kobotoolbox · bufke · Nov 17, 2023 · Sep 19, 2023 · Sep 19, 2023 · Sep 19, 2023
diff --git a/dependencies/pip/dev_requirements.txt b/dependencies/pip/dev_requirements.txt
@@ -145,7 +145,7 @@ django==3.2.15
     #   jsonfield
     #   kobo-service-account
     #   model-bakery
-django-allauth==0.54.0
+django-allauth==0.57.0
     # via -r dependencies/pip/requirements.in
 django-amazon-ses==4.0.1
     # via -r dependencies/pip/requirements.in

diff --git a/dependencies/pip/requirements.txt b/dependencies/pip/requirements.txt
@@ -123,7 +123,7 @@ django==3.2.15
     #   djangorestframework
     #   jsonfield
     #   kobo-service-account
-django-allauth==0.54.0
+django-allauth==0.57.0
     # via -r dependencies/pip/requirements.in
 django-amazon-ses==4.0.1
     # via -r dependencies/pip/requirements.in

diff --git a/jsapp/js/account/security/sso/ssoSection.component.tsx b/jsapp/js/account/security/sso/ssoSection.component.tsx
@@ -1,7 +1,6 @@
 import React from 'react';
 import {observer} from 'mobx-react-lite';
 import sessionStore from 'js/stores/session';
-import {PATHS} from 'js/router/routerConstants';
 import styles from './ssoSection.module.scss';
 import {deleteSocialAccount} from './sso.api';
 import Button from 'jsapp/js/components/common/button';
@@ -53,7 +52,7 @@ const SsoSection = observer(() => {
             <a
               href={
                 'accounts/' +
-                socialApp.provider +
+                (socialApp.provider_id || socialApp.provider) +
                 '/login/?process=connect&next=%2F%23%2Faccount%2Fsecurity'
               }
               className={styles.passwordLink}

diff --git a/jsapp/js/dataInterface.ts b/jsapp/js/dataInterface.ts
@@ -653,6 +653,7 @@ export type PermissionsConfigResponse = PaginatedResponse<PermissionDefinition>;
 
 interface SocialAccount {
   provider: string;
+  provider_id: string;
   uid: string;
   last_login: string;
   date_joined: string;

diff --git a/jsapp/js/envStore.ts b/jsapp/js/envStore.ts
@@ -62,6 +62,7 @@ export interface EnvStoreFieldItem {
 export interface SocialApp {
   name: string;
   provider: string;
+  provider_id: string;
   client_id: string;
 }
 

diff --git a/kobo/apps/accounts/apps.py b/kobo/apps/accounts/apps.py
@@ -13,24 +13,22 @@ class AccountExtrasConfig(AppConfig):
 @register()
 def check_socialaccount_providers(app_configs, **kwargs):
     """
-    Don't allow `kobo` to be set as the `id` value in `SOCIALACCOUNT_PROVIDERS` 
+    Don't allow `kobo` to be set as the `id` value in `SOCIALACCOUNT_PROVIDERS`
     settings because it breaks the login page redirect when language is changed.
     """
     errors = []
-    social_app_ids = [
-        apps['id']
-        for apps in settings.SOCIALACCOUNT_PROVIDERS['openid_connect'][
-            'SERVERS'
+    if hasattr(settings, 'SOCIALACCOUNT_PROVIDERS'):
+        social_app_ids = [
+            apps.get('APPS', []) for apps in settings.SOCIALACCOUNT_PROVIDERS
         ]
-    ]
-    if 'kobo' in social_app_ids:
-        errors.append(
-            Error(
-                f'Please do not use `kobo` as the `id` value in '
-                '`SOCIALACCOUNT_PROVIDERS` settings.',
-                hint='`kobo` is not a valid value for this setting.',
-                obj=settings,
-                id='kobo.apps.accounts.E001',
+        if 'kobo' in social_app_ids:
+            errors.append(
+                Error(
+                    f'Please do not use `kobo` as the `id` value in '
+                    '`SOCIALACCOUNT_PROVIDERS` settings.',
+                    hint='`kobo` is not a valid value for this setting.',
+                    obj=settings,
+                    id='kobo.apps.accounts.E001',
+                )
             )
-        )
     return errors
diff --git a/kobo/apps/accounts/templatetags/get_provider_appname.py b/kobo/apps/accounts/templatetags/get_provider_appname.py
@@ -26,7 +26,7 @@ def get_provider_appname(context, provider=None):
     provider = provider or context['provider']
     request = context['request']
     try:
-        appname = provider.get_app(request).name
+        appname = provider.app.name
         if appname:
             return appname
         return SocialApp.objects.get_current(provider, request).name
@@ -36,6 +36,4 @@ def get_provider_appname(context, provider=None):
 
