Initial OpenID integration with Cloudron

Author: nebulade

CloudronManifest.json

@@ -12,7 +12,9 @@
   "httpPort": 3000,
   "addons": {
     "mongodb": {},
-    "ldap": {},
+    "oidc": {
+      "loginRedirectUri": "/api/callback"
+    },
     "localstorage": {}
   },
   "tags": ["notes", "bookmarks", "todo", "ideas", "feed", "markdown"],

app.js

@@ -4,20 +4,23 @@
 
 require('supererror')({ splatchError: true });
 
-var PORT = process.env.PORT || 3000;
-var BIND_ADDRESS = process.env.BIND_ADDRESS || '0.0.0.0';
+const PORT = process.env.VITE_DEV_PORT || process.env.PORT || 3000;
+const BIND_ADDRESS = process.env.BIND_ADDRESS || '0.0.0.0';
 
 if (!process.env.CLOUDRON_APP_ORIGIN) {
     console.log('No CLOUDRON_APP_ORIGIN env var set. Falling back to http://localhost');
 }
 
+const APP_ORIGIN = process.env.CLOUDRON_APP_ORIGIN || `http://localhost:${PORT}`;
+
 var express = require('express'),
     json = require('body-parser').json,
     config = require('./src/config.js'),
     cors = require('cors'),
     session = require('express-session'),
     MongoStore = require('connect-mongo'),
     multer  = require('multer'),
+    oidc = require('express-openid-connect'),
     routes = require('./src/routes.js'),
     lastmile = require('connect-lastmile'),
     logic = require('./src/logic.js'),
@@ -35,6 +38,15 @@ var memoryUpload = multer({ storage: multer.memoryStorage({}) }).any();
 
 router.del = router.delete;
 
+router.get ('/api/login', function (req, res) {
+    res.oidc.login({
+        returnTo: '/',
+        authorizationParams: {
+            redirect_uri: `${APP_ORIGIN}/api/callback`,
+        }
+    });
+});
+
 router.post('/api/things', routes.auth, routes.add);
 router.get ('/api/things', routes.auth, routes.getAll);
 router.get ('/api/things/:id', routes.auth, routes.get);
@@ -52,9 +64,6 @@ router.get ('/api/settings', routes.auth, routes.settingsGet);
 router.get ('/api/export', routes.auth, routes.exportThings);
 router.post('/api/import', routes.auth, diskUpload, routes.importThings);
 
-router.post('/api/login', routes.login);
-router.get ('/api/logout', routes.auth, routes.logout);
-
 router.get ('/api/profile', routes.auth, routes.profile);
 
 // public apis
@@ -90,6 +99,73 @@ app.use(session({
     cookie: { sameSite: 'strict' },
     store: MongoStore.create({ mongoUrl: config.databaseUrl })
 }));
+
+if (process.env.CLOUDRON_OIDC_ISSUER) {
+    app.use(oidc.auth({
+        issuerBaseURL: process.env.CLOUDRON_OIDC_ISSUER,
+        baseURL: APP_ORIGIN,
+        clientID: process.env.CLOUDRON_OIDC_CLIENT_ID,
+        clientSecret: process.env.CLOUDRON_OIDC_CLIENT_SECRET,
+        secret: 'FIXME this secret',
+        authorizationParams: {
+            response_type: 'code',
+            scope: 'openid profile email'
+        },
+        authRequired: false,
+        routes: {
+            callback: '/api/callback',
+            login: false,
+            logout: '/api/logout'
+        }
+    }));
+} else {
+    // mock oidc
+    console.log('CLOUDRON_OIDC_ISSUER is not set, using mock OpenID for development');
+
+    app.use((req, res, next) => {
+        res.oidc = {
+            login(options) {
+                res.writeHead(200, { 'Content-Type': 'text/html' })
+                res.write(require('fs').readFileSync(__dirname + '/oidc_develop_user_select.html', 'utf8').replaceAll('REDIRECT_URI', options.authorizationParams.redirect_uri));
+                res.end()
+            }
+        };
+
+        req.oidc = {
+            user: {},
+            isAuthenticated() {
+                return !!req.session.username;
+            }
+        };
+
+        if (req.session.username) {
+            req.oidc.user = {
+                sub: req.session.username,
+                family_name: 'Cloudron',
+                given_name: req.session.username.toUpperCase(),
+                locale: 'en-US',
+                name: 'Cloudron ' + req.session.username.toUpperCase(),
+                preferred_username: req.session.username,
+                email: req.session.username + '@cloudron.local',
+                email_verified: true
+            };
+        }
+
+        next();
+    });
+
+    app.use('/api/callback', (req, res) => {
+        console.log(req.query)
+        req.session.username = req.query.username;
+        res.redirect(`http://localhost:${PORT}/`);
+    });
+
+    app.use('/api/logout', (req, res) => {
+        req.session.username = null;
+        res.status(200).send({});
+    });
+}
+
 app.use(router);
 app.use(lastmile());
 

