feat: improve oidc only mode

2026-03-16 17:14:54 +01:00 · 2026-03-16 17:14:54 +01:00 · 9b4f3b140c
commit 9b4f3b140c
parent a8d9fe6121
19 changed files with 330 additions and 43 deletions
--- a/lib/mv_web/components/core_components.ex
+++ b/lib/mv_web/components/core_components.ex
@ -63,6 +63,11 @@ defmodule MvWeb.CoreComponents do
    values: [:info, :error, :success, :warning],
    doc: "used for styling and flash lookup"

+  attr :auto_clear_ms, :integer,
+    default: nil,
+    doc:
+      "when set, flash is auto-dismissed after this many milliseconds (e.g. 5000 for success toasts)"
+
  attr :rest, :global, doc: "the arbitrary HTML attributes to add to the flash container"

  slot :inner_block, doc: "the optional inner block that renders the flash message"
@ -74,6 +79,9 @@ defmodule MvWeb.CoreComponents do
    <div
      :if={msg = render_slot(@inner_block) || Phoenix.Flash.get(@flash, @kind)}
      id={@id}
+      phx-hook={@auto_clear_ms && "FlashAutoDismiss"}
+      data-auto-clear-ms={@auto_clear_ms}
+      data-clear-flash-key={@auto_clear_ms && @kind}
      phx-click={JS.push("lv:clear-flash", value: %{key: @kind}) |> hide("##{@id}")}
      role="alert"
      class="pointer-events-auto"
--- a/lib/mv_web/components/layouts.ex
+++ b/lib/mv_web/components/layouts.ex
@ -171,7 +171,7 @@ defmodule MvWeb.Layouts do
            </label>
            <span class="font-bold">{@club_name}</span>
          </header>
-          
+
    <!-- Main Content (shared between mobile and desktop) -->
          <main class="px-4 py-8 sm:px-6 lg:px-8">
            <div class="mx-auto space-y-4 max-full">
@ -265,7 +265,7 @@ defmodule MvWeb.Layouts do
      aria-live="polite"
      class="z-50 toast toast-bottom toast-end flex flex-col gap-2 pointer-events-none"
    >
-      <.flash kind={:success} flash={@flash} />
+      <.flash kind={:success} flash={@flash} auto_clear_ms={5000} />
      <.flash kind={:warning} flash={@flash} />
      <.flash kind={:info} flash={@flash} />
      <.flash kind={:error} flash={@flash} />
--- a/lib/mv_web/components/layouts/root.html.heex
+++ b/lib/mv_web/components/layouts/root.html.heex
@ -74,7 +74,7 @@
      aria-live="polite"
      class="z-50 flex flex-col gap-2 toast toast-bottom toast-end"
    >
-      <.flash id="flash-success-root" kind={:success} flash={@flash} />
+      <.flash id="flash-success-root" kind={:success} flash={@flash} auto_clear_ms={5000} />
      <.flash id="flash-warning-root" kind={:warning} flash={@flash} />
      <.flash id="flash-info-root" kind={:info} flash={@flash} />
      <.flash id="flash-error-root" kind={:error} flash={@flash} />
--- a/lib/mv_web/controllers/auth_controller.ex
+++ b/lib/mv_web/controllers/auth_controller.ex
@ -15,8 +15,23 @@ defmodule MvWeb.AuthController do
  use AshAuthentication.Phoenix.Controller

  alias Mv.Accounts.User.Errors.PasswordVerificationRequired
+  alias Mv.Config

-  def success(conn, activity, user, _token) do
+  def success(conn, {:password, :sign_in} = _activity, user, token) do
+    if Config.oidc_only?() do
+      conn
+      |> put_flash(:error, gettext("Only sign-in via Single Sign-On (SSO) is allowed."))
+      |> redirect(to: ~p"/sign-in")
+    else
+      success_continue(conn, {:password, :sign_in}, user, token)
+    end
+  end
+
+  def success(conn, activity, user, token) do
+    success_continue(conn, activity, user, token)
+  end
+
+  defp success_continue(conn, activity, user, _token) do
    return_to = get_session(conn, :return_to) || ~p"/"

