feat: added OAuth login#200
Conversation
9d0357e to
da04a22
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR implements OAuth (specifically OIDC) login functionality for the sun-ui application. It adds comprehensive support for authenticating users through an external OIDC provider (like Logto or My Nethesis) as an alternative to traditional username/password authentication.
Key Changes:
- Added OIDC client-side integration with login button and callback handling
- Implemented secure backend OIDC authentication flow with state validation and token exchange
- Added comprehensive error handling and internationalization support
Reviewed Changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| sun/sun-ui/src/styles/main.css | Added CSS styles for OIDC login UI components including buttons, separators, and responsive design |
| sun/sun-ui/src/services/login.js | Added OIDC login methods for initiating authentication and fetching provider configuration |
| sun/sun-ui/src/routes/router.js | Added login callback route handler for processing OIDC authentication responses |
| sun/sun-ui/src/i18n/locale-it.json | Added Italian translations for OIDC login messages and error states |
| sun/sun-ui/src/i18n/locale-en.json | Added English translations for OIDC login messages and error states |
| sun/sun-ui/src/App.vue | Updated login UI to include OIDC authentication option and error handling |
| sun/sun-api/methods/authentication.go | Implemented complete OIDC authentication backend with secure state management and token exchange |
| sun/sun-api/main.go | Added OIDC API endpoints to the router configuration |
| sun/sun-api/configuration/configuration.go | Added OIDC configuration structure for provider settings |
| go.mod | Added required OIDC and OAuth2 dependencies |
| deploy/ansible/roles/sun/templates/sun-api-conf.j2 | Added OIDC configuration template for deployment |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 11 out of 12 changed files in this pull request and generated 5 comments.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 11 out of 12 changed files in this pull request and generated 1 comment.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Fixes CVE-2025-22868 (golang.org/x/oauth2) and the go-jose CVEs pulled in by go-oidc v3.5.0. CI updated to Go 1.25 accordingly.
Login with My Nethesis now works at company level: users holding the Admin global role in a My reseller organization log in as the Icaro account linked through the new accounts.logto_org_id column (never matched by email). Super admins keep mapping to the Icaro admin. Flow hardening: state bound to the browser via HttpOnly cookie, nonce and PKCE S256 on the authorization request, capped state store, cached OIDC provider, crypto/rand session tokens, no error details leaked to clients, audit of the actual My user in the token description. First login of an unlinked reseller organization is verified against the My API and provisions the company account just in time (default subscription plan, org name/email), replacing the legacy My "Get credentials" action. scripts/ contains the one-time bootstrap that links existing accounts, with its runbook.
Units obtain a session token through the browser OIDC login without sharing an origin with the frontend: /auth/oidc/device/start creates a pairing (secret device_code held by the unit + public pair_id), the login flow carries ?pair= and the callback attaches the minted token to the pairing instead of redirecting to the SPA, rendering a themed result page with account, user and unit. The unit polls /auth/oidc/device/poll and receives the token exactly once; callback failures reach the poll instead of timing out. Pairing tokens record the unit name in the token description for auditing.
|
Added OIDC device pairing for NethSecurity units ( |
The login button uses the My Nethesis 'n mark (new static asset) with an outlined style matching the NethSecurity UI; the device pairing result page gets the Poppins font, a wider card and a cleaner details list (regular-weight copy, dividers only).
GET /api/userinfo returns aggregate stats for the company of the authenticated My user (hotspots, units, guests, devices, sessions, managers, SMS quota), plus a generic widget.items payload the My dashboard renders like the NethShop one. The caller sends the user's Logto ID token: it is verified against the same issuer as the OIDC login, the audience is checked against the configured My app id (userinfo_audience), and the company is resolved through the organization claims and logto_org_id, never by email. Every non-data case answers 200 with an empty widget so the dashboard never shows an error banner. CORS gains the Authorization header.
GetOIDCConfig now returns login_button separately from enabled, and the Sun login page keys the button off it. Setting show_login_button (env OIDC_SHOW_LOGIN_BUTTON) to false hides the button while the OIDC endpoints stay fully functional, so the flow remains reachable from the My dashboard but is not advertised on Sun during a soft launch. Defaults to shown.
The My dashboard widget calls /api/userinfo cross-origin from the browser with the user's Logto ID token. Give the endpoint its own CORS allowlist (the My origins, per environment) handled before the global Sun-frontend CORS: reflect the matched origin (never *), answer the OPTIONS preflight with 204, and keep the global middleware from rejecting those origins. Token verification is unchanged.
Reference: