feat: add custom login URL (#979)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go

@@ -123,6 +123,9 @@ message Auth {
     string client_id = 2;
     string client_secret = 3;
     string redirect_url_scheme = 4;
+    // Optional login URL that will be used by the CLI to start the OIDC flow
+    // If not provided, it will default to [controlplane domain]/login
+    string login_url_override = 5;
   }
 
   message AllowList {

app/controlplane/internal/conf/controlplane/config/v1/conf.proto

@@ -80,7 +80,7 @@ func NewAuthService(userUC *biz.UserUseCase, orgUC *biz.OrganizationUseCase, mUC
 	}
 
 	// Craft Auth related endpoints
-	authURLs, err := getAuthURLs(serverConfig.GetHttp())
+	authURLs, err := getAuthURLs(serverConfig.GetHttp(), authConfig.GetOidc().GetLoginUrlOverride())
 	if err != nil {
 		return nil, fmt.Errorf("failed to get auth URLs: %w", err)
 	}
@@ -107,22 +107,29 @@ type AuthURLs struct {
 }
 
 // urlScheme is deprecated, now it will be inferred from the serverConfig externalURL
-func getAuthURLs(serverConfig *conf.Server_HTTP) (*AuthURLs, error) {
+func getAuthURLs(serverConfig *conf.Server_HTTP, loginURLOverride string) (*AuthURLs, error) {
 	host := serverConfig.Addr
 
-	// New mode using FQDN ExternalURL
+	// Calculate it based on local server configuration
+	urls := craftAuthURLs("http", host, "")
+
+	// If needed, use the external URL
 	if ea := serverConfig.GetExternalUrl(); ea != "" {
 		// x must be a valid absolute URI (via RFC 3986)
 		url, err := url.ParseRequestURI(ea)
 		if err != nil {
 			return nil, fmt.Errorf("validation error: %w", err)
 		}
 
-		return craftAuthURLs(url.Scheme, url.Host, url.Path), nil
+		urls = craftAuthURLs(url.Scheme, url.Host, url.Path)
+	}
+
+	// Override the login URL if needed
+	if loginURLOverride != "" {
+		urls.Login = loginURLOverride
 	}
 
-	// Fallback no external URL
-	return craftAuthURLs("http", host, ""), nil
+	return urls, nil
 }
 
 func craftAuthURLs(scheme, host, path string) *AuthURLs {

app/controlplane/internal/service/auth.go

@@ -25,10 +25,11 @@ import (
 func TestGetAuthURLs(t *testing.T) {
 	internalServer := &conf.Server_HTTP{Addr: "1.2.3.4"}
 	testCases := []struct {
-		name    string
-		config  *conf.Server_HTTP
-		want    *AuthURLs
-		wantErr bool
+		name             string
+		config           *conf.Server_HTTP
+		loginURLOverride string
+		want             *AuthURLs
+		wantErr          bool
 	}{
 		{
 			name:   "neither external url nor externalAddr set",
@@ -60,11 +61,23 @@ func TestGetAuthURLs(t *testing.T) {
 			config:  &conf.Server_HTTP{Addr: "1.2.3.4", ExternalUrl: "localhost.com"},
 			wantErr: true,
 		},
+		{
+			name:             "external with override",
+			config:           &conf.Server_HTTP{Addr: "1.2.3.4", ExternalUrl: "https://foo.com"},
+			loginURLOverride: "https://foo.override.com/auth/login",
+			want:             &AuthURLs{callback: "https://foo.com/auth/callback", Login: "https://foo.override.com/auth/login"},
+		},
+		{
+			name:             "internal with override",
+			config:           internalServer,
+			loginURLOverride: "https://foo.override.com/auth/login",
+			want:             &AuthURLs{callback: "http://1.2.3.4/auth/callback", Login: "https://foo.override.com/auth/login"},
+		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			got, err := getAuthURLs(tc.config)
+			got, err := getAuthURLs(tc.config, tc.loginURLOverride)
 			if tc.wantErr {
 				assert.Error(t, err)
 				return