auth/plugin.rb

# frozen_string_literal: true

# name: discourse-development-auth
# about: A fake authentication provider for development puposes only
# version: 1.0
# authors: David Taylor
# url: https://github.com/discourse/discourse-development-auth

raise "discourse-development-auth is highly insecure and should not be installed in production" if Rails.env.production?

PLUGIN_NAME = "discourse-development-auth"

module ::OmniAuth
  module Strategies
    class Development
      include ::OmniAuth::Strategy

      FIELDS = %w{
        uid
        name
        email
        email_verified
        nickname
        first_name
        last_name
        location
        description
        image
      }

      COOKIE = "development-auth-defaults"

      def request_phase
        return unless is_allowed?
        if (env['REQUEST_METHOD'] == 'POST') && (request.params['uid'])
          data = request.params.slice(*FIELDS)

          r = Rack::Response.new
          r.set_cookie(COOKIE, {value: data.to_json, path: "/", expires: 1.month.from_now})

          uri = URI.parse(callback_path)
          uri.query = URI.encode_www_form(data)
          r.redirect(uri)

          return r.finish
        end

        build_form.to_response
      end

      def build_form
        token = begin
          verifier = CSRFTokenVerifier.new
          verifier.call(env)
          verifier.form_authenticity_token
        end

        request = Rack::Request.new(env)
        raw_defaults = request.cookies[COOKIE] || "{}"
        defaults = JSON.parse(raw_defaults) rescue {}
        defaults["uid"] = SecureRandom.hex(8) unless defaults["uid"].present?
        defaults["email_verified"] = "true" unless defaults["email_verified"].present?

        OmniAuth::Form.build(:title => "Fake Authentication Provider") do
          html "\n<input type='hidden' name='authenticity_token' value='#{token}'/>"

          FIELDS.each do |f|
            label_field(f, f)
            if f == "email_verified"
              html "<input type='checkbox' id='#{f}' name='#{f}' value='true' #{"checked" if defaults[f] == "true"}/>"
            else
              html "<input type='text' id='#{f}' name='#{f}' value='#{defaults[f]}'/>"
            end
          end
        end
      end

      def callback_phase
        return unless is_allowed?
        super
      end

      def auth_hash
        info = request.params.slice(*FIELDS)
        uid = info.delete("uid")
        email_verified = (info.delete("email_verified") == "true")
        OmniAuth::Utils.deep_merge(super, {
          'uid' => uid,
          'info' => info,
          'extra' => { "raw_info" => { "email_verified" => email_verified } }
        })
      end

      def is_allowed?
        return true if DiscourseDev.config.allow_anonymous_to_impersonate
        fail!("Enable `allow_anonymous_to_impersonate` setting in `config/dev.yml` file.")
        false
      end
    end
  end
end

class DevelopmentAuthenticator < Auth::ManagedAuthenticator
  def name
    'developmentauth'
  end

  def can_revoke?
    true
  end

  def can_connect_existing_user?
    true
  end

  def enabled?
    DiscourseDev.auth_plugin_enabled?
  end

  def register_middleware(omniauth)
    omniauth.provider :development, name: :developmentauth
  end

  def primary_email_verified?(auth)
    auth['extra']['raw_info']['email_verified']
  end
end

auth_provider authenticator: DevelopmentAuthenticator.new


### DiscourseConnect
after_initialize do
  module ::DevelopmentAuth
    class Engine < ::Rails::Engine
      engine_name PLUGIN_NAME
      isolate_namespace ::DevelopmentAuth
    end
  end

  class ::DevelopmentAuth::FakeDiscourseConnectController < ::ApplicationController
    requires_plugin "discourse-development-auth"

    skip_before_action :check_xhr, :preload_json, :redirect_to_login_if_required, :verify_authenticity_token

    SIMPLE_FIELDS = %w{
      external_id
      email
      username
      name
    }
    ADVANCED_FIELDS = SingleSignOn::ACCESSORS.map(&:to_s) - SIMPLE_FIELDS
    FIELDS = SIMPLE_FIELDS + ADVANCED_FIELDS

    BOOLS = SingleSignOn::BOOLS.map(&:to_s)

    COOKIE = "development-auth-discourseconnect-defaults"

    def auth
      return unless is_allowed?

      params.require(:sso)
      @payload = request.query_string
      sso = SingleSignOn.parse(@payload, SiteSetting.discourse_connect_secret)

      if request.method == "POST" && params[:external_id]
        data = {}
        FIELDS.each do |f|
          sso.send(:"#{f}=", params[f])
          data[f] = params[f]
          cookies[COOKIE] = { value: data.to_json, path: "/", expires: 1.month.from_now }
        end

        return redirect_to sso.to_url(sso.return_sso_url)
      end

      raw_defaults = cookies[COOKIE] || "{}"
      @defaults = JSON.parse(raw_defaults) rescue {}
      @defaults["return_sso_url"] = sso.return_sso_url
      @defaults["nonce"] = sso.nonce
      @defaults["external_id"] = SecureRandom.hex(8) unless @defaults["external_id"].present?
      render_form
    end

    private

    def render_form
      @simple_fields = SIMPLE_FIELDS
      @advanced_fields = ADVANCED_FIELDS
      @bools = BOOLS
      append_view_path(File.expand_path("../app/views", __FILE__))
      render template: "fake_discourse_connect/form", layout: false
    end
  end 

  DevelopmentAuth::Engine.routes.draw do
    get "/fake-discourse-connect" => "fake_discourse_connect#auth"
    post "/fake-discourse-connect" => "fake_discourse_connect#auth"
  end

  Discourse::Application.routes.append do
    mount ::DevelopmentAuth::Engine, at: "/development-auth"
  end

  DiscourseSingleSignOn.singleton_class.prepend(Module.new do
    def sso_url
      if DiscourseDev.auth_plugin_enabled?
        return "#{Discourse.base_path}/development-auth/fake-discourse-connect"
      end
      super
    end
  end)

  EnableSsoValidator.prepend(Module.new do
    def valid_value?(val)
      return true if DiscourseDev.auth_plugin_enabled?
      super
    end
  end)
end