Add Okta authentication and a home page

CruGlobal · Jan 7, 2025 · 817c4d3 · 817c4d3
1 parent 7ff719c
commit 817c4d3
Show file tree

Hide file tree

Showing 9 changed files with 114 additions and 2 deletions.
diff --git a/.env b/.env
@@ -4,6 +4,8 @@ SESSION_SECRET=fake
 OKTA_ISSUER="https://signon.okta.com/oauth2/default"
 OKTA_CLIENT_ID=fake
 OKTA_CLIENT_SECRET=fake
+OKTA_REDIRECT_URI=http://localhost:3000/auth/oktaoauth/callback
+OKTA_AUTH_SERVER_ID=
 OKTA_GROUP_ID=fake
 OKTA_GROUP_NAME=fake
 APP_BASE_URL="https://localhost:3000"

diff --git a/app/assets/stylesheets/application.css b/app/assets/stylesheets/application.css
@@ -8,3 +8,27 @@
  *
  * Consider organizing styles into separate files for maintainability.
  */
+
+.beside {
+    display: inline-block;
+    vertical-align: middle;
+    margin-right: .8rem;
+}
+.big {
+    font-size: 1.2rem;
+}
+.btn {
+    background-color: #007bff;
+    color: #ffffff;
+    border: none;
+    margin: 0 auto;
+    display: block;
+    padding: 10px 20px;
+    cursor: pointer;
+    text-decoration: none;
+}
+.btn-help {
+    background-color: lightgrey;
+    color: black;
+    padding: 5px 10px;
+}
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,4 +1,18 @@
 class ApplicationController < ActionController::Base
   # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
   allow_browser versions: :modern
+
+  before_action :authenticate_user
+
+  protected
+
+  def signed_in?
+    session[:id_token].present?
+  end
+
+  def authenticate_user
+    unless signed_in?
+      redirect_to new_session_path
+    end
+  end
 end
diff --git a/app/controllers/home_controller.rb b/app/controllers/home_controller.rb
@@ -0,0 +1,4 @@
+class HomeController < ApplicationController
+  def index
+  end
+end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -0,0 +1,38 @@
+class SessionsController < ApplicationController
+  skip_before_action :authenticate_user
+  def new
+    redirect_to root_path if signed_in?
+  end
+
+  def create
+    unless okta_signed_in?
+      redirect_to new_session_path,
+                  flash: {error: "Sorry, the okta login failed."}
+      return
+    end
+
+    session[:id_token] = omniauth.dig("extra", "id_token")
+    session[:omniauth_hash] = omniauth
+    redirect_to root_path
+  end
+
+  def destroy
+    id_token = session[:id_token]
+    session.clear
+    if id_token.present?
+      redirect_to "#{ENV.fetch("OKTA_ISSUER")}/v1/logout?id_token_hint=#{id_token}&post_logout_redirect_uri=#{request.base_url}", allow_other_host: true
+    else
+      redirect_to root_path
+    end
+  end
+
+  private
+
+  def okta_signed_in?
+    omniauth&.extra&.raw_info&.email.present?
+  end
+
+  def omniauth
+    @omniauth ||= request.env["omniauth.auth"]
+  end
+end
diff --git a/app/views/home/index.html.erb b/app/views/home/index.html.erb
@@ -0,0 +1 @@
+Placeholder for the home page.
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
   <head>
-    <title><%= content_for(:title) || "Fl Pos Admin" %></title>
+    <title><%= content_for(:title) || "Family Life POS Admin" %></title>
     <meta name="viewport" content="width=device-width,initial-scale=1">
     <meta name="apple-mobile-web-app-capable" content="yes">
     <meta name="mobile-web-app-capable" content="yes">
@@ -23,6 +23,16 @@
   </head>
 
   <body>
+    <div class="beside big"><%= "Welcome to the Family Life POS Admin Tool (#{Rails.env.upcase})"%></div>
+    <div class="beside"><%= link_to 'Logout', logout_path, class: "btn btn-help" %></div>
+    <br/>
+    <% flash.each do |type, msg| %>
+      <% msg.split("\n\n").compact_blank.each do |m| %>
+        <div class="alert alert-danger">
+          <%= m %>
+        </div>
+      <% end %>
+    <% end %>
     <%= yield %>
   </body>
 </html>
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
@@ -0,0 +1,15 @@
+<!-- because of https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284, we need to do a post to /auth/oktaoauth, so this page will do it seamlessly without being visible to the user -->
+<html>
+<head>
+  <script>
+    document.addEventListener('DOMContentLoaded', (event) => {
+      document.getElementById('auth_form').submit();
+    })
+  </script>
+</head>
+
+<body>
+<%= form_tag "/auth/oktaoauth", id: "auth_form" do %>
+<% end %>
+</body>
+</html>
diff --git a/config/routes.rb b/config/routes.rb
@@ -14,7 +14,11 @@
   # get "service-worker" => "rails/pwa#service_worker", as: :pwa_service_worker
 
   # Defines the root path route ("/")
-  # root "posts#index"
+  root "home#index"
+
+  match "/logout", to: "sessions#destroy", as: :logout, via: [:get, :post, :delete]
+  get "auth/:provider/callback", to: "sessions#create"
+  resource :session, only: %i[new create destroy]
 
   constraints ->(request) { user_constraint(request) } do
     mount Sidekiq::Web => "/sidekiq"