Add OIDC support (#77)

Add OIDC support
Co-authored-by: Sketch <75850871+noahpistilli@users.noreply.github.com>

config-example.py

@@ -29,3 +29,17 @@
 url1_cdn_url = "http://url1.videos.wiilink24.com"
 
 ds_rsa_key_path = ""
+
+# OpenID Connect configuration
+oidc_client_secrets_json = {
+    "web": {
+        "client_id": "",
+        "client_secret": "",
+        "auth_uri": "",
+        "token_uri": "",
+        "userinfo_uri": "",
+        "issuer": "",
+        "redirect_uris": ["http://localhost:8080/authorize"],
+    }
+}
+oidc_logout_url = ""

models.py

@@ -13,12 +13,6 @@
 import json
 
 db = SQLAlchemy()
-login = LoginManager()
-
-
-@login.user_loader
-def load_user(id):
-    return User.query.get(int(id))
 
 
 class DictType(TypeDecorator):

requirements.txt

@@ -2,9 +2,9 @@ Flask>=2.2
 lxml>=4.8
 psycopg2>=2.9
 flask_sqlalchemy==3.0.3
-flask-login>=0.6.3
 flask-wtf>=1.2.0
 flask-migrate>=3.1
+flask-oidc>=2.2.0
 git+https://github.com/WiiLink24/pycrc16@v0.1.2#egg=crc16
 pillow>=9
 pycryptodome>=3.14

room.py

@@ -6,7 +6,7 @@
 from sentry_sdk.integrations.flask import FlaskIntegration
 from sqlalchemy_searchable import make_searchable
 
-from models import db, login
+from models import db
 from pytz import utc
 
 
@@ -28,6 +28,8 @@
 app.config["SQLALCHEMY_DATABASE_URI"] = config.db_url
 app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
 app.config["SECRET_KEY"] = config.secret_key
+app.config["OIDC_CLIENT_SECRETS"] = config.oidc_client_secrets_json
+app.config["OIDC_SCOPES"] = "openid profile"
 
 # Ensure DB tables are created.
 # Importing models must occur after the DB is instantiated.
@@ -38,8 +40,6 @@
 
 # Ensure the DB is able to determine migration needs.
 migrate = Migrate(app, db)
-login.init_app(app)
-
 
 with app.app_context():
     # Ensure our database is present.

templates/includes/sidebar.html

@@ -22,7 +22,7 @@
 {% endmacro %}
 
 <aside class="menu">
-    {% if current_user.is_authenticated %}
+    {% if g.oidc_user.logged_in %}
     <p class="menu-label">
         General
     </p>
@@ -42,8 +42,6 @@
     <p class="menu-label">
         Account
     </p>
-    {{ menu_item('Add User', 'new_user', 'fa-user') }}
-    {{ menu_item('Change Password', 'change_password', 'fa-key') }}
     <ul class="menu-list">
         <li><a href="{{ url_for('logout') }}"><i class="fas fa-sign-out-alt" style="margin-right: .75em; width: 1em; height: 1em;"></i>Logout</a></li>
     </ul>

templates/login.html

@@ -5,17 +5,10 @@
 {% endblock %}
 
 {% block content %}
-    <form action="" method="post">
-        <p>
-            {{ form.hidden_tag() }}
-            {{ form.username.label(class_="label") }}
-            {{ form.username(size=32, class_="input") }}
-            <br>
-            <br>
-            {{ form.password.label(class_="label") }}
-            {{ form.password(size=32, class_="input") }}
-        </p>
-        <br>
-        <p>{{ form.submit(class_="button is-link") }}</p>
-    </form>
+    <h1 class="title">Click below to enter the underground.</h1>
+    <p class="buttons" style="display: block">
+        <a href="{{ url_for('admin') }}">
+            <button class="button is-link">Login with WiiLink Internal</button>
+        </a>
+    </p>
 {% endblock %}

templates/underground.html

@@ -5,7 +5,7 @@
 {% endblock %}
 
 {% block content %}
-    <h1 class="title">Welcome, {{ current_user.username }}.</h1>
+    <h1 class="title">Welcome, {{ g.oidc_user.profile.name }}.</h1>
     <h2 class="subtitle">Click on an operation below to get started:</h2>
     <p class="buttons" style="display: block">
         <a href="{{ url_for('list_intro_info') }}">
@@ -43,14 +43,6 @@ <h2 class="subtitle">Click on an operation below to get started:</h2>
         </a>
         <br/>
         <br/>
-        <a href="{{ url_for('new_user') }}">
-            <button class="button is-link">Add User</button>
-        </a>
-        <a href="{{ url_for('change_password') }}">
-            <button class="button is-link">Change Password</button>
-        </a>
-        <br/>
-        <br/>
         <a href="{{ url_for('logout') }}">
             <button class="button is-danger">Logout</button>
         </a>

theunderground/admin.py

@@ -1,13 +1,21 @@
 import uuid
 
 from flask import url_for, flash, render_template, send_from_directory
-from flask_login import current_user, login_user, login_required, logout_user
 from werkzeug.utils import redirect
+from flask_oidc import OpenIDConnect
 from first import conf_first_bin_xml
-
 from models import User, db
 from room import app
-from theunderground.forms import LoginForm, NewUserForm, ChangePasswordForm
+
+import config
+
+
+oidc = OpenIDConnect(app)
+
+
+@app.context_processor
+def inject_oidc():
+    return dict(oidc=oidc)
 
 
 def is_maintenance():
@@ -18,11 +26,6 @@ def is_maintenance():
         return False
 
