From c381b86b5e94d670d66bb79e48f87f1389ed3239 Mon Sep 17 00:00:00 2001 From: Simon Date: Mon, 16 Mar 2026 19:09:07 +0100 Subject: [PATCH] Improve oidc only mode (#474) ## Description of the implemented changes The changes were: - [x] Bugfixing - [x] New Feature - [ ] Breaking Change - [x] Refactoring **OIDC-only mode improvements and UX tweaks (success toasts, unauthenticated redirect).** ## What has been changed? ### OIDC-only mode (new feature) - **Admin settings:** "Only OIDC sign-in" is an immediate toggle at the top of the OIDC section (no save button). Enabling it also turns off "Allow direct registration". When OIDC-only is on, the registration checkbox is disabled and shows a tooltip (DaisyUI `<.tooltip>`). - **Backend:** Password sign-in is forbidden via Ash policy (`OidcOnlyActive` check). Password registration is blocked via validation `OidcOnlyBlocksPasswordRegistration`. New plug `OidcOnlySignInRedirect`: when OIDC-only and OIDC are configured, GET `/sign-in` redirects to the OIDC flow; GET `/auth/user/password/sign_in_with_token` is rejected with redirect + flash. `AuthController.success/4` also rejects password sign-in when OIDC-only. - **Tests:** GlobalSettingsLive (OIDC-only UI), AuthController (redirect and password sign-in rejection), User authentication (register_with_password blocked when OIDC-only). ### UX / behaviour (no new feature flag) - **Success toasts:** Success flash messages auto-dismiss after 5 seconds via JS hook `FlashAutoDismiss` and optional `auto_clear_ms` on `<.flash>` (used for success in root layout and `flash_group`). - **Unauthenticated users:** Redirect to sign-in without the "You don't have permission to access this page" flash; that message is only shown to logged-in users who lack access. Logic in `LiveHelpers` and `CheckPagePermission` plug; test updated accordingly. ### Other - Layouts: comment about unprocessed join-request count no longer uses "TODO" (Credo). - Gettext: German translation for "Home" (Startseite); POT/PO kept in sync. - CHANGELOG: Unreleased section updated with the above. ## Definition of Done ### Code Quality - [x] No new technical depths - [x] Linting passed - [x] Documentation is added where needed (module docs, comments where non-obvious) ### Accessibility - [x] New elements are properly defined with html-tags (labels, aria-label on checkboxes) - [x] Colour contrast follows WCAG criteria (unchanged) - [x] Aria labels are added when needed (e.g. oidc-only and registration checkboxes) - [x] Everything is accessible by keyboard (toggles and buttons unchanged) - [x] Tab-Order is comprehensible - [x] All interactive elements have a visible focus (existing patterns) ### Testing - [x] Tests for new code are written (OIDC-only UI, auth controller, user auth; SMTP config builder and mailer) - [x] All tests pass - [ ] axe-core dev tools show no critical or major issues (not re-run for this PR; suggest spot-check on settings and sign-in) ## Additional Notes - **OIDC-only:** When the `OIDC_ONLY` env var is set, the toggle is read-only and shows "(From OIDC_ONLY)". When OIDC is not configured, the toggle is disabled. - **Invalidation:** Enabling OIDC-only sets `registration_enabled: false` in one update; disabling OIDC-only only updates `oidc_only` (registration left as-is). - **Review focus:** Plug order in router (OidcOnlySignInRedirect), policy/validation order in User, and that all OIDC-only paths (form, plug, controller) stay consistent. Reviewed-on: https://git.local-it.org/local-it/mitgliederverwaltung/pulls/474 Co-authored-by: Simon Co-committed-by: Simon --- CHANGELOG.md | 7 + assets/js/app.js | 19 +++ docs/admin-bootstrap-and-oidc-role-sync.md | 1 + docs/feature-roadmap.md | 5 + lib/accounts/user.ex | 10 ++ .../oidc_only_blocks_password_registration.ex | 27 ++++ .../authorization/checks/oidc_only_active.ex | 16 ++ lib/mv_web/components/core_components.ex | 8 + lib/mv_web/components/layouts.ex | 2 +- lib/mv_web/components/layouts/root.html.heex | 2 +- lib/mv_web/controllers/auth_controller.ex | 31 +++- lib/mv_web/live/global_settings_live.ex | 145 +++++++++++++----- lib/mv_web/live_helpers.ex | 9 +- lib/mv_web/plugs/check_page_permission.ex | 9 +- .../plugs/oidc_only_sign_in_redirect.ex | 73 +++++++++ lib/mv_web/router.ex | 1 + priv/gettext/de/LC_MESSAGES/default.po | 10 ++ priv/gettext/default.pot | 10 ++ priv/gettext/en/LC_MESSAGES/default.po | 10 ++ test/accounts/user_authentication_test.exs | 27 ++++ .../controllers/auth_controller_test.exs | 141 ++++++++++++++++- .../mv_web/live/global_settings_live_test.exs | 65 ++++++++ .../plugs/check_page_permission_test.exs | 5 +- 23 files changed, 579 insertions(+), 54 deletions(-) create mode 100644 