b37e15d59a
Phase 18 changes: OAuth/OIDC SSO (Authorization Code + PKCE): - alembic/versions/0015_add_oauth_fields.py: add oauth_sub UNIQUE column, drop NOT NULL on password_hash - src/fabledassistant/services/oauth.py: OIDC discovery (cached), build_auth_url, exchange_code, get_userinfo, find_or_create_oauth_user (sub→email auto-link→create) - src/fabledassistant/routes/auth.py: GET /api/auth/oauth/login and GET /api/auth/oauth/callback; LOCAL_AUTH_ENABLED guards on login/register; /api/auth/status now returns oauth_enabled + local_auth_enabled - src/fabledassistant/config.py: OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_SCOPES, LOCAL_AUTH_ENABLED, oidc_enabled() classmethod - src/fabledassistant/models/user.py: password_hash nullable, oauth_sub field, has_password bool in to_dict() - src/fabledassistant/services/auth.py: create_user accepts password=None + oauth_sub kwarg; authenticate returns None for OAuth-only users; add get_user_by_oauth_sub, link_oauth_sub, update_user_email - frontend: AuthStatus + User types updated; auth store exposes oauthEnabled + localAuthEnabled; LoginView shows SSO button / hides password form accordingly Email change: - PUT /api/auth/email: requires password confirmation for local-auth users, skips check for OAuth-only users; enforces email uniqueness - SettingsView.vue: new Email Address section pre-filled with current email, updates authStore.user in-place on success Docs: - docs/oauth-setup.md: step-by-step Authentik provider setup, example docker-compose env vars, account linking explanation, per-provider issuer URL table Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
246 lines
5.5 KiB
Vue
246 lines
5.5 KiB
Vue
<script setup lang="ts">
|
|
import { ref, computed, onMounted } from "vue";
|
|
import { useRouter, useRoute } from "vue-router";
|
|
import { useAuthStore } from "@/stores/auth";
|
|
import AppLogo from "@/components/AppLogo.vue";
|
|
|
|
const router = useRouter();
|
|
const route = useRoute();
|
|
const authStore = useAuthStore();
|
|
|
|
const username = ref("");
|
|
const password = ref("");
|
|
const error = ref("");
|
|
const submitting = ref(false);
|
|
|
|
const oauthError = computed(() => route.query.error === "oauth");
|
|
|
|
onMounted(async () => {
|
|
await authStore.checkHasUsers();
|
|
if (oauthError.value) {
|
|
error.value = "SSO login failed. Please try again.";
|
|
}
|
|
});
|
|
|
|
async function handleSubmit() {
|
|
error.value = "";
|
|
submitting.value = true;
|
|
try {
|
|
await authStore.login(username.value, password.value);
|
|
const redirect = (route.query.redirect as string) || "/";
|
|
router.push(redirect);
|
|
} catch (e: unknown) {
|
|
if (e && typeof e === "object" && "body" in e) {
|
|
const body = (e as { body?: { error?: string } }).body;
|
|
error.value = body?.error || "Login failed";
|
|
} else {
|
|
error.value = "Login failed";
|
|
}
|
|
} finally {
|
|
submitting.value = false;
|
|
}
|
|
}
|
|
|
|
function loginWithOAuth() {
|
|
window.location.href = "/api/auth/oauth/login";
|
|
}
|
|
</script>
|
|
|
|
<template>
|
|
<main class="auth-page">
|
|
<div class="auth-card">
|
|
<div class="auth-brand"><AppLogo :size="32" /><h1>Sign In</h1></div>
|
|
<p v-if="!authStore.hasUsers" class="auth-hint">
|
|
No accounts yet.
|
|
<router-link to="/register">Create the first account</router-link>
|
|
to get started.
|
|
</p>
|
|
|
|
<p v-if="error" class="error-msg">{{ error }}</p>
|
|
|
|
<form v-if="authStore.localAuthEnabled" @submit.prevent="handleSubmit">
|
|
<div class="field">
|
|
<label for="username">Username</label>
|
|
<input
|
|
id="username"
|
|
v-model="username"
|
|
type="text"
|
|
autocomplete="username"
|
|
required
|
|
class="input"
|
|
/>
|
|
</div>
|
|
<div class="field">
|
|
<label for="password">Password</label>
|
|
<input
|
|
id="password"
|
|
v-model="password"
|
|
type="password"
|
|
autocomplete="current-password"
|
|
required
|
|
class="input"
|
|
/>
|
|
</div>
|
|
<p class="forgot-link">
|
|
<router-link to="/forgot-password">Forgot your password?</router-link>
|
|
</p>
|
|
<button type="submit" class="btn-submit" :disabled="submitting">
|
|
{{ submitting ? "Signing in..." : "Sign In" }}
|
|
</button>
|
|
</form>
|
|
|
|
<div
|
|
v-if="authStore.localAuthEnabled && authStore.oauthEnabled"
|
|
class="divider"
|
|
>
|
|
<span>or</span>
|
|
</div>
|
|
|
|
<button
|
|
v-if="authStore.oauthEnabled"
|
|
class="btn-oauth"
|
|
@click="loginWithOAuth"
|
|
>
|
|
Login with Authentik
|
|
</button>
|
|
|
|
<p v-if="authStore.localAuthEnabled" class="auth-footer">
|
|
Don't have an account?
