Add support for logging in via a Google account

The required configuration in hydra.conf: enable_google_login = 1 google_client_id = 238429sdjkds....apps.googleusercontent.com and optionally persona_allowed_domains to restrict to one or more domains.
2016-01-13 17:32:52 +01:00 · 2016-01-13 17:32:52 +01:00 · 5a580b1bb2
parent f11ce7e219
commit 5a580b1bb2
7 changed files with 227 additions and 123 deletions
--- a/release.nix
+++ b/release.nix
@ -117,6 +117,7 @@ rec {
            CatalystViewJSON
            CatalystViewTT
            CatalystXScriptServerStarman
            CryptJWT
            CryptRandPasswd
            DBDPg
            DBDSQLite
--- a/src/lib/Hydra/Controller/Root.pm
+++ b/src/lib/Hydra/Controller/Root.pm
@ -14,10 +14,12 @@ use JSON;
 # Put this controller at top-level.
 __PACKAGE__->config->{namespace} = '';
 sub noLoginNeeded {
  my ($c) = @_;
  return $c->request->path eq "persona-login" ||
         $c->request->path eq "google-login" ||
         $c->request->path eq "login" ||
         $c->request->path eq "logo" ||
         $c->request->path =~ /^static\//;
@ -35,7 +37,6 @@ sub begin :Private {
    $c->stash->{tracker} = $ENV{"HYDRA_TRACKER"};
    $c->stash->{flashMsg} = $c->flash->{flashMsg};
    $c->stash->{successMsg} = $c->flash->{successMsg};
    $c->stash->{personaEnabled} = $c->config->{enable_persona} // "0" eq "1";
    $c->stash->{isPrivateHydra} = $c->config->{private} // "0" ne "0";
@ -69,6 +70,7 @@ sub begin :Private {
    }
 }
 sub deserialize :ActionClass('Deserialize') { }
--- a/src/lib/Hydra/Controller/User.pm
+++ b/src/lib/Hydra/Controller/User.pm
@ -4,6 +4,7 @@ use utf8;
 use strict;
 use warnings;
 use base 'Hydra::Base::Controller::REST';
 use Crypt::JWT qw(decode_jwt);
 use Crypt::RandPasswd;
 use Digest::SHA1 qw(sha1_hex);
 use Hydra::Helper::Nix;
@ -45,11 +46,63 @@ sub logout_POST {
 }
 sub doEmailLogin {
    my ($self, $c, $type, $email, $fullName) = @_;
    die "No email address provided.\n" unless defined $email;
    # Be paranoid about the email address format, since we do use it
    # in URLs.
    die "Illegal email address.\n" unless $email =~ /^[a-zA-Z0-9\.\-\_]+@[a-zA-Z0-9\.\-\_]+$/;
    # If persona_allowed_domains is set, check if the email address
    # returned is on these domains.  When not configured, allow all
    # domains.
    my $allowed_domains = $c->config->{persona_allowed_domains} || "";
    if ($allowed_domains ne "") {
        my $email_ok = 0;
        my @domains = split ',', $allowed_domains;
        map { $_ =~ s/^\s*(.*?)\s*$/$1/ } @domains;
        foreach my $domain (@domains) {
            $email_ok = $email_ok || ((split '@', $email)[1] eq $domain);
        }
        error($c, "Your email address does not belong to a domain that is allowed to log in.\n")
            unless $email_ok;
    }
    my $user = $c->find_user({ username => $email });
    if ($user) {
        # Automatically upgrade Persona accounts to Google accounts.
        if ($user->type eq "persona" && $type eq "google") {
            $user->update({type => "google"});
        }
        die "You cannot login via login type '$type'.\n" if $user->type ne $type;
    } else {
        $c->model('DB::Users')->create(
            { username => $email
            , fullname => $fullName,
            , password => "!"
