Introduce support for 3rd-party auth (OAuth2 & LDAP)

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
master
Thomas Citharel 3 years ago
parent 59a538feba
commit 9a080c1f10
No known key found for this signature in database
GPG Key ID: A061B9DDE0CA0773

@ -118,6 +118,30 @@ config :guardian, Guardian.DB,
config :elixir, :time_zone_database, Tzdata.TimeZoneDatabase
config :mobilizon,
Mobilizon.Service.Auth.Authenticator,
Mobilizon.Service.Auth.MobilizonAuthenticator
config :ueberauth,
Ueberauth,
providers: []
config :mobilizon, :auth, oauth_consumer_strategies: []
config :mobilizon, :ldap,
enabled: System.get_env("LDAP_ENABLED") == "true",
host: System.get_env("LDAP_HOST") || "localhost",
port: String.to_integer(System.get_env("LDAP_PORT") || "389"),
ssl: System.get_env("LDAP_SSL") == "true",
sslopts: [],
tls: System.get_env("LDAP_TLS") == "true",
tlsopts: [],
base: System.get_env("LDAP_BASE") || "dc=example,dc=com",
uid: System.get_env("LDAP_UID") || "cn",
require_bind_for_search: !(System.get_env("LDAP_REQUIRE_BIND_FOR_SEARCH") == "false"),
bind_uid: System.get_env("LDAP_BIND_UID"),
bind_password: System.get_env("LDAP_BIND_PASSWORD")
config :geolix,
databases: [
%{

@ -0,0 +1,26 @@
<template>
<a
class="button is-light"
v-if="Object.keys(SELECTED_PROVIDERS).includes(oauthProvider.id)"
:href="`/auth/${oauthProvider.id}`"
>
<b-icon :icon="oauthProvider.id" />
<span>{{ SELECTED_PROVIDERS[oauthProvider.id] }}</span></a
>
<a class="button is-light" :href="`/auth/${oauthProvider.id}`" v-else>
<b-icon icon="lock" />
<span>{{ oauthProvider.label }}</span>
</a>
</template>
<script lang="ts">
import { Component, Vue, Prop } from "vue-property-decorator";
import { IOAuthProvider } from "../../types/config.model";
import { SELECTED_PROVIDERS } from "../../utils/auth";
@Component
export default class AuthProvider extends Vue {
@Prop({ required: true, type: Object }) oauthProvider!: IOAuthProvider;
SELECTED_PROVIDERS = SELECTED_PROVIDERS;
}
</script>

@ -0,0 +1,26 @@
<template>
<div>
<b>{{ $t("Sign in with") }}</b>
<div class="buttons">
<auth-provider
v-for="provider in oauthProviders"
:oauthProvider="provider"
:key="provider.id"
/>
</div>
</div>
</template>
<script lang="ts">
import { Component, Vue, Prop } from "vue-property-decorator";
import { IOAuthProvider } from "../../types/config.model";
import AuthProvider from "./AuthProvider.vue";
@Component({
components: {
AuthProvider,
},
})
export default class AuthProviders extends Vue {
@Prop({ required: true, type: Array }) oauthProviders!: IOAuthProvider[];
}
</script>

@ -62,6 +62,13 @@ export const CONFIG = gql`
features {
groups
}
auth {
ldap
oauthProviders {
id
label
}
}
}
}
`;

@ -35,6 +35,15 @@ export const LOGGED_USER = gql`
loggedUser {
id
email
defaultActor {
id
preferredUsername
name
avatar {
url
}
}
provider
}
}
`;
@ -64,7 +73,7 @@ export const VALIDATE_EMAIL = gql`
`;
export const DELETE_ACCOUNT = gql`
mutation DeleteAccount($password: String, $userId: ID!) {
mutation DeleteAccount($password: String, $userId: ID) {
deleteAccount(password: $password, userId: $userId) {
id
}

@ -703,5 +703,10 @@
"New discussion": "New discussion",
"Create a discussion": "Create a discussion",
"Create the discussion": "Create the discussion",
"View all discussions": "View all discussions"
"View all discussions": "View all discussions",
"Sign in with": "Sign in with",
"Your email address was automatically set based on your {provider} account.": "Your email address was automatically set based on your {provider} account.",
"You can't change your password because you are registered through {provider}.": "You can't change your password because you are registered through {provider}.",
"Error while login with {provider}. Retry or login another way.": "Error while login with {provider}. Retry or login another way.",
"Error while login with {provider}. This login provider doesn't exist.": "Error while login with {provider}. This login provider doesn't exist."
}