lib/accounts/user/validations/oidc_only_blocks_password_registration.ex create mode 100644 lib/mv/authorization/checks/oidc_only_active.ex create mode 100644 lib/mv_web/plugs/oidc_only_sign_in_redirect.ex diff --git a/CHANGELOG.md b/CHANGELOG.md index d39df9b..7cc8ea5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added +- **Improved OIDC-only mode** – Admin can enable “Only OIDC sign-in” in settings; when enabled, direct registration is disabled and sign-in page redirects to OIDC when configured. +- **Success toast auto-dismiss** – Success flash messages (e.g. “Settings saved”) hide automatically after 5 seconds instead of requiring the user to close them. + +### Changed +- **Unauthenticated access** – Users who are not logged in are redirected to sign-in without showing a “no permission” message; the message is only shown to logged-in users who lack access. + ### Fixed - **SMTP configuration** – Repaired so that both port 587 (TLS/STARTTLS) and 465 (SSL) work correctly. diff --git a/assets/js/app.js b/assets/js/app.js index 87f2c25..4c7e3c5 100644 --- a/assets/js/app.js +++ b/assets/js/app.js @@ -113,6 +113,25 @@ Hooks.FocusRestore = { } } +// FlashAutoDismiss: after a delay, clear the flash so the toast hides without user clicking X (e.g. success toasts) +Hooks.FlashAutoDismiss = { + mounted() { + const ms = this.el.dataset.autoClearMs + if (!ms) return + const delay = parseInt(ms, 10) + if (delay > 0) { + this.timer = setTimeout(() => { + const key = this.el.dataset.clearFlashKey || "success" + this.pushEvent("lv:clear-flash", {key}) + }, delay) + } + }, + + destroyed() { + if (this.timer) clearTimeout(this.timer) + } +} + // TabListKeydown hook: WCAG tab pattern — prevent default for ArrowLeft/ArrowRight so the server can handle tab switch (roving tabindex) Hooks.TabListKeydown = { mounted() { diff --git a/docs/admin-bootstrap-and-oidc-role-sync.md b/docs/admin-bootstrap-and-oidc-role-sync.md index 5e26c85..aa5c155 100644 --- a/docs/admin-bootstrap-and-oidc-role-sync.md +++ b/docs/admin-bootstrap-and-oidc-role-sync.md @@ -38,6 +38,7 @@ ### Sign-in page (OIDC-only mode) - `OIDC_ONLY` (or Settings → OIDC → "Only OIDC sign-in") – When set to true/1/yes and OIDC is configured, the sign-in page shows only the Single Sign-On button (password login is hidden). ENV takes precedence over Settings. +- **Redirect loop fix:** After an OIDC failure (e.g. provider down), the app redirects to `/sign-in?oidc_failed=1`. The plug `OidcOnlySignInRedirect` does not redirect that request back to OIDC, so the sign-in page is shown with the error (no endless redirect). ### Sync Logic diff --git a/docs/feature-roadmap.md b/docs/feature-roadmap.md index 6383660..2ec15a5 100644 --- a/docs/feature-roadmap.md +++ b/docs/feature-roadmap.md @@ -49,6 +49,11 @@ - ✅ **Page-level authorization** - LiveView page access control - ✅ **System role protection** - Critical roles cannot be deleted +**Planned: OIDC-only mode (TDD, tests first):** +- Admin Settings: When OIDC-only is enabled, disable "Allow direct registration" toggle and show hint (tests in `GlobalSettingsLiveTest`). +- Backend: Reject password sign-in and `register_with_password` when OIDC-only (tests in `AuthControllerTest`, `Accounts`). +- GET `/sign-in` redirect to OIDC when OIDC-only and OIDC configured (tests in `AuthControllerTest`). Implementation to follow after tests. + **Missing Features:** - ❌ Password reset flow - ❌ Email verification diff --git a/lib/accounts/user.ex b/lib/accounts/user.ex index 29a2d4b..0127796 100644 --- a/lib/accounts/user.ex +++ b/lib/accounts/user.ex @@ -362,6 +362,12 @@ defmodule Mv.Accounts.User do # Authorization Policies # Order matters: Most specific policies first, then general permission check policies do + # When OIDC-only is active, password sign-in is forbidden (SSO only). + policy action(:sign_in_with_password) do + forbid_if Mv.Authorization.Checks.OidcOnlyActive + authorize_if always() + end + # AshAuthentication bypass (registration/login without actor) bypass AshAuthentication.Checks.AshAuthenticationInteraction do description "Allow AshAuthentication internal operations (registration, login)" @@ -409,6 +415,10 @@ defmodule Mv.Accounts.User do validate {Mv.Accounts.User.Validations.RegistrationEnabled, []}, where: [action_is(:register_with_password)] + # Block password registration when OIDC-only mode is active + validate {Mv.Accounts.User.Validations.OidcOnlyBlocksPasswordRegistration, []}, + where: [action_is(:register_with_password)] + # Email uniqueness check for all actions that change the email attribute # Validates that user email is not already used by another (unlinked) member validate Mv.Accounts.User.Validations.EmailNotUsedByOtherMember diff --git