 @register.simple_tag()
 def get_social_apps():
-    if settings.SOCIALACCOUNT_PROVIDERS:
-        return SocialApp.objects.filter(custom_data__isnull=True)
-    return []
+    return SocialApp.objects.filter(custom_data__isnull=True)
diff --git a/kobo/apps/django_allauth/__init__.py b/kobo/apps/django_allauth/__init__.py
diff --git a/kobo/apps/django_allauth/admin.py b/kobo/apps/django_allauth/admin.py
@@ -0,0 +1,48 @@
+from allauth.socialaccount.admin import SocialAppForm, SocialAppAdmin
+from allauth.socialaccount.models import SocialApp
+from django.contrib import admin
+from django.core.exceptions import ValidationError
+from django.db.models import Q
+
+
+class RequireProviderIdSocialAppForm(SocialAppForm):
+    def __init__(self, *args, **kwargs):
+        super(SocialAppForm, self).__init__(*args, **kwargs)
+        # require the provider_id in the admin, since we can't make it required on allauth's model
+        self.fields['provider_id'].required = True
+
+    def clean_provider_id(self):
+        reserved_keywords = ['kobo']
+        provider_id = self.cleaned_data.get('provider_id')
+        # we check this already for the ID in kobo/apps/accounts/apps.py
+        if provider_id in reserved_keywords:
+            raise ValidationError(
+                f'`{provider_id}` is not a valid value for the `provider_id` setting.'
+            )
+
+        """
+        By default, django-allauth only supports showing one provider on the login screen.
+        But OIDC providers allow multiple subproviders, so kpi has some additional code to display multiple providers.
+        Because of that, we need to make sure that the `provider` and `provider_id` fields are unique.
+        django-allauth (as of 0.57.0) technically enforces this on the model level, but in practice it's flawed.
+        """
+        if SocialApp.objects.filter(
+            Q(provider_id=provider_id) |
+            Q(provider=provider_id)
+        ).exists():
+            raise ValidationError(
+                """The Provider ID value must be unique and cannot match an existing Provider name.
+                Please use a different value."""
+            )
+        return provider_id
+
+
+class RequireProviderIdSocialAppAdmin(SocialAppAdmin):
+    form = RequireProviderIdSocialAppForm
+
+    class Meta:
+        proxy = True
+
+
+admin.site.unregister(SocialApp)
+admin.site.register(SocialApp, RequireProviderIdSocialAppAdmin)
diff --git a/kobo/settings/base.py b/kobo/settings/base.py
@@ -128,13 +128,15 @@
     'kobo.apps.trash_bin.TrashBinAppConfig',
     'kobo.apps.markdownx_uploader.MarkdownxUploaderAppConfig',
     'kobo.apps.form_disclaimer.FormDisclaimerAppConfig',
+    'kobo.apps.django_allauth',
 )
 
 MIDDLEWARE = [
     'corsheaders.middleware.CorsMiddleware',
     'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'hub.middleware.LocaleMiddleware',
+    'allauth.account.middleware.AccountMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
@@ -1031,61 +1033,6 @@ def dj_stripe_request_callback_method():
     "UNSAFE_SSO_REGISTRATION_EMAIL_DISABLE", False
 )
 
