OIDC

.github/workflows/docker-publish-rootless.yaml

@@ -2,7 +2,7 @@ name: Docker publish rootless
 
 on:
   schedule:
-    - cron: '00 6 * * *'
+    - cron: '00 0 * * *'
   push:
     branches: [ "main" ]
     paths:

.github/workflows/docker-publish.yaml

@@ -2,7 +2,7 @@ name: Docker publish
 
 on:
   schedule:
-    - cron: '00 6 * * *'
+    - cron: '00 0 * * *'
   push:
     branches: [ "main" ]
     paths:

README.md

@@ -4,9 +4,9 @@
 
 <h1 align="center" style="margin-top: -10px"> HomeBox </h1>
 <p align="center" style="width: 100;">
-   <a href="https://homebox.sysadminsmedia.com">Docs</a>
+   <a href="https://homebox.software/en/">Docs</a>
    |
-   <a href="https://homebox.fly.dev">Demo</a>
+   <a href="https://demo.homebox.software">Demo</a>
    |
    <a href="https://discord.gg/aY4DCkpNA9">Discord</a>
 </p>
@@ -24,7 +24,7 @@ Check out screenshots of the project [here](https://imgur.com/a/5gLWt2j).
 
 ## Quick Start
 
-[Configuration & Docker Compose](https://homebox.sysadminsmedia.com/en/quick-start.html)
+[Configuration & Docker Compose](https://homebox.software/en/quick-start.html)
 
 ```bash
 # If using the rootless image, ensure data 

backend/app/api/providers/extractors.go

@@ -2,6 +2,7 @@ package providers
 
 import (
 	"errors"
+	"github.com/sysadminsmedia/homebox/backend/internal/core/services"
 	"net/http"
 
 	"github.com/hay-kot/httpkit/server"
@@ -53,3 +54,41 @@ func getLoginForm(r *http.Request) (LoginForm, error) {
 
 	return loginForm, nil
 }
+
+func getOAuthForm(r *http.Request) (services.OAuthValidate, error) {
+	var oauthForm services.OAuthValidate
+	switch r.Header.Get("Content-Type") {
+	case "application/x-www-form-urlencoded":
+		err := r.ParseForm()
+		if err != nil {
+			return oauthForm, errors.New("failed to parse form")
+		}
+
+		oauthForm.Issuer = r.PostFormValue("issuer")
+		oauthForm.Code = r.PostFormValue("code")
+		oauthForm.State = r.PostFormValue("state")
+	case "application/json":
+		err := server.Decode(r, &oauthForm)
+		if err != nil {
+			log.Err(err).Msg("failed to decode OAuth form")
+			return oauthForm, err
+		}
+	default:
+		return oauthForm, errors.New("invalid content type")
+	}
+
+	if oauthForm.Issuer == "" || oauthForm.Code == "" {
+		return oauthForm, validate.NewFieldErrors(
+			validate.FieldError{
+				Field: "iss",
+				Error: "Issuer is empty",
+			},
+			validate.FieldError{
+				Field: "code",
+				Error: "Code is missing",
+			},
+		)
+	}
+
+	return oauthForm, nil
+}

backend/app/api/providers/oauth.go

@@ -0,0 +1,67 @@
+package providers
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/rs/zerolog/log"
+	"github.com/sysadminsmedia/homebox/backend/internal/core/services"
+	"golang.org/x/oauth2"
+	"net/http"
+	"os"
+	"strings"
+)
+
+type OAuthProvider struct {
+	name    string
+	service *services.OAuthService
+	config  *services.OAuthConfig
+}
+
+func NewOAuthProvider(ctx context.Context, service *services.OAuthService, name string) (*OAuthProvider, error) {
+	upperName := strings.ToUpper(name)
+	clientId := os.Getenv(fmt.Sprintf("HBOX_OAUTH_%s_ID", upperName))
+	clientSecret := os.Getenv(fmt.Sprintf("HBOX_OAUTH_%s_SECRET", upperName))
+	redirectUri := os.Getenv(fmt.Sprintf("HBOX_OAUTH_%s_REDIRECT", upperName))
+
+	providerUrl := os.Getenv(fmt.Sprintf("HBOX_OAUTH_%s_URL", upperName))
+	// TODO: fallback for all variabnles if no well known is supported
+	if providerUrl == "" {
+		return nil, errors.New("Provider url not given")
+	}
+	provider, err := oidc.NewProvider(ctx, providerUrl)
+	if err != nil {
+		return nil, err
+	}
+	log.Debug().Str("AuthUrl", provider.Endpoint().AuthURL).Msg("discovered oauth provider")
+
+	return &OAuthProvider{
+		name:    name,
+		service: service,
+		config: &services.OAuthConfig{
+			Config: &oauth2.Config{
+				ClientID:     clientId,
+				ClientSecret: clientSecret,
+				Endpoint:     provider.Endpoint(),
+				RedirectURL:  redirectUri,
+				Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
+			},
+			Provider: provider,
+			Verifier: provider.Verifier(&oidc.Config{ClientID: clientId}),
+		},
+	}, nil
+}
+
+func (p *OAuthProvider) Name() string {
+	return p.name
+}
+
+func (p *OAuthProvider) Authenticate(w http.ResponseWriter, r *http.Request) (services.UserAuthTokenDetail, error) {
+	oauthForm, err := getOAuthForm(r)
+	if err != nil {
+		return services.UserAuthTokenDetail{}, err
+	}
+
+	return p.service.Login(r.Context(), p.config, oauthForm)
+}