a/lib/accounts/user/validations/oidc_only_blocks_password_registration.ex b/lib/accounts/user/validations/oidc_only_blocks_password_registration.ex new file mode 100644 index 0000000..e4d9a35 --- /dev/null +++ b/lib/accounts/user/validations/oidc_only_blocks_password_registration.ex @@ -0,0 +1,27 @@ +defmodule Mv.Accounts.User.Validations.OidcOnlyBlocksPasswordRegistration do + @moduledoc """ + Validation that blocks direct registration (register_with_password) when + OIDC-only mode is active. In OIDC-only mode, sign-in and registration are + only allowed via OIDC (SSO). + """ + use Ash.Resource.Validation + + @impl true + def init(opts), do: {:ok, opts} + + @impl true + def validate(_changeset, _opts, _context) do + if Mv.Config.oidc_only?() do + {:error, + field: :base, + message: + Gettext.dgettext( + MvWeb.Gettext, + "default", + "Registration with password is disabled when only OIDC sign-in is active." + )} + else + :ok + end + end +end diff --git a/lib/mv/authorization/checks/oidc_only_active.ex b/lib/mv/authorization/checks/oidc_only_active.ex new file mode 100644 index 0000000..8d56ca1 --- /dev/null +++ b/lib/mv/authorization/checks/oidc_only_active.ex @@ -0,0 +1,16 @@ +defmodule Mv.Authorization.Checks.OidcOnlyActive do + @moduledoc """ + Policy check: true when OIDC-only mode is active (Config.oidc_only?()). + + Used to forbid password sign-in when only OIDC (SSO) sign-in is allowed. + """ + use Ash.Policy.SimpleCheck + + alias Mv.Config + + @impl true + def describe(_opts), do: "OIDC-only mode is active" + + @impl true + def match?(_actor, _context, _opts), do: Config.oidc_only?() +end diff --git a/lib/mv_web/components/core_components.ex b/lib/mv_web/components/core_components.ex index 8c58c32..b5bd763 100644 --- a/lib/mv_web/components/core_components.ex +++ b/lib/mv_web/components/core_components.ex @@ -63,6 +63,11 @@ defmodule MvWeb.CoreComponents do values: [:info, :error, :success, :warning], doc: "used for styling and flash lookup" + attr :auto_clear_ms, :integer, + default: nil, + doc: + "when set, flash is auto-dismissed after this many milliseconds (e.g. 5000 for success toasts)" + attr :rest, :global, doc: "the arbitrary HTML attributes to add to the flash container" slot :inner_block, doc: "the optional inner block that renders the flash message" @@ -74,6 +79,9 @@ defmodule MvWeb.CoreComponents do
hide("##{@id}")} role="alert" class="pointer-events-auto" diff --git a/lib/mv_web/components/layouts.ex b/lib/mv_web/components/layouts.ex index 5a96001..54f589d 100644 --- a/lib/mv_web/components/layouts.ex +++ b/lib/mv_web/components/layouts.ex @@ -265,7 +265,7 @@ defmodule MvWeb.Layouts do aria-live="polite" class="z-50 toast toast-bottom toast-end flex flex-col gap-2 pointer-events-none" > - <.flash kind={:success} flash={@flash} /> + <.flash kind={:success} flash={@flash} auto_clear_ms={5000} /> <.flash kind={:warning} flash={@flash} /> <.flash kind={:info} flash={@flash} /> <.flash kind={:error} flash={@flash} /> diff --git a/lib/mv_web/components/layouts/root.html.heex b/lib/mv_web/components/layouts/root.html.heex index 5419b73..bb900aa 100644 --- a/lib/mv_web/components/layouts/root.html.heex +++ b/lib/mv_web/components/layouts/root.html.heex @@ -74,7 +74,7 @@ aria-live="polite" class="z-50 flex flex-col gap-2 toast toast-bottom toast-end" > - <.flash id="flash-success-root" kind={:success} flash={@flash} /> + <.flash id="flash-success-root" kind={:success} flash={@flash} auto_clear_ms={5000} /> <.flash id="flash-warning-root" kind={:warning} flash={@flash} /> <.flash id="flash-info-root" kind={:info} flash={@flash} /> <.flash id="flash-error-root" kind={:error} flash={@flash} /> diff --git a/lib/mv_web/controllers/auth_controller.ex b/lib/mv_web/controllers/auth_controller.ex index 20a76f5..adde4e8 100644 --- a/lib/mv_web/controllers/auth_controller.ex +++ b/lib/mv_web/controllers/auth_controller.ex @@ -15,8 +15,23 @@ defmodule MvWeb.AuthController do use AshAuthentication.Phoenix.Controller alias Mv.Accounts.User.Errors.PasswordVerificationRequired + alias Mv.Config - def success(conn, activity, user, _token) do + def success(conn, {:password, :sign_in} = _activity, user, token) do + if Config.oidc_only?