72 lines
2 KiB
Elixir
72 lines
2 KiB
Elixir
defmodule Mv.Secrets do
|
|
@moduledoc """
|
|
Secret provider for AshAuthentication.
|
|
|
|
## Purpose
|
|
Provides runtime configuration secrets for Ash Authentication strategies,
|
|
particularly for OIDC (Rauthy) authentication.
|
|
|
|
## Configuration Source
|
|
Secrets are read via `Mv.Config` which prefers environment variables and
|
|
falls back to Settings from the database:
|
|
- OIDC_CLIENT_ID / settings.oidc_client_id
|
|
- OIDC_CLIENT_SECRET / settings.oidc_client_secret
|
|
- OIDC_BASE_URL / settings.oidc_base_url
|
|
- OIDC_REDIRECT_URI / settings.oidc_redirect_uri
|
|
|
|
When a value is nil, returns `{:error, MissingSecret}` so that AshAuthentication
|
|
does not crash (e.g. URI.new(nil)) and can redirect to sign-in with an error.
|
|
"""
|
|
use AshAuthentication.Secret
|
|
|
|
alias AshAuthentication.Errors.MissingSecret
|
|
|
|
def secret_for(
|
|
[:authentication, :strategies, :oidc, :client_id],
|
|
resource,
|
|
_opts,
|
|
_meth
|
|
) do
|
|
secret_or_error(Mv.Config.oidc_client_id(), resource, :client_id)
|
|
end
|
|
|
|
def secret_for(
|
|
[:authentication, :strategies, :oidc, :redirect_uri],
|
|
resource,
|
|
_opts,
|
|
_meth
|
|
) do
|
|
secret_or_error(Mv.Config.oidc_redirect_uri(), resource, :redirect_uri)
|
|
end
|
|
|
|
def secret_for(
|
|
[:authentication, :strategies, :oidc, :client_secret],
|
|
resource,
|
|
_opts,
|
|
_meth
|
|
) do
|
|
secret_or_error(Mv.Config.oidc_client_secret(), resource, :client_secret)
|
|
end
|
|
|
|
def secret_for(
|
|
[:authentication, :strategies, :oidc, :base_url],
|
|
resource,
|
|
_opts,
|
|
_meth
|
|
) do
|
|
secret_or_error(Mv.Config.oidc_base_url(), resource, :base_url)
|
|
end
|
|
|
|
defp secret_or_error(nil, resource, key) do
|
|
path = [:authentication, :strategies, :oidc, key]
|
|
{:error, MissingSecret.exception(path: path, resource: resource)}
|
|
end
|
|
|
|
defp secret_or_error(value, resource, key) when is_binary(value) do
|
|
if String.trim(value) == "" do
|
|
secret_or_error(nil, resource, key)
|
|
else
|
|
{:ok, value}
|
|
end
|
|
end
|
|
end
|