Add Oauth Login #279
Open · uvulpos wants to merge 29 commits into main from feat/add-oauth (base: main)
Changes from 17 commits
Commits (29)
51f2820 feat: add oauth (uvulpos)
27624ce resolve issues (uvulpos)
b556ca8 Merge branch 'main' into feat/add-oauth (uvulpos)
ad8b079 fix styling issues (uvulpos)
3bd236c . (uvulpos)
d863557 . (uvulpos)
66582a0 . (uvulpos)
561e2d7 update git assets (uvulpos)
d808fbb . (uvulpos)
6404e89 Merge remote-tracking branch 'origin/main' into feat/add-oauth (uvulpos)
d7275bb . (uvulpos)
b43c6e3 . (uvulpos)
063b894 . (uvulpos)
4dd6b2a . (uvulpos)
12bb9f6 Merge branch 'main' into feat/add-oauth (uvulpos)
a9461a8 . (uvulpos)
269609f Merge branch 'feat/add-oauth' of github.com:uvulpos/golang-sveltekit-… (uvulpos)
5bfedfd . (uvulpos)
6238830 . (uvulpos)
0be0412 . (uvulpos)
2b52ce4 . (uvulpos)
f654319 . (uvulpos)
36d9d92 fix tests (uvulpos)
c428fdf . (uvulpos)
01de14b . (uvulpos)
af9ce38 Merge branch 'main' into feat/add-oauth (uvulpos)
2a1d9af wip (uvulpos)
66901ca - (uvulpos)
8de4340 . (uvulpos)
@@ -55,6 +55,9 @@ services: | |
AUTHENTIK_POSTGRESQL__NAME: ${APP_DATABASE_DATABASE}-authentik | ||
AUTHENTIK_POSTGRESQL__PASSWORD: ${APP_DATABASE_PASSWORD} | ||
AUTHENTIK_SECRET_KEY: RHRNhMc30ePTXymUm7RXlcs6J7gnK6qXM2+sK+QSLUTpFhbMmMgpNEJgIRRUFPuS/E2sIROIq+5X4ahJ | ||
AUTHENTIK_BOOTSTRAP_EMAIL: [email protected] | ||
AUTHENTIK_BOOTSTRAP_PASSWORD: test | ||
AUTHENTIK_BOOTSTRAP_TOKEN: test | ||
|
||
# volumes: | ||
# - ./media:/media | ||
|
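Review bot: `AUTHENTIK_BOOTSTRAP_PASSWORD: test` and `AUTHENTIK_BOOTSTRAP_TOKEN: test` commit a guessable password and token for the Authentik bootstrap (admin) account into the compose file, while the Postgres password two lines above is already read from `${APP_DATABASE_PASSWORD}`. Source both from the environment the same way, do the same for the context-line `AUTHENTIK_SECRET_KEY`, which is also hard-coded here, and treat the committed values as leaked: rotate them anywhere this file has been deployed. If these are meant for local development only, say so in a comment and still pull them from `.env`, so a copy into staging does not ship `test`.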
@@ -88,6 +91,11 @@ services: | |
AUTHENTIK_POSTGRESQL__NAME: ${APP_DATABASE_DATABASE}-authentik | ||
AUTHENTIK_POSTGRESQL__PASSWORD: ${APP_DATABASE_PASSWORD} | ||
AUTHENTIK_SECRET_KEY: RHRNhMc30ePTXymUm7RXlcs6J7gnK6qXM2+sK+QSLUTpFhbMmMgpNEJgIRRUFPuS/E2sIROIq+5X4ahJ | ||
|
||
AUTHENTIK_BOOTSTRAP_EMAIL: [email protected] | ||
AUTHENTIK_BOOTSTRAP_PASSWORD: test | ||
AUTHENTIK_BOOTSTRAP_TOKEN: test | ||
|
||
user: root | ||
volumes: | ||
- /var/run/docker.sock:/var/run/docker.sock | ||
|
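Review bot: the same `test` bootstrap password and token are duplicated into this second service, and the surrounding context shows it running as `user: root` with `/var/run/docker.sock` mounted, so anyone who logs in with these defaults lands on a root container that holds the host's Docker socket. Read `AUTHENTIK_BOOTSTRAP_PASSWORD` and `AUTHENTIK_BOOTSTRAP_TOKEN` from the environment, and define the shared Authentik variables once (a YAML anchor or an `x-` extension block referenced by both services) so the two copies cannot drift; the hard-coded `AUTHENTIK_SECRET_KEY` should leave the file for the same reason.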
@@ -1,6 +1,6 @@ | ||
@goimports = go run golang.org/x/tools/cmd/goimports | ||
|
||
src/**/* !src/assets/frontend/**/* { | ||
src/**/* /app/go_app_modules/**/* !src/assets/frontend/**/* { | ||
prep: swag fmt -g src/web-app/app.go && swag init -g src/web-app/app.go -o swagger-docs | ||
daemon +sigterm: go run src/main.go run | ||
} |
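Review bot: adding `/app/go_app_modules/**/*` to the watch set means every write into the module directory (a `go mod download`, a dependency bump, a `go get`) re-runs `swag fmt` and `swag init` and restarts the daemon, and the absolute `/app/...` path ties this config to the container layout while the other globs stay repo-relative. If the intent is to restart when a locally replaced module changes, watch only that module's path; otherwise drop the glob, since `go run` resolves module changes on the next source-triggered restart anyway.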
services/backend/src/migrator/migration-files/2_add_user.down.sql (8 additions, 0 deletions)
@@ -0,0 +1,8 @@ | ||
ALTER TABLE user_sessions DROP CONSTRAINT IF EXISTS created_ip_addr_not_empty_string; | ||
ALTER TABLE user_sessions DROP CONSTRAINT IF EXISTS last_jwt_refresh_ip_addr_not_empty_string; | ||
|
||
DROP TABLE IF EXISTS user_sessions; | ||
DROP TABLE IF EXISTS user_identities; | ||
DROP TABLE IF EXISTS users; | ||
|
||
DROP TYPE IF EXISTS identity_provider; | ||
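Review bot: the two `DROP CONSTRAINT IF EXISTS` statements are redundant, because `DROP TABLE IF EXISTS user_sessions` removes the table's check constraints with it; harmless, but it suggests the down script was written per object rather than as the inverse of the up script. The drop order (sessions, identities, then users) is correct for the foreign keys. This down migration will fail while the permissions migration is still applied, since `user_roles` references `users(id)`; that is the right behaviour, but a one-line comment in the file would stop someone "fixing" it with `DROP TABLE ... CASCADE`.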
services/backend/src/migrator/migration-files/2_add_user.up.sql (41 additions, 0 deletions)
@@ -0,0 +1,41 @@ | ||
CREATE TYPE identity_provider IF NOT EXISTS AS ENUM (); | ||
ALTER TYPE enum_type ADD VALUE 'Authentik'; | ||
|
||
CREATE TABLE users ( | ||
id UUID PRIMARY KEY DEFAULT gen_random_uuid(), | ||
username VARCHAR UNIQUE NOT NULL, | ||
display_name VARCHAR NOT NULL, | ||
email VARCHAR NOT NULL, | ||
email_verified VARCHAR NOT NULL | ||
); | ||
|
||
CREATE TABLE user_identities ( | ||
provider identity_provider NOT NULL, | ||
provider_user_id VARCHAR NOT NULL, | ||
user_id UUID NOT NULL, | ||
PRIMARY KEY (provider, provider_user_id), | ||
FOREIGN KEY (user_id) REFERENCES users (id), | ||
UNIQUE (provider, provider_user_id, user_id) | ||
); | ||
|
||
CREATE TABLE user_sessions ( | ||
id UUID PRIMARY KEY DEFAULT gen_random_uuid(), | ||
user_id UUID NOT NULL, | ||
useragent_hash VARCHAR CHECK (useragent_hash != ''), -- to prevent at least a bit session hijacking | ||
created TIMESTAMP NOT NULL DEFAULT NOW(), | ||
created_ip_addr VARCHAR DEFAULT NULL, | ||
last_jwt_refresh TIMESTAMP NOT NULL DEFAULT NOW(), | ||
last_jwt_refresh_ip_addr VARCHAR DEFAULT NULL, | ||
FOREIGN KEY (user_id) REFERENCES users (id), | ||
UNIQUE (id, user_id) | ||
); | ||
|
||
-- Value can be null, but not empty string | ||
ALTER TABLE user_sessions | ||
ADD CONSTRAINT created_ip_addr_not_empty_string | ||
CHECK (created_ip_addr IS NULL OR (created_ip_addr != '')); | ||
|
||
-- Value can be null, but not empty string | ||
ALTER TABLE user_sessions | ||
ADD CONSTRAINT last_jwt_refresh_ip_addr_not_empty_string | ||
CHECK (last_jwt_refresh_ip_addr IS NULL OR (last_jwt_refresh_ip_addr != '')); |
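Review bot: the first two statements do not run on PostgreSQL: `CREATE TYPE` has no `IF NOT EXISTS` clause, and the `ALTER TYPE enum_type ADD VALUE 'Authentik'` targets a type named `enum_type` that does not exist instead of `identity_provider` (and `ALTER TYPE ... ADD VALUE` is rejected inside a transaction block before PostgreSQL 12, which matters if the migrator wraps each file in one). Replace both with `CREATE TYPE identity_provider AS ENUM ('Authentik');`. Further points in the same hunk: `email_verified VARCHAR NOT NULL` should be `BOOLEAN`; `user_sessions` has no expiry or revocation column (`expires_at`, `revoked_at`), so nothing at the data layer bounds a session's lifetime or lets it be invalidated, which buys far more than the nullable `useragent_hash` check, since the User-Agent is attacker-controlled and the "session hijacking" comment overstates it; the IP columns would be better typed `INET`; `UNIQUE (id, user_id)` and `UNIQUE (provider, provider_user_id, user_id)` are implied by the primary keys; and the `user_id` foreign keys here carry no `ON DELETE` action while the permissions migration uses `ON DELETE CASCADE`, so deleting a user fails once it has an identity or session.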
Empty file.
services/backend/src/migrator/migration-files/3_add_permissions.up.sql (62 additions, 0 deletions)
@@ -0,0 +1,62 @@ | ||
CREATE TABLE IF NOT EXISTS roles ( | ||
id UUID DEFAULT uuid_generate_v4() PRIMARY KEY, | ||
name VARCHAR UNIQUE NOT NULL, | ||
inherit_from UUID, | ||
FOREIGN KEY (inherit_from) REFERENCES roles(id) ON DELETE SET NULL, | ||
(review comment on `inherit_from`) could be also an array, to inherit from multiple roles (like an admin)
||
CHECK (inherit_from != id) | ||
); | ||
|
||
CREATE TABLE IF NOT EXISTS permissions ( | ||
id UUID DEFAULT uuid_generate_v4() PRIMARY KEY, | ||
name VARCHAR UNIQUE NOT NULL, | ||
description VARCHAR NOT NULL, | ||
identifier VARCHAR UNIQUE NOT NULL | ||
CHECK (identifier != '') | ||
); | ||
|
||
CREATE TABLE IF NOT EXISTS role_permissions ( | ||
role_id UUID, | ||
permission_id UUID, | ||
FOREIGN KEY (role_id) REFERENCES roles(id) ON DELETE CASCADE, | ||
FOREIGN KEY (permission_id) REFERENCES permissions(id) ON DELETE CASCADE, | ||
PRIMARY KEY (role_id, permission_id) | ||
); | ||
|
||
CREATE TABLE IF NOT EXISTS user_roles ( | ||
user_id UUID, | ||
role_id UUID, | ||
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE, | ||
FOREIGN KEY (role_id) REFERENCES roles(id) ON DELETE CASCADE, | ||
PRIMARY KEY (user_id, role_id) | ||
); | ||
|
||
CREATE OR REPLACE FUNCTION get_user_permissions(p_user_id UUID) | ||
RETURNS JSONB AS $$ | ||
BEGIN | ||
RETURN ( | ||
WITH RECURSIVE role_hierarchy AS ( | ||
-- Base case: Get all roles directly assigned to the user | ||
SELECT | ||
ur.user_id, | ||
r.id AS role_id | ||
FROM user_roles ur | ||
JOIN roles r ON ur.role_id = r.id | ||
WHERE ur.user_id = p_user_id | ||
UNION | ||
|
||
-- Recursive case: Get all roles that are inherited from other roles | ||
SELECT | ||
rh.user_id, | ||
r2.id AS role_id | ||
FROM role_hierarchy rh | ||
JOIN roles r1 ON rh.role_id = r1.id | ||
JOIN roles r2 ON r1.inherit_from = r2.id | ||
) | ||
SELECT | ||
jsonb_agg(DISTINCT p.identifier) AS permissions | ||
FROM role_hierarchy rh | ||
JOIN role_permissions rp ON rh.role_id = rp.role_id | ||
JOIN permissions p ON rp.permission_id = p.id | ||
); | ||
END; | ||
$$ LANGUAGE plpgsql; |
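Review bot: `get_user_permissions` returns SQL `NULL`, not `'[]'`, for a user with no permissions, because `jsonb_agg` over zero rows yields NULL; a caller that treats a null JSON value as "no restriction" or skips the check fails open, so return `COALESCE(jsonb_agg(DISTINCT p.identifier), '[]'::jsonb)`. The `CHECK (inherit_from != id)` only blocks a role inheriting from itself; a two-step cycle (A inherits B, B inherits A) is accepted, the recursive CTE terminates only because `UNION` deduplicates, and both roles then silently receive the union of each other's permissions, so cycle detection belongs in a trigger or in the code path that sets `inherit_from`. Also: `uuid_generate_v4()` requires the `uuid-ossp` extension, which no migration here creates, while the user migration uses `gen_random_uuid()`; pick one. The function only reads, so mark it `STABLE`.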
(review comment) use better jwt secret / certificate