From 9a77d1747a915c9bdf71cf35b164d02b123359f4 Mon Sep 17 00:00:00 2001 From: Magnus Hagander Date: Mon, 28 Aug 2017 16:28:03 +0200 Subject: [PATCH] Implement support for Oauth2 based login integrations This creates Google, Github, Microsoft and Facebook login integrations. Other providers can also be added if needed. Accounts still need to be created in the community auth system, and will be automatically created on first login, when the user also gets to pick a username. Once an account exists, it will be matched on email address from the external systems. No methods are enabled by default, as they all require encryption keys and identities configured in local_settings.py. Review by Stephen Frost, Jonathan Katz and Daniel Gustafsson. --- media/img/misc/btn_login_facebook.png | Bin 0 -> 2315 bytes media/img/misc/btn_login_github.png | Bin 0 -> 2605 bytes media/img/misc/btn_login_google.png | Bin 0 -> 2417 bytes media/img/misc/btn_login_microsoft.png | Bin 0 -> 2243 bytes pgweb/account/forms.py | 40 ++++-- pgweb/account/oauthclient.py | 168 +++++++++++++++++++++++++ pgweb/account/urls.py | 9 +- pgweb/account/views.py | 109 +++++++++++++++- pgweb/settings.py | 1 + requirements.txt | 1 + templates/account/login.html | 21 +++- templates/account/signup_oauth.html | 23 ++++ templates/account/userprofileform.html | 7 +- 13 files changed, 362 insertions(+), 17 deletions(-) create mode 100644 media/img/misc/btn_login_facebook.png create mode 100644 media/img/misc/btn_login_github.png create mode 100644 media/img/misc/btn_login_google.png create mode 100644 media/img/misc/btn_login_microsoft.png create mode 100644 pgweb/account/oauthclient.py create mode 100644 templates/account/signup_oauth.html diff --git a/media/img/misc/btn_login_facebook.png b/media/img/misc/btn_login_facebook.png new file mode 100644 index 0000000000000000000000000000000000000000..df97a7039f326e1c0c51ce75924cdab8097c344d GIT binary patch literal 2315 zcmV+m3H0`fP)w+f;MQl|>1kn|=S_?!Jl!6oiqoAlL zMZ6HY77uPoKtckU{xLY~q6E;;+U@WA;g89W_jxn(hWF#Wmzkm9IF1m?mKMdtr`|7r zByW0-007{1FfMz<(D%IE>?k;npUb`W#kxH@x)_ztpirn<-&u>iiiP!qMhD=}4#(B% zHl?anPDcpECZy^xF&do-?E(PMfI^|tbeM>Os0g95ipMmXE;I@NpeLv_1{ERH)ZBt7 z6le|rKo7?qRA>bNK(7ZK&;$U0-lF$@ltNkPFyqsYrw%qYq|>QNWm``Et#u*aK~n+% ziK9z90vFj>Odvn9m<$1*3+)I1OjWvMIepB_Spxt7BaWUVjm-4|Jdhp~J;ZOz1^MMA8(Ss^XF6R|(F zu0f6vD$a@+Kg<6u>(@#pUDeZ*%8RoiUJYvHkbZ{~1mF!5M_&uu;QFw#cCk-nZJkUc zz}y#DMr>T{zILCsdY86316faOxR+Nz>>qLr0KDso!_V7JkIz8}4H;-i2Db&c5F7bd z@1D&r(#p|H{a|=N@X@Ab1wyE*wlO^Vlt_TR%gr~)$N>I^z+X_0zE!a{A8&6n+1_UI z%iWlW*xO7t)aPsKXv+Uny>y`!i^(89s?~T+ovhO!pU-1Q276ph4@-+*Z#rq@l{29f z3WY|c<|J(vPaK|nz`yWp*r`JSrjtf?HB;!eut)N}gZ0sRdH#aR(V4sB~!Pnj?*<=~gsfBZW2@OtsY;k`QdQNsqrMJ$)5Y%53& ziQo0bm{G<=T#v_z3h}&hCNweTpJb5D(hc%;%1PRse>x<{*NIO5?