    message =
--- a/lib/mv_web/live/global_settings_live.ex
+++ b/lib/mv_web/live/global_settings_live.ex
@ -19,6 +19,7 @@ defmodule MvWeb.GlobalSettingsLive do
  ## Events
  - `validate` / `save` - Club settings form
  - `toggle_registration_enabled` - Enable/disable direct registration (/register)
+  - `toggle_oidc_only` - Enable/disable OIDC-only sign-in (immediate, outside OIDC form)
  - `toggle_join_form_enabled` - Enable/disable the join form
  - `add_join_form_field` / `remove_join_form_field` - Manage join form fields
  - `toggle_join_form_field_required` - Toggle required flag per field
@ -80,6 +81,7 @@ defmodule MvWeb.GlobalSettingsLive do
      |> assign(:oidc_admin_group_name_env_set, Mv.Config.oidc_admin_group_name_env_set?())
      |> assign(:oidc_groups_claim_env_set, Mv.Config.oidc_groups_claim_env_set?())
      |> assign(:oidc_only_env_set, Mv.Config.oidc_only_env_set?())
+      |> assign(:oidc_only, Mv.Config.oidc_only?())
      |> assign(:oidc_configured, Mv.Config.oidc_configured?())
      |> assign(:oidc_client_secret_set, Mv.Config.oidc_client_secret_set?())
      |> assign(:registration_enabled, settings.registration_enabled != false)
@ -625,11 +627,30 @@ defmodule MvWeb.GlobalSettingsLive do
              class="checkbox checkbox-sm"
              checked={@registration_enabled}
              phx-click="toggle_registration_enabled"
+              disabled={@oidc_only}
              aria-label={gettext("Allow direct registration (/register)")}
            />
-            <label for="registration-enabled-checkbox" class="cursor-pointer font-medium">
+            <label
+              for="registration-enabled-checkbox"
+              class={
+                if @oidc_only, do: "cursor-not-allowed opacity-70", else: "cursor-pointer font-medium"
+              }
+            >
              {gettext("Allow direct registration (/register)")}
            </label>
+            <%= if @oidc_only do %>
+              <.tooltip
+                content={gettext("Only OIDC sign-in is active. This option is disabled.")}
+                position="top"
+              >
+                <span
+                  data-testid="oidc-only-registration-hint"
+                  class="cursor-help text-base-content/70"
+                >
+                  ⓘ
+                </span>
+              </.tooltip>
+            <% end %>
          </div>

          <h3 class="font-medium mb-3">{gettext("OIDC (Single Sign-On)")}</h3>
@ -638,6 +659,38 @@ defmodule MvWeb.GlobalSettingsLive do
              {gettext("Some values are set via environment variables. Those fields are read-only.")}
            </p>
          <% end %>
+          <div class="flex items-center gap-3 mb-4">
+            <input
+              type="checkbox"
+              id="oidc-only-checkbox"
+              data-testid="oidc-only-checkbox"
+              class="checkbox checkbox-sm"
+              checked={@oidc_only}
+              phx-click="toggle_oidc_only"
+              disabled={@oidc_only_env_set or not @oidc_configured}
+              aria-label={gettext("Only OIDC sign-in (hide password login)")}
+            />
+            <label
+              for="oidc-only-checkbox"
+              class={
+                if @oidc_only_env_set or not @oidc_configured,
+                  do: "cursor-not-allowed opacity-70",
+                  else: "cursor-pointer font-medium"
+              }
+            >
+              {if @oidc_only_env_set do
+                gettext("Only OIDC sign-in (hide password login)") <>
+                  " (" <> gettext("From OIDC_ONLY") <> ")"
+              else
+                gettext("Only OIDC sign-in (hide password login)")
+              end}
+            </label>
+          </div>
+          <p class="label-text-alt text-base-content/70 mb-4">
+            {gettext(
+              "When enabled and OIDC is configured, the sign-in page shows only the Single Sign-On button."
+            )}
+          </p>
          <.form for={@form} id="oidc-form" phx-change="validate" phx-submit="save">
            <div class="grid gap-4">
              <.input
@ -744,27 +797,6 @@ defmodule MvWeb.GlobalSettingsLive do
                  )
                }
              />
-              <div class="form-control">
-                <.input
-                  field={@form[:oidc_only]}
-                  type="checkbox"
-                  class="checkbox checkbox-sm"
-                  disabled={@oidc_only_env_set or not @oidc_configured}
-                  label={
-                    if @oidc_only_env_set do
-                      gettext("Only OIDC sign-in (hide password login)") <>
-                        " (" <> gettext("From OIDC_ONLY") <> ")"
-                    else
-                      gettext("Only OIDC sign-in (hide password login)")
-                    end
-                  }
-                />
-                <p class="label-text-alt text-base-content/70 mt-1">
-                  {gettext(
-                    "When enabled and OIDC is configured, the sign-in page shows only the Single Sign-On button."
-                  )}
-                </p>
-              </div>
            </div>
            <.button
              :if={
@ -880,6 +912,7 @@ defmodule MvWeb.GlobalSettingsLive do
          |> assign(:registration_enabled, fresh_settings.registration_enabled != false)
          |> assign(:vereinfacht_api_key_set, present?(fresh_settings.vereinfacht_api_key))
          |> assign(:oidc_client_secret_set, Mv.Config.oidc_client_secret_set?())
+          |> assign(:oidc_only, Mv.Config.oidc_only?())
          |> assign(:oidc_configured, Mv.Config.oidc_configured?())
          |> assign(:smtp_configured, Mv.Config.smtp_configured?())
          |> assign(:smtp_password_set, present?(Mv.Config.smtp_password()))
@ -916,19 +949,53 @@ defmodule MvWeb.GlobalSettingsLive do