backend/app/api/routes.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"embed"
 	"errors"
 	"fmt"
@@ -16,6 +17,7 @@ import (
 	"io"
 	"mime"
 	"net/http"
+	"os"
 	"path"
 	"path/filepath"
 )
@@ -66,12 +68,19 @@ func (a *app) mountRoutes(r *chi.Mux, chain *errchain.ErrChain, repos *repo.AllR
 
 		r.Get("/currencies", chain.ToHandlerFunc(v1Ctrl.HandleCurrency()))
 
-		providers := []v1.AuthProvider{
+		providerList := []v1.AuthProvider{
 			providers.NewLocalProvider(a.services.User),
 		}
+		if _, exist := os.LookupEnv("HBOX_OAUTH_OIDC_URL"); exist {
+			provider, err := providers.NewOAuthProvider(context.Background(), a.services.OAuth, "oidc")
+			if err != nil {
+				panic(err)
+			}
+			providerList = append(providerList, provider)
+		}
 
 		r.Post("/users/register", chain.ToHandlerFunc(v1Ctrl.HandleUserRegistration()))
-		r.Post("/users/login", chain.ToHandlerFunc(v1Ctrl.HandleAuthLogin(providers...)))
+		r.Post("/users/login", chain.ToHandlerFunc(v1Ctrl.HandleAuthLogin(providerList...)))
 
 		userMW := []errchain.Middleware{
 			a.mwAuthToken,

backend/go.mod

@@ -1,31 +1,31 @@
 module github.com/sysadminsmedia/homebox/backend
 
-go 1.22
-
-toolchain go1.22.0
+go 1.23.0
 
 require (
-	ariga.io/atlas v0.19.1
-	entgo.io/ent v0.12.5
-	github.com/ardanlabs/conf/v3 v3.1.7
+	ariga.io/atlas v0.27.0
+	entgo.io/ent v0.14.1
+	github.com/ardanlabs/conf/v3 v3.1.8
 	github.com/containrrr/shoutrrr v0.8.0
-	github.com/go-chi/chi/v5 v5.0.12
-	github.com/go-playground/validator/v10 v10.18.0
-	github.com/gocarina/gocsv v0.0.0-20231116093920-b87c2d0e983a
+	github.com/coreos/go-oidc/v3 v3.11.0
+	github.com/go-chi/chi/v5 v5.1.0
+	github.com/go-playground/validator/v10 v10.22.1
+	github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/schema v1.4.1
-	github.com/hay-kot/httpkit v0.0.9
-	github.com/mattn/go-sqlite3 v1.14.22
-	github.com/olahol/melody v1.1.4
+	github.com/hay-kot/httpkit v0.0.11
+	github.com/mattn/go-sqlite3 v1.14.23
+	github.com/olahol/melody v1.2.1
 	github.com/pkg/errors v0.9.1
-	github.com/rs/zerolog v1.32.0
-	github.com/stretchr/testify v1.8.4
+	github.com/rs/zerolog v1.33.0
+	github.com/stretchr/testify v1.9.0
 	github.com/swaggo/http-swagger/v2 v2.0.2
 	github.com/swaggo/swag v1.16.3
-	github.com/yeqown/go-qrcode/v2 v2.2.2
-	github.com/yeqown/go-qrcode/writer/standard v1.2.2
-	golang.org/x/crypto v0.23.0
-	modernc.org/sqlite v1.29.2
+	github.com/yeqown/go-qrcode/v2 v2.2.4
+	github.com/yeqown/go-qrcode/writer/standard v1.2.4
+	golang.org/x/crypto v0.27.0
+	golang.org/x/oauth2 v0.23.0
+	modernc.org/sqlite v1.33.1
 )
 
 require (
@@ -34,21 +34,22 @@ require (
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/fatih/color v1.16.0 // indirect
+	github.com/fatih/color v1.17.0 // indirect
 	github.com/fogleman/gg v1.3.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
-	github.com/go-openapi/inflect v0.19.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.0 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/spec v0.20.9 // indirect
-	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.5 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-openapi/inflect v0.21.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/gorilla/websocket v1.5.1 // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
-	github.com/hashicorp/hcl/v2 v2.19.1 // indirect
+	github.com/hashicorp/hcl/v2 v2.22.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -59,20 +60,21 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
-	github.com/swaggo/files/v2 v2.0.0 // indirect
+	github.com/swaggo/files/v2 v2.0.1 // indirect
 	github.com/yeqown/reedsolomon v1.0.0 // indirect
-	github.com/zclconf/go-cty v1.14.1 // indirect
-	golang.org/x/image v0.18.0 // indirect
-	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/net v0.25.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	github.com/zclconf/go-cty v1.15.0 // indirect
+	golang.org/x/image v0.20.0 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/net v0.29.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/tools v0.25.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
-	modernc.org/libc v1.41.0 // indirect
+	modernc.org/gc/v3 v3.0.0-20240801135723-a856999a2e4a // indirect
+	modernc.org/libc v1.60.1 // indirect
 	modernc.org/mathutil v1.6.0 // indirect
-	modernc.org/memory v1.7.2 // indirect
+	modernc.org/memory v1.8.0 // indirect
 	modernc.org/strutil v1.2.0 // indirect
 	modernc.org/token v1.1.0 // indirect
 )