfo.title, this title will be used
--- a/js/src/views/User/Validate.vue
+++ b/js/src/views/User/Validate.vue
@ -18,7 +18,7 @@
 import { Component, Prop, Vue } from "vue-property-decorator";
 import { VALIDATE_USER, UPDATE_CURRENT_USER_CLIENT } from "../../graphql/user";
 import RouteName from "../../router/name";
-import { saveUserData, changeIdentity } from "../../utils/auth";
+import { saveUserData, saveTokenData, changeIdentity } from "../../utils/auth";
 import { ILogin } from "../../types/login.model";
 import { ICurrentUserRole } from "../../types/current-user.model";

@ -45,6 +45,7 @@ export default class Validate extends Vue {

      if (data) {
        saveUserData(data.validateUser);
+        saveTokenData(data.validateUser);

        const { user } = data.validateUser;

--- a/lib/graphql/resolvers/config.ex
+++ b/lib/graphql/resolvers/config.ex
@ -124,7 +124,11 @@ defmodule Mobilizon.GraphQL.Resolvers.Config do
      },
      rules: Config.instance_rules(),
      version: Config.instance_version(),
-      federating: Config.instance_federating()
+      federating: Config.instance_federating(),
+      auth: %{
+        ldap: Config.ldap_enabled?(),
+        oauth_providers: Config.oauth_consumer_strategies()
+      }
    }
  end
 end
--- a/lib/graphql/resolvers/person.ex
+++ b/lib/graphql/resolvers/person.ex
@ -202,10 +202,12 @@ defmodule Mobilizon.GraphQL.Resolvers.Person do
  """
  def register_person(_parent, args, _resolution) do
    with {:ok, %User{} = user} <- Users.get_user_by_email(args.email),
-         {:no_actor, nil} <- {:no_actor, Users.get_actor_for_user(user)},
+         user_actor <- Users.get_actor_for_user(user),
+         no_actor <- is_nil(user_actor),
+         {:no_actor, true} <- {:no_actor, no_actor},
         args <- Map.put(args, :user_id, user.id),
         args <- save_attached_pictures(args),
-         {:ok, %Actor{} = new_person} <- Actors.new_person(args) do
+         {:ok, %Actor{} = new_person} <- Actors.new_person(args, true) do
      {:ok, new_person}
    else
      {:error, :user_not_found} ->
--- a/lib/graphql/resolvers/user.ex
+++ b/lib/graphql/resolvers/user.ex
@ -9,6 +9,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
  alias Mobilizon.Actors.Actor
  alias Mobilizon.Crypto
  alias Mobilizon.Federation.ActivityPub
+  alias Mobilizon.Service.Auth.Authenticator
  alias Mobilizon.Storage.{Page, Repo}
  alias Mobilizon.Users.{Setting, User}

@ -59,18 +60,16 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
  Login an user. Returns a token and the user
  """
  def login_user(_parent, %{email: email, password: password}, _resolution) do
-    with {:ok, %User{confirmed_at: %DateTime{}} = user} <- Users.get_user_by_email(email),
-         {:ok, %{access_token: access_token, refresh_token: refresh_token}} <-
-           Users.authenticate(%{user: user, password: password}) do
-      {:ok, %{access_token: access_token, refresh_token: refresh_token, user: user}}
-    else
-      {:ok, %User{confirmed_at: nil} = _user} ->
-        {:error, "User account not confirmed"}
+    case Authenticator.authenticate(email, password) do
+      {:ok,
+       %{access_token: _access_token, refresh_token: _refresh_token, user: _user} =
+           user_and_tokens} ->
+        {:ok, user_and_tokens}

      {:error, :user_not_found} ->
        {:error, "No user with this email was found"}