@ -703,5 +703,10 @@
"{number} participations": "Aucune participation|Une participation|{number} participations",
"{profile} (by default)": "{profile} (par défault)",
"{title} ({count} todos)": "{title} ({count} todos)",
"© The OpenStreetMap Contributors": "© Les Contributeur⋅ices OpenStreetMap"
"© The OpenStreetMap Contributors": "© Les Contributeur⋅ices OpenStreetMap",
"Sign in with": "Se connecter avec",
"Your email address was automatically set based on your {provider} account.": "Votre adresse email a été définie automatiquement en se basant sur votre compte {provider}.",
"You can't change your password because you are registered through {provider}.": "Vous ne pouvez pas changer votre mot de passe car vous vous êtes enregistré via {provider}.",
"Error while login with {provider}. Retry or login another way.": "Erreur lors de la connexion avec {provider}. Réessayez ou bien connectez vous autrement.",
"Error while login with {provider}. This login provider doesn't exist.": "Erreur lors de la connexion avec {provider}. Cette méthode de connexion n'existe pas."
}

@ -112,6 +112,11 @@ const router = new Router({
component: () => import(/* webpackChunkName: "cookies" */ "@/views/Interact.vue"),
meta: { requiredAuth: false },
},
{
path: "/auth/:provider/callback",
name: "auth-callback",
component: () => import("@/views/User/ProviderValidation.vue"),
},
{
path: "/404",
name: RouteName.PAGE_NOT_FOUND,

@ -74,4 +74,13 @@ export interface IConfig {
};
federating: boolean;
version: string;
auth: {
ldap: boolean;
oauthProviders: IOAuthProvider[];
};
}
export interface IOAuthProvider {
id: string;
label: string;
}

@ -9,15 +9,11 @@ export enum ICurrentUserRole {
}
export interface ICurrentUser {
id: number;
id: string;
email: string;
isLoggedIn: boolean;
role: ICurrentUserRole;
participations: Paginate<IParticipant>;
defaultActor: IPerson;
drafts: IEvent[];
settings: IUserSettings;
locale: string;
defaultActor?: IPerson;
}
export interface IUser extends ICurrentUser {
@ -25,6 +21,22 @@ export interface IUser extends ICurrentUser {
confirmationSendAt: Date;
actors: IPerson[];
disabled: boolean;
participations: Paginate<IParticipant>;
drafts: IEvent[];
settings: IUserSettings;
locale: string;
provider?: string;
}
export enum IAuthProvider {
LDAP = "ldap",
GOOGLE = "google",
DISCORD = "discord",
GITHUB = "github",
KEYCLOAK = "keycloak",
FACEBOOK = "facebook",
GITLAB = "gitlab",
TWITTER = "twitter",
}
export enum INotificationPendingParticipationEnum {

@ -6,4 +6,6 @@ export enum LoginError {
USER_NOT_CONFIRMED = "User account not confirmed",
USER_DOES_NOT_EXIST = "No user with this email was found",
USER_EMAIL_PASSWORD_INVALID = "Impossible to authenticate, either your email or password are invalid.",
LOGIN_PROVIDER_ERROR = "Error with Login Provider",
LOGIN_PROVIDER_NOT_FOUND = "Login Provider not found",
}

@ -94,3 +94,14 @@ export async function logout(apollo: ApolloClient<NormalizedCacheObject>) {
deleteUserData();
}
export const SELECTED_PROVIDERS: { [key: string]: string } = {
twitter: "Twitter",
discord: "Discord",
facebook: "Facebook",
github: "Github",
gitlab: "Gitlab",
google: "Google",
keycloak: "Keycloak",
ldap: "LDAP",
};

@ -1,5 +1,5 @@
<template>
<div>
<div v-if="loggedUser">
<nav class="breadcrumb" aria-label="breadcrumbs">
<ul>
<li>
@ -24,6 +24,13 @@
>
<b slot="email">{{ loggedUser.email }}</b>
</i18n>
<b-message v-if="!canChangeEmail" type="is-warning" :closable="false">
{{
$t("Your email address was automatically set based on your {provider} account.", {
provider: providerName(loggedUser.provider),
})
}}
</b-message>
<b-notification
type="is-danger"
has-icon
@ -33,7 +40,7 @@
v-for="error in changeEmailErrors"
>{{ error }}</b-notification
>
<form @submit.prevent="resetEmailAction" ref="emailForm" class="form">
<form @submit.prevent="resetEmailAction" ref="emailForm" class="form" v-if="canChangeEmail">
<b-field :label="$t('New email')">
<b-input aria-required="true" required type="email" v-model="newEmail" />
</b-field>
@ -58,6 +65,13 @@
<div class="setting-title">
<h2>{{ $t("Password") }}</h2>
</div>
<b-message v-if="!canChangePassword" type="is-warning" :closable="false">
{{
$t("You can't change your password because you are registered through {provider}.", {
provider: providerName(loggedUser.provider),
})
}}
</b-message>
<b-notification
type="is-danger"
has-icon
@ -67,7 +81,12 @@
v-for="error in changePasswordErrors"
>{{ error }}</b-notification
>
<form @submit.prevent="resetPasswordAction" ref="passwordForm" class="form">
<form
@submit.prevent="resetPasswordAction"
ref="passwordForm"
class="form"
v-if="canChangePassword"
>
<b-field :label="$t('Old password')">
<b-input
aria-required="true"
@ -124,11 +143,11 @@
<br />
<b>{{ $t("There will be no way to recover your data.") }}</b>
</p>
<p class="content">
<p class="content" v-if="hasUserGotAPassword">
{{ $t("Please enter your password to confirm this action.") }}
</p>
<form @submit.prevent="deleteAccount">
<b-field>
<b-field v-if="hasUserGotAPassword">
<b-input
type="password"
v-model="passwordForAccountDeletion"
@ -160,8 +179,8 @@
import { Component, Vue, Ref } from "vue-property-decorator";
import { CHANGE_EMAIL, CHANGE_PASSWORD, DELETE_ACCOUNT, LOGGED_USER } from "../../graphql/user";
import RouteName from "../../router/name";
import { ICurrentUser } from "../../types/current-user.model";
import { logout } from "../../utils/auth";
import { IUser, IAuthProvider } from "../../types/current-user.model";
import { logout, SELECTED_PROVIDERS } from "../../utils/auth";
@Component({
apollo: {
@ -171,7 +190,7 @@ import { logout } from "../../utils/auth";
export default class AccountSettings extends Vue {
@Ref("passwordForm") readonly passwordForm!: HTMLElement;
loggedUser!: ICurrentUser;
loggedUser!: IUser;
passwordForEmailChange = "";
@ -243,7 +262,7 @@ export default class AccountSettings extends Vue {
await this.$apollo.mutate({
mutation: DELETE_ACCOUNT,
variables: {
password: this.passwordForAccountDeletion,
password: this.hasUserGotAPassword ? this.passwordForAccountDeletion : null,
},
});
await logout(this.$apollo.provider.defaultClient);
@ -260,6 +279,28 @@ export default class AccountSettings extends Vue {
}
}
get canChangePassword() {
return !this.loggedUser.provider;
}
get canChangeEmail() {
return !this.loggedUser.provider;
}
providerName(id: string) {
if (SELECTED_PROVIDERS[id]) {
return SELECTED_PROVIDERS[id];
}
return id;
}
get hasUserGotAPassword(): boolean {
return (
this.loggedUser &&
(this.loggedUser.provider == null || this.loggedUser.provider == IAuthProvider.LDAP)
);
}
private handleErrors(type: string, err: any) {
console.error(err);

@ -95,10 +95,7 @@
<script lang="ts">
import { Component, Vue, Watch } from "vue-property-decorator";
import { USER_SETTINGS, SET_USER_SETTINGS } from "../../graphql/user";
import {
ICurrentUser,
INotificationPendingParticipationEnum,
} from "../../types/current-user.model";
import { IUser, INotificationPendingParticipationEnum } from "../../types/current-user.model";
import RouteName from "../../router/name";
@Component({
@ -107,7 +104,7 @@ import RouteName from "../../router/name";
},
})
export default class Notifications extends Vue {
loggedUser!: ICurrentUser;
loggedUser!: IUser;
notificationOnDay = true;

@ -52,7 +52,7 @@ import { Component, Vue, Watch } from "vue-property-decorator";
import { TIMEZONES } from "../../graphql/config";
import { USER_SETTINGS, SET_USER_SETTINGS, UPDATE_USER_LOCALE } from "../../graphql/user";
import { IConfig } from "../../types/config.model";
import { ICurrentUser } from "../../types/current-user.model";
import { IUser } from "../../types/current-user.model";
import langs from "../../i18n/langs.json";
import RouteName from "../../router/name";
@ -65,7 +65,7 @@ import RouteName from "../../router/name";
export default class Preferences extends Vue {
config!: IConfig;
loggedUser!: ICurrentUser;
loggedUser!: IUser;
selectedTimezone: string | null = null;
@ -74,7 +74,7 @@ export default class Preferences extends Vue {
RouteName = RouteName;
@Watch("loggedUser")
setSavedTimezone(loggedUser: ICurrentUser) {
setSavedTimezone(loggedUser: IUser) {
if (loggedUser && loggedUser.settings.timezone) {
this.selectedTimezone = loggedUser.settings.timezone;
} else {

@ -10,6 +10,26 @@
:aria-close-label="$t('Close')"
>{{ $t("You need to login.") }}</b-message
>
<b-message
v-else-if="errorCode === LoginError.LOGIN_PROVIDER_ERROR"
type="is-danger"
:aria-close-label="$t('Close')"
>{{
$t("Error while login with {provider}. Retry or login another way.", {
provider: $route.query.provider,
})
}}</b-message
>
<b-message
v-else-if="errorCode === LoginError.LOGIN_PROVIDER_NOT_FOUND"
type="is-danger"
:aria-close-label="$t('Close')"
>{{
$t("Error while login with {provider}. This login provider doesn't exist.", {
provider: $route.query.provider,
})
}}</b-message
>
<b-message title="Error" type="is-danger" v-for="error in errors" :key="error">
<span v-if="error === LoginError.USER_NOT_CONFIRMED">
<span>
@ -60,6 +80,11 @@
<p class="control has-text-centered">
<button class="button is-primary is-large">{{ $t("Login") }}</button>
</p>
<div class="control" v-if="config && config.auth.oauthProviders.length > 0">
<auth-providers :oauthProviders="config.auth.oauthProviders" />
</div>
<p class="control">
<router-link
class="button is-text"
@ -103,6 +128,7 @@ import { LoginErrorCode, LoginError } from "../../types/login-error-code.model";
import { ICurrentUser } from "../../types/current-user.model";
import { CONFIG } from "../../graphql/config";
import { IConfig } from "../../types/config.model";
import AuthProviders from "../../components/User/AuthProviders.vue";
@Component({
apollo: {
@ -113,6 +139,9 @@ import { IConfig } from "../../types/config.model";
query: CURRENT_USER_CLIENT,
},
},
components: {
AuthProviders,
},
metaInfo() {
return {
// if no subcomponents specify a metaInfo.title, this title will be used