  @impl true
  def handle_event("toggle_registration_enabled", _params, socket) do
-    settings = socket.assigns.settings
-    new_value = not socket.assigns.registration_enabled
+    if Mv.Config.oidc_only?() do
+      {:noreply, socket}
+    else
+      settings = socket.assigns.settings
+      new_value = not socket.assigns.registration_enabled

-    case Membership.update_settings(settings, %{registration_enabled: new_value}) do
-      {:ok, updated_settings} ->
-        {:noreply,
-         socket
-         |> assign(:settings, updated_settings)
-         |> assign(:registration_enabled, updated_settings.registration_enabled != false)
-         |> assign_form()}
+      case Membership.update_settings(settings, %{registration_enabled: new_value}) do
+        {:ok, updated_settings} ->
+          {:noreply,
+           socket
+           |> assign(:settings, updated_settings)
+           |> assign(:registration_enabled, updated_settings.registration_enabled != false)
+           |> assign_form()}

-      {:error, _} ->
-        {:noreply, put_flash(socket, :error, gettext("Failed to update setting."))}
+        {:error, _} ->
+          {:noreply, put_flash(socket, :error, gettext("Failed to update setting."))}
+      end
+    end
+  end
+
+  @impl true
+  def handle_event("toggle_oidc_only", _params, socket) do
+    if socket.assigns.oidc_only_env_set do
+      {:noreply, socket}
+    else
+      settings = socket.assigns.settings
+      new_value = not socket.assigns.oidc_only
+
+      # When enabling OIDC-only, also disable direct registration; when disabling, only change oidc_only.
+      params =
+        if new_value,
+          do: %{oidc_only: true, registration_enabled: false},
+          else: %{oidc_only: false}
+
+      case Membership.update_settings(settings, params) do
+        {:ok, updated_settings} ->
+          {:noreply,
+           socket
+           |> assign(:settings, updated_settings)
+           |> assign(:oidc_only, updated_settings.oidc_only == true)
+           |> assign(:registration_enabled, updated_settings.registration_enabled != false)
+           |> assign_form()
+           |> put_flash(:success, gettext("Settings updated successfully"))}
+
+        {:error, _} ->
+          {:noreply, put_flash(socket, :error, gettext("Failed to update setting."))}
+      end
    end
  end

--- a/lib/mv_web/live_helpers.ex
+++ b/lib/mv_web/live_helpers.ex
@ -74,7 +74,7 @@ defmodule MvWeb.LiveHelpers do

        socket =
          socket
-          |> Phoenix.LiveView.put_flash(:error, "You don't have permission to access this page.")
+          |> maybe_put_access_denied_flash(user)
          |> Phoenix.LiveView.push_navigate(to: redirect_to)