-      {:error, :unauthorized} ->
+      {:error, _error} ->
        {:error, "Impossible to authenticate, either your email or password are invalid."}
    end
  end
@ -82,7 +81,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
    with {:ok, user, _claims} <- Auth.Guardian.resource_from_token(refresh_token),
         {:ok, _old, {exchanged_token, _claims}} <-
           Auth.Guardian.exchange(refresh_token, ["access", "refresh"], "access"),
-         {:ok, refresh_token} <- Users.generate_refresh_token(user) do
+         {:ok, refresh_token} <- Authenticator.generate_refresh_token(user) do
      {:ok, %{access_token: exchanged_token, refresh_token: refresh_token}}
    else
      {:error, message} ->
@ -151,7 +150,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
           {:check_confirmation_token, Email.User.check_confirmation_token(token)},
         {:get_actor, actor} <- {:get_actor, Users.get_actor_for_user(user)},
         {:ok, %{access_token: access_token, refresh_token: refresh_token}} <-
-           Users.generate_tokens(user) do
+           Authenticator.generate_tokens(user) do
      {:ok,
       %{
         access_token: access_token,
@ -192,10 +191,15 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
  def send_reset_password(_parent, args, _resolution) do
    with email <- Map.get(args, :email),
         {:ok, %User{locale: locale} = user} <- Users.get_user_by_email(email, true),
+         {:can_reset_password, true} <-
+           {:can_reset_password, Authenticator.can_reset_password?(user)},
         {:ok, %Bamboo.Email{} = _email_html} <-
           Email.User.send_password_reset_email(user, Map.get(args, :locale, locale)) do
      {:ok, email}
    else
+      {:can_reset_password, false} ->
+        {:error, "This user can't reset their password"}
+
      {:error, :user_not_found} ->
        # TODO : implement rate limits for this endpoint
        {:error, "No user with this email was found"}
@ -209,10 +213,10 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
  Reset the password from an user
  """
  def reset_password(_parent, %{password: password, token: token}, _resolution) do
-    with {:ok, %User{} = user} <-
+    with {:ok, %User{email: email} = user} <-
           Email.User.check_reset_password_token(password, token),
         {:ok, %{access_token: access_token, refresh_token: refresh_token}} <-
-           Users.authenticate(%{user: user, password: password}) do
+           Authenticator.authenticate(email, password) do
      {:ok, %{access_token: access_token, refresh_token: refresh_token, user: user}}
    end
  end
@ -295,10 +299,12 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
  def change_password(
        _parent,
        %{old_password: old_password, new_password: new_password},
-        %{context: %{current_user: %User{password_hash: old_password_hash} = user}}
+        %{context: %{current_user: %User{} = user}}
      ) do
-    with {:current_password, true} <-
-           {:current_password, Argon2.verify_pass(old_password, old_password_hash)},
+    with {:can_change_password, true} <-
+           {:can_change_password, Authenticator.can_change_password?(user)},
+         {:current_password, {:ok, %User{}}} <-
+           {:current_password, Authenticator.login(user.email, old_password)},
         {:same_password, false} <- {:same_password, old_password == new_password},
         {:ok, %User{} = user} <-
           user
@ -306,7 +312,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
           |> Repo.update() do
      {:ok, user}
    else
-      {:current_password, false} ->
+      {:current_password, _} ->
        {:error, "The current password is invalid"}

      {:same_password, true} ->
@ -323,10 +329,12 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
  end

  def change_email(_parent, %{email: new_email, password: password}, %{
-        context: %{current_user: %User{email: old_email, password_hash: password_hash} = user}
+        context: %{current_user: %User{email: old_email} = user}
      }) do
-    with {:current_password, true} <-
-           {:current_password, Argon2.verify_pass(password, password_hash)},
+    with {:can_change_password, true} <-
+           {:can_change_password, Authenticator.can_change_email?(user)},
+         {:current_password, {:ok, %User{}}} <-
+           {:current_password, Authenticator.login(user.email, password)},
         {:same_email, false} <- {:same_email, new_email == old_email},
         {:email_valid, true} <- {:email_valid, Email.Checker.valid?(new_email)},
         {:ok, %User{} = user} <-
@ -347,7 +355,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do

      {:ok, user}
    else
-      {:current_password, false} ->
+      {:current_password, _} ->
        {:error, "The password provided is invalid"}

      {:same_email, true} ->
@ -377,14 +385,24 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
    end
  end