@ -0,0 +1,64 @@
<template> </template>
<script lang="ts">
import { Component, Prop, Vue } from "vue-property-decorator";
import { VALIDATE_USER, UPDATE_CURRENT_USER_CLIENT, LOGGED_USER } from "../../graphql/user";
import RouteName from "../../router/name";
import { saveUserData, changeIdentity } from "../../utils/auth";
import { ILogin } from "../../types/login.model";
import { ICurrentUserRole, ICurrentUser, IUser } from "../../types/current-user.model";
import { IDENTITIES } from "../../graphql/actor";
@Component
export default class ProviderValidate extends Vue {
async mounted() {
const accessToken = this.getValueFromMeta("auth-access-token");
const refreshToken = this.getValueFromMeta("auth-refresh-token");
const userId = this.getValueFromMeta("auth-user-id");
const userEmail = this.getValueFromMeta("auth-user-email");
const userRole = this.getValueFromMeta("auth-user-role") as ICurrentUserRole;
const userActorId = this.getValueFromMeta("auth-user-actor-id");
if (!(userId && userEmail && userRole && accessToken && refreshToken)) {
return this.$router.push("/");
}
const login = {
user: { id: userId, email: userEmail, role: userRole, isLoggedIn: true },
accessToken,
refreshToken,
};
saveUserData(login);
await this.$apollo.mutate({
mutation: UPDATE_CURRENT_USER_CLIENT,
variables: {
id: userId,
email: userEmail,
isLoggedIn: true,
role: ICurrentUserRole.USER,
},
});
const { data } = await this.$apollo.query<{ loggedUser: IUser }>({
query: LOGGED_USER,
});
const { loggedUser } = data;
if (loggedUser.defaultActor) {
await changeIdentity(this.$apollo.provider.defaultClient, loggedUser.defaultActor);
await this.$router.push({ name: RouteName.HOME });
} else {
// If the user didn't register any profile yet, let's create one for them
await this.$router.push({
name: RouteName.REGISTER_PROFILE,
params: { email: loggedUser.email, userAlreadyActivated: "true" },
});
}
}
getValueFromMeta(name: string) {
const element = document.querySelector(`meta[name="${name}"]`);
if (element && element.getAttribute("content")) {
return element.getAttribute("content");
}
return null;
}
}
</script>

@ -96,6 +96,7 @@
{{ $t("Register") }}
</b-button>
</p>
<p class="control">
<router-link
class="button is-text"
@ -113,6 +114,11 @@
>{{ $t("Login") }}</router-link
>
</p>
<hr />
<div class="control" v-if="config && config.auth.oauthProviders.length > 0">
<auth-providers :oauthProviders="config.auth.oauthProviders" />
</div>
</form>
<div v-if="errors.length > 0">
@ -131,9 +137,10 @@ import RouteName from "../../router/name";
import { IConfig } from "../../types/config.model";
import { CONFIG } from "../../graphql/config";
import Subtitle from "../../components/Utils/Subtitle.vue";
import AuthProviders from "../../components/User/AuthProviders.vue";
@Component({
components: { Subtitle },
components: { Subtitle, AuthProviders },
metaInfo() {
return {
// if no subcomponents specify a metaInfo.title, this title will be used

@ -18,7 +18,7 @@
import { Component, Prop, Vue } from "vue-property-decorator";
import { VALIDATE_USER, UPDATE_CURRENT_USER_CLIENT } from "../../graphql/user";
import RouteName from "../../router/name";
import { saveUserData, changeIdentity } from "../../utils/auth";
import { saveUserData, saveTokenData, changeIdentity } from "../../utils/auth";
import { ILogin } from "../../types/login.model";
import { ICurrentUserRole } from "../../types/current-user.model";
@ -45,6 +45,7 @@ export default class Validate extends Vue {
if (data) {
saveUserData(data.validateUser);
saveTokenData(data.validateUser);
const { user } = data.validateUser;

@ -124,7 +124,11 @@ defmodule Mobilizon.GraphQL.Resolvers.Config do
},
rules: Config.instance_rules(),
version: Config.instance_version(),
federating: Config.instance_federating()
federating: Config.instance_federating(),
auth: %{
ldap: Config.ldap_enabled?(),
oauth_providers: Config.oauth_consumer_strategies()
}
}
end
end