() do + conn + |> put_flash(:error, gettext("Only sign-in via Single Sign-On (SSO) is allowed.")) + |> redirect(to: sign_in_path_after_oidc_failure()) + else + success_continue(conn, {:password, :sign_in}, user, token) + end + end + + def success(conn, activity, user, token) do + success_continue(conn, activity, user, token) + end + + defp success_continue(conn, activity, user, _token) do return_to = get_session(conn, :return_to) || ~p"/" message = @@ -134,7 +149,7 @@ defmodule MvWeb.AuthController do _ -> conn |> put_flash(:error, gettext("Unable to authenticate with OIDC. Please try again.")) - |> redirect(to: ~p"/sign-in") + |> redirect(to: sign_in_path_after_oidc_failure()) end end @@ -148,7 +163,7 @@ defmodule MvWeb.AuthController do :error, gettext("The authentication server is currently unavailable. Please try again later.") ) - |> redirect(to: ~p"/sign-in") + |> redirect(to: sign_in_path_after_oidc_failure()) end # Handle Assent invalid response errors (configuration or malformed responses) @@ -161,7 +176,7 @@ defmodule MvWeb.AuthController do :error, gettext("Authentication configuration error. Please contact the administrator.") ) - |> redirect(to: ~p"/sign-in") + |> redirect(to: sign_in_path_after_oidc_failure()) end # Catch-all clause for any other error types @@ -171,7 +186,7 @@ defmodule MvWeb.AuthController do conn |> put_flash(:error, gettext("Unable to authenticate with OIDC. Please try again.")) - |> redirect(to: ~p"/sign-in") + |> redirect(to: sign_in_path_after_oidc_failure()) end # Handle generic AuthenticationFailed errors @@ -211,10 +226,14 @@ defmodule MvWeb.AuthController do conn |> put_flash(:error, error_message) - |> redirect(to: ~p"/sign-in") + |> redirect(to: sign_in_path_after_oidc_failure()) end end + # Path used when redirecting to sign-in after an OIDC failure. The query param tells + # OidcOnlySignInRedirect to show the sign-in page instead of redirecting back to OIDC (avoids loop). + defp sign_in_path_after_oidc_failure, do: "/sign-in?oidc_failed=1" + # Extract meaningful error message from Ash errors defp extract_meaningful_error_message(errors) do # Look for specific error messages in InvalidAttribute errors diff --git a/lib/mv_web/live/global_settings_live.ex b/lib/mv_web/live/global_settings_live.ex index f69b947..cb57631 100644 --- a/lib/mv_web/live/global_settings_live.ex +++ b/lib/mv_web/live/global_settings_live.ex @@ -19,6 +19,7 @@ defmodule MvWeb.GlobalSettingsLive do ## Events - `validate` / `save` - Club settings form - `toggle_registration_enabled` - Enable/disable direct registration (/register) + - `toggle_oidc_only` - Enable/disable OIDC-only sign-in (immediate, outside OIDC form) - `toggle_join_form_enabled` - Enable/disable the join form - `add_join_form_field` / `remove_join_form_field` - Manage join form fields - `toggle_join_form_field_required` - Toggle required flag per field @@ -80,6 +81,7 @@ defmodule MvWeb.GlobalSettingsLive do |> assign(:oidc_admin_group_name_env_set, Mv.Config.oidc_admin_group_name_env_set?()) |> assign(:oidc_groups_claim_env_set, Mv.Config.oidc_groups_claim_env_set?()) |> assign(:oidc_only_env_set, Mv.Config.oidc_only_env_set?()) + |> assign(:oidc_only, Mv.Config.oidc_only?()) |> assign(:oidc_configured, Mv.Config.oidc_configured?()) |> assign(:oidc_client_secret_set, Mv.Config.oidc_client_secret_set?()) |> assign(:registration_enabled, settings.registration_enabled != false) @@ -625,11 +627,30 @@ defmodule MvWeb.GlobalSettingsLive do class="checkbox checkbox-sm" checked={@registration_enabled} phx-click="toggle_registration_enabled" + disabled={@oidc_only} aria-label={gettext("Allow direct registration (/register)")} /> -

{gettext("OIDC (Single Sign-On)")}

@@ -638,6 +659,38 @@ defmodule MvWeb.GlobalSettingsLive do {gettext("Some values are set via environment variables. Those fields are read-only.")}

<% end %> +
+ + +
+

+ {gettext( + "When enabled and OIDC is configured, the sign-in page shows only the Single Sign-On button." + )} +

<.form for={@form} id="oidc-form" phx-change="validate" phx-submit="save">
<.input @@ -744,27 +797,6 @@ defmodule MvWeb.GlobalSettingsLive do ) } /> -
- <.input - field={@form[:oidc_only]} - type="checkbox" - class="checkbox checkbox-sm" - disabled={@oidc_only_env_set or not @oidc_configured} - label={ - if @oidc_only_env_set do - gettext("Only OIDC sign-in (hide password login)") <> - " (" <> gettext("From OIDC_ONLY") <> ")" - else - gettext("Only OIDC sign-in (hide password login)") - end - } - /> -

- {gettext( - "When enabled and OIDC is configured, the sign-in page shows only the Single Sign-On button." - )} -

-
