feat: openid connect support (#2873)

app/views/sessions/new.html.haml

@@ -6,13 +6,19 @@
 .subPageBox__content
   = form_tag login_path, :class => 'loginForm' do
     = hidden_field_tag 'return_to', params[:return_to]
-    - if params[:return_to] && params[:return_to] =~ /\/join\//
-      %p.loginForm__invite.warningBox.u-margin Login to your existing account to accept your invitation.
 
-    %p.loginForm__input= text_field_tag 'email_address', '', :type => 'email', :autocomplete => 'off', :spellcheck => 'false', :class => 'input input--text input--onWhite', :placeholder => "Your e-mail address", :autofocus => true, :tabindex => 1
-    %p.loginForm__input= password_field_tag 'password', '', :class => 'input input--text input--onWhite', :placeholder => "Your password", :tabindex => 2
-    .loginForm__submit
-      %ul.loginForm__links
-        %li= link_to "Forgotten your password?", login_reset_path(:return_to => params[:return_to])
-      %p= submit_tag "Login", :class => 'button button--positive', :tabindex => 3
+    - if Postal::Config.oidc.enabled?
+      .loginForm__oidcButton
+        = link_to "Login with #{Postal::Config.oidc.name}", "/auth/oidc", method: :post, class: 'button button--full'
 
+    - if Postal::Config.oidc.enabled? && Postal::Config.oidc.local_authentication_enabled?
+      .loginForm__divider
+      %p.loginForm__localTitle or login with a local user
+
+    - if Postal::Config.oidc.local_authentication_enabled?
+      %p.loginForm__input= text_field_tag 'email_address', '', :type => 'email', :spellcheck => 'false', :class => 'input input--text input--onWhite', :placeholder => "Your e-mail address", :autofocus => !Postal::Config.oidc.enabled?, :tabindex => 1
+      %p.loginForm__input= password_field_tag 'password', '', :class => 'input input--text input--onWhite', :placeholder => "Your password", :tabindex => 2
+      .loginForm__submit
+        %ul.loginForm__links
+          %li= link_to "Forgotten your password?", login_reset_path(:return_to => params[:return_to])
+        %p= submit_tag "Login", :class => 'button button--positive', :tabindex => 3

app/views/user/edit.html.haml

@@ -6,15 +6,16 @@
   = form_for @user, :url => settings_path, :remote => true do |f|
     = f.error_messages
     %fieldset.fieldSet
-      .fieldSet__field
-        = label_tag :password, 'Your Password', :class => 'fieldSet__label'
-        .fieldSet__input
-          = password_field_tag :password, params[:password], :autofocus => @password_correct.nil?, :disabled => @password_correct, :class => 'input input--text', :placeholder => "Enter your current password to change your details"
-          - if @password_correct
-            = hidden_field_tag :password, params[:password]
-          %p.fieldSet__text
-            In order to protect your account, you need to enter your current password in the field above
-            to authenticate the change of your details.
+      - if @user.password? && Postal::Config.oidc.local_authentication_enabled?
+        .fieldSet__field
+          = label_tag :password, 'Your Password', :class => 'fieldSet__label'
+          .fieldSet__input
+            = password_field_tag :password, params[:password], :autofocus => @password_correct.nil?, :disabled => @password_correct, :class => 'input input--text', :placeholder => "Enter your current password to change your details"
+            - if @password_correct
+              = hidden_field_tag :password, params[:password]
+            %p.fieldSet__text
+              In order to protect your account, you need to enter your current password in the field above
+              to authenticate the change of your details.
 
       .fieldSet__title
         Your details
@@ -41,14 +42,15 @@
             Choose the time zone that you'd like times to be displayed to you when you use our
             web interface. By default, times are displayed in UTC.
 
-      .fieldSet__title
-        Change your password?
-      .fieldSet__field
-        = f.label :password, "New Password", :class => 'fieldSet__label'
-        .fieldSet__input
-          .inputPair
-            = f.password_field :password, :class => 'input input--text', :placeholder => "•••••••••••", :value => @user.password
-            = f.password_field :password_confirmation, :class => 'input input--text', :placeholder => "and confirm it", :value => @user.password_confirmation
+      - if @user.password? && Postal::Config.oidc.local_authentication_enabled?
+        .fieldSet__title
+          Change your password?
+        .fieldSet__field
+          = f.label :password, "New Password", :class => 'fieldSet__label'
+          .fieldSet__input
+            .inputPair
+              = f.password_field :password, :class => 'input input--text', :placeholder => "•••••••••••", :value => @user.password
+              = f.password_field :password_confirmation, :class => 'input input--text', :placeholder => "and confirm it", :value => @user.password_confirmation
 
 
     %p.fieldSetSubmit.buttonSet

app/views/users/_form.html.haml

@@ -11,11 +11,25 @@
       .fieldSet__input= f.text_field :last_name, :class => 'input input--text'
     .fieldSet__field
       = f.label :email_address, :class => 'fieldSet__label'
-      .fieldSet__input= f.text_field :email_address, :class => 'input input--text', autocomplete: 'one-time-code'
-    - unless @user.persisted?
+      .fieldSet__input
+        = f.text_field :email_address, :class => 'input input--text', autocomplete: 'one-time-code'
+        - if Postal::Config.oidc.enabled?
+          %p.fieldSet__text
+            This e-mail address should match the address provided by your OpenID Connect identity provider.
+
+    
+    - if Postal::Config.oidc.local_authentication_enabled? && !@user.persisted?
       .fieldSet__field
         = f.label :password, :class => 'fieldSet__label'
-        .fieldSet__input= f.password_field :password, :class => 'input input--text', :placeholder => '•••••••••••', autocomplete: 'one-time-code'
+        .fieldSet__input
+          = f.password_field :password, :class => 'input input--text', :placeholder => '•••••••••••', autocomplete: 'one-time-code'
+          - if Postal::Config.oidc.enabled?
+            %p.fieldSet__text
+              You have enabled OIDC which means a password is not required. If you do not provide
+              a password this user will be matched to an OIDC identity based on the e-mail address
+              provided above. You may, however, enter a password and this user will be permitted to
+              use that password until they have successfully logged in with OIDC.
+        
       .fieldSet__field
         = f.label :password_confirmation, "Confirm".html_safe, :class => 'fieldSet__label'
         .fieldSet__input= f.password_field :password_confirmation, :class => 'input input--text', :placeholder => '•••••••••••', autocomplete: 'one-time-code'

app/views/users/index.html.haml

@@ -7,15 +7,20 @@
   %ul.userList.u-margin
     - for user in @users
       %li.userList__item
-        = image_tag user.avatar_url, :class => 'userList__avatar'
         .userList__details
           %p.userList__name
             = user.name
             - if user.admin?
-              %span.userList__admin.label Admin
+              %span.userList__tag.label.label--blue Admin
+            - if Postal::Config.oidc.enabled?
+              - if user.oidc?
+                %span.userList__tag.label.label--green OIDC
+              - elsif !Postal::Config.oidc.local_authentication_enabled?
+                %span.userList__tag.label.label--orange Pending
+              
           %p.userList__email= user.email_address
         %ul.userList__actions
-          %li= link_to "Edit permissions", [:edit, user]
+          %li= link_to "Edit user", [:edit, user]
           %li= link_to "Delete user", user, :method => :delete, :data => {:confirm => "Are you sure you wish to revoke #{user.name}'s access?", :disable_with => "Deleting..."}, :remote => true, :class => 'userList__revoke'
 
   %p.u-center= link_to "Add a new user", :new_user, :class => 'button button--positive'