@ -202,10 +202,12 @@ defmodule Mobilizon.GraphQL.Resolvers.Person do
"""
def register_person(_parent, args, _resolution) do
with {:ok, %User{} = user} <- Users.get_user_by_email(args.email),
{:no_actor, nil} <- {:no_actor, Users.get_actor_for_user(user)},
user_actor <- Users.get_actor_for_user(user),
no_actor <- is_nil(user_actor),
{:no_actor, true} <- {:no_actor, no_actor},
args <- Map.put(args, :user_id, user.id),
args <- save_attached_pictures(args),
{:ok, %Actor{} = new_person} <- Actors.new_person(args) do
{:ok, %Actor{} = new_person} <- Actors.new_person(args, true) do
{:ok, new_person}
else
{:error, :user_not_found} ->

@ -9,6 +9,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
alias Mobilizon.Actors.Actor
alias Mobilizon.Crypto
alias Mobilizon.Federation.ActivityPub
alias Mobilizon.Service.Auth.Authenticator
alias Mobilizon.Storage.{Page, Repo}
alias Mobilizon.Users.{Setting, User}
@ -59,18 +60,16 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
Login an user. Returns a token and the user
"""
def login_user(_parent, %{email: email, password: password}, _resolution) do
with {:ok, %User{confirmed_at: %DateTime{}} = user} <- Users.get_user_by_email(email),
{:ok, %{access_token: access_token, refresh_token: refresh_token}} <-
Users.authenticate(%{user: user, password: password}) do
{:ok, %{access_token: access_token, refresh_token: refresh_token, user: user}}
else
{:ok, %User{confirmed_at: nil} = _user} ->
{:error, "User account not confirmed"}
case Authenticator.authenticate(email, password) do
{:ok,
%{access_token: _access_token, refresh_token: _refresh_token, user: _user} =
user_and_tokens} ->
{:ok, user_and_tokens}
{:error, :user_not_found} ->
{:error, "No user with this email was found"}
{:error, :unauthorized} ->
{:error, _error} ->
{:error, "Impossible to authenticate, either your email or password are invalid."}
end
end
@ -82,7 +81,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
with {:ok, user, _claims} <- Auth.Guardian.resource_from_token(refresh_token),
{:ok, _old, {exchanged_token, _claims}} <-
Auth.Guardian.exchange(refresh_token, ["access", "refresh"], "access"),
{:ok, refresh_token} <- Users.generate_refresh_token(user) do
{:ok, refresh_token} <- Authenticator.generate_refresh_token(user) do
{:ok, %{access_token: exchanged_token, refresh_token: refresh_token}}
else
{:error, message} ->
@ -151,7 +150,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
{:check_confirmation_token, Email.User.check_confirmation_token(token)},
{:get_actor, actor} <- {:get_actor, Users.get_actor_for_user(user)},
{:ok, %{access_token: access_token, refresh_token: refresh_token}} <-
Users.generate_tokens(user) do
Authenticator.generate_tokens(user) do
{:ok,
%{
access_token: access_token,
@ -192,10 +191,15 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
def send_reset_password(_parent, args, _resolution) do
with email <- Map.get(args, :email),
{:ok, %User{locale: locale} = user} <- Users.get_user_by_email(email, true),
{:can_reset_password, true} <-
{:can_reset_password, Authenticator.can_reset_password?(user)},
{:ok, %Bamboo.Email{} = _email_html} <-
Email.User.send_password_reset_email(user, Map.get(args, :locale, locale)) do
{:ok, email}
else
{:can_reset_password, false} ->
{:error, "This user can't reset their password"}
{:error, :user_not_found} ->
# TODO : implement rate limits for this endpoint
{:error, "No user with this email was found"}
@ -209,10 +213,10 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
Reset the password from an user
"""
def reset_password(_parent, %{password: password, token: token}, _resolution) do
with {:ok, %User{} = user} <-
with {:ok, %User{email: email} = user} <-
Email.User.check_reset_password_token(password, token),
{:ok, %{access_token: access_token, refresh_token: refresh_token}} <-
Users.authenticate(%{user: user, password: password}) do
Authenticator.authenticate(email, password) do
{:ok, %{access_token: access_token, refresh_token: refresh_token, user: user}}
end
end
@ -295,10 +299,12 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
def change_password(
_parent,
%{old_password: old_password, new_password: new_password},
%{context: %{current_user: %User{password_hash: old_password_hash} = user}}
%{context: %{current_user: %User{} = user}}
) do
with {:current_password, true} <-
{:current_password, Argon2.verify_pass(old_password, old_password_hash)},
with {:can_change_password, true} <-
{:can_change_password, Authenticator.can_change_password?(user)},
{:current_password, {:ok, %User{}}} <-
{:current_password, Authenticator.login(user.email, old_password)},
{:same_password, false} <- {:same_password, old_password == new_password},
{:ok, %User{} = user} <-
user
@ -306,7 +312,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
|> Repo.update() do
{:ok, user}
else
{:current_password, false} ->
{:current_password, _} ->
{:error, "The current password is invalid"}
{:same_password, true} ->
@ -323,10 +329,12 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
end
def change_email(_parent, %{email: new_email, password: password}, %{
context: %{current_user: %User{email: old_email, password_hash: password_hash} = user}
context: %{current_user: %User{email: old_email} = user}
}) do
with {:current_password, true} <-
{:current_password, Argon2.verify_pass(password, password_hash)},
with {:can_change_password, true} <-
{:can_change_password, Authenticator.can_change_email?(user)},
{:current_password, {:ok, %User{}}} <-
{:current_password, Authenticator.login(user.email, password)},
{:same_email, false} <- {:same_email, new_email == old_email},
{:email_valid, true} <- {:email_valid, Email.Checker.valid?(new_email)},
{:ok, %User{} = user} <-
@ -347,7 +355,7 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
{:ok, user}
else
{:current_password, false} ->
{:current_password, _} ->
{:error, "The password provided is invalid"}
{:same_email, true} ->
@ -377,14 +385,24 @@ defmodule Mobilizon.GraphQL.Resolvers.User do
end
end
def delete_account(_parent, %{password: password}, %{
context: %{current_user: %User{password_hash: password_hash} = user}
def delete_account(_parent, args, %{
context: %{current_user: %User{email: email} = user}
}) do
case {:current_password, Argon2.verify_pass(password, password_hash)} do
{:current_password, true} ->
with {:user_has_password, true} <- {:user_has_password, Authenticator.has_password?(user)},
{:confirmation_password, password} when not is_nil(password) <-
{:confirmation_password, Map.get(args, :password)},
{:current_password, {:ok, _}} <-
{:current_password, Authenticator.authenticate(email, password)} do
do_delete_account(user)
else
# If the user hasn't got any password (3rd-party auth)
{:user_has_password, false} ->
do_delete_account(user)
{:current_password, false} ->
{:confirmation_password, nil} ->
{:error, "The password provided is invalid"}
{:current_password, _} ->
{:error, "The password provided is invalid"}
end
end

@ -39,6 +39,7 @@ defmodule Mobilizon.GraphQL.Schema.ConfigType do
end
field(:rules, :string, description: "The instance's rules")
field(:auth, :auth, description: "The instance auth methods")
end
object :terms do
@ -132,6 +133,16 @@ defmodule Mobilizon.GraphQL.Schema.ConfigType do
field(:groups, :boolean)
end
object :auth do
field(:ldap, :boolean, description: "Whether or not LDAP auth is enabled")
field(:oauth_providers, list_of(:oauth_provider), description: "List of oauth providers")
end
object :oauth_provider do
field(:id, :string, description: "The provider ID")
field(:label, :string, description: "The label for the auth provider")
end
object :config_queries do
@desc "Get the instance config"
field :config, :config do

@ -52,6 +52,8 @@ defmodule Mobilizon.GraphQL.Schema.UserType do
field(:locale, :string, description: "The user's locale")
field(:provider, :string, description: "The user's login provider")
field(:disabled, :boolean, description: "Whether the user is disabled")
field(:participations, :paginated_participant_list,

@ -13,6 +13,7 @@ defmodule Mobilizon.Actors do
alias Mobilizon.Media.File
alias Mobilizon.Service.Workers
alias Mobilizon.Storage.{Page, Repo}
alias Mobilizon.Users
alias Mobilizon.Federation.ActivityPub
@ -189,14 +190,19 @@ defmodule Mobilizon.Actors do
Creates a new person actor.
"""
@spec new_person(map) :: {:ok, Actor.t()} | {:error, Ecto.Changeset.t()}
def new_person(args) do
def new_person(args, default_actor \\ false) do
args = Map.put(args, :keys, Crypto.generate_rsa_2048_private_key())
with {:ok, %Actor{} = person} <-
with {:ok, %Actor{id: person_id} = person} <-
%Actor{}
|> Actor.registration_changeset(args)
|> Repo.insert() do
Events.create_feed_token(%{user_id: args["user_id"], actor_id: person.id})
Events.create_feed_token(%{user_id: args.user_id, actor_id: person.id})
if default_actor do
user = Users.get_user!(args.user_id)
Users.update_user(user, %{default_actor_id: person_id})
end
{:ok, person}
end

@ -186,6 +186,24 @@ defmodule Mobilizon.Config do
def anonymous_reporting?,
do: Application.get_env(:mobilizon, :anonymous)[:reports][:allowed]
@spec oauth_consumer_strategies() :: list({atom(), String.t()})
def oauth_consumer_strategies do
[:auth, :oauth_consumer_strategies]
|> get([])
|> Enum.map(fn strategy ->
case strategy do
{id, label} when is_atom(id) -> %{id: id, label: label}
id when is_atom(id) -> %{id: id, label: nil}
end
end)
end
@spec oauth_consumer_enabled? :: boolean()
def oauth_consumer_enabled?, do: oauth_consumer_strategies() != []
@spec ldap_enabled? :: boolean()
def ldap_enabled?, do: get([:ldap, :enabled], false)
def instance_resource_providers do
types = get_in(Application.get_env(:mobilizon, Mobilizon.Service.ResourceProviders), [:types])