<.button :if={ @@ -868,18 +900,19 @@ defmodule MvWeb.GlobalSettingsLive do saves_vereinfacht = vereinfacht_params?(setting_params_clean) case MvWeb.LiveHelpers.submit_form(socket.assigns.form, setting_params_clean, actor) do - {:ok, _updated_settings} -> - {:ok, fresh_settings} = Membership.get_settings() - + {:ok, updated_settings} -> + # Use the returned record for the form so saved values show immediately; + # get_settings() can return cached data without the new attribute until reload. test_result = if saves_vereinfacht, do: Mv.Vereinfacht.test_connection(), else: nil socket = socket - |> assign(:settings, fresh_settings) - |> assign(:registration_enabled, fresh_settings.registration_enabled != false) - |> assign(:vereinfacht_api_key_set, present?(fresh_settings.vereinfacht_api_key)) + |> assign(:settings, updated_settings) + |> assign(:registration_enabled, updated_settings.registration_enabled != false) + |> assign(:vereinfacht_api_key_set, present?(updated_settings.vereinfacht_api_key)) |> assign(:oidc_client_secret_set, Mv.Config.oidc_client_secret_set?()) + |> assign(:oidc_only, Mv.Config.oidc_only?()) |> assign(:oidc_configured, Mv.Config.oidc_configured?()) |> assign(:smtp_configured, Mv.Config.smtp_configured?()) |> assign(:smtp_password_set, present?(Mv.Config.smtp_password())) @@ -916,19 +949,53 @@ defmodule MvWeb.GlobalSettingsLive do @impl true def handle_event("toggle_registration_enabled", _params, socket) do - settings = socket.assigns.settings - new_value = not socket.assigns.registration_enabled + if Mv.Config.oidc_only?() do + {:noreply, socket} + else + settings = socket.assigns.settings + new_value = not socket.assigns.registration_enabled - case Membership.update_settings(settings, %{registration_enabled: new_value}) do - {:ok, updated_settings} -> - {:noreply, - socket - |> assign(:settings, updated_settings) - |> assign(:registration_enabled, updated_settings.registration_enabled != false) - |> assign_form()} + case Membership.update_settings(settings, %{registration_enabled: new_value}) do + {:ok, updated_settings} -> + {:noreply, + socket + |> assign(:settings, updated_settings) + |> assign(:registration_enabled, updated_settings.registration_enabled != false) + |> assign_form()} - {:error, _} -> - {:noreply, put_flash(socket, :error, gettext("Failed to update setting."))} + {:error, _} -> + {:noreply, put_flash(socket, :error, gettext("Failed to update setting."))} + end + end + end + + @impl true + def handle_event("toggle_oidc_only", _params, socket) do + if socket.assigns.oidc_only_env_set do + {:noreply, socket} + else + settings = socket.assigns.settings + new_value = not socket.assigns.oidc_only + + # When enabling OIDC-only, also disable direct registration; when disabling, only change oidc_only. + params = + if new_value, + do: %{oidc_only: true, registration_enabled: false}, + else: %{oidc_only: false} + + case Membership.update_settings(settings, params) do + {:ok, updated_settings} -> + {:noreply, + socket + |> assign(:settings, updated_settings) + |> assign(:oidc_only, updated_settings.oidc_only == true) + |> assign(:registration_enabled, updated_settings.registration_enabled != false) + |> assign_form() + |> put_flash(:success, gettext("Settings updated successfully"))} + + {:error, _} -> + {:noreply, put_flash(socket, :error, gettext("Failed to update setting."))} + end end end diff --git a/lib/mv_web/live_helpers.ex b/lib/mv_web/live_helpers.ex index 38a0157..4206aa6 100644 --- a/lib/mv_web/live_helpers.ex +++ b/lib/mv_web/live_helpers.ex @@ -74,7 +74,7 @@ defmodule MvWeb.LiveHelpers do socket = socket - |> Phoenix.LiveView.put_flash(:error, "You don't have permission to access this page.") + |> maybe_put_access_denied_flash(user) |> Phoenix.LiveView.push_navigate(to: redirect_to) {:halt, socket} @@ -82,6 +82,13 @@ defmodule MvWeb.LiveHelpers do end end + # Only show "no permission" when user is logged in; unauthenticated users are redirected to sign-in without flash. + defp maybe_put_access_denied_flash(socket, nil), do: socket + + defp maybe_put_access_denied_flash(socket, _user) do + Phoenix.LiveView.put_flash(socket, :error, "You don't have permission to access this page.") + end + defp ensure_user_role_loaded(socket) do user = socket.assigns[:current_user] diff --git a/lib/mv_web/plugs/check_page_permission.ex b/lib/mv_web/plugs/check_page_permission.ex index ff6d47d..b2f37ec 100644 --- a/lib/mv_web/plugs/check_page_permission.ex +++ b/lib/mv_web/plugs/check_page_permission.ex @@ -54,7 +54,7 @@ defmodule MvWeb.Plugs.CheckPagePermission do conn |> fetch_session() |> fetch_flash() - |> put_flash(:error, "You don't have permission to access this page.") + |> maybe_put_access_denied_flash(user) |> redirect(to: redirect_to) |> halt() end @@ -75,6 +75,13 @@ defmodule MvWeb.Plugs.CheckPagePermission do defp redirect_target(user), do: redirect_target_for_user(user) + # Only set "no permission" flash when user is logged in; unauthenticated users get redirect only, no flash. + defp maybe_put_access_denied_flash(conn, nil), do: conn + + defp maybe_put_access_denied_flash(conn, _user) do + put_flash(conn, :error, "You don't have permission to access this page.") + end + @doc """ Returns true if the path is public (no auth/permission check). Used by LiveView hook to skip redirect on sign-in etc. diff --git a/lib/mv_web/plugs/oidc_only_sign_in_redirect.ex