-  def delete_account(_parent, %{password: password}, %{
-        context: %{current_user: %User{password_hash: password_hash} = user}
+  def delete_account(_parent, args, %{
+        context: %{current_user: %User{email: email} = user}
      }) do
-    case {:current_password, Argon2.verify_pass(password, password_hash)} do
-      {:current_password, true} ->
+    with {:user_has_password, true} <- {:user_has_password, Authenticator.has_password?(user)},
+         {:confirmation_password, password} when not is_nil(password) <-
+           {:confirmation_password, Map.get(args, :password)},
+         {:current_password, {:ok, _}} <-
+           {:current_password, Authenticator.authenticate(email, password)} do
+      do_delete_account(user)
+    else
+      # If the user hasn't got any password (3rd-party auth)
+      {:user_has_password, false} ->
        do_delete_account(user)

-      {:current_password, false} ->
+      {:confirmation_password, nil} ->
+        {:error, "The password provided is invalid"}
+
+      {:current_password, _} ->
        {:error, "The password provided is invalid"}
    end
  end
--- a/lib/graphql/schema/config.ex
+++ b/lib/graphql/schema/config.ex
@ -39,6 +39,7 @@ defmodule Mobilizon.GraphQL.Schema.ConfigType do
    end

    field(:rules, :string, description: "The instance's rules")
+    field(:auth, :auth, description: "The instance auth methods")
  end

  object :terms do
@ -132,6 +133,16 @@ defmodule Mobilizon.GraphQL.Schema.ConfigType do
    field(:groups, :boolean)
  end

+  object :auth do
+    field(:ldap, :boolean, description: "Whether or not LDAP auth is enabled")
+    field(:oauth_providers, list_of(:oauth_provider), description: "List of oauth providers")
+  end
+
+  object :oauth_provider do
+    field(:id, :string, description: "The provider ID")
+    field(:label, :string, description: "The label for the auth provider")
+  end
+
  object :config_queries do
    @desc "Get the instance config"
    field :config, :config do
--- a/lib/graphql/schema/user.ex
+++ b/lib/graphql/schema/user.ex
@ -52,6 +52,8 @@ defmodule Mobilizon.GraphQL.Schema.UserType do

    field(:locale, :string, description: "The user's locale")

+    field(:provider, :string, description: "The user's login provider")
+
    field(:disabled, :boolean, description: "Whether the user is disabled")

    field(:participations, :paginated_participant_list,
--- a/lib/mobilizon/actors/actors.ex
+++ b/lib/mobilizon/actors/actors.ex
@ -13,6 +13,7 @@ defmodule Mobilizon.Actors do
  alias Mobilizon.Media.File
  alias Mobilizon.Service.Workers
  alias Mobilizon.Storage.{Page, Repo}
+  alias Mobilizon.Users

  alias Mobilizon.Federation.ActivityPub

@ -189,14 +190,19 @@ defmodule Mobilizon.Actors do
  Creates a new person actor.
  """
  @spec new_person(map) :: {:ok, Actor.t()} | {:error, Ecto.Changeset.t()}
-  def new_person(args) do
+  def new_person(args, default_actor \\ false) do
    args = Map.put(args, :keys, Crypto.generate_rsa_2048_private_key())

-    with {:ok, %Actor{} = person} <-
+    with {:ok, %Actor{id: person_id} = person} <-
           %Actor{}
           |> Actor.registration_changeset(args)
           |> Repo.insert() do
-      Events.create_feed_token(%{user_id: args["user_id"], actor_id: person.id})
+      Events.create_feed_token(%{user_id: args.user_id, actor_id: person.id})
+
+      if default_actor do
+        user = Users.get_user!(args.user_id)
+        Users.update_user(user, %{default_actor_id: person_id})
+      end

      {:ok, person}
    end
--- a/lib/mobilizon/config.ex
+++ b/lib/mobilizon/config.ex
@ -186,6 +186,24 @@ defmodule Mobilizon.Config do
  def anonymous_reporting?,
    do: Application.get_env(:mobilizon, :anonymous)[:reports][:allowed]