@ -40,14 +40,18 @@ defmodule Mobilizon.Users.User do
:confirmation_token,
:reset_password_sent_at,
:reset_password_token,
:default_actor_id,
:locale,
:unconfirmed_email,
:disabled
:disabled,
:provider
]
@attrs @required_attrs ++ @optional_attrs
@registration_required_attrs @required_attrs ++ [:password]
@auth_provider_required_attrs @required_attrs ++ [:provider]
@password_change_required_attrs [:password]
@password_reset_required_attrs @password_change_required_attrs ++
[:reset_password_token, :reset_password_sent_at]
@ -67,6 +71,7 @@ defmodule Mobilizon.Users.User do
field(:unconfirmed_email, :string)
field(:locale, :string, default: "en")
field(:disabled, :boolean, default: false)
field(:provider, :string)
belongs_to(:default_actor, Actor)
has_many(:actors, Actor)
@ -116,6 +121,16 @@ defmodule Mobilizon.Users.User do
)
end
@doc false
@spec auth_provider_changeset(t, map) :: Ecto.Changeset.t()
def auth_provider_changeset(%__MODULE__{} = user, attrs) do
user
|> changeset(attrs)
|> cast_assoc(:default_actor)
|> put_change(:confirmed_at, DateTime.utc_now() |> DateTime.truncate(:second))
|> validate_required(@auth_provider_required_attrs)
end
@doc false
@spec send_password_reset_changeset(t, map) :: Ecto.Changeset.t()
def send_password_reset_changeset(%__MODULE__{} = user, attrs) do

@ -15,13 +15,6 @@ defmodule Mobilizon.Users do
alias Mobilizon.Storage.{Page, Repo}
alias Mobilizon.Users.{Setting, User}
alias Mobilizon.Web.Auth
@type tokens :: %{
required(:access_token) => String.t(),
required(:refresh_token) => String.t()
}
defenum(UserRole, :user_role, [:administrator, :moderator, :user])
defenum(NotificationPendingNotificationDelay, none: 0, direct: 1, one_hour: 5, one_day: 10)
@ -41,6 +34,18 @@ defmodule Mobilizon.Users do
end
end
@spec create_external(String.t(), String.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()}
def create_external(email, provider) do
with {:ok, %User{} = user} <-
%User{}
|> User.auth_provider_changeset(%{email: email, provider: provider})
|> Repo.insert() do
Events.create_feed_token(%{user_id: user.id})
{:ok, user}
end
end
@doc """
Gets a single user.
Raises `Ecto.NoResultsError` if the user does not exist.
@ -75,6 +80,16 @@ defmodule Mobilizon.Users do
end
end
@doc """
Gets an user by its email.
"""
@spec get_user_by_email!(String.t(), boolean | nil) :: User.t()
def get_user_by_email!(email, activated \\ nil) do
email
|> user_by_email_query(activated)
|> Repo.one!()
end
@doc """
Get an user by its activation token.
"""
@ -267,52 +282,6 @@ defmodule Mobilizon.Users do
@spec count_users :: integer
def count_users, do: Repo.one(from(u in User, select: count(u.id)))
@doc """
Authenticate an user.
"""
@spec authenticate(User.t()) :: {:ok, tokens} | {:error, :unauthorized}
def authenticate(%{user: %User{password_hash: password_hash} = user, password: password}) do
# Does password match the one stored in the database?
if Argon2.verify_pass(password, password_hash) do
{:ok, _tokens} = generate_tokens(user)
else
{:error, :unauthorized}
end
end
@doc """
Generates access token and refresh token for an user.
"""
@spec generate_tokens(User.t()) :: {:ok, tokens}
def generate_tokens(user) do
with {:ok, access_token} <- generate_access_token(user),
{:ok, refresh_token} <- generate_refresh_token(user) do
{:ok, %{access_token: access_token, refresh_token: refresh_token}}
end
end
@doc """
Generates access token for an user.
"""
@spec generate_access_token(User.t()) :: {:ok, String.t()}
def generate_access_token(user) do
with {:ok, access_token, _claims} <-
Auth.Guardian.encode_and_sign(user, %{}, token_type: "access") do
{:ok, access_token}
end
end
@doc """
Generates refresh token for an user.
"""
@spec generate_refresh_token(User.t()) :: {:ok, String.t()}
def generate_refresh_token(user) do
with {:ok, refresh_token, _claims} <-
Auth.Guardian.encode_and_sign(user, %{}, token_type: "refresh") do
{:ok, refresh_token}
end
end
@doc """
Gets a settings for an user.