-# See https://django-allauth.readthedocs.io/en/latest/configuration.html
-# Map env vars to upstream dict values, include exact case. Underscores for delimiter.
-# Example: SOCIALACCOUNT_PROVIDERS_provider_SETTING
-# Use numbers for arrays such as _1_FOO, _1_BAR, _2_FOO, _2_BAR
-SOCIALACCOUNT_PROVIDERS = {}
-if MICROSOFT_TENANT := env.str('SOCIALACCOUNT_PROVIDERS_microsoft_TENANT', None):
-    SOCIALACCOUNT_PROVIDERS['microsoft'] = {'TENANT': MICROSOFT_TENANT}
-# Parse oidc settings as nested dict in array. Example:
-# SOCIALACCOUNT_PROVIDERS_openid_connect_SERVERS_0_id: "google" # Must be unique
-# SOCIALACCOUNT_PROVIDERS_openid_connect_SERVERS_0_server_url: "https://accounts.google.com"
-# SOCIALACCOUNT_PROVIDERS_openid_connect_SERVERS_0_name: "Kobo Google Apps"
-# Only OIDC supports multiple providers. For example, to add two Google Apps sign ins - use
-# OIDC and assign them a different server number. Do not use the allauth google provider.
-oidc_prefix = "SOCIALACCOUNT_PROVIDERS_openid_connect_SERVERS_"
-oidc_pattern = re.compile(r"{prefix}\w+".format(prefix=oidc_prefix))
-oidc_servers = {}
-oidc_nested_keys = ['APP', 'SCOPE', 'AUTH_PARAMS']
-
-for key, value in {
-    key.replace(oidc_prefix, ""): val
-    for key, val in os.environ.items()
-    if oidc_pattern.match(key)
-}.items():
-    number, setting = key.split("_", 1)
-    parsed_key = None
-    nested_key = filter(lambda setting_key : setting.startswith(setting_key), oidc_nested_keys)
-    nested_key = list(nested_key)
-    if len(nested_key):
-        _, parsed_key = setting.split(nested_key[0] + "_", 1)
-        setting = nested_key[0]
-    if number in oidc_servers:
-        if parsed_key:
-            if setting in oidc_servers[number]:
-                if parsed_key.isdigit():
-                    oidc_servers[number][setting].append(value)
-                else:
-                    oidc_servers[number][setting][parsed_key] = value
-            else:
-                if parsed_key.isdigit():
-                    oidc_servers[number][setting] = [value]
-                else:
-                    oidc_servers[number][setting] = {parsed_key: value}
-        else:
-            oidc_servers[number][setting] = value
-    else:
-        if parsed_key:
-            if parsed_key.isdigit():
-                oidc_servers[number] = {setting: [value]}
-            else:
-                oidc_servers[number] = {setting: {parsed_key: value}}
-        else:
-            oidc_servers[number] = {setting: value}
-oidc_servers = [x for x in oidc_servers.values()]
-SOCIALACCOUNT_PROVIDERS["openid_connect"] = {"SERVERS": oidc_servers}
-
 WEBPACK_LOADER = {
     'DEFAULT': {
         'BUNDLE_DIR_NAME': 'jsapp/compiled/',

diff --git a/kpi/views/environment.py b/kpi/views/environment.py
@@ -156,16 +156,11 @@ def process_user_metadata_configs(request):
     def process_other_configs(request):
         data = {}
 
-        # django-allauth social apps are configured in both settings and the
-        # database. Optimize by avoiding extra DB call when unnecessary
-        social_apps = []
-        if settings.SOCIALACCOUNT_PROVIDERS:
-            social_apps = list(
-                SocialApp.objects.filter(custom_data__isnull=True).values(
-                    'provider', 'name', 'client_id'
-                )
+        data['social_apps'] = list(
+            SocialApp.objects.filter(custom_data__isnull=True).values(
+                'provider', 'name', 'client_id', 'provider_id'
             )
-        data['social_apps'] = social_apps
+        )
 
         data['asr_mt_features_enabled'] = _check_asr_mt_access_for_user(
             request.user