Signed-off-by: Thomas Citharel <tcit@tcit.fr>master
parent
59a538feba
commit
9a080c1f10
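--- /dev/null
+++ b/[path not shown: AuthProvider.vue]
@@ -0,0 +1,26 @@
+<template>
+<a
+class="button is-light"
+v-if="Object.keys(SELECTED_PROVIDERS).includes(oauthProvider.id)"
+:href="`/auth/${oauthProvider.id}`"
+>
+<b-icon :icon="oauthProvider.id" />
+<span>{{ SELECTED_PROVIDERS[oauthProvider.id] }}</span></a
+>
+<a class="button is-light" :href="`/auth/${oauthProvider.id}`" v-else>
+<b-icon icon="lock" />
+<span>{{ oauthProvider.label }}</span>
+</a>
+</template>
+<script lang="ts">
+import { Component, Vue, Prop } from "vue-property-decorator";
+import { IOAuthProvider } from "../../types/config.model";
+import { SELECTED_PROVIDERS } from "../../utils/auth";
+
+@Component
+export default class AuthProvider extends Vue {
+@Prop({ required: true, type: Object }) oauthProvider!: IOAuthProvider;
+
+SELECTED_PROVIDERS = SELECTED_PROVIDERS;
+}
+</script>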
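Review bot: The `v-if` and `v-else` anchors differ only in their icon and label, so the class, the `:href` template and the `<a>` wrapper are written twice and must be kept in sync by hand; a single anchor whose `<b-icon>` and `<span>` carry the condition would remove the duplication. The `Object.keys(SELECTED_PROVIDERS).includes(oauthProvider.id)` lookup would read better as a computed getter on the class, e.g. `get isKnownProvider(): boolean { return Object.keys(SELECTED_PROVIDERS).includes(this.oauthProvider.id); }`, leaving the template with `v-if="isKnownProvider"`. The component has no doc comment; a one-liner such as `/** Login button for one OAuth provider; uses the curated label from SELECTED_PROVIDERS when the provider is listed there, else the provider's own label. */` above the class would state its contract.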
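--- /dev/null
+++ b/[path not shown: AuthProviders component]
@@ -0,0 +1,26 @@
+<template>
+<div>
+<b>{{ $t("Sign in with") }}</b>
+<div class="buttons">
+<auth-provider
+v-for="provider in oauthProviders"
+:oauthProvider="provider"
+:key="provider.id"
+/>
+</div>
+</div>
+</template>
+<script lang="ts">
+import { Component, Vue, Prop } from "vue-property-decorator";
+import { IOAuthProvider } from "../../types/config.model";
+import AuthProvider from "./AuthProvider.vue";
+
+@Component({
+components: {
+AuthProvider,
+},
+})
+export default class AuthProviders extends Vue {
+@Prop({ required: true, type: Array }) oauthProviders!: IOAuthProvider[];
+}
+</script>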
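Review bot: The prop is bound as `:oauthProvider="provider"` while the component tag itself is written in kebab-case (`<auth-provider>`); Vue's documented convention for in-template attributes is kebab-case, `:oauth-provider="provider"`, which it normalises to the same `oauthProvider` prop, and mixing the two styles in one tag is what linters usually flag. The class has no doc comment; `/** Renders one AuthProvider button per configured OAuth provider. */` above `export default class AuthProviders` would cover it.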
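--- /dev/null
+++ b/[path not shown: ProviderValidate component]
@@ -0,0 +1,64 @@
+<template> </template>
+<script lang="ts">
+import { Component, Prop, Vue } from "vue-property-decorator";
+import { VALIDATE_USER, UPDATE_CURRENT_USER_CLIENT, LOGGED_USER } from "../../graphql/user";
+import RouteName from "../../router/name";
+import { saveUserData, changeIdentity } from "../../utils/auth";
+import { ILogin } from "../../types/login.model";
+import { ICurrentUserRole, ICurrentUser, IUser } from "../../types/current-user.model";
+import { IDENTITIES } from "../../graphql/actor";
+
+@Component
+export default class ProviderValidate extends Vue {
+async mounted() {
+const accessToken = this.getValueFromMeta("auth-access-token");
+const refreshToken = this.getValueFromMeta("auth-refresh-token");
+const userId = this.getValueFromMeta("auth-user-id");
+const userEmail = this.getValueFromMeta("auth-user-email");
+const userRole = this.getValueFromMeta("auth-user-role") as ICurrentUserRole;
+const userActorId = this.getValueFromMeta("auth-user-actor-id");
+
+if (!(userId && userEmail && userRole && accessToken && refreshToken)) {
+return this.$router.push("/");
+}
+const login = {
+user: { id: userId, email: userEmail, role: userRole, isLoggedIn: true },
+accessToken,
+refreshToken,
+};
+saveUserData(login);
+await this.$apollo.mutate({
+mutation: UPDATE_CURRENT_USER_CLIENT,
+variables: {
+id: userId,
+email: userEmail,
+isLoggedIn: true,
+role: ICurrentUserRole.USER,
+},
+});
+const { data } = await this.$apollo.query<{ loggedUser: IUser }>({
+query: LOGGED_USER,
+});
+const { loggedUser } = data;
+
+if (loggedUser.defaultActor) {
+await changeIdentity(this.$apollo.provider.defaultClient, loggedUser.defaultActor);
+await this.$router.push({ name: RouteName.HOME });
+} else {
+// If the user didn't register any profile yet, let's create one for them
+await this.$router.push({
+name: RouteName.REGISTER_PROFILE,
+params: { email: loggedUser.email, userAlreadyActivated: "true" },
+});
+}
+}
+
+getValueFromMeta(name: string) {
+const element = document.querySelector(`meta[name="${name}"]`);
+if (element && element.getAttribute("content")) {
+return element.getAttribute("content");
+}
+return null;
+}
+}
+</script>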
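Review bot: The `UPDATE_CURRENT_USER_CLIENT` variables hard-code `role: ICurrentUserRole.USER` while `login.user.role` a few lines earlier is set from the `auth-user-role` meta value, so the data handed to `saveUserData` and the Apollo client state can disagree for any non-USER role; the mutation should use `role: userRole,`. `userRole` is only an `as ICurrentUserRole` cast over the `string | null` that `getValueFromMeta` returns, so a meta value that is not an enum member still passes the truthiness guard — if `ICurrentUserRole` is a string enum, checking membership against `Object.values(ICurrentUserRole)` before the cast, with the same `this.$router.push("/")` fallback, would make the narrowing real. `userActorId` and the imports `Prop`, `VALIDATE_USER`, `IDENTITIES` and `ICurrentUser` are unused, and `login` could be declared `const login: ILogin = {` since `ILogin` is already imported. Because the tokens arrive through `<meta>` tags, consider removing those elements once they have been read so they do not remain in the DOM after `saveUserData` has persisted them (where it stores them is not shown here); `getValueFromMeta` would also benefit from an explicit `: string | null` return type.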
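--- /dev/null
+++ b/[path not shown: Mobilizon.Service.Auth.Authenticator]
@@ -0,0 +1,93 @@
+defmodule Mobilizon.Service.Auth.Authenticator do
+@moduledoc """
+Module to handle authentification (currently through database or LDAP)
+"""
+alias Mobilizon.Users
+alias Mobilizon.Users.User
+alias Mobilizon.Web.Auth.Guardian
+
+@type tokens :: %{
+required(:access_token) => String.t(),
+required(:refresh_token) => String.t()
+}
+
+@type tokens_with_user :: %{
+required(:access_token) => String.t(),
+required(:refresh_token) => String.t(),
+required(:user) => User.t()
+}
+
+def implementation do
+Mobilizon.Config.get(
+Mobilizon.Service.Auth.Authenticator,
+Mobilizon.Service.Auth.MobilizonAuthenticator
+)
+end
+
+@callback login(String.t(), String.t()) :: {:ok, User.t()} | {:error, any()}
+@spec login(String.t(), String.t()) :: {:ok, User.t()} | {:error, any()}
+def login(email, password), do: implementation().login(email, password)
+
+@callback can_change_email?(User.t()) :: boolean
+def can_change_email?(%User{} = user), do: implementation().can_change_email?(user)
+
+@callback can_change_password?(User.t()) :: boolean
+def can_change_password?(%User{} = user), do: implementation().can_change_password?(user)
+
+@spec has_password?(User.t()) :: boolean()
+def has_password?(%User{provider: provider}), do: is_nil(provider) or provider == "ldap"
+
+@spec can_reset_password?(User.t()) :: boolean()
+def can_reset_password?(%User{} = user), do: has_password?(user) && can_change_password?(user)
+
+@spec authenticate(String.t(), String.t()) :: {:ok, tokens_with_user()}
+def authenticate(email, password) do
+with {:ok, %User{} = user} <- login(email, password),
+{:ok, %{access_token: access_token, refresh_token: refresh_token}} <-
+generate_tokens(user) do
+{:ok, %{access_token: access_token, refresh_token: refresh_token, user: user}}
+end
+end
+
+@doc """
+Generates access token and refresh token for an user.
+"""
+@spec generate_tokens(User.t()) :: {:ok, tokens}
+def generate_tokens(user) do
+with {:ok, access_token} <- generate_access_token(user),
+{:ok, refresh_token} <- generate_refresh_token(user) do
+{:ok, %{access_token: access_token, refresh_token: refresh_token}}
+end
+end
+
+@doc """
+Generates access token for an user.
+"""
+@spec generate_access_token(User.t()) :: {:ok, String.t()}
+def generate_access_token(user) do
+with {:ok, access_token, _claims} <-
+Guardian.encode_and_sign(user, %{}, token_type: "access") do
+{:ok, access_token}
+end
+end
+
+@doc """
+Generates refresh token for an user.
+"""
+@spec generate_refresh_token(User.t()) :: {:ok, String.t()}
+def generate_refresh_token(user) do
+with {:ok, refresh_token, _claims} <-
+Guardian.encode_and_sign(user, %{}, token_type: "refresh") do
+{:ok, refresh_token}
+end
+end
+
+@spec fetch_user(String.t()) :: User.t() | {:error, :user_not_found}
+def fetch_user(nil), do: {:error, :user_not_found}
+
+def fetch_user(email) when not is_nil(email) do
+with {:ok, %User{} = user} <- Users.get_user_by_email(email, true) do
+user
+end
+end
+end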
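Review bot: The `@spec` of `authenticate/2` promises only `{:ok, tokens_with_user()}`, but its `with` has no `else`, so a failed `login/2` returns the `{:error, any()}` tuple from the callback unchanged; the spec should read `@spec authenticate(String.t(), String.t()) :: {:ok, tokens_with_user()} | {:error, any()}`. The same gap applies to `generate_tokens/1`, `generate_access_token/1` and `generate_refresh_token/1`, which pass through whatever non-matching value `Guardian.encode_and_sign/3` yields (presumably an `{:error, reason}` tuple), and to `fetch_user/1`, whose non-`{:ok, %User{}}` result comes from `Users.get_user_by_email/2` (not shown here) rather than the `{:error, :user_not_found}` the spec names. `authenticate/2` is the entry point callers will use and has no `@doc`; `@doc "Logs a user in via the configured authenticator and returns fresh access and refresh tokens together with the user."` would cover it. Minor: the `@moduledoc` says "authentification"; the English spelling is "authentication".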
@ -0,0 +1,180 @@
|
||||
# Portions of this file are derived from Pleroma:
|
||||
# Pleroma: A lightweight social networking server
|
||||
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
defmodule Mobilizon.Service.Auth.LDAPAuthenticator do
|
||||
@moduledoc """
|
||||
Authenticate Mobilizon users through LDAP accounts
|
||||
"""
|
||||
alias Mobilizon.Service.Auth.{Authenticator, MobilizonAuthenticator}
|
||||
alias Mobilizon.Users
|
||||
alias Mobilizon.Users.User
|
||||
|
||||
require Logger
|
||||
|
||||
import Authenticator,
|
||||
only: [fetch_user: 1]
|
||||
|
||||
@behaviour Authenticator
|
||||
@base MobilizonAuthenticator
|
||||
|
||||
@connection_timeout 10_000
|
||||
@search_timeout 10_000
|
||||
|
||||
def login(email, password) do
|
||||
with {:ldap, true} <- {:ldap, Mobilizon.Config.get([:ldap, :enabled])},
|
||||
%User{} = user <- ldap_user(email, password) do
|
||||
{:ok, user}
|
||||
else
|
||||
{:error, {:ldap_connection_error, _}} ->
|
||||
# When LDAP is unavailable, try default authenticator
|
||||
@base.login(email, password)
|
||||
|
||||
{:ldap, _} ->
|
||||
@base.login(email, password)
|
||||
|
||||
error ->
|
||||
error
|
||||
end
|
||||
end
|
||||
|
||||
def can_change_email?(%User{provider: provider}), do: provider != "ldap"
|
||||
|
||||
def can_change_password?(%User{provider: provider}), do: provider != "ldap"
|
||||
|
||||
defp ldap_user(email, password) do
|
||||
ldap = Mobilizon.Config.get(:ldap, [])
|
||||
host = Keyword.get(ldap, :host, "localhost")
|
||||
port = Keyword.get(ldap, :port, 389)
|
||||
ssl = Keyword.get(ldap, :ssl, false)
|
||||
sslopts = Keyword.get(ldap, :sslopts, [])
|
||||
|
||||
options =
|
||||
[{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
|
||||
if sslopts != [], do: [{:sslopts, sslopts}], else: []
|
||||
|
||||
case :eldap.open([to_charlist(host)], options) do
|
||||
{:ok, connection} ->
|
||||
try do
|
||||
ensure_eventual_tls(connection, ldap)
|
||||
|
||||
base = Keyword.get(ldap, :base)
|
||||
uid_field = Keyword.get(ldap, :uid, "cn")
|
||||
|
||||
# We first need to find the LDAP UID/CN for this specif email
|
||||
with uid when is_binary(uid) <- search_user(connection, ldap, base, uid_field, email),
|
||||
# Then we can verify the user's password
|
||||
:ok <- bind_user(connection, base, uid_field, uid, password) do
|
||||
case fetch_user(email) do
|
||||
%User{} = user ->
|
||||
user
|
||||
|
||||
_ ->
|
||||
register_user(email)
|
||||
end
|
||||
else
|
||||
{:error, error} ->
|
||||
{:error, error}
|
||||
|
||||
error ->
|
||||
{:error, error}
|
||||
end
|
||||
after
|
||||
:eldap.close(connection)
|
||||
end
|
||||
|
||||
{:error, error} ->
|
||||
Logger.error("Could not open LDAP connection: #{inspect(error)}")
|
||||
{:error, {:ldap_connection_error, error}}
|
||||
end
|
||||
end
|
||||
|
||||
@spec bind_user(any(), String.t(), String.t(), String.t(), String.t()) ::
|
||||
User.t() | |