b/lib/mv_web/plugs/oidc_only_sign_in_redirect.ex new file mode 100644 index 0000000..9cf2a16 --- /dev/null +++ b/lib/mv_web/plugs/oidc_only_sign_in_redirect.ex @@ -0,0 +1,73 @@ +defmodule MvWeb.Plugs.OidcOnlySignInRedirect do + @moduledoc """ + When OIDC-only mode is active: + - GET /sign-in redirects to the OIDC flow when OIDC is configured (sign-in page skipped). + - GET /sign-in?oidc_failed=1 is not redirected, so the sign-in page is shown after an OIDC + failure (avoids redirect loop when the provider is down or misconfigured). + - GET /auth/user/password/sign_in_with_token is rejected (redirect to /sign-in with error) + so password sign-in cannot complete. + """ + import Plug.Conn + import Phoenix.Controller + + alias Mv.Config + + def init(opts), do: opts + + def call(conn, _opts) do + conn + |> maybe_redirect_sign_in_to_oidc() + |> maybe_reject_password_token_sign_in() + end + + defp maybe_redirect_sign_in_to_oidc(conn) do + if conn.request_path != "/sign-in" or conn.method != "GET" do + conn + else + conn = fetch_query_params(conn) + maybe_redirect_sign_in_to_oidc_checked(conn) + end + end + + defp maybe_redirect_sign_in_to_oidc_checked(conn) do + cond do + # Show sign-in page when returning from OIDC failure to avoid redirect loop. + conn.query_params["oidc_failed"] -> conn + Config.oidc_only?() and Config.oidc_configured?() -> redirect_and_halt(conn) + true -> conn + end + end + + defp redirect_and_halt(conn) do + conn + |> redirect(to: "/auth/user/oidc") + |> halt() + end + + defp maybe_reject_password_token_sign_in(conn) do + if conn.halted, do: conn, else: reject_password_token_sign_in_if_applicable(conn) + end + + defp reject_password_token_sign_in_if_applicable(conn) do + path = conn.request_path + + password_token_path? = + path =~ ~r|/auth/user/password/sign_in_with_token| and conn.method == "GET" + + if password_token_path? and Config.oidc_only?() do + message = + Gettext.dgettext( + MvWeb.Gettext, + "default", + "Only sign-in via Single Sign-On (SSO) is allowed." + ) + + conn + |> put_flash(:error, message) + |> redirect(to: "/sign-in") + |> halt() + else + conn + end + end +end diff --git a/lib/mv_web/router.ex b/lib/mv_web/router.ex index f115535..591dead 100644 --- a/lib/mv_web/router.ex +++ b/lib/mv_web/router.ex @@ -18,6 +18,7 @@ defmodule MvWeb.Router do plug MvWeb.Plugs.CheckPagePermission plug MvWeb.Plugs.JoinFormEnabled plug MvWeb.Plugs.RegistrationEnabled + plug MvWeb.Plugs.OidcOnlySignInRedirect end pipeline :api do diff --git a/priv/gettext/de/LC_MESSAGES/default.po b/priv/gettext/de/LC_MESSAGES/default.po index c4cacc8..383fb1c 100644 --- a/priv/gettext/de/LC_MESSAGES/default.po +++ b/priv/gettext/de/LC_MESSAGES/default.po @@ -3895,3 +3895,13 @@ msgstr "Rolle %{name}" #, elixir-autogen, elixir-format msgid "User %{email}" msgstr "Benutzer*in %{email}" + +#: lib/mv_web/live/global_settings_live.ex +#, elixir-autogen, elixir-format +msgid "Only OIDC sign-in is active. This option is disabled." +msgstr "Nur OIDC-Anmeldung ist aktiv. Diese Option ist deaktiviert." + +#: lib/mv_web/controllers/auth_controller.ex +#, elixir-autogen, elixir-format +msgid "Only sign-in via Single Sign-On (SSO) is allowed." +msgstr "Nur Anmeldung per Single Sign-On (SSO) ist erlaubt." diff --git a/priv/gettext/default.pot b/priv/gettext/default.pot index a845e1e..3e2eb5d 100644 --- a/priv/gettext/default.pot +++ b/priv/gettext/default.pot @@ -3895,3 +3895,13 @@ msgstr "" #, elixir-autogen, elixir-format msgid "User %{email}" msgstr "" + +#: lib/mv_web/live/global_settings_live.ex +#, elixir-autogen, elixir-format +msgid "Only OIDC sign-in is active. This option is disabled." +msgstr "" + +#: lib/mv_web/controllers/auth_controller.ex +#, elixir-autogen, elixir-format +msgid "Only sign-in via Single Sign-On (SSO) is allowed." +msgstr "" diff --git a/priv/gettext/en/LC_MESSAGES/default.po b/priv/gettext/en/LC_MESSAGES/default.po index d01da60..21314a5 100644 --- a/priv/gettext/en/LC_MESSAGES/default.po +++ b/priv/gettext/en/LC_MESSAGES/default.po @@ -3895,3 +3895,13 @@ msgstr "Role %{name}" #, elixir-autogen, elixir-format msgid "User %{email}" msgstr "User %{email}" + +#: lib/mv_web/live/global_settings_live.ex +#, elixir-autogen, elixir-format +msgid "Only OIDC sign-in is active. This option is disabled." +msgstr "" + +#: lib/mv_web/controllers/auth_controller.ex +#, elixir-autogen, elixir-format +msgid "Only sign-in via Single Sign-On (SSO) is allowed." +msgstr "" diff --git a/test/accounts/user_authentication_test.exs b/test/accounts/user_authentication_test.exs index 1b47165..b759e8a 100644 --- a/test/accounts/user_authentication_test.exs +++ b/test/accounts/user_authentication_test.exs @@ -288,4 +288,31 @@ defmodule Mv.Accounts.UserAuthenticationTest