Account Ressource # SSO closes #39, #40 and #41 #72

Merged
carla merged 12 commits from feature/39_account_ressource into main 2025-07-02 17:05:55 +02:00
Owner
  • added User and Token Resource in Accounts domain
  • added AshAuthenticationPhoenix dependency with password login strategy for testing
  • ../members route is now only accessible if logged in
carla added 2 commits 2025-06-04 09:36:57 +02:00
carla force-pushed feature/39_account_ressource from 483e506361 to e0f26c6164 2025-06-19 15:34:50 +02:00 Compare
carla changed title from WIP: feature/39_account_ressource to WIP: Account Ressource # SSO closes https://git.local-it.org/local-it/mitgliederverwaltung/issues/39, https://git.local-it.org/local-it/mitgliederverwaltung/issues/40 and https://git.local-it.org/local-it/mitgliederverwaltung/issues/41 2025-06-19 15:36:55 +02:00
carla changed title from WIP: Account Ressource # SSO closes https://git.local-it.org/local-it/mitgliederverwaltung/issues/39, https://git.local-it.org/local-it/mitgliederverwaltung/issues/40 and https://git.local-it.org/local-it/mitgliederverwaltung/issues/41 to WIP: Account Ressource # SSO closes #39, #40 and #41 2025-06-19 15:37:40 +02:00
Author
Owner
https://git.local-it.org/local-it/mitgliederverwaltung/issues/39 https://git.local-it.org/local-it/mitgliederverwaltung/issues/40 https://git.local-it.org/local-it/mitgliederverwaltung/issues/31
requested reviews from simon, rafael 2025-06-19 15:39:10 +02:00
Author
Owner
  1. Run `just run`
  2. then go to localhost:8080,
  3. login with admin:
    admin@localhost
    Password from docker compose file
  4. add client from the admin panel
    name: mv
    redirect uris: http://localhost:4000/auth/user/rauthy/callback
    authorization_code, password, client_credentials (maybe also just fewer needed)
    allowed origins: http://localhost:4000
    access/id token algorithm: RS256 --> EdDSA did not work for me, found only little info in the ashauthentication docs
  5. copy secret to the `dev.exs` client_secret field
  6. abort and run `mix phx.server` again
carla added 1 commit 2025-06-20 08:54:19 +02:00
carla changed title from WIP: Account Ressource # SSO closes #39, #40 and #41 to Account Ressource # SSO closes #39, #40 and #41 2025-06-20 10:14:40 +02:00
Collaborator

Seems like there's a migration missing here, when I try to sign up it throws an error:

```
(undefined_table) relation "users" does not exist
```
Collaborator

After I've generated a migration, I get the following error:

```
** (Postgrex.Error) ERROR 42704 (undefined_object) type "citext" does not exist
```

I think this is due to the type `:ci_string` in the email attribute. According to the ash_postgres docs, this requires a postgres extension: https://hexdocs.pm/ash_postgres/AshPostgres.Repo.html#module-installed-extensions but I'm not sure what the best way to enable it is.
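The way the linked ash_postgres docs expect the `citext` extension to be enabled is through the `installed_extensions/0` callback on the repo module; AshPostgres then generates the `CREATE EXTENSION` migration from that list. The following is an added example, not code from this PR: the module name `Mv.Repo` is an assumption (the PR only shows the `:mv` OTP app), and the migration still has to be generated after the change.

```elixir
# lib/mv/repo.ex (assumed path and module name; only the :mv otp_app is visible in the PR)
defmodule Mv.Repo do
  use AshPostgres.Repo, otp_app: :mv

  # AshPostgres reads this list when it generates migrations and emits a
  # `CREATE EXTENSION IF NOT EXISTS` statement for every entry, so the
  # extension is created by the migration instead of by hand on each database.
  #
  # "ash-functions" is the helper set AshPostgres itself relies on;
  # "citext" backs the :ci_string attribute type used for the email column
  # (case-insensitive comparison, so Alice@example.org and alice@example.org
  # collide on the unique identity instead of becoming two accounts).
  def installed_extensions do
    ["ash-functions", "citext"]
  end
end
```

After editing the list, `mix ash.codegen add_citext` writes a migration that creates the extension, and `mix ash.migrate` applies it before the `users` table migration that depends on the type. The extension migration must be committed together with the resource migrations, which is exactly what went missing in this branch.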
Author
Owner

Ufff, I don't know why the migrations got lost... I will check that

rafael reviewed 2025-06-20 13:04:51 +02:00
rafael left a comment
Collaborator

This looks great already!

I'd love to get EdDSA working as RSA is becoming quite outdated already. If the docs are too sparse here, we could ask a quick question in the Ash Discord to check if it might be possible?

@ -21,0 +33,4 @@
rauthy:
container_name: rauthy-test
image: ghcr.io/sebadob/rauthy:latest
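Review bot: `image: ghcr.io/sebadob/rauthy:latest` is a mutable tag, so every `just run` may pull a different Rauthy build and the dev login setup is not reproducible from a given commit; pin an explicit version tag (or additionally an `@sha256:` digest) so that an upgrade of the identity provider is a deliberate, reviewed change rather than a side effect of the next image pull.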
Collaborator

I think we could pin this to a specific version, and renovate will open a PR when a new version comes out so we can explicitly test if it still works :)

carla marked this conversation as resolved
@ -0,0 +36,4 @@
"""
_ ->
"Incorrect email or password"
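Review bot: the catch-all `_ ->` clause maps every reason, including database or OIDC configuration failures, to `"Incorrect email or password"`, so an outage looks like a bad login and leaves no trace in the logs. Keep the generic user-facing text (it correctly avoids revealing whether the email is registered), but log the unmatched reason with `Logger.error` (after `require Logger`) before returning it, so operational errors can be told apart from credential errors.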
Collaborator

I think this case will match if there's any other error, e.g. when there's a problem with the database. To help with debugging, you could add a `Logger.error` call before returning this message so we can see what went wrong in the terminal. If you do this, don't forget to `require Logger` at the top of the file :)
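One way to implement the logging suggested in the comment above, as an added example rather than code from this PR: the module name `MvWeb.AuthController`, the `/sign-in` path and the exact error struct returned for a wrong password are assumptions; `failure/3` is the callback `AshAuthentication.Phoenix.Controller` invokes with the `{strategy, phase}` activity and the reason. The user-facing message stays the same for every branch so that the response does not act as an oracle for which emails exist; only the server-side log differs.

```elixir
# lib/mv_web/controllers/auth_controller.ex (assumed path and module names)
defmodule MvWeb.AuthController do
  use MvWeb, :controller
  use AshAuthentication.Phoenix.Controller
  require Logger

  def success(conn, _activity, user, _token) do
    conn
    |> store_in_session(user)
    |> assign(:current_user, user)
    |> redirect(to: ~p"/")
  end

  # Called by AshAuthentication.Phoenix when a strategy does not produce a user.
  def failure(conn, {strategy, phase} = _activity, reason) do
    message =
      case reason do
        # Wrong password or unknown account: the generic wording is intentional,
        # it tells the caller nothing about whether the email is registered.
        %AshAuthentication.Errors.AuthenticationFailed{} ->
          "Incorrect email or password"

        # Anything else (database unreachable, misconfigured OIDC client, ...)
        # is an operational error: same message for the user, but the real
        # cause is recorded server-side so it can be debugged from the logs.
        other ->
          Logger.error(
            "authentication failure in #{inspect(strategy)}/#{inspect(phase)}: #{inspect(other)}"
          )

          "Incorrect email or password"
      end

    conn
    |> put_flash(:error, message)
    |> redirect(to: ~p"/sign-in")
  end

  def sign_out(conn, _params) do
    conn
    |> Plug.Conn.clear_session()
    |> redirect(to: ~p"/")
  end
end
```

`inspect/1` on the reason is deliberate: Ash error structs carry the failing query and changeset, which is what you want in a server log but must never reach the flash message.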
Collaborator

For others testing this, I [ran into this rauthy issue while setting up](https://github.com/sebadob/rauthy/issues/1054) which I'm still not entirely sure how to fix properly. One option is to test with HTTPS, but it's annoying to make browsers accept a self-signed certificate. The other option is to test with HTTP, which requires these environment vars in docker-compose.yml:

```
      - LISTEN_SCHEME=http
      - PUB_URL=localhost:8080
```
carla added 1 commit 2025-06-20 13:11:36 +02:00
rafael reviewed 2025-06-20 13:33:41 +02:00
config/dev.exs Outdated
@ -87,0 +93,4 @@
config :mv, :rauthy,
client_id: "mv",
base_url: "http://localhost:8080/auth/v1",
client_secret: "GWGkEWBLRAzZruXhipQKSjeaOtwZtKdETBABHLAXVoqrhsJoXUOsIDfNVOXCQUEv",
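Review bot: the `client_secret:` line commits a live OIDC client secret to `config/dev.exs`; even after the value is replaced by `System.get_env("OIDC_CLIENT_SECRET")`, it stays in the git history of this branch, so the `mv` client secret should be regenerated in Rauthy rather than reused. For the lookup itself, prefer `System.fetch_env!/1` over `get_env/1` so that a missing variable fails at startup instead of silently configuring a `nil` secret that only breaks inside the token exchange.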
Collaborator

Since this will be different for every developer, we'll have modified files in our `git status` which we need to take care not to `git add` accidentally 🧐 Maybe we can do something like this:

```
client_secret: System.get_env("OIDC_CLIENT_SECRET"),
```

and then create an `.env` file which we can add to the `.gitignore`? We can then automatically load `.env` using an option in the `Justfile` :)
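The environment-variable approach proposed above, written out as an added example that is not code from this PR. The `:rauthy` keys are the ones visible in the diff, the variable name `OIDC_CLIENT_SECRET` follows the comment, and `fetch_env!/1` is used instead of `get_env/1` so a missing `.env` surfaces as a clear boot error rather than a `nil` secret.

```elixir
# config/dev.exs (excerpt, added example; keys as in the PR diff)
import Config

config :mv, :rauthy,
  client_id: "mv",
  base_url: "http://localhost:8080/auth/v1",
  # System.fetch_env!/1 raises `System.EnvError` when the variable is unset.
  # config/dev.exs is evaluated when mix starts, so a developer without the
  # .env file gets the failure immediately, not later during the OIDC
  # token exchange where Rauthy would just report an invalid client.
  client_secret: System.fetch_env!("OIDC_CLIENT_SECRET")
```

The matching `.env` holds a single `OIDC_CLIENT_SECRET=...` line and is listed in `.gitignore`; putting `set dotenv-load` at the top of the `Justfile` makes `just run` and `just test` export it for the mix process. Anyone starting `mix phx.server` directly, outside `just`, has to export the variable in their shell first, and the raise from `fetch_env!` is what tells them so.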
carla added 1 commit 2025-06-20 13:51:44 +02:00
Author
Owner

@rafael wrote in #72 (comment):

> For others testing this, I [ran into this rauthy issue while setting up](https://github.com/sebadob/rauthy/issues/1054) which I'm still not entirely sure how to fix properly. One option is to test with HTTPS, but it's annoying to make browsers accept a self-signed certificate. The other option is to test with HTTP, which requires these environment vars in docker-compose.yml:
>
> ```
>       - LISTEN_SCHEME=http
>       - PUB_URL=localhost:8080
> ```

Should we add that to the wiki in a new page "dev setup" as a disclaimer?
Author
Owner

@rafael wrote in #72 (comment):

> After I've generated a migration, I get the following error:
>
> ```
> ** (Postgrex.Error) ERROR 42704 (undefined_object) type "citext" does not exist
> ```
>
> I think this is due to the type `:ci_string` in the email attribute. According to the ash_postgres docs, this requires a postgres extension: https://hexdocs.pm/ash_postgres/AshPostgres.Repo.html#module-installed-extensions but I'm not sure what the best way to enable it is.

With the last migration it should be fixed. The migration for extensions was lost.
Author
Owner

@rafael wrote in #72 (comment):

> This looks great already!
>
> I'd love to get EdDSA working as RSA is becoming quite outdated already. If the docs are too sparse here, we could ask a quick question in the Ash Discord to check if it might be possible?

I did not manage to solve this and wrote in the Elixir Forum. The person who developed AshAuthentication referred me to assent to raise an issue there, which I did. I created an issue and put it on waiting so we can implement EdDSA when they respond and give me a hint what to do.

Links:
Elixir Forum: https://elixirforum.com/t/ashauthentication-eddsa-algorithm-not-working/71401/2
Issue: https://github.com/pow-auth/assent/issues/193

Our new Issue: #87

--> Link to setup client in Rauthy: https://wiki.local-it.org/doc/tutorials-ZGOrqvyJ6K#h-rauthy-und-authentication-einrichten
carla added 1 commit 2025-06-24 09:53:45 +02:00
carla force-pushed feature/39_account_ressource from 08b3735c1b to b1f5e09eaf 2025-06-26 14:01:00 +02:00 Compare
Owner

`just test` yields 7 failures, some obviously related to the addition of auth
simon requested changes 2025-07-02 10:53:10 +02:00
Dismissed
@ -1,0 +2,4 @@
networks:
local:
rauthy-test:
Owner

Is this about testing rauthy? Or about rauthy for running the tests?

The container is always started when I run `just run`, i.e. also for the dev environment, right?
Author
Owner

I took that over from the "first start" in the rauthy pages. But yes, you're right there, I'll rename it to rauthy-dev, I think that's clearer? On prod we presumably wouldn't use Rauthy anyway.
simon marked this conversation as resolved
@ -0,0 +62,4 @@
prepare AshAuthentication.Preparations.FilterBySubject
end
read :sign_in_with_rauthy do
Owner

rauthy is just one of arbitrarily interchangeable OIDC providers, right?
As I understand it, the code should then refer generically to OIDC providers in its wording and not to rauthy specifically.

Unless I'm overlooking something or don't understand it yet.
Author
Owner

No, you're right there, maybe sso would also fit; it is then also shown automatically in the button in the UI. I just did it this way for now to keep it clearer. So for me it makes sense like this for now, but if you feel better with something else I'm happy to change it :)
simon marked this conversation as resolved
@ -77,25 +77,21 @@ defmodule Mv.Membership.Member do
where: [present(:join_date)],
message: "cannot be in the future"
Owner

This is very picky now, but please keep things like this out of the PR :)
simon marked this conversation as resolved
@ -0,0 +9,4 @@
message =
case activity do
{:confirm_new_user, :confirm} -> "Your email address has now been confirmed"
Owner

With the internationalisation, all of these messages would now also have to go through gettext, right?
Author
Owner

Yes, that only came in with the last merge of that PR, but I can do it now.
I would still leave the translations empty for now and, honestly, then do them all in one go.
simon marked this conversation as resolved
carla added 1 commit 2025-07-02 11:33:14 +02:00
carla added 1 commit 2025-07-02 12:35:51 +02:00
carla added 1 commit 2025-07-02 13:11:25 +02:00
simon approved these changes 2025-07-02 16:26:51 +02:00
carla force-pushed feature/39_account_ressource from 50b603991b to d7ced0d9e5 2025-07-02 17:03:43 +02:00 Compare
carla merged commit 25f8362d68 into main 2025-07-02 17:05:55 +02:00