GlobalSettings: oidc_only checkbox, ENV merge for OIDC, disable when OIDC not configured

2026-02-24 15:07:44 +01:00 · 2026-02-24 15:07:44 +01:00 · 3f73a36076
commit 3f73a36076
parent c49758fc46
1 changed files with 98 additions and 3 deletions
--- a/lib/mv_web/live/global_settings_live.ex
+++ b/lib/mv_web/live/global_settings_live.ex
@ -58,6 +58,8 @@ defmodule MvWeb.GlobalSettingsLive do
      |> assign(:oidc_client_secret_env_set, Mv.Config.oidc_client_secret_env_set?())
      |> assign(:oidc_admin_group_name_env_set, Mv.Config.oidc_admin_group_name_env_set?())
      |> assign(:oidc_groups_claim_env_set, Mv.Config.oidc_groups_claim_env_set?())
+      |> assign(:oidc_only_env_set, Mv.Config.oidc_only_env_set?())
+      |> assign(:oidc_configured, Mv.Config.oidc_configured?())
      |> assign(:oidc_client_secret_set, present?(settings.oidc_client_secret))
      |> assign_form()

@ -293,12 +295,36 @@ defmodule MvWeb.GlobalSettingsLive do
                )
              }
            />
+            <div class="form-control">
+              <label class="label cursor-pointer justify-start gap-2">
+                <.input
+                  field={@form[:oidc_only]}
+                  type="checkbox"
+                  class="checkbox checkbox-sm"
+                  disabled={@oidc_only_env_set or not @oidc_configured}
+                />
+                <span class="label-text">
+                  {gettext("Only OIDC sign-in (hide password login)")}
+                  <%= if @oidc_only_env_set do %>
+                    <span class="label-text-alt text-base-content/70 ml-1">
+                      ({gettext("From OIDC_ONLY")})
+                    </span>
+                  <% end %>
+                </span>
+              </label>
+              <p class="label-text-alt text-base-content/70 mt-1">
+                {gettext(
+                  "When enabled and OIDC is configured, the sign-in page shows only the Single Sign-On button."
+                )}
+              </p>
+            </div>
          </div>
          <.button
            :if={
              not (@oidc_client_id_env_set and @oidc_base_url_env_set and
                     @oidc_redirect_uri_env_set and @oidc_client_secret_env_set and
-                     @oidc_admin_group_name_env_set and @oidc_groups_claim_env_set)
+                     @oidc_admin_group_name_env_set and @oidc_groups_claim_env_set and
+                     @oidc_only_env_set)
            }
            phx-disable-with={gettext("Saving...")}
            variant="primary"
@ -419,8 +445,17 @@ defmodule MvWeb.GlobalSettingsLive do
  end

  defp assign_form(%{assigns: %{settings: settings}} = socket) do
-    # Never put API key / client secret into form/DOM to avoid secret leak
-    settings_for_form = %{settings | vereinfacht_api_key: nil, oidc_client_secret: nil}
+    # Show ENV values in disabled fields (Vereinfacht and OIDC); never expose API key / client secret
+    settings_display =
+      settings
+      |> merge_vereinfacht_env_values()
+      |> merge_oidc_env_values()
+
+    settings_for_form = %{
+      settings_display
+      | vereinfacht_api_key: nil,
+        oidc_client_secret: nil
+    }

    form =
      AshPhoenix.Form.for_update(
@ -434,6 +469,66 @@ defmodule MvWeb.GlobalSettingsLive do
    assign(socket, form: to_form(form))
  end

+  defp put_if_env_set(map, _key, false, _value), do: map
+  defp put_if_env_set(map, key, true, value), do: Map.put(map, key, value)
+
+  defp merge_vereinfacht_env_values(s) do
+    s
+    |> put_if_env_set(
+      :vereinfacht_api_url,
+      Mv.Config.vereinfacht_api_url_env_set?(),
+      Mv.Config.vereinfacht_api_url()
+    )
+    |> put_if_env_set(
+      :vereinfacht_club_id,
+      Mv.Config.vereinfacht_club_id_env_set?(),
+      Mv.Config.vereinfacht_club_id()
+    )
+    |> put_if_env_set(
+      :vereinfacht_app_url,
+      Mv.Config.vereinfacht_app_url_env_set?(),
+      Mv.Config.vereinfacht_app_url()
+    )
+  end
+
+  defp merge_oidc_env_values(s) do
+    s
+    |> put_if_env_set(
+      :oidc_client_id,
+      Mv.Config.oidc_client_id_env_set?(),
+      Mv.Config.oidc_client_id()
+    )
+    |> put_if_env_set(
+      :oidc_base_url,
+      Mv.Config.oidc_base_url_env_set?(),
+      Mv.Config.oidc_base_url()
+    )
+    |> put_if_env_set(
+      :oidc_redirect_uri,
+      Mv.Config.oidc_redirect_uri_env_set?(),
+      Mv.Config.oidc_redirect_uri()
+    )
+    |> put_if_env_set(
+      :oidc_admin_group_name,
+      Mv.Config.oidc_admin_group_name_env_set?(),
+      Mv.Config.oidc_admin_group_name()
+    )
+    |> put_if_env_set(
+      :oidc_groups_claim,
+      Mv.Config.oidc_groups_claim_env_set?(),
+      Mv.Config.oidc_groups_claim()
+    )
+    |> put_if_oidc_only_env_set()
+  end
+
+  defp put_if_oidc_only_env_set(s) do
+    if Mv.Config.oidc_only_env_set?() do
+      Map.put(s, :oidc_only, Mv.Config.oidc_only?())
+    else
+      s
+    end
+  end
+
  defp enrich_sync_errors([]), do: []

  defp enrich_sync_errors(errors) when is_list(errors) do