Merge pull request #19 from jfro/jtk/oidc-auth

OIDC Auth support

Author: jfro

.env.sample

@@ -11,3 +11,10 @@ MAILER_ADAPTER="mailgun"
 MAILGUN_API_KEY="apikey"
 MAILGUN_DOMAIN="mailer.example.com"
 EMAIL_FROM_ADDRESS="fuzzy_catalog@example.com"
+
+# OIDC Configuration (optional)
+# Configure these to enable OIDC authentication
+OIDC_CLIENT_ID=""
+OIDC_CLIENT_SECRET=""
+OIDC_BASE_URL=""
+OIDC_REDIRECT_URI="http://localhost:4000/auth/oidc/callback"

config/runtime.exs

@@ -202,4 +202,12 @@ if config_env() == :prod do
     from_address: System.get_env("EMAIL_FROM_ADDRESS", "noreply@localhost")
 end
 
+# Configure OIDC
+config :fuzzy_catalog, :oidc,
+  client_id: System.get_env("OIDC_CLIENT_ID"),
+  client_secret: System.get_env("OIDC_CLIENT_SECRET"),
+  base_url: System.get_env("OIDC_BASE_URL"),
+  redirect_uri: System.get_env("OIDC_REDIRECT_URI") || "http://localhost:4000/auth/oidc/callback",
+  authorization_params: [scope: "openid profile email"]
+
 # end if prod

lib/fuzzy_catalog/accounts.ex

@@ -26,6 +26,23 @@ defmodule FuzzyCatalog.Accounts do
     Repo.get_by(User, email: email)
   end
 
+  @doc """
+  Gets a user by provider and provider UID.
+
+  ## Examples
+
+      iex> get_user_by_provider("oidc", "123456")
+      %User{}
+
+      iex> get_user_by_provider("oidc", "unknown")
+      nil
+
+  """
+  def get_user_by_provider(provider, provider_uid)
+      when is_binary(provider) and is_binary(provider_uid) do
+    Repo.get_by(User, provider: provider, provider_uid: provider_uid)
+  end
+
   @doc """
   Gets a user by email and password.
 
@@ -113,6 +130,38 @@ defmodule FuzzyCatalog.Accounts do
     |> Repo.insert()
   end
 
+  @doc """
+  Creates a user from a changeset.
+  """
+  def create_user_from_changeset(changeset) do
+    Repo.insert(changeset)
+  end
+
+  @doc """
+  Returns true if there are no users in the system.
+  """
+  def first_user? do
+    Repo.aggregate(User, :count) == 0
+  end
+
+  @doc """
+  Ensures the first user in the system is marked as admin.
+  This function should be called after user creation.
+  """
+  def ensure_first_user_is_admin do
+    import Ecto.Query
+    # Get the first user (oldest by insertion)
+    first_user = Repo.one(from u in User, order_by: [asc: u.inserted_at], limit: 1)
+
+    if first_user && first_user.role != "admin" do
+      first_user
+      |> User.admin_changeset(%{role: "admin"})
+      |> Repo.update()
+    else
+      {:ok, first_user}
+    end
+  end
+
   ## Settings
 
   @doc """
@@ -383,30 +432,6 @@ defmodule FuzzyCatalog.Accounts do
     User.admin_changeset(user, attrs)
   end
 
-  @doc """
-  Ensures the first user gets admin role.
-  """
-  def ensure_first_user_is_admin do
-    case Repo.aggregate(User, :count, :id) do
-      0 ->
-        :no_users
-
-      1 ->
-        case Repo.one(from u in User, limit: 1) do
-          %User{role: "admin"} = user ->
-            {:ok, user}
-
-          %User{} = user ->
-            user
-            |> User.admin_changeset(%{role: "admin"})
-            |> Repo.update()
-        end
-
-      _ ->
-        :multiple_users
-    end
-  end
-
   ## Token helper
 
   defp update_user_and_delete_all_tokens(changeset) do

lib/fuzzy_catalog/accounts/user.ex

@@ -10,6 +10,9 @@ defmodule FuzzyCatalog.Accounts.User do
     field :authenticated_at, :utc_datetime, virtual: true
     field :role, :string, default: "user"
     field :status, :string, default: "active"
+    field :provider, :string
+    field :provider_uid, :string
+    field :provider_token, :string
 
     timestamps(type: :utc_datetime)
   end
@@ -165,4 +168,23 @@ defmodule FuzzyCatalog.Accounts.User do
   """
   def active?(%__MODULE__{status: "active"}), do: true
   def active?(_), do: false
+
+  @doc """
+  A user changeset for OIDC registration.
+  """
+  def oidc_registration_changeset(user, attrs, opts \\ []) do
+    user
+    |> cast(attrs, [:email, :provider, :provider_uid, :provider_token, :role, :status])
+    |> validate_required([:email, :provider, :provider_uid])
+    |> validate_email(opts)
+    |> validate_inclusion(:role, ["user", "admin"])
+    |> validate_inclusion(:status, ["active", "disabled"])
+    |> unique_constraint([:provider, :provider_uid])
+  end
+
+  @doc """
+  Returns true if the user was created via OIDC.
+  """
+  def oidc_user?(%__MODULE__{provider: provider}) when not is_nil(provider), do: true
+  def oidc_user?(_), do: false
 end

lib/fuzzy_catalog_web/controllers/oidc_controller.ex

@@ -0,0 +1,211 @@
+defmodule FuzzyCatalogWeb.OIDCController do
+  use FuzzyCatalogWeb, :controller
+  require Logger
+
+  alias FuzzyCatalog.Accounts
+  alias FuzzyCatalog.Accounts.User
+  alias FuzzyCatalogWeb.UserAuth
+
+  def authorize(conn, _params) do
+    config = Application.get_env(:fuzzy_catalog, :oidc)
+    
+    Logger.info("OIDC authorize initiated with config: #{inspect(config, pretty: true)}")
+    
+    case Assent.Strategy.OIDC.authorize_url(config) do
+      {:ok, %{url: url, session_params: session_params}} ->
+        Logger.info("OIDC authorize successful, redirecting to: #{url}")
+        Logger.info("Session params to store: #{inspect(session_params, pretty: true)}")
+        
+        conn
+        |> put_session(:oidc_state, session_params["state"])
+        |> put_session(:oidc_nonce, session_params["nonce"])
+        |> put_session(:oidc_session_params, session_params)  # Store full session params as backup
+        |> redirect(external: url)
+
+      {:error, error} ->
+        Logger.error("OIDC authorize failed: #{inspect(error, pretty: true)}")
+        conn
+        |> put_flash(:error, "Authentication service is currently unavailable. Please try again later or contact support.")
+        |> redirect(to: ~p"/users/log-in")
+    end
+  end
+
+  def callback(conn, params) do
+    config = Application.get_env(:fuzzy_catalog, :oidc)
+    
+    # Try to get session params from different sources
+    state = get_session(conn, :oidc_state)
+    nonce = get_session(conn, :oidc_nonce)
+    stored_session_params = get_session(conn, :oidc_session_params)
+    
+    Logger.info("OIDC callback received with params: #{inspect(Map.drop(params, ["code"]), pretty: true)}")
+    Logger.info("Retrieved session state: #{inspect(state)}")
+    Logger.info("Retrieved session nonce: #{inspect(nonce)}")
+    Logger.info("Stored session params: #{inspect(stored_session_params, pretty: true)}")
+    
+    # Use stored session params if individual values are missing, or fallback to params
+    session_params = cond do
+      state && nonce ->
+        %{
+          "state" => state,
+          "nonce" => nonce
+        }
+      stored_session_params ->
+        # Convert atom keys to string keys if needed
+        stored_session_params
+        |> Enum.map(fn 
+          {k, v} when is_atom(k) -> {Atom.to_string(k), v}
+          {k, v} -> {k, v}
+        end)
+        |> Enum.into(%{})
+      params["state"] ->
+        # Fallback: use state from callback params if session is lost
+        Logger.warning("Using state from callback params as fallback - session may have been lost")
+        %{
+          "state" => params["state"],
+          "nonce" => nil
+        }
+      true ->
+        %{}
+    end
+    
+    Logger.info("Final session params for callback: #{inspect(session_params, pretty: true)}")
+    
+    # Check if we have required state parameter
+    state_value = session_params["state"]
+    if is_nil(state_value) do
+      Logger.error("OIDC callback missing state parameter - possible session issue")
+      conn
+      |> put_flash(:error, "Authentication session expired. Please try signing in again.")
+      |> redirect(to: ~p"/users/log-in")
+    else
+      # Convert session_params to atom keys for Assent compatibility
+      session_params_atoms = session_params
+      |> Enum.map(fn 
+        {"state", v} -> {:state, v}
+        {"nonce", v} -> {:nonce, v}
+        {k, v} -> {String.to_atom(k), v}
+      end)
+      |> Enum.into(%{})
+      
+      # Merge session_params into config for Assent
+      config_with_session = Keyword.put(config, :session_params, session_params_atoms)
+      Logger.info("Config with session params (atom keys): #{inspect(config_with_session, pretty: true)}")
+      
+      case Assent.Strategy.OIDC.callback(config_with_session, params) do
+        {:ok, %{user: user_info, token: token}} ->
+          Logger.info("OIDC callback successful for user: #{inspect(user_info["email"])}")
+          handle_successful_auth(conn, user_info, token)
+
+        {:error, error} ->
+          Logger.error("OIDC callback failed: #{inspect(error, pretty: true)}")
+          
+          error_message = case error do
+            %Assent.MissingConfigError{key: :session_params} ->
+              "Authentication session expired. Please try signing in again."
+            %{error: "invalid_grant"} -> 
+              "Authentication expired or invalid. Please try signing in again."
+            %{error: "access_denied"} -> 
+              "Access was denied. Please try again or contact support."
+            %{error: error_type} when is_binary(error_type) -> 
+              "Authentication failed: #{String.replace(error_type, "_", " ")}. Please try again."
+            _ -> 
+              "Authentication failed. Please try again or contact support if the problem persists."
+          end
+          
+          conn
+          |> put_flash(:error, error_message)
+          |> redirect(to: ~p"/users/log-in")
+      end
+    end
+  end
+
+  defp handle_successful_auth(conn, user_info, token) do
+    email = user_info["email"]
+    provider_uid = user_info["sub"]
+    provider = "oidc"
+    
+    Logger.info("Handling successful OIDC auth for email: #{email}, provider_uid: #{provider_uid}")
+    
+    case find_or_create_user(email, provider, provider_uid, token) do
+      {:ok, user} ->
+        Logger.info("OIDC user login successful for user ID: #{user.id}")
+        conn
+        |> delete_session(:oidc_state)
+        |> delete_session(:oidc_nonce)
+        |> delete_session(:oidc_session_params)
+        |> UserAuth.log_in_user(user)
+
+      {:error, :email_taken} ->
+        Logger.warning("OIDC login blocked - email #{email} already exists with different provider")
+        conn
+        |> put_flash(:error, "An account with this email already exists. Please log in with your existing account.")
+        |> redirect(to: ~p"/users/log-in")
+
+      {:error, changeset} ->
+        Logger.error("OIDC user creation failed: #{inspect(changeset.errors, pretty: true)}")
+        conn
+        |> put_flash(:error, "Failed to create your account. Please try again or contact support.")
+        |> redirect(to: ~p"/users/log-in")
+    end
+  end
+
+  defp find_or_create_user(email, provider, provider_uid, token) do
+    Logger.debug("Finding or creating user for email: #{email}, provider: #{provider}, provider_uid: #{provider_uid}")
+    
+    case Accounts.get_user_by_provider(provider, provider_uid) do
+      %User{} = user ->
+        Logger.debug("Found existing OIDC user: #{user.id}")
+        {:ok, user}
+
+      nil ->
+        Logger.debug("No existing OIDC user found, checking for email conflicts")
+        case Accounts.get_user_by_email(email) do
+          %User{provider: nil} ->
+            Logger.debug("Email exists with local account, blocking OIDC registration")
+            {:error, :email_taken}
+
+          %User{} = user ->
+            Logger.debug("Email exists with OIDC account, using existing user: #{user.id}")
+            {:ok, user}
+
+          nil ->
+            Logger.debug("Creating new OIDC user")
+            create_oidc_user(email, provider, provider_uid, token)
+        end
+    end
+  end
+
+  defp create_oidc_user(email, provider, provider_uid, token) do
+    # Check if this is the first user (should be admin)
+    is_first_user = Accounts.first_user?()
+    role = if is_first_user, do: "admin", else: "user"
+    
+    Logger.info("Creating OIDC user - first user: #{is_first_user}, role: #{role}")
+    
+    attrs = %{
+      email: email,
+      provider: provider,
+      provider_uid: provider_uid,
+      provider_token: token["access_token"],
+      role: role,
+      status: "active",
+      confirmed_at: DateTime.utc_now(:second)
+    }
+
+    Logger.debug("Creating OIDC user with attrs: #{inspect(Map.drop(attrs, [:provider_token]), pretty: true)}")
+
+    result = %User{}
+    |> User.oidc_registration_changeset(attrs)
+    |> Accounts.create_user_from_changeset()
+
+    case result do
+      {:ok, user} ->
+        Logger.info("Successfully created OIDC user: #{user.id}")
+        {:ok, user}
+      {:error, changeset} ->
+        Logger.error("Failed to create OIDC user: #{inspect(changeset.errors, pretty: true)}")
+        {:error, changeset}
+    end
+  end
+end

lib/fuzzy_catalog_web/controllers/user_session_html.ex

@@ -6,4 +6,9 @@ defmodule FuzzyCatalogWeb.UserSessionHTML do
   defp local_mail_adapter? do
     Application.get_env(:fuzzy_catalog, FuzzyCatalog.Mailer)[:adapter] == Swoosh.Adapters.Local
   end
+
+  defp oidc_enabled? do
+    config = Application.get_env(:fuzzy_catalog, :oidc, [])
+    config[:client_id] && config[:client_secret] && config[:base_url]
+  end
 end

lib/fuzzy_catalog_web/controllers/user_session_html/new.html.heex

@@ -70,5 +70,16 @@
         Log in only this time
       </.button>
     </.form>
+
+    <%= if oidc_enabled?() do %>
+      <div class="divider">or</div>
+      
+      <.link
+        href={~p"/auth/oidc"}
+        class="btn btn-primary btn-outline w-full"
+      >
+        Sign in with OIDC <span aria-hidden="true">→</span>
+      </.link>
+    <% end %>
   </div>
 </Layouts.app>