            , emailaddress => $email,
            , type => $type
            });
        $user = $c->find_user({ username => $email }) or die;
    }
    $c->set_authenticated($user);
    $self->status_no_content($c);
    $c->flash->{successMsg} = "You are now signed in as <tt>" . encode_entities($email) . "</tt>.";
 }
 sub persona_login :Path('/persona-login') Args(0) {
    my ($self, $c) = @_;
    requirePost($c);
-    error($c, "Persona support is not enabled.") unless $c->stash->{personaEnabled};
+    error($c, "Logging in via Persona is not enabled.") unless $c->config->{enable_persona};
    my $assertion = $c->stash->{params}->{assertion} or die;
@ -64,42 +117,54 @@ sub persona_login :Path('/persona-login') Args(0) {
    my $d = decode_json($response->decoded_content) or die;
    error($c, "Persona says: $d->{reason}") if $d->{status} ne "okay";
-    my $email = $d->{email} or die;
+    doEmailLogin($self, $c, "persona", $d->{email}, undef);
 }
    # Be paranoid about the email address format, since we do use it
    # in URLs.
    die "Illegal email address." unless $email =~ /^[a-zA-Z0-9\.\-\_]+@[a-zA-Z0-9\.\-\_]+$/;
-    # If persona_allowed_domains is set, check if the email address returned is on these domains.
+# From https://www.googleapis.com/oauth2/v3/certs. Should probably not
-    # When not configured, allow all domains.
+# hard-code this.
-    my $allowed_domains = $c->config->{persona_allowed_domains} || "";
+my $googleKeys = <<'EOF';
-    if ( $allowed_domains ne "") {
+{
-        my $email_ok = 0;
+ "keys": [
-        my @domains = split ',', $allowed_domains;
+  {
-        map { $_ =~ s/^\s*(.*?)\s*$/$1/ } @domains;
+   "kty": "RSA",
   "alg": "RS256",
   "use": "sig",
   "kid": "10685afd5291883ce668345afd77201390406f82",
   "n": "xeNopuszp35W6H1w2Tw4OrSwT8BZ9f7-2PoOyWZmfMmUDmYT2uxrZezDK0YLap5LVmpLNcpZP5Hj67_32NU3my4qfA-SlxuJMUxHWJF7Dqr-QNAqld0SZ_po4qz5ZTHDxNxoZ4iw_T-4lhIBGm0RIZprDDGPI7Vo8qIeIMjZywoh_nq32zB6tnjEUBvHcgay0qXEnQkKkavzHO_c5sLc1qXM0jDQVqyO1enevW2yA_8gP0Qb7014ycN5umCvEHc66c2_iNT-R4zgw8gd1g05n2xwyET8qb_3wi5LqUV-Cri4mJ2xwGY8uynlD2I4jVtOYJusBgNs6AfwyehzsLdwSQ",
   "e": "AQAB"
  },
  {
   "kty": "RSA",
   "alg": "RS256",
   "use": "sig",
   "kid": "5a68fc8a3ec0c30e0be95aa08db99a68a725467f",
   "n": "zmXvUwXYSo8VouhnkURp-3xywch-jPrk7q0gugqC7QIchBPnvdXdS-bj6sr1AqDl_hEDtiLGfiVr3Ft_U022rtHAl5n5NxyybUtZXWyT5yQZM4jopGBajavEUdCl9b4pqb-q_3fVaxUXe7re23sVjI5Bntd-8RYZ70tq-ZvCWBqsnz6lHi9Ditp3CZGWLMMBZlIv3nKnClOrZXL98Jmt7AAod-Gtk65saqnrMwWtBcI_Q-3u23ytywbMLanCeFFNUWlIOgZqyYYkOm-ylLRJzVaZ1THtcWILWCYUgxXjyF9DtXO3a8nct2JhdacD3LzRiPv3sXr31cg4arwUk19JoQ",
   "e": "AQAB"
  }
 ]
 }
 EOF
        foreach my $domain (@domains) {
            $email_ok = $email_ok || ((split '@', $email)[1] eq $domain);
        }
        die "Email address is not allowed to login." unless $email_ok;
    }
-    my $user = $c->find_user({ username => $email });
+sub google_login :Path('/google-login') Args(0) {
    my ($self, $c) = @_;
    requirePost($c);
-    if (!$user) {
+    error($c, "Logging in via Google is not enabled.") unless $c->config->{enable_google_login};
        $c->model('DB::Users')->create(
            { username => $email
            , password => "!"