        {:halt, socket}
@ -82,6 +82,13 @@ defmodule MvWeb.LiveHelpers do
    end
  end

+  # Only show "no permission" when user is logged in; unauthenticated users are redirected to sign-in without flash.
+  defp maybe_put_access_denied_flash(socket, nil), do: socket
+
+  defp maybe_put_access_denied_flash(socket, _user) do
+    Phoenix.LiveView.put_flash(socket, :error, "You don't have permission to access this page.")
+  end
+
  defp ensure_user_role_loaded(socket) do
    user = socket.assigns[:current_user]

--- a/lib/mv_web/plugs/check_page_permission.ex
+++ b/lib/mv_web/plugs/check_page_permission.ex
@ -54,7 +54,7 @@ defmodule MvWeb.Plugs.CheckPagePermission do
        conn
        |> fetch_session()
        |> fetch_flash()
-        |> put_flash(:error, "You don't have permission to access this page.")
+        |> maybe_put_access_denied_flash(user)
        |> redirect(to: redirect_to)
        |> halt()
      end
@ -75,6 +75,13 @@ defmodule MvWeb.Plugs.CheckPagePermission do

  defp redirect_target(user), do: redirect_target_for_user(user)

+  # Only set "no permission" flash when user is logged in; unauthenticated users get redirect only, no flash.
+  defp maybe_put_access_denied_flash(conn, nil), do: conn
+
+  defp maybe_put_access_denied_flash(conn, _user) do
+    put_flash(conn, :error, "You don't have permission to access this page.")
+  end
+
  @doc """
  Returns true if the path is public (no auth/permission check).
  Used by LiveView hook to skip redirect on sign-in etc.
--- a/lib/mv_web/plugs/oidc_only_sign_in_redirect.ex
+++ b/lib/mv_web/plugs/oidc_only_sign_in_redirect.ex
@ -0,0 +1,61 @@
+defmodule MvWeb.Plugs.OidcOnlySignInRedirect do
+  @moduledoc """
+  When OIDC-only mode is active:
+  - GET /sign-in redirects to the OIDC flow when OIDC is configured (sign-in page skipped).
+  - GET /auth/user/password/sign_in_with_token is rejected (redirect to /sign-in with error)
+  so password sign-in cannot complete.
+  """
+  import Plug.Conn
+  import Phoenix.Controller
+
+  alias Mv.Config
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    conn
+    |> maybe_redirect_sign_in_to_oidc()
+    |> maybe_reject_password_token_sign_in()
+  end
+
+  defp maybe_redirect_sign_in_to_oidc(conn) do
+    if conn.request_path == "/sign-in" and conn.method == "GET" do
+      if Config.oidc_only?() and Config.oidc_configured?() do
+        conn
+        |> redirect(to: "/auth/user/oidc")
+        |> halt()
+      else
+        conn
+      end
+    else
+      conn
+    end
+  end
+
+  defp maybe_reject_password_token_sign_in(conn) do
+    if conn.halted, do: conn, else: reject_password_token_sign_in_if_applicable(conn)
+  end
+
+  defp reject_password_token_sign_in_if_applicable(conn) do
+    path = conn.request_path
+
+    password_token_path? =
+      path =~ ~r|/auth/user/password/sign_in_with_token| and conn.method == "GET"
+
+    if password_token_path? and Config.oidc_only?() do
+      message =
+        Gettext.dgettext(
+          MvWeb.Gettext,
+          "default",
+          "Only sign-in via Single Sign-On (SSO) is allowed."
+        )
+
+      conn
+      |> put_flash(:error, message)
+      |> redirect(to: "/sign-in")
+      |> halt()
+    else
+      conn
+    end
+  end
+end
--- a/lib/mv_web/router.ex
+++ b/lib/mv_web/router.ex
@ -18,6 +18,7 @@ defmodule MvWeb.Router do
    plug MvWeb.Plugs.CheckPagePermission
    plug MvWeb.Plugs.JoinFormEnabled
    plug MvWeb.Plugs.RegistrationEnabled
+    plug MvWeb.Plugs.OidcOnlySignInRedirect
  end

  pipeline :api do