do end end end + + describe "register_with_password when OIDC-only is enabled" do + alias Mv.Membership + + test "returns error when OIDC-only is enabled" do + {:ok, settings} = Membership.get_settings() + original_oidc_only = Map.get(settings, :oidc_only, false) + {:ok, _} = Membership.update_settings(settings, %{oidc_only: true}) + + try do + attrs = %{ + email: "newuser#{System.unique_integer([:positive])}@example.com", + password: "SecurePassword123" + } + + result = + Mv.Accounts.User + |> Ash.Changeset.for_create(:register_with_password, attrs) + |> Ash.create() + + assert {:error, _} = result + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, %{oidc_only: original_oidc_only}) + end + end + end end diff --git a/test/mv_web/controllers/auth_controller_test.exs b/test/mv_web/controllers/auth_controller_test.exs index e449284..f1fbd76 100644 --- a/test/mv_web/controllers/auth_controller_test.exs +++ b/test/mv_web/controllers/auth_controller_test.exs @@ -283,6 +283,141 @@ defmodule MvWeb.AuthControllerTest do assert to =~ "/auth/user/password/sign_in_with_token" end + describe "when OIDC-only is enabled" do + setup %{conn: authenticated_conn} do + {:ok, settings} = Membership.get_settings() + original_oidc_only = Map.get(settings, :oidc_only, false) + {:ok, _} = Membership.update_settings(settings, %{oidc_only: true}) + + conn = build_unauthenticated_conn(authenticated_conn) + {:ok, conn: conn, original_oidc_only: original_oidc_only} + end + + test "password sign-in is rejected and redirects to sign-in with error", %{ + conn: conn, + original_oidc_only: original + } do + try do + _user = + create_test_user(%{ + email: "password@example.com", + password: "secret123", + oidc_id: nil + }) + + {:ok, view, _html} = live(conn, "/sign-in") + + result = + view + |> form("#user-password-sign-in-with-password", + user: %{email: "password@example.com", password: "secret123"} + ) + |> render_submit() + + # When OIDC-only is enabled, password sign-in must not succeed (no redirect to sign_in_with_token). + case result do + {:error, {:redirect, %{to: to}}} -> + refute to =~ "sign_in_with_token", + "Expected password sign-in to be rejected when OIDC-only, got redirect to: #{to}" + + _ -> + # LiveView re-rendered (e.g. with flash error) instead of redirecting to success + :ok + end + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, %{oidc_only: original}) + end + end + end + + describe "GET /sign-in when OIDC-only" do + test "redirects to OIDC flow when OIDC-only and OIDC are configured", %{ + conn: authenticated_conn + } do + {:ok, settings} = Membership.get_settings() + + prev = %{ + oidc_only: settings.oidc_only, + oidc_client_id: settings.oidc_client_id, + oidc_base_url: settings.oidc_base_url, + oidc_redirect_uri: settings.oidc_redirect_uri + } + + {:ok, _} = + Membership.update_settings(settings, %{ + oidc_only: true, + oidc_client_id: "test-client", + oidc_base_url: "https://idp.example.com", + oidc_redirect_uri: "http://localhost:4000/auth/user/oidc/callback", + oidc_client_secret: "test-secret" + }) + + try do + conn = build_unauthenticated_conn(authenticated_conn) + conn = get(conn, ~p"/sign-in") + assert redirected_to(conn) =~ "/auth/user/oidc" + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, prev) + end + end + + test "returns 200 when OIDC-only but oidc_failed=1 (avoids redirect loop)", %{ + conn: authenticated_conn + } do + {:ok, settings} = Membership.get_settings() + + prev = %{ + oidc_only: settings.oidc_only, + oidc_client_id: settings.oidc_client_id, + oidc_base_url: settings.oidc_base_url, + oidc_redirect_uri: settings.oidc_redirect_uri + } + + {:ok, _} = + Membership.update_settings(settings, %{ + oidc_only: true, + oidc_client_id: "test-client", + oidc_base_url: "https://idp.example.com", + oidc_redirect_uri: "http://localhost:4000/auth/user/oidc/callback", + oidc_client_secret: "test-secret" + }) + + try do + conn = build_unauthenticated_conn(authenticated_conn) + conn = get(conn, "/sign-in?oidc_failed=1") + assert conn.status == 200 + # Sign-in page is shown, not redirect to OIDC + assert conn.resp_body =~ "Sign in" or conn.resp_body =~ "sign-in" + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, prev) + end + end + + test "returns 200 when OIDC-only but OIDC not configured", %{conn: authenticated_conn} do + {:ok, settings} = Membership.get_settings() + original_oidc_only = Map.get(settings, :oidc_only, false) + {:ok, _} = Membership.update_settings(settings, %{oidc_only: true}) + + try do + conn = build_unauthenticated_conn(authenticated_conn) + conn = get(conn, ~p"/sign-in") + assert conn.status == 200 + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, %{oidc_only: original_oidc_only}) + end + end + + test "returns 200 when OIDC-only is disabled", %{conn: authenticated_conn} do + conn = build_unauthenticated_conn(authenticated_conn) + conn = get(conn, ~p"/sign-in") + assert conn.status == 200 + end + end + # OIDC/Rauthy error handling tests describe "handle_oidc_failure/2" do test "Assent.ServerUnreachableError redirects to sign-in with error flash", %{ @@ -298,7 +433,7 @@ defmodule MvWeb.AuthControllerTest do conn = MvWeb.AuthController.failure(conn, {:oidc, :callback}, error) - assert redirected_to(conn) == ~p"/sign-in" + assert redirected_to(conn) == "/sign-in?oidc_failed=1" assert Phoenix.Flash.get(conn.assigns.flash, :error) == "The authentication server is currently unavailable. Please try again later." @@ -320,7 +455,7 @@ defmodule MvWeb.AuthControllerTest do conn = MvWeb.AuthController.failure(conn, {:oidc, :callback}, error) - assert redirected_to(conn) == ~p"/sign-in" + assert redirected_to(conn) == "/sign-in?oidc_failed=1" assert Phoenix.Flash.get(conn.assigns.flash, :error) == "Authentication configuration error. Please contact the administrator." @@ -334,7 +469,7 @@ defmodule MvWeb.AuthControllerTest do conn = MvWeb.AuthController.failure(conn, {:oidc, :callback}, unknown_reason) - assert redirected_to(conn) == ~p"/sign-in" + assert redirected_to(conn) == "/sign-in?oidc_failed=1" assert Phoenix.Flash.get(conn.assigns.flash, :error) == "Unable to authenticate with OIDC. Please try again." diff --git a/test/mv_web/live/global_settings_live_test.exs b/test/mv_web/live/global_settings_live_test.exs index e48c44b..92da11b 100644 --- a/test/mv_web/live/global_settings_live_test.exs +++ b/test/mv_web/live/global_settings_live_test.exs @@ -110,4 +110,69 @@ defmodule MvWeb.GlobalSettingsLiveTest do assert html =~ "SMTP" or html =~ "E-Mail" or html =~ "Settings" end end + + describe "Authentication section when OIDC-only is enabled" do + setup %{conn: conn} do + user = create_test_user(%{email: "admin@example.com"}) + conn = conn_with_oidc_user(conn, user) + {:ok, settings} = Membership.get_settings() + original_oidc_only = Map.get(settings, :oidc_only, false) + {:ok, _} = Membership.update_settings(settings, %{oidc_only: true}) + {:ok, conn: conn, original_oidc_only: original_oidc_only} + end + + @describetag :ui + test "registration checkbox is disabled when OIDC-only is enabled", %{ + conn: conn, + original_oidc_only: original + } do + try do + {:ok, view, _html} = live(conn, ~p"/settings") + assert has_element?(view, "#registration-enabled-checkbox[disabled]") + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, %{oidc_only: original}) + end + end + + @describetag :ui + test "OIDC-only hint is visible when OIDC-only is enabled", %{ + conn: conn, + original_oidc_only: original + } do + try do + {:ok, view, _html} = live(conn, ~p"/settings") + assert has_element?(view, "[data-testid='oidc-only-registration-hint']") + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, %{oidc_only: original}) + end + end + + test "when OIDC-only is disabled, registration checkbox is enabled and can be toggled", %{ + conn: conn, + original_oidc_only: original + } do + try do + {:ok, settings} = Membership.get_settings() + Membership.update_settings(settings, %{oidc_only: false}) + + {:ok, view, _html} = live(conn, ~p"/settings") + refute has_element?(view, "#registration-enabled-checkbox[disabled]") + + initial_checked = + view |> element("#registration-enabled-checkbox") |> render() =~ "checked" + + view + |> element("#registration-enabled-checkbox") + |> render_click() + + new_checked = view |> element("#registration-enabled-checkbox") |> render() =~ "checked" + assert new_checked != initial_checked + after + {:ok, s} = Membership.get_settings() + Membership.update_settings(s, %{oidc_only: original}) + end + end + end end diff --git a/test/mv_web/plugs/check_page_permission_test.exs b/test/mv_web/plugs/check_page_permission_test.exs index 2798161..76bed74 100644 --- a/test/mv_web/plugs/check_page_permission_test.exs +++ b/test/mv_web/plugs/check_page_permission_test.exs @@ -181,13 +181,14 @@ defmodule MvWeb.Plugs.CheckPagePermissionTest do end describe "unauthenticated user" do - test "nil current_user is denied and redirected to \"/sign-in\"" do + test "nil current_user is denied and redirected to \"/sign-in\" without access-denied flash" do conn = conn_without_user("/members") |> CheckPagePermission.call([]) assert conn.halted assert redirected_to(conn) == "/sign-in" - assert Phoenix.Flash.get(conn.assigns[:flash] || %{}, :error) == + # Unauthenticated users are redirected to sign-in only; no "no permission" message. + refute Phoenix.Flash.get(conn.assigns[:flash] || %{}, :error) == "You don't have permission to access this page." end end