Browse Source

add auto launch

pull/2659/head
Bernd Storath 1 month ago
parent
commit
10c068ba12
  1. 34
      docs/content/advanced/config/external-authentication.md
  2. 24
      src/app/pages/login/index.vue
  3. 1
      src/server/api/auth/methods.get.ts
  4. 14
      src/server/utils/config.ts

34
docs/content/advanced/config/external-authentication.md

@ -4,7 +4,7 @@ title: External Authentication
## OAuth ## OAuth
### Providers ### Setup
To enable OAuth set the env var `OAUTH_PROVIDERS` to any of the following providers: To enable OAuth set the env var `OAUTH_PROVIDERS` to any of the following providers:
@ -65,28 +65,44 @@ You can allow multiple domains by separating them with a comma:
e.g. `example.com,example.org` e.g. `example.com,example.org`
### Google ### Auto Launch
To automatically launch the OAuth login flow when visiting the login page, set the following environment variable to the provider you want to launch:
| Env | Required | Default | Description |
| ------------------- | -------- | ------- | ----------------------------- |
| `OAUTH_AUTO_LAUNCH` | ✖️ | - | Auto launch an OAuth provider |
When enabled:
- Visiting the login page will automatically redirect to the selected provider's login page
- The user can still access the normal login page by visiting `/login?auto_launch=false`
- You can auto launch any provider by visiting `/login?auto_launch=<provider>`
#### Provider Configuration
#### Google
| Env | Required | Description | | Env | Required | Description |
| ---------------------------- | -------- | -------------------- | | ---------------------------- | -------- | -------------------- |
| `OAUTH_GOOGLE_CLIENT_ID` | ✔️ | Google Client ID | | `OAUTH_GOOGLE_CLIENT_ID` | ✔️ | Google Client ID |
| `OAUTH_GOOGLE_CLIENT_SECRET` | ✔️ | Google Client Secret | | `OAUTH_GOOGLE_CLIENT_SECRET` | ✔️ | Google Client Secret |
#### Setup ##### Setup
1. Go to [Google Cloud Console](https://console.cloud.google.com/apis/credentials) 1. Go to [Google Cloud Console](https://console.cloud.google.com/apis/credentials)
2. Create an OAuth 2.0 Client ID (Web application) 2. Create an OAuth 2.0 Client ID (Web application)
3. Add Authorized redirect URI: See [Redirect URIs](#redirect-uris) 3. Add Authorized redirect URI: See [Redirect URIs](#redirect-uris)
4. Copy the Client ID and Client Secret to the environment variables 4. Copy the Client ID and Client Secret to the environment variables
### GitHub #### GitHub
| Env | Required | Description | | Env | Required | Description |
| ---------------------------- | -------- | -------------------- | | ---------------------------- | -------- | -------------------- |
| `OAUTH_GITHUB_CLIENT_ID` | ✔️ | GitHub Client ID | | `OAUTH_GITHUB_CLIENT_ID` | ✔️ | GitHub Client ID |
| `OAUTH_GITHUB_CLIENT_SECRET` | ✔️ | GitHub Client Secret | | `OAUTH_GITHUB_CLIENT_SECRET` | ✔️ | GitHub Client Secret |
#### Setup ##### Setup
1. Go to [GitHub Developer Settings](https://github.com/settings/developers) 1. Go to [GitHub Developer Settings](https://github.com/settings/developers)
2. Create a new OAuth App 2. Create a new OAuth App
@ -94,7 +110,7 @@ e.g. `example.com,example.org`
4. Create a new client secret 4. Create a new client secret
5. Copy the Client ID and Client Secret to the environment variables 5. Copy the Client ID and Client Secret to the environment variables
### Generic OIDC #### Generic OIDC
This supports generic OIDC providers like Authelia, Authentik, etc. This supports generic OIDC providers like Authelia, Authentik, etc.
@ -113,7 +129,7 @@ The provider needs to be available with HTTPS and have a valid certificate.
| `OAUTH_OIDC_CLIENT_SECRET` | ✔️ | - | - | OIDC Client Secret | | `OAUTH_OIDC_CLIENT_SECRET` | ✔️ | - | - | OIDC Client Secret |
| `OAUTH_OIDC_NAME` | ✖️ | OIDC | `Authelia` | Provider Name | | `OAUTH_OIDC_NAME` | ✖️ | OIDC | `Authelia` | Provider Name |
#### Authelia Setup ##### Authelia Setup
Generate Client ID and Secret: Generate Client ID and Secret:
@ -141,11 +157,11 @@ docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --
token_endpoint_auth_method: client_secret_post token_endpoint_auth_method: client_secret_post
``` ```
### Generic OAuth #### Generic OAuth
Not currently supported Not currently supported
### Disable Password Authentication #### Disable Password Authentication
To disable password-based authentication and only allow login via OAuth providers, set the following environment variable to `true`: To disable password-based authentication and only allow login via OAuth providers, set the following environment variable to `true`:

24
src/app/pages/login/index.vue

@ -69,6 +69,7 @@
<script setup lang="ts"> <script setup lang="ts">
const toast = useToast(); const toast = useToast();
const { t } = useI18n(); const { t } = useI18n();
const route = useRoute();
const authenticating = ref(false); const authenticating = ref(false);
const remember = ref(false); const remember = ref(false);
@ -77,6 +78,29 @@ const password = ref<string>('');
const { data: authMethods } = await useFetch('/api/auth/methods'); const { data: authMethods } = await useFetch('/api/auth/methods');
watchEffect(() => {
const autoLauchQuery =
typeof route.query.auto_launch === 'string' && !!route.query.auto_launch
? route.query.auto_launch
: undefined;
if (authMethods.value?.autoLaunchProvider && !autoLauchQuery) {
navigateTo(`/api/auth/${authMethods.value.autoLaunchProvider}`, {
external: true,
});
}
if (
autoLauchQuery &&
autoLauchQuery !== 'false' &&
authMethods.value?.providers?.[autoLauchQuery as OAUTH_PROVIDER]
) {
navigateTo(`/api/auth/${autoLauchQuery}`, {
external: true,
});
}
});
const _submit = useSubmit( const _submit = useSubmit(
(data) => (data) =>
$fetch('/api/auth/password', { $fetch('/api/auth/password', {

1
src/server/api/auth/methods.get.ts

@ -13,5 +13,6 @@ export default defineEventHandler(() => {
oauthEnabled: oauthEnabled:
WG_ENV.OAUTH_PROVIDERS !== undefined && WG_ENV.OAUTH_PROVIDERS.length > 0, WG_ENV.OAUTH_PROVIDERS !== undefined && WG_ENV.OAUTH_PROVIDERS.length > 0,
passwordDisabled: WG_ENV.DISABLE_PASSWORD_AUTH, passwordDisabled: WG_ENV.DISABLE_PASSWORD_AUTH,
autoLaunchProvider: WG_ENV.OAUTH_AUTO_LAUNCH,
}; };
}); });

14
src/server/utils/config.ts

@ -30,6 +30,11 @@ const detectAwg = async (): Promise<'awg' | 'wg'> => {
} else return 'wg'; } else return 'wg';
}; };
const oauthProviders = process.env.OAUTH_PROVIDERS?.split(',')
.map((v) => v.trim())
.filter((v) => isValidOauthProvider(v))
.filter((v) => isConfiguredOauthProvider(OAUTH_PROVIDERS[v]));
export const WG_ENV = { export const WG_ENV = {
/** UI is hosted on HTTP instead of HTTPS */ /** UI is hosted on HTTP instead of HTTPS */
INSECURE: process.env.INSECURE === 'true', INSECURE: process.env.INSECURE === 'true',
@ -40,16 +45,16 @@ export const WG_ENV = {
WG_EXECUTABLE: await detectAwg(), WG_EXECUTABLE: await detectAwg(),
DISABLE_VERSION_CHECK: process.env.DISABLE_VERSION_CHECK === 'true', DISABLE_VERSION_CHECK: process.env.DISABLE_VERSION_CHECK === 'true',
/** List of enabled OAuth providers */ /** List of enabled OAuth providers */
OAUTH_PROVIDERS: process.env.OAUTH_PROVIDERS?.split(',') OAUTH_PROVIDERS: oauthProviders,
.map((v) => v.trim())
.filter((v) => isValidOauthProvider(v))
.filter((v) => isConfiguredOauthProvider(OAUTH_PROVIDERS[v])),
/** List of allowed OAuth domains */ /** List of allowed OAuth domains */
OAUTH_ALLOWED_DOMAINS: process.env.OAUTH_ALLOWED_DOMAINS?.split(',').map( OAUTH_ALLOWED_DOMAINS: process.env.OAUTH_ALLOWED_DOMAINS?.split(',').map(
(v) => v.trim() (v) => v.trim()
), ),
/** Automatically register users that log in with an OAuth provider */ /** Automatically register users that log in with an OAuth provider */
OAUTH_AUTO_REGISTER: process.env.OAUTH_AUTO_REGISTER === 'true', OAUTH_AUTO_REGISTER: process.env.OAUTH_AUTO_REGISTER === 'true',
/** Which OAuth provider to automatically launch */
OAUTH_AUTO_LAUNCH:
oauthProviders?.find((p) => p === process.env.OAUTH_AUTO_LAUNCH) ?? null,
/** Disable password authentication */ /** Disable password authentication */
DISABLE_PASSWORD_AUTH: process.env.DISABLE_PASSWORD_AUTH === 'true', DISABLE_PASSWORD_AUTH: process.env.DISABLE_PASSWORD_AUTH === 'true',
}; };
@ -60,6 +65,7 @@ Enabled OAuth providers: ${WG_ENV.OAUTH_PROVIDERS.join(', ')}
Allowed OAuth domains: ${WG_ENV.OAUTH_ALLOWED_DOMAINS?.join(', ') ?? 'All'} Allowed OAuth domains: ${WG_ENV.OAUTH_ALLOWED_DOMAINS?.join(', ') ?? 'All'}
OAuth auto register: ${WG_ENV.OAUTH_AUTO_REGISTER ? 'Enabled' : 'Disabled'} OAuth auto register: ${WG_ENV.OAUTH_AUTO_REGISTER ? 'Enabled' : 'Disabled'}
Password authentication: ${WG_ENV.DISABLE_PASSWORD_AUTH ? 'Disabled' : 'Enabled'} Password authentication: ${WG_ENV.DISABLE_PASSWORD_AUTH ? 'Disabled' : 'Enabled'}
Auto launch OAuth provider: ${WG_ENV.OAUTH_AUTO_LAUNCH ?? 'None'}
`); `);
} }

Loading…
Cancel
Save