frontend/templates/view-login.html

@@ -6,17 +6,7 @@
       <div class="row">
         <div class="col-md-4 col-md-offset-4 white-boxes shadow">
           <h3>Login</h3>
-          <form @submit.prevent="login()">
-            <div class="form-group" :class="{ 'has-error': error }">
-              <label class="control-label">Username</label>
-              <input type="text" class="form-control" id="inputUsername" v-model="username" :disabled="busy" required autofocus/>
-            </div>
-            <div class="form-group" :class="{ 'has-error': error }">
-              <label class="control-label">Password</label>
-              <input type="password" class="form-control" v-model="password" :disabled="busy" required/>
-            </div>
-            <button type="submit" class="btn btn-success" :disabled="busy"><i class="spinner alt" v-show="busy"></i> Login</button>
-          </form>
+          <a href="/api/login" class="btn btn-success">Login with Cloudron</a>
         </div>
       </div>
     </div>

frontend/templates/view-login.js

@@ -4,43 +4,12 @@
 
 Vue.component('view-login', {
     template: '#view-login-template',
-    data: function () {
-        return {
-            busy: false,
-            error: false,
-            username: '',
-            password: '',
-            users: []
-        };
+    data() {
+        return {};
     },
     methods: {
         login: function () {
-            var that = this;
 
-            that.busy = true;
-            that.error = false;
-
-            that.$root.Core.session.login(that.username, that.password, function (error, user) {
-                that.busy = false;
-
-                if (error) {
-                    that.error = true;
-                    that.username = '';
-                    that.password = '';
-
-                    Vue.nextTick(function () { $('#inputUsername').focus(); });
-
-                    // print unexpected errors
-                    if (error.status !== 401) console.error('Login failed:', error);
-
-                    return;
-                }
-
-                that.error = false;
-
-                // TODO should be a signal/slot
-                that.$root.main();
-            });
         }
     },
     ready: function () {

localdevelopment

@@ -8,7 +8,7 @@ CONTAINER_NAME="mongo-server-meemo"
 OUT=`docker inspect ${CONTAINER_NAME}` || true
 if [[ "${OUT}" = "[]" ]]; then
     echo "Starting ${CONTAINER_NAME}..."
-    docker run --name ${CONTAINER_NAME} -d mongo:4.2.12-bionic
+    docker run --name ${CONTAINER_NAME} -d mongo:5.0.20
 else
     echo "${CONTAINER_NAME} already running. If you want to start fresh, run 'docker rm --force ${CONTAINER_NAME}'"
 fi
@@ -20,13 +20,6 @@ done
 
 export MONGODB_IP=`docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${CONTAINER_NAME}`
 
-echo ""
-echo "Adding developer test user:"
-echo "username: test"
-echo "password: test"
-echo ""
-./admin user-add --username test --password test --display-name "Test User" || true
-
 export CLOUDRON_MONGODB_URL="mongodb://${MONGODB_IP}:27017/meemo"
 export CLOUDRON_APP_ORIGIN="http://localhost:3000"
 

oidc_develop_user_select.html

@@ -0,0 +1,10 @@
+<html>
+<body>
+    <h1>OpenID mock</h1>
+    <p>Choose with which user to continue:</p>
+    <ul>
+        <li><a href="REDIRECT_URI?username=admin">Admin</a></li>
+        <li><a href="REDIRECT_URI?username=helena">Helena</a></li>
+    </ul>
+</body>
+</html>