|
|
<router-link to="/register">Register</router-link>
|
|
</p>
|
|
</div>
|
|
</main>
|
|
</template>
|
|
|
|
<style scoped>
|
|
.auth-page {
|
|
display: flex;
|
|
align-items: center;
|
|
justify-content: center;
|
|
min-height: 100vh;
|
|
padding: 1rem;
|
|
}
|
|
.auth-card {
|
|
width: 100%;
|
|
max-width: 400px;
|
|
background: var(--color-bg-card);
|
|
border: 1px solid var(--color-border);
|
|
border-radius: var(--radius-md);
|
|
padding: 2rem;
|
|
}
|
|
.auth-brand {
|
|
display: flex;
|
|
align-items: center;
|
|
justify-content: center;
|
|
gap: 0.5rem;
|
|
margin-bottom: 1.5rem;
|
|
}
|
|
.auth-card h1 {
|
|
margin: 0;
|
|
text-align: center;
|
|
}
|
|
.auth-hint {
|
|
text-align: center;
|
|
font-size: 0.9rem;
|
|
color: var(--color-text-secondary);
|
|
margin-bottom: 1rem;
|
|
}
|
|
.auth-hint a {
|
|
color: var(--color-primary);
|
|
}
|
|
.field {
|
|
margin-bottom: 1rem;
|
|
}
|
|
.field label {
|
|
display: block;
|
|
font-size: 0.9rem;
|
|
font-weight: 600;
|
|
margin-bottom: 0.35rem;
|
|
}
|
|
.input {
|
|
width: 100%;
|
|
padding: 0.5rem 0.75rem;
|
|
border: 1px solid var(--color-border);
|
|
border-radius: var(--radius-sm);
|
|
font-size: 0.95rem;
|
|
background: var(--color-bg);
|
|
color: var(--color-text);
|
|
box-sizing: border-box;
|
|
}
|
|
.input:focus {
|
|
outline: none;
|
|
border-color: var(--color-primary);
|
|
}
|
|
.error-msg {
|
|
color: var(--color-danger);
|
|
font-size: 0.9rem;
|
|
margin: 0 0 0.75rem;
|
|
}
|
|
.btn-submit {
|
|
width: 100%;
|
|
padding: 0.6rem;
|
|
background: var(--color-primary);
|
|
color: #fff;
|
|
border: none;
|
|
border-radius: var(--radius-sm);
|
|
cursor: pointer;
|
|
font-size: 0.95rem;
|
|
font-weight: 600;
|
|
}
|
|
.btn-submit:disabled {
|
|
opacity: 0.6;
|
|
cursor: default;
|
|
}
|
|
.btn-submit:hover:not(:disabled) {
|
|
opacity: 0.9;
|
|
}
|
|
.divider {
|
|
display: flex;
|
|
align-items: center;
|
|
gap: 0.75rem;
|
|
margin: 1.25rem 0;
|
|
color: var(--color-text-secondary);
|
|
font-size: 0.85rem;
|
|
}
|
|
.divider::before,
|
|
.divider::after {
|
|
content: "";
|
|
flex: 1;
|
|
border-top: 1px solid var(--color-border);
|
|
}
|
|
.btn-oauth {
|
|
width: 100%;
|
|
padding: 0.6rem;
|
|
background: transparent;
|
|
color: var(--color-text);
|
|
border: 1px solid var(--color-border);
|
|
border-radius: var(--radius-sm);
|
|
cursor: pointer;
|
|
font-size: 0.95rem;
|
|
font-weight: 600;
|
|
}
|
|
.btn-oauth:hover {
|
|
background: var(--color-bg-hover, var(--color-border));
|
|
}
|
|
.auth-footer {
|
|
text-align: center;
|
|
font-size: 0.9rem;
|
|
color: var(--color-text-secondary);
|
|
margin: 1rem 0 0;
|
|
}
|
|
.auth-footer a {
|
|
color: var(--color-primary);
|
|
}
|
|
.forgot-link {
|
|
text-align: right;
|
|
margin: -0.5rem 0 0.75rem;
|
|
font-size: 0.85rem;
|
|
}
|
|
.forgot-link a {
|
|
color: var(--color-text-secondary);
|
|
}
|
|
.forgot-link a:hover {
|
|
color: var(--color-primary);
|
|
}
|
|
</style>
|