feat: openid connect support (#2873)

app/controllers/sessions_controller.rb

@@ -4,7 +4,8 @@ class SessionsController < ApplicationController
 
   layout "sub"
 
-  skip_before_action :login_required, only: [:new, :create, :begin_password_reset, :finish_password_reset, :ip, :raise_error]
+  before_action :require_local_authentication, only: [:create, :begin_password_reset, :finish_password_reset]
+  skip_before_action :login_required, only: [:new, :create, :begin_password_reset, :finish_password_reset, :ip, :raise_error, :create_from_oidc, :oauth_failure]
 
   def create
     login(User.authenticate(params[:email_address], params[:password]))
@@ -29,12 +30,16 @@ class SessionsController < ApplicationController
   def begin_password_reset
     return unless request.post?
 
-    if user = User.where(email_address: params[:email_address]).first
-      user.begin_password_reset(params[:return_to])
-      redirect_to login_path(return_to: params[:return_to]), notice: "Please check your e-mail and click the link in the e-mail we've sent you."
-    else
-      redirect_to login_reset_path(return_to: params[:return_to]), alert: "No user exists with that e-mail address. Please check and try again."
+    user_scope = Postal::Config.oidc.enabled? ? User.with_password : User
+    user = user_scope.find_by(email_address: params[:email_address])
+
+    if user.nil?
+      redirect_to login_reset_path(return_to: params[:return_to]), alert: "No local user exists with that e-mail address. Please check and try again."
+      return
     end
+
+    user.begin_password_reset(params[:return_to])
+    redirect_to login_path(return_to: params[:return_to]), notice: "Please check your e-mail and click the link in the e-mail we've sent you."
   end
 
   def finish_password_reset
@@ -49,6 +54,7 @@ class SessionsController < ApplicationController
       flash.now[:alert] = "You must enter a new password"
       return
     end
+
     @user.password = params[:password]
     @user.password_confirmation = params[:password_confirmation]
     return unless @user.save
@@ -61,4 +67,33 @@ class SessionsController < ApplicationController
     render plain: "ip: #{request.ip} remote ip: #{request.remote_ip}"
   end
 
+  def create_from_oidc
+    unless Postal::Config.oidc.enabled?
+      raise Postal::Error, "OIDC cannot be used unless enabled in the configuration"
+    end
+
+    auth = request.env["omniauth.auth"]
+    user = User.find_from_oidc(auth.extra.raw_info, logger: Postal.logger)
+    if user.nil?
+      redirect_to login_path, alert: "No user was found matching your identity. Please contact your administrator."
+      return
+    end
+
+    login(user)
+    flash[:remember_login] = true
+    redirect_to_with_return_to root_path
+  end
+
+  def oauth_failure
+    redirect_to login_path, alert: "An issue occurred while logging you in with OpenID. Please try again later or contact your administrator."
+  end
+
+  private
+
+  def require_local_authentication
+    return if Postal::Config.oidc.local_authentication_enabled?
+
+    redirect_to login_path, alert: "Local authentication is not enabled"
+  end
+
 end

app/controllers/user_controller.rb

@@ -30,23 +30,28 @@ class UserController < ApplicationController
 
   def update
     @user = User.find(current_user.id)
-    @user.attributes = params.require(:user).permit(:first_name, :last_name, :time_zone, :email_address, :password, :password_confirmation)
+    safe_params = [:first_name, :last_name, :time_zone, :email_address]
 
-    if @user.authenticate_with_previous_password_first(params[:password])
-      @password_correct = true
-    else
-      respond_to do |wants|
-        wants.html do
-          flash.now[:alert] = "The current password you have entered is incorrect. Please check and try again."
-          render "edit"
-        end
-        wants.json do
-          render json: { alert: "The current password you've entered is incorrect. Please check and try again" }
+    if @user.password? && Postal::Config.oidc.local_authentication_enabled?
+      safe_params += [:password, :password_confirmation]
+      if @user.authenticate_with_previous_password_first(params[:password])
+        @password_correct = true
+      else
+        respond_to do |wants|
+          wants.html do
+            flash.now[:alert] = "The current password you have entered is incorrect. Please check and try again."
+            render "edit"
+          end
+          wants.json do
+            render json: { alert: "The current password you've entered is incorrect. Please check and try again" }
+          end
         end
+        return
       end
-      return
     end
 
+    @user.attributes = params.require(:user).permit(safe_params)
+
     if @user.save
       redirect_to_with_json settings_path, notice: "Your settings have been updated successfully."
     else