From e478cedef7a76511ff4a0fa83bf03fd0cb51d588 Mon Sep 17 00:00:00 2001
From: Felix Eckhofer <felix@eckhofer.com>
Date: Wed, 31 Aug 2022 10:22:06 +0000
Subject: [PATCH] Add generic SSO authentication support

---
 .../installation/backend-config.md            |  6 ++++
 .../installation/frontend-config.md           |  8 +++++
 frontend/nuxt.config.js                       |  6 +++-
 frontend/pages/login.vue                      | 19 ++++++++++--
 frontend/schemes/maybeSSO.ts                  | 21 ++++++++++++++
 frontend/store/index.js                       | 24 +++++++++++++++
 frontend/types/ts-shim.d.ts                   |  4 +++
 mealie/core/security/security.py              | 29 +++++++++++++++++--
 mealie/core/settings/settings.py              |  5 ++++
 mealie/routes/auth/auth.py                    |  7 ++---
 template.env                                  |  5 ++++
 11 files changed, 125 insertions(+), 9 deletions(-)
 create mode 100644 frontend/schemes/maybeSSO.ts

diff --git a/docs/docs/documentation/getting-started/installation/backend-config.md b/docs/docs/documentation/getting-started/installation/backend-config.md
index 051bc1f6a3..636ecf9714 100644
--- a/docs/docs/documentation/getting-started/installation/backend-config.md
+++ b/docs/docs/documentation/getting-started/installation/backend-config.md
@@ -67,3 +67,9 @@ Changing the webworker settings may cause unforeseen memory leak issues with Mea
 | LDAP_SERVER_URL    |  None   | LDAP server URL (e.g. ldap://ldap.example.com)                                                                     |
 | LDAP_BIND_TEMPLATE |  None   | Templated DN for users, `{}` will be replaced with the username (e.g. `cn={},dc=example,dc=com`)                   |
 | LDAP_ADMIN_FILTER  |  None   | Optional LDAP filter, which tells Mealie the LDAP user is an admin (e.g. `(memberOf=cn=admins,dc=example,dc=com)`) |
+
+### SSO
+
+| Variables               | Default | Description                                                                                                                                                   |
+| ----------------------- | :-----: | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| SSO_TRUSTED_HEADER_USER |  None   | Authenticate via an external SSO server with this HTTP header being trusted from a reverse proxy. Must be identical to the frontend setting of the same name. |
diff --git a/docs/docs/documentation/getting-started/installation/frontend-config.md b/docs/docs/documentation/getting-started/installation/frontend-config.md
index ad1c28ba73..b8dc3dddd1 100644
--- a/docs/docs/documentation/getting-started/installation/frontend-config.md
+++ b/docs/docs/documentation/getting-started/installation/frontend-config.md
@@ -27,3 +27,11 @@ Setting the following environmental variables will change the theme of the front
 | THEME_DARK_INFO       | #1976D2 | Dark Theme Config Variable  |
 | THEME_DARK_WARNING    | #FF6D00 | Dark Theme Config Variable  |
 | THEME_DARK_ERROR      | #EF5350 | Dark Theme Config Variable  |
+
+### SSO
+
+| Variables               | Default | Description                                                                                                                                                  |
+| ----------------------- | :-----: | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| SSO_TRUSTED_HEADER_USER |  None   | Authenticate via an external SSO server with this HTTP header being trusted from a reverse proxy. Must be identical to the backend setting of the same name. |
+| SSO_LOGIN_URL           |  None   | URL to redirect to when a login is required. Must be an absolute URL.                                                                                        |
+| SSO_LOGOUT_URL          |  None   | URL to redirect to after the frontend logs the user out (logout page of the IdP)                                                                             |
diff --git a/frontend/nuxt.config.js b/frontend/nuxt.config.js
index 53a7d030c4..8d8dbc2eb0 100644
--- a/frontend/nuxt.config.js
+++ b/frontend/nuxt.config.js
@@ -110,7 +110,8 @@ export default {
     },
     // Options
     strategies: {
-      local: {
+      maybeSSO: {
+        scheme: './schemes/maybeSSO',
         resetOnError: true,
         token: {
           property: "access_token",
@@ -235,6 +236,9 @@ export default {
   publicRuntimeConfig: {
     GLOBAL_MIDDLEWARE: process.env.GLOBAL_MIDDLEWARE || null,
     SUB_PATH: process.env.SUB_PATH || "",
+    SSO_TRUSTED_HEADER_USER: process.env.SSO_TRUSTED_HEADER_USER || null,
+    SSO_LOGIN_URL: process.env.SSO_LOGIN_URL || null,
+    SSO_LOGOUT_URL: process.env.SSO_LOGOUT_URL || null,
     axios: {
       browserBaseURL: process.env.SUB_PATH || "",
     },
diff --git a/frontend/pages/login.vue b/frontend/pages/login.vue
index ea550e0a88..1e144a984b 100644
--- a/frontend/pages/login.vue
+++ b/frontend/pages/login.vue
@@ -109,7 +109,7 @@
 </template>
 
 <script lang="ts">
-import { defineComponent, ref, useContext, computed, reactive } from "@nuxtjs/composition-api";
+import { defineComponent, onMounted, ref, useContext, computed, reactive } from "@nuxtjs/composition-api";
 import { useDark } from "@vueuse/core";
 import { useAppInfo } from "~/composables/api";
 import { usePasswordField } from "~/composables/use-passwords";
@@ -151,7 +151,7 @@ export default defineComponent({
       formData.append("remember_me", String(form.remember));
 
       try {
-        await $auth.loginWith("local", { data: formData });
+        await $auth.loginWith("maybeSSO", { data: formData });
       } catch (error) {
         // TODO Check if error is an AxiosError, but isAxiosError is not working right now
         // See https://github.com/nuxt-community/axios-module/issues/550
@@ -170,6 +170,12 @@ export default defineComponent({
       loggingIn.value = false;
     }
 
+    onMounted(() => {
+      if ($auth.loggedIn) {
+        $auth.redirect("home");
+      }
+    });
+
     return {
       isDark,
       form,
@@ -183,6 +189,15 @@ export default defineComponent({
     };
   },
 
+  asyncData(ctx) {
+    // Redirect to external login if SSO is enabled, but user is not logged in
+    // with the SSO provider
+    if (ctx.$config.SSO_TRUSTED_HEADER_USER !== null && ctx.$auth.ctx.store.state.ssoUser === null && ctx.$config.SSO_LOGIN_URL !== null) {
+      const loginUrl: string = ctx.$config.SSO_LOGIN_URL;
+      ctx.redirect(loginUrl);
+    }
+  },
+
   head() {
     return {
       title: this.$t("user.login") as string,
diff --git a/frontend/schemes/maybeSSO.ts b/frontend/schemes/maybeSSO.ts
new file mode 100644
index 0000000000..7c7694f2d3
--- /dev/null
+++ b/frontend/schemes/maybeSSO.ts
@@ -0,0 +1,21 @@
+import { HTTPResponse } from "@nuxtjs/auth-next";
+import { LocalScheme } from "~auth/runtime"
+
+export default class MaybeSSO extends LocalScheme {
+  async mounted(): Promise<HTTPResponse | void> {
+    // nuxt-auth can't be configured from the environment directly, so we
+    // overwrite redirect.logout here
+    if (this.$auth.ctx.$config.SSO_LOGOUT_URL !== null) {
+      this.$auth.options.redirect.logout = this.$auth.ctx.$config.SSO_LOGOUT_URL;
+    }
+
+    if (!this.$auth.loggedIn && this.$auth.ctx.store.state.ssoUser !== null) {
+      const formData = new FormData();
+      formData.append("username", "sso");
+      formData.append("password", "sso");
+      await this.$auth.loginWith("maybeSSO", { data: formData });
+    }
+
+    return await super.mounted();
+  }
+}
diff --git a/frontend/store/index.js b/frontend/store/index.js
index 8b377524ef..f3d1815ed2 100644
--- a/frontend/store/index.js
+++ b/frontend/store/index.js
@@ -1 +1,25 @@
 export const store = {};
+
+export const state = () => ({
+  ssoUser: null
+})
+
+export const mutations = {
+  set_sso_user(state, user) {
+    state.ssoUser = user
+  }
+}
+
+export const actions = {
+  async nuxtServerInit({ commit }, { req, $config }) {
+    let trustedHeader = $config.SSO_TRUSTED_HEADER_USER;
+    if (trustedHeader !== null) {
+      // req.headers has lower-cased keys
+      trustedHeader = trustedHeader.toLowerCase();
+
+      if (req.headers && req.headers[trustedHeader]) {
+        await commit("set_sso_user", req.headers[trustedHeader]);
+      }
+    }
+  }
+}
diff --git a/frontend/types/ts-shim.d.ts b/frontend/types/ts-shim.d.ts
index 0660bd67a5..71bba6af4d 100644
--- a/frontend/types/ts-shim.d.ts
+++ b/frontend/types/ts-shim.d.ts
@@ -2,3 +2,7 @@ declare module "*.vue" {
   import Vue from "vue";
   export default Vue;
 }
+
+declare module "~auth/runtime" {
+  export { LocalScheme, SchemeCheck } from "@nuxtjs/auth-next"
+}
diff --git a/mealie/core/security/security.py b/mealie/core/security/security.py
index fe4118021b..3dd67c742d 100644
--- a/mealie/core/security/security.py
+++ b/mealie/core/security/security.py
@@ -80,10 +80,35 @@ def user_from_ldap(db: AllRepositories, username: str, password: str) -> Private
     return user
 
 
-def authenticate_user(session, email: str, password: str) -> PrivateUser | bool:
-    settings = get_app_settings()
+def user_from_sso(db: AllRepositories, username: str):
+    """Given a username, returns a user
 
+    It will either create a new user of that username or return an existing one. No checks are done, the SSO provider is responsible for authentication.
+    """
+    user = db.users.get_one(username, "username", any_case=True)
+    if not user:
+        user = db.users.create(
+            {
+                "username": username,
+                "password": "SSO",
+                # Fill the next two values with something unique and vaguely
+                # relevant
+                "full_name": username,
+                "email": username,
+                "admin": False,
+            },
+        )
+
+    return user
+
+
+def authenticate_user(session, email: str, password: str, request=None) -> PrivateUser | bool:
+    settings = get_app_settings()
     db = get_repositories(session)
+
+    if settings.SSO_TRUSTED_HEADER_USER and settings.SSO_TRUSTED_HEADER_USER in request.headers:
+        return user_from_sso(db, request.headers[settings.SSO_TRUSTED_HEADER_USER])
+
     user = db.users.get_one(email, "email", any_case=True)
 
     if not user:
diff --git a/mealie/core/settings/settings.py b/mealie/core/settings/settings.py
index d1740c93a1..0dc19fc310 100644
--- a/mealie/core/settings/settings.py
+++ b/mealie/core/settings/settings.py
@@ -129,6 +129,11 @@ def LDAP_ENABLED(self) -> bool:
         not_none = None not in required
         return self.LDAP_AUTH_ENABLED and not_none
 
+    # ===============================================
+    # SSO Configuration
+
+    SSO_TRUSTED_HEADER_USER: NoneStr = None
+
     # ===============================================
     # Testing Config
 
diff --git a/mealie/routes/auth/auth.py b/mealie/routes/auth/auth.py
index 3c69ecd911..1ba3fe2948 100644
--- a/mealie/routes/auth/auth.py
+++ b/mealie/routes/auth/auth.py
@@ -1,7 +1,7 @@
 from datetime import timedelta
 from typing import Optional
 
-from fastapi import APIRouter, Depends, Form, status
+from fastapi import APIRouter, Depends, Form, Request, status
 from fastapi.exceptions import HTTPException
 from fastapi.security import OAuth2PasswordRequestForm
 from pydantic import BaseModel
@@ -49,13 +49,12 @@ def respond(cls, token: str, token_type: str = "bearer") -> dict:
 
 
 @public_router.post("/token")
-def get_token(data: CustomOAuth2Form = Depends(), session: Session = Depends(generate_session)):
-
+def get_token(request: Request, data: CustomOAuth2Form = Depends(), session: Session = Depends(generate_session)):
     email = data.username
     password = data.password
 
     try:
-        user = authenticate_user(session, email, password)  # type: ignore
+        user = authenticate_user(session, email, password, request)  # type: ignore
     except UserLockedOut as e:
         raise HTTPException(status_code=status.HTTP_423_LOCKED, detail="User is locked out") from e
 
diff --git a/template.env b/template.env
index 7ef4fa463e..eef5998941 100644
--- a/template.env
+++ b/template.env
@@ -39,3 +39,8 @@ LDAP_AUTH_ENABLED=False
 LDAP_SERVER_URL=None
 LDAP_BIND_TEMPLATE=None
 LDAP_ADMIN_FILTER=None
+
+# Configuration for authentication via an external SSO service
+#SSO_TRUSTED_HEADER_USER="REMOTE_USER"
+#SSO_LOGIN_URL=""
+#SSO_LOGOUT_URL=""