@ -0,0 +1,93 @@
defmodule Mobilizon.Service.Auth.Authenticator do
@moduledoc """
Module to handle authentification (currently through database or LDAP)
"""
alias Mobilizon.Users
alias Mobilizon.Users.User
alias Mobilizon.Web.Auth.Guardian
@type tokens :: %{
required(:access_token) => String.t(),
required(:refresh_token) => String.t()
}
@type tokens_with_user :: %{
required(:access_token) => String.t(),
required(:refresh_token) => String.t(),
required(:user) => User.t()
}
def implementation do
Mobilizon.Config.get(
Mobilizon.Service.Auth.Authenticator,
Mobilizon.Service.Auth.MobilizonAuthenticator
)
end
@callback login(String.t(), String.t()) :: {:ok, User.t()} | {:error, any()}
@spec login(String.t(), String.t()) :: {:ok, User.t()} | {:error, any()}
def login(email, password), do: implementation().login(email, password)
@callback can_change_email?(User.t()) :: boolean
def can_change_email?(%User{} = user), do: implementation().can_change_email?(user)
@callback can_change_password?(User.t()) :: boolean
def can_change_password?(%User{} = user), do: implementation().can_change_password?(user)
@spec has_password?(User.t()) :: boolean()
def has_password?(%User{provider: provider}), do: is_nil(provider) or provider == "ldap"
@spec can_reset_password?(User.t()) :: boolean()
def can_reset_password?(%User{} = user), do: has_password?(user) && can_change_password?(user)
@spec authenticate(String.t(), String.t()) :: {:ok, tokens_with_user()}
def authenticate(email, password) do
with {:ok, %User{} = user} <- login(email, password),
{:ok, %{access_token: access_token, refresh_token: refresh_token}} <-
generate_tokens(user) do
{:ok, %{access_token: access_token, refresh_token: refresh_token, user: user}}
end
end
@doc """
Generates access token and refresh token for an user.
"""
@spec generate_tokens(User.t()) :: {:ok, tokens}
def generate_tokens(user) do
with {:ok, access_token} <- generate_access_token(user),
{:ok, refresh_token} <- generate_refresh_token(user) do
{:ok, %{access_token: access_token, refresh_token: refresh_token}}
end
end
@doc """
Generates access token for an user.
"""
@spec generate_access_token(User.t()) :: {:ok, String.t()}
def generate_access_token(user) do
with {:ok, access_token, _claims} <-
Guardian.encode_and_sign(user, %{}, token_type: "access") do
{:ok, access_token}
end
end
@doc """
Generates refresh token for an user.
"""
@spec generate_refresh_token(User.t()) :: {:ok, String.t()}
def generate_refresh_token(user) do
with {:ok, refresh_token, _claims} <-
Guardian.encode_and_sign(user, %{}, token_type: "refresh") do
{:ok, refresh_token}
end
end
@spec fetch_user(String.t()) :: User.t() | {:error, :user_not_found}
def fetch_user(nil), do: {:error, :user_not_found}
def fetch_user(email) when not is_nil(email) do
with {:ok, %User{} = user} <- Users.get_user_by_email(email, true) do
user
end
end
end

@ -0,0 +1,180 @@
# Portions of this file are derived from Pleroma:
# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Mobilizon.Service.Auth.LDAPAuthenticator do
@moduledoc """
Authenticate Mobilizon users through LDAP accounts
"""
alias Mobilizon.Service.Auth.{Authenticator, MobilizonAuthenticator}
alias Mobilizon.Users
alias Mobilizon.Users.User
require Logger
import Authenticator,
only: [fetch_user: 1]
@behaviour Authenticator
@base MobilizonAuthenticator
@connection_timeout 10_000
@search_timeout 10_000
def login(email, password) do
with {:ldap, true} <- {:ldap, Mobilizon.Config.get([:ldap, :enabled])},
%User{} = user <- ldap_user(email, password) do
{:ok, user}
else
{:error, {:ldap_connection_error, _}} ->
# When LDAP is unavailable, try default authenticator
@base.login(email, password)
{:ldap, _} ->
@base.login(email, password)
error ->
error
end
end
def can_change_email?(%User{provider: provider}), do: provider != "ldap"
def can_change_password?(%User{provider: provider}), do: provider != "ldap"
defp ldap_user(email, password) do
ldap = Mobilizon.Config.get(:ldap, [])
host = Keyword.get(ldap, :host, "localhost")
port = Keyword.get(ldap, :port, 389)
ssl = Keyword.get(ldap, :ssl, false)
sslopts = Keyword.get(ldap, :sslopts, [])
options =
[{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
if sslopts != [], do: [{:sslopts, sslopts}], else: []
case :eldap.open([to_charlist(host)], options) do
{:ok, connection} ->
try do
ensure_eventual_tls(connection, ldap)
base = Keyword.get(ldap, :base)
uid_field = Keyword.get(ldap, :uid, "cn")
# We first need to find the LDAP UID/CN for this specif email
with uid when is_binary(uid) <- search_user(connection, ldap, base, uid_field, email),
# Then we can verify the user's password
:ok <- bind_user(connection, base, uid_field, uid, password) do
case fetch_user(email) do
%User{} = user ->
user
_ ->
register_user(email)
end
else
{:error, error} ->
{:error, error}
error ->
{:error, error}
end
after
:eldap.close(connection)
end
{:error, error} ->
Logger.error("Could not open LDAP connection: #{inspect(error)}")
{:error, {:ldap_connection_error, error}}
end
end
@spec bind_user(any(), String.t(), String.t(), String.t(), String.t()) ::
User.t() |