+  @spec oauth_consumer_strategies() :: list({atom(), String.t()})
+  def oauth_consumer_strategies do
+    [:auth, :oauth_consumer_strategies]
+    |> get([])
+    |> Enum.map(fn strategy ->
+      case strategy do
+        {id, label} when is_atom(id) -> %{id: id, label: label}
+        id when is_atom(id) -> %{id: id, label: nil}
+      end
+    end)
+  end
+
+  @spec oauth_consumer_enabled? :: boolean()
+  def oauth_consumer_enabled?, do: oauth_consumer_strategies() != []
+
+  @spec ldap_enabled? :: boolean()
+  def ldap_enabled?, do: get([:ldap, :enabled], false)
+
  def instance_resource_providers do
    types = get_in(Application.get_env(:mobilizon, Mobilizon.Service.ResourceProviders), [:types])

--- a/lib/mobilizon/users/user.ex
+++ b/lib/mobilizon/users/user.ex
@ -40,14 +40,18 @@ defmodule Mobilizon.Users.User do
    :confirmation_token,
    :reset_password_sent_at,
    :reset_password_token,
+    :default_actor_id,
    :locale,
    :unconfirmed_email,
-    :disabled
+    :disabled,
+    :provider
  ]
  @attrs @required_attrs ++ @optional_attrs

  @registration_required_attrs @required_attrs ++ [:password]

+  @auth_provider_required_attrs @required_attrs ++ [:provider]
+
  @password_change_required_attrs [:password]
  @password_reset_required_attrs @password_change_required_attrs ++
                                   [:reset_password_token, :reset_password_sent_at]
@ -67,6 +71,7 @@ defmodule Mobilizon.Users.User do
    field(:unconfirmed_email, :string)
    field(:locale, :string, default: "en")
    field(:disabled, :boolean, default: false)
+    field(:provider, :string)

    belongs_to(:default_actor, Actor)
    has_many(:actors, Actor)
@ -116,6 +121,16 @@ defmodule Mobilizon.Users.User do
    )
  end

+  @doc false
+  @spec auth_provider_changeset(t, map) :: Ecto.Changeset.t()
+  def auth_provider_changeset(%__MODULE__{} = user, attrs) do
+    user
+    |> changeset(attrs)
+    |> cast_assoc(:default_actor)
+    |> put_change(:confirmed_at, DateTime.utc_now() |> DateTime.truncate(:second))
+    |> validate_required(@auth_provider_required_attrs)
+  end
+
  @doc false
  @spec send_password_reset_changeset(t, map) :: Ecto.Changeset.t()
  def send_password_reset_changeset(%__MODULE__{} = user, attrs) do
--- a/lib/mobilizon/users/users.ex
+++ b/lib/mobilizon/users/users.ex
@ -15,13 +15,6 @@ defmodule Mobilizon.Users do
  alias Mobilizon.Storage.{Page, Repo}
  alias Mobilizon.Users.{Setting, User}

-  alias Mobilizon.Web.Auth
-
-  @type tokens :: %{
-          required(:access_token) => String.t(),
-          required(:refresh_token) => String.t()
-        }
-
  defenum(UserRole, :user_role, [:administrator, :moderator, :user])

  defenum(NotificationPendingNotificationDelay, none: 0, direct: 1, one_hour: 5, one_day: 10)
@ -41,6 +34,18 @@ defmodule Mobilizon.Users do
    end
  end

+  @spec create_external(String.t(), String.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()}
+  def create_external(email, provider) do
+    with {:ok, %User{} = user} <-
+           %User{}
+           |> User.auth_provider_changeset(%{email: email, provider: provider})
+           |> Repo.insert() do
+      Events.create_feed_token(%{user_id: user.id})
+
+      {:ok, user}
+    end
+  end
+
  @doc """
  Gets a single user.
  Raises `Ecto.NoResultsError` if the user does not exist.
@ -75,6 +80,16 @@ defmodule Mobilizon.Users do
    end
  end

+  @doc """
+  Gets an user by its email.
+  """
+  @spec get_user_by_email!(String.t(), boolean | nil) :: User.t()
+  def get_user_by_email!(email, activated \\ nil) do
+    email
+    |> user_by_email_query(activated)
+    |> Repo.one!()
+  end
+
  @doc """
  Get an user by its activation token.
  """
@ -267,52 +282,6 @@ defmodule Mobilizon.Users do
  @spec count_users :: integer
  def count_users, do: Repo.one(from(u in User, select: count(u.id)))