            , emailaddress => $email,
            , type => "persona"
            });
        $user = $c->find_user({ username => $email }) or die;
    }
-    $c->set_authenticated($user);
+    my $data = decode_jwt(
        token => ($c->stash->{params}->{id_token} // die "No token."),
        kid_keys => $googleKeys,
        verify_exp => 1,
    );
-    $self->status_no_content($c);
+    die unless $data->{aud} eq $c->config->{google_client_id};
-    $c->flash->{successMsg} = "You are now signed in as <tt>" . encode_entities($email) . "</tt>.";
+    die unless $data->{iss} eq "accounts.google.com" || $data->{iss} eq "https://accounts.google.com";
    die "Email address is not verified" unless $data->{email_verified};
    # FIXME: verify hosted domain claim?
    doEmailLogin($self, $c, "google", $data->{email}, $data->{name} // undef);
 }
--- a/src/root/auth.tt
+++ b/src/root/auth.tt
@ -0,0 +1,108 @@
 [% IF c.user_exists  %]
  <script>
    function finishSignOut() {
      $.post("[% c.uri_for('/logout') %]")
        .done(function(data) {
          window.location.reload();
        })
        .fail(function() { bootbox.alert("Server request failed!"); });
    }
    function signOut() {
      [% IF c.user.type == 'google' %]
        gapi.load('auth2', function() {
          gapi.auth2.init();
          var auth2 = gapi.auth2.getAuthInstance();
          auth2.then(function () {
            auth2.signOut().then(finishSignOut, finishSignOut);
          });
        });
      [% ELSE %]
        finishSignOut();
      [% END %]
    }
  </script>
 [% ELSE %]
  <div id="hydra-signin" class="modal hide fade" tabindex="-1" role="dialog" aria-hidden="true">
    <form class="form-horizontal">
      <div class="modal-body">
        <div class="control-group">
          <label class="control-label">User name</label>
          <div class="controls">
            <input type="text" class="span3" name="username" value=""/>
          </div>
        </div>
        <div class="control-group">
          <label class="control-label">Password</label>
          <div class="controls">
            <input type="password" class="span3" name="password" value=""/>
          </div>
        </div>
      </div>
      <div class="modal-footer">
        <button id="do-signin" class="btn btn-primary">Sign in</button>
        <button class="btn" data-dismiss="modal" aria-hidden="true">Cancel</button>
      </div>
    </form>
  </div>
  <script>
    function finishSignOut() { }
    $("#do-signin").click(function() {
      requestJSON({
        url: "[% c.uri_for('/login') %]",
        data: $(this).parents("form").serialize(),
        type: 'POST',
        success: function(data) {
          window.location.reload();
        }
      });
      return false;
    });
  </script>
  [% IF c.config.enable_google_login %]
    <script>
      function onGoogleSignIn(googleUser) {
        requestJSON({
          url: "[% c.uri_for('/google-login') %]",
          data: "id_token=" + googleUser.getAuthResponse().id_token,
          type: 'POST',
          success: function(data) {
            window.location.reload();
          }
        });
        return false;
      };
    </script>
  [% END %]
 [% END %]
 [% IF c.config.enable_persona %]
  <script src="https://login.persona.org/include.js"></script>
  <script>
    navigator.id.watch({
      onlogin: function(assertion) {
        requestJSON({
          url: "[% c.uri_for('/persona-login') %]",
          data: "assertion=" + assertion,
          type: 'POST',
          success: function(data) { window.location.reload(); },
          postError: function() { navigator.id.logout(); }
        });
      }
    });
    $("#persona-signin").click(function() {
      navigator.id.request({ siteName: 'Hydra' });
    });
  </script>
 [% END %]
--- a/src/root/layout.tt
+++ b/src/root/layout.tt
@ -36,6 +36,11 @@
    <script type="text/javascript" src="[% c.uri_for("/static/js/common.js") %]"></script>
    [% IF c.config.enable_google_login %]
      <meta name="google-signin-client_id" content="[% c.config.google_client_id %]">
      <script src="https://apis.google.com/js/platform.js" async="1" defer="1"></script>
    [% END %]
    [% tracker %]
  </head>
@ -94,95 +99,16 @@
        <small>
          <em><a href="http://nixos.org/hydra" target="_blank">Hydra</a> [% HTML.escape(version) %] (using [% HTML.escape(nixVersion) %]).</em>
          [% IF c.user_exists %]
-          You are signed in as <tt>[% HTML.escape(c.user.username) %]</tt>[% IF c.user.type == 'persona' %] via Persona[% END %].
+          You are signed in as <tt>[% HTML.escape(c.user.username) %]</tt>
            [%- IF c.user.type == 'persona' %] via Persona
            [%- ELSIF c.user.type == 'google' %] via Google[% END %].