 
-@app.login_manager.unauthorized_handler
-def unauthorized():
-    return redirect(url_for("root"))
-
-
 @app.route("/")
 def index():
     return redirect(url_for("root"))
@@ -34,63 +37,24 @@ def root():
     return redirect(url_for("login"))
 
 
-@app.route("/theunderground/login", methods=["GET", "POST"])
+@app.route("/theunderground/login")
 def login():
-    if current_user.is_authenticated:
+    if oidc.user_loggedin:
         return redirect(url_for("admin"))
 
-    form = LoginForm()
-    if form.validate_on_submit():
-        user = User.query.filter_by(username=form.username.data).first()
-        if user is None or not user.check_password(form.password.data):
-            flash("Invalid username or password")
-        else:
-            login_user(user, remember=False)
-            return redirect(url_for("admin"))
-
-    return render_template("login.html", form=form)
-
-
-@app.route("/theunderground/create", methods=["GET", "POST"])
-@login_required
-def new_user():
-    form = NewUserForm()
-    if form.validate_on_submit():
-        u = User(username=form.username.data)
-        u.set_password(form.password1.data)
-        db.session.add(u)
-        db.session.commit()
-
-        return redirect(url_for("root"))
-
-    return render_template("user_new.html", form=form)
-
-
-@app.route("/theunderground/change_password", methods=["GET", "POST"])
-@login_required
-def change_password():
-    form = ChangePasswordForm()
-    if form.validate_on_submit():
-        print(type(current_user))
-        u = User.query.filter_by(username=current_user.username).first()
-        u.set_password(form.new_password.data)
-        db.session.add(u)
-        db.session.commit()
-        return redirect(url_for("admin"))
-
-    return render_template(
-        "user_pwchange.html", form=form, username=current_user.username
-    )
+    return render_template("login.html")
 
 
 @app.route("/theunderground/logout")
-@login_required
+@oidc.require_login
 def logout():
-    logout_user()
-    return redirect(url_for("login"))
+    oidc.logout()
+    response = redirect(config.oidc_logout_url)
+    response.set_cookie("session", expires=0)
+    return response
 
 
 @app.route("/theunderground/admin")
-@login_required
+@oidc.require_login
 def admin():
     return render_template("underground.html", maintenance=is_maintenance())

theunderground/categories.py

@@ -2,19 +2,19 @@
 import config
 
 from flask import redirect, render_template, request, url_for
-from flask_login import login_required
+
 from flask_wtf.file import FileRequired
 from werkzeug import exceptions
-
 from asset_data import NormalCategoryAsset
 from models import Categories, db
 from room import app, s3
 from theunderground.forms import CategoryForm
 from theunderground.operations import manage_delete_item
+from theunderground.admin import oidc
 
 
 @app.route("/theunderground/categories")
-@login_required
+@oidc.require_login
 def list_categories():
     page_num = request.args.get("page", default=1, type=int)
 
@@ -31,7 +31,7 @@ def list_categories():
 
 
 @app.route("/theunderground/categories/add", methods=["GET", "POST"])
-@login_required
+@oidc.require_login
 def add_category():
     form = CategoryForm()
     # As we're adding, ensure a file is required.
@@ -52,7 +52,7 @@ def add_category():
 
 
 @app.route("/theunderground/categories/<category>/edit", methods=["GET", "POST"])
-@login_required
+@oidc.require_login
 def edit_category(category):
     form = CategoryForm()
     form.submit.label.text = "Edit"
@@ -84,7 +84,7 @@ def edit_category(category):
 
 
 @app.route("/theunderground/categories/<category>/remove", methods=["GET", "POST"])
-@login_required
+@oidc.require_login
 def remove_category(category):
     def drop_category():
         db.session.delete(current_category)
@@ -104,7 +104,7 @@ def drop_category():
 
 
 @app.route("/theunderground/categories/<category>/thumbnail.jpg")
-@login_required
+@oidc.require_login
 def get_category_thumbnail(category):
     if s3:
         return redirect(f"{config.url1_cdn_url}/list/category/img/{category}.img")

theunderground/concierge.py

@@ -3,12 +3,12 @@
 from io import BytesIO
 
 from flask import render_template, url_for, redirect
-from flask_login import login_required
 
 from models import db, ConciergeMiis, MiiMsgInfo, MiiData
 from room import app
 from theunderground.forms import ConciergeForm
 from theunderground.operations import manage_delete_item
+from theunderground.admin import oidc
 from room import s3
 from url1.event_today import event_today
 from url1.mii import obtain_mii, mii_met
@@ -17,7 +17,7 @@
 
 
 @app.route("/theunderground/concierge")
-@login_required
+@oidc.require_login
 def list_concierge():
     concierge_miis = (
         db.session.query(ConciergeMiis, MiiData)
@@ -34,7 +34,7 @@ def list_concierge():
 
 
 @app.route("/theunderground/concierge/<mii_id>", methods=["GET", "POST"])
-@login_required
+@oidc.require_login
 def edit_concierge(mii_id):
     form = ConciergeForm()
     if form.validate_on_submit():
@@ -74,7 +74,7 @@ def edit_concierge(mii_id):
 
 
 @app.route("/theunderground/concierge/<mii_id>/remove", methods=["GET", "POST"])
-@login_required
+@oidc.require_login
 def remove_concierge(mii_id):
     def drop_concierge():
         db.session.delete(ConciergeMiis.query.filter_by(mii_id=mii_id).first())