-  @doc """
-  Authenticate an user.
-  """
-  @spec authenticate(User.t()) :: {:ok, tokens} | {:error, :unauthorized}
-  def authenticate(%{user: %User{password_hash: password_hash} = user, password: password}) do
-    # Does password match the one stored in the database?
-    if Argon2.verify_pass(password, password_hash) do
-      {:ok, _tokens} = generate_tokens(user)
-    else
-      {:error, :unauthorized}
-    end
-  end
-
-  @doc """
-  Generates access token and refresh token for an user.
-  """
-  @spec generate_tokens(User.t()) :: {:ok, tokens}
-  def generate_tokens(user) do
-    with {:ok, access_token} <- generate_access_token(user),
-         {:ok, refresh_token} <- generate_refresh_token(user) do
-      {:ok, %{access_token: access_token, refresh_token: refresh_token}}
-    end
-  end
-
-  @doc """
-  Generates access token for an user.
-  """
-  @spec generate_access_token(User.t()) :: {:ok, String.t()}
-  def generate_access_token(user) do
-    with {:ok, access_token, _claims} <-
-           Auth.Guardian.encode_and_sign(user, %{}, token_type: "access") do
-      {:ok, access_token}
-    end
-  end
-
-  @doc """
-  Generates refresh token for an user.
-  """
-  @spec generate_refresh_token(User.t()) :: {:ok, String.t()}
-  def generate_refresh_token(user) do
-    with {:ok, refresh_token, _claims} <-
-           Auth.Guardian.encode_and_sign(user, %{}, token_type: "refresh") do
-      {:ok, refresh_token}
-    end
-  end
-
  @doc """
  Gets a settings for an user.