          [% END %]
        </small>
      </footer>
    </div>
-    <script>
+    [% PROCESS auth.tt %]
      function doLogout() {
        [% IF c.user_exists %]
          $.post("[% c.uri_for('/logout') %]")
            .done(function(data) {
              window.location.reload();
            })
            .fail(function() { bootbox.alert("Server request failed!"); });
        [% END %]
      }
    </script>
    [% IF c.user_exists && c.user.type == 'hydra' %]
      <script>
        $("#persona-signout").click(doLogout);
      </script>
    [% ELSIF personaEnabled %]
      <script src="https://login.persona.org/include.js"></script>
      <script>
        navigator.id.watch({
          loggedInUser: [% c.user_exists ? '"' _ HTML.escape(c.user.username) _ '"' : "null" %],
          onlogin: function(assertion) {
            requestJSON({
              url: "[% c.uri_for('/persona-login') %]",
              data: "assertion=" + assertion,
              type: 'POST',
              success: function(data) { window.location.reload(); },
              postError: function() { navigator.id.logout(); }
            });
          },
          onlogout: doLogout
        });
        $("#persona-signin").click(function() {
          navigator.id.request({ siteName: 'Hydra' });
        });
        $("#persona-signout").click(function() {
          navigator.id.logout();
        });
      </script>
    [% END %]
    [% IF !c.user_exists %]
      <div id="hydra-signin" class="modal hide fade" tabindex="-1" role="dialog" aria-hidden="true">
        <form class="form-horizontal">
          <div class="modal-body">
            <div class="control-group">
              <label class="control-label">User name</label>
              <div class="controls">
                <input type="text" class="span3" name="username" value=""/>
              </div>
            </div>
            <div class="control-group">
              <label class="control-label">Password</label>
              <div class="controls">
                <input type="password" class="span3" name="password" value=""/>
              </div>
            </div>
          </div>
          <div class="modal-footer">
            <button id="do-signin" class="btn btn-primary">Sign in</button>
            <button class="btn" data-dismiss="modal" aria-hidden="true">Cancel</button>
          </div>
        </form>
      </div>
      <script>
          $("#do-signin").click(function() {
            requestJSON({
              url: "[% c.uri_for('/login') %]",
              data: $(this).parents("form").serialize(),
              type: 'POST',
              success: function(data) {
                window.location.reload();
              }
            });
            return false;
          });
      </script>
    [% END %]
  </body>
--- a/src/root/topbar.tt
+++ b/src/root/topbar.tt
@ -127,24 +127,26 @@
  [% IF c.user_exists %]
    [% INCLUDE menuItem uri = c.uri_for(c.controller('User').action_for('edit'), [c.user.username]) title = "Preferences" %]
    <li>
-      <a href="#" id="persona-signout">Sign out</a>
+      <a href="#" onclick="signOut();">Sign out</a>
    </li>
  [% ELSE %]
-    [% IF personaEnabled %]
+    [% WRAPPER makeSubMenu title="Sign in" %]
-      [% WRAPPER makeSubMenu title="Sign in" %]
+      [% IF c.config.enable_google_login %]
        <li>
          <a><div class="g-signin2" data-onsuccess="onGoogleSignIn" data-theme="dark"></div></a>
        </li>
        <li class="divider"></li>
      [% END %]
      [% IF c.config.enable_persona %]
        <li>
          <a href="#" id="persona-signin">
            <img src="[% c.uri_for("/static/images/persona_sign_in_blue.png") %]" alt="Sign in with Persona" />
          </a>
        </li>
        <li class="divider"></li>
        <li>
          <a href="#hydra-signin" data-toggle="modal">Sign in with a Hydra account</a>
        </li>
      [% END %]
    [% ELSE %]
      <li>
-        <a href="#hydra-signin" data-toggle="modal">Sign in</a>
+        <a href="#hydra-signin" data-toggle="modal">Sign in with a Hydra account</a>
      </li>
    [% END %]
  [% END %]
--- a/src/root/user.tt
+++ b/src/root/user.tt
@ -53,7 +53,7 @@
    <div class="control-group">
      <label class="control-label">Email</label>
      <div class="controls">
-        <input type="text" class="span3" name="emailaddress" [% IF !create && user.type == 'persona' %]disabled="disabled"[% END %] [%+ HTML.attributes(value => user.emailaddress) %]/>
+        <input type="text" class="span3" name="emailaddress" [% IF !create && user.username.search('@') %]disabled="disabled"[% END %] [%+ HTML.attributes(value => user.emailaddress) %]/>
      </div>
    </div>