--- a/lib/service/auth/authenticator.ex
+++ b/lib/service/auth/authenticator.ex
@ -0,0 +1,93 @@
+defmodule Mobilizon.Service.Auth.Authenticator do
+  @moduledoc """
+  Module to handle authentification (currently through database or LDAP)
+  """
+  alias Mobilizon.Users
+  alias Mobilizon.Users.User
+  alias Mobilizon.Web.Auth.Guardian
+
+  @type tokens :: %{
+          required(:access_token) => String.t(),
+          required(:refresh_token) => String.t()
+        }
+
+  @type tokens_with_user :: %{
+          required(:access_token) => String.t(),
+          required(:refresh_token) => String.t(),
+          required(:user) => User.t()
+        }
+
+  def implementation do
+    Mobilizon.Config.get(
+      Mobilizon.Service.Auth.Authenticator,
+      Mobilizon.Service.Auth.MobilizonAuthenticator
+    )
+  end
+
+  @callback login(String.t(), String.t()) :: {:ok, User.t()} | {:error, any()}
+  @spec login(String.t(), String.t()) :: {:ok, User.t()} | {:error, any()}
+  def login(email, password), do: implementation().login(email, password)
+
+  @callback can_change_email?(User.t()) :: boolean
+  def can_change_email?(%User{} = user), do: implementation().can_change_email?(user)
+
+  @callback can_change_password?(User.t()) :: boolean
+  def can_change_password?(%User{} = user), do: implementation().can_change_password?(user)
+
+  @spec has_password?(User.t()) :: boolean()
+  def has_password?(%User{provider: provider}), do: is_nil(provider) or provider == "ldap"
+
+  @spec can_reset_password?(User.t()) :: boolean()
+  def can_reset_password?(%User{} = user), do: has_password?(user) && can_change_password?(user)
+
+  @spec authenticate(String.t(), String.t()) :: {:ok, tokens_with_user()}
+  def authenticate(email, password) do
+    with {:ok, %User{} = user} <- login(email, password),
+         {:ok, %{access_token: access_token, refresh_token: refresh_token}} <-
+           generate_tokens(user) do
+      {:ok, %{access_token: access_token, refresh_token: refresh_token, user: user}}
+    end
+  end
+
+  @doc """
+  Generates access token and refresh token for an user.
+  """
+  @spec generate_tokens(User.t()) :: {:ok, tokens}
+  def generate_tokens(user) do
+    with {:ok, access_token} <- generate_access_token(user),
+         {:ok, refresh_token} <- generate_refresh_token(user) do
+      {:ok, %{access_token: access_token, refresh_token: refresh_token}}
+    end
+  end
+
+  @doc """
+  Generates access token for an user.
+  """
+  @spec generate_access_token(User.t()) :: {:ok, String.t()}
+  def generate_access_token(user) do
+    with {:ok, access_token, _claims} <-
+           Guardian.encode_and_sign(user, %{}, token_type: "access") do
+      {:ok, access_token}
+    end
+  end
+
+  @doc """
+  Generates refresh token for an user.
+  """
+  @spec generate_refresh_token(User.t()) :: {:ok, String.t()}
+  def generate_refresh_token(user) do
+    with {:ok, refresh_token, _claims} <-
+           Guardian.encode_and_sign(user, %{}, token_type: "refresh") do
+      {:ok, refresh_token}
+    end
+  end
+
+  @spec fetch_user(String.t()) :: User.t() | {:error, :user_not_found}
+  def fetch_user(nil), do: {:error, :user_not_found}
+
+  def fetch_user(email) when not is_nil(email) do
+    with {:ok, %User{} = user} <- Users.get_user_by_email(email, true) do
+      user
+    end
+  end
+end
--- a/lib/service/auth/ldap_authenticator.ex
+++ b/lib/service/auth/ldap_authenticator.ex
@ -0,0 +1,180 @@
+# Portions of this file are derived from Pleroma:
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Mobilizon.Service.Auth.LDAPAuthenticator do
+  @moduledoc """
+  Authenticate Mobilizon users through LDAP accounts
+  """
+  alias Mobilizon.Service.Auth.{Authenticator, MobilizonAuthenticator}
+  alias Mobilizon.Users
+  alias Mobilizon.Users.User
+
+  require Logger
+
+  import Authenticator,
+    only: [fetch_user: 1]
+
+  @behaviour Authenticator
+  @base MobilizonAuthenticator
+
+  @connection_timeout 10_000
+  @search_timeout 10_000
+
+  def login(email, password) do
+    with {:ldap, true} <- {:ldap, Mobilizon.Config.get([:ldap, :enabled])},
+         %User{} = user <- ldap_user(email, password) do
+      {:ok, user}
+    else
+      {:error, {:ldap_connection_error, _}} ->
+        # When LDAP is unavailable, try default authenticator
+        @base.login(email, password)
+
+      {:ldap, _} ->
+        @base.login(email, password)
+
+      error ->
+        error
+    end
+  end
+
+  def can_change_email?(%User{provider: provider}), do: provider != "ldap"
+
+  def can_change_password?(%User{provider: provider}), do: provider != "ldap"
+
+  defp ldap_user(email, password) do
+    ldap = Mobilizon.Config.get(:ldap, [])
+    host = Keyword.get(ldap, :host, "localhost")
+    port = Keyword.get(ldap, :port, 389)
+    ssl = Keyword.get(ldap, :ssl, false)
+    sslopts = Keyword.get(ldap, :sslopts, [])
+
+    options =
+      [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
+        if sslopts != [], do: [{:sslopts, sslopts}], else: []
+
+    case :eldap.open([to_charlist(host)], options) do
+      {:ok, connection} ->
+        try do
+          ensure_eventual_tls(connection, ldap)
+
+          base = Keyword.get(ldap, :base)
+          uid_field = Keyword.get(ldap, :uid, "cn")
+
+          # We first need to find the LDAP UID/CN for this specif email
+          with uid when is_binary(uid) <- search_user(connection, ldap, base, uid_field, email),
+               # Then we can verify the user's password
+               :ok <- bind_user(connection, base, uid_field, uid, password) do
+            case fetch_user(email) do
+              %User{} = user ->
+                user
+
+              _ ->
+                register_user(email)
+            end
+          else
+            {:error, error} ->
+              {:error, error}
+
+            error ->
+              {:error, error}
+          end
+        after
+          :eldap.close(connection)
+        end
+
+      {:error, error} ->
+        Logger.error("Could not open LDAP connection: #{inspect(error)}")
+        {:error, {:ldap_connection_error, error}}
+    end
+  end
+
+  @spec bind_user(any(), String.t(), String.t(), String.t(), String.t()) ::
+          User.t() |