-cT*567h+-B6Gk zvTyrRePPG-;;?nM`Y*^y+MJubCG@L*@VG3^aT1Hk*c(5&)Fowkl< zL)bAh@#s9s*0_k}9t$k{y)GsBdD)fTtF&_7;=L|*k)xR|gO1~PyIPHLSdMeWJ{u2x z=n!};MH=Yi*wtRTEnL?iFDj`p6OTp+%``PpsoE_}O%OsBrY1LT{X(p{AcW?*hZ9qe zpz!YzLI}ql=ZaSa9-M9;cvO-X=rg~o<%5@h$oLk2=ae4{KXTq;<-ApT<<9nX3p>tt zx!t|;Cl*edq7yQMe4U8k+GVyibuxR8a4Y96HFYv?*I8t$wKgB`=Cjw@Wm`?1Z0)j7 zi1=#vIgRq?^W49-T@w1V`q>)Kxtiky0iSbV$MTC;?;bp!4P6DiyNRRhm#0q4b}m^H zdExTyX_H5#C44n|X6M^RW=t7%;`Ak%yyel;`hD>kloyZZ>FChDiA}3~Qs1gMzo;qizdl<`tWZO%Os>GsdQ7U9*}o79nJAYH}{GxXW1|o%U^PTIG{^MXO4Ze%W|{ zsH-)Omw(8(%ZgoTS=U;XZO>a;;}dfS8+S~C%%;A7Bss4|q0GKm;<92F5u9Zc$?p29t`NvbF&`-ddtZ{to8bWLw+PPx#gkfX{=%Zu0UH0g9*`xTx+?mr%Hmr8c z$hq0+-=Iw1@tU&ohgC2Cs;Z{rjuMrsol5QId0)+ivn~|-c+TN*S%04}%)ui(ga~vUb=$n-ohxxR+0XhkI!^H7Nx&Ctno89?E zA+n|xp&pm$qJ6hESyLyw`{40Px7oMu{#sivzjg1|6>c{7E1r_6LF=MJmmN*c3*MdF z(AccYpy!|NNY)LF&H6&D>VNODtEzqGvSOF4spZvr`swp4pVSjcp}wJsJRLnghxi6v zUx1M-M_t7cLaPH0_U|VQ4_y5D+Ng?$)zDRdmZvIOv^UuEbLW{tJuZz()fZx}j%K;} zrJc$Y-gw}($ePPx8ub@?y_nngh0NUI`Jb5P7L+1{atli5+fK{OyV|bf|>-juZ)Zq-xanhNet{?s(XU{ed zT?QR`3m{Q&93LTG+{2d%zu6i`-@U9@B)}wb{uWM~;6eiM*Bx>6M8fV>&UVw7x;jEV zuFJgXg*VFJDgy93`}2)IL-t74uX6D7wo|mKt`wDRk30!i5dcUW-MIVUG4b>Y005>c z0D%9~5l2*f27EII0O(!fxK>;aO$GpfsR{t#jS>f!!@_Yjv;_d5CvaR%MF@Y~ol0gnviC?bPMiv7<&5(q4!>${%k^Ljqdct7vw6KZ0l&CJBZ1c5-9b#*jMArKlT@cj=16g<7| zs=I<0^pU={2ITC|l}gTv1rkON9V>4L$&(<+;N=YsM%dfP)`%<^(R1y?=$IU^kZN<<_&)xiWT@7hUe z*ug~5oQ8ce$2bp~&Yz+YvSv&rmQiQBN5Y2g0qe-6?UKD=?{4It zStdNp)WSmB(^Jx-z_!u7T!_H>XyZIRJv%qIu9g<`YAoYmk`#ucc(h||zD8wh7ryZ9F>FCP33u)LYeDM^0Cs`Zas ziBk+jg22j_3dH*vXbXB~C~be1F{X~d7=HP7Ou*h+Z(m>Cs|#FCuCB2tPPLF9EIl(b zGu4|-yom-^rFjg?cYtdHgM)?GDdp4SE#n*;L4w~oWna$@k_u_E$~QJDYFb9VUPWD< zjh%h8)Rl{okD^2z!=IhViHL}pSy<3+?2cold{zc%#HxST zU6GQCrKM*vv9amoLImwQIKn z_ir8?9CRe#-U{8?$x@=V!Kxj9*d7xeaw$#hbo5PVDxV6{S68QXaB$Gj((0R-2(O>H zQ!ut1^x;h1D<^554o9hL=DE`|^>1h-{J`e;<4yXcq$JBc^KdPp zoSYoDpVdh|lp&h0c0XRye5rV0aJ0Fta=0w?6T}mg#mT|Z@J1j=$Iy_OSI)h`rId}0 zt!}pQZEI`m!|}2w0|NteN@&3b2z0rjL8B>BV7=GndlgIB7$#AU<#gp{(e?XAkpmtWZ zK}g6Y0cHEc?O&j3pFe*dsl}@RqvW7>OWmZsZ)-hi>Tcs@dE-aacr3o^CO^K@{?=U- zN)KSBva*suAhblo3AHo|;^J-Oz{724QnUQHn`|U(biOr~)^?-1T4{E67JlP~sEP_{ zV8E>D9pCueuIo_l%rF`+A|u0DJZb>2TK}3^{Vs=sqGB&)2Z1UHk+3e?Sou;w9kf7i zb}6oJTe0AG$=*vWTsLfmWo2Q{M~g9YUX_V5t}uwFr{{xjxYmqF{6bsYTK=2k z7$e&Mmx%0>v4$8CeXu)bb*vN_FNr{OtUs+GFC4)~lutLbL5e{kgaEREGb!Wc*sURJ zZ0rBy@!wwVU30)U%lJ+PUHQhBZ&TH@GWf-+>R*Yau9Ue(F7(HWii+l$XHuB1kLl?z zL3^RBt;Mci-%S+O%j&;tX{qDtdTn)e74#8147PaB>UgxgtSr8wLLRc%mC_!{E}E$5 zdmU2j*g5-qwD{SczH{lHIt~q)CmUf%4)-}S#|f4v%taSqh~?c4%7rZRd#0u@2VELx zJWNoiF-lSx;Fo}&ojPJ|>`Ek$OdENkw^z~*I}Lg&BR4mknO8O{Hg=BRb2d-OrW*o) zRrSPsYteA8sC_{#Z}-H=551R{mnQ;XJUwmq$?!wd5((c`;@r=`!g3V|$Hq`3DrGFL z-@?ioh5B})vn%%v@jR?JA&*1Ed721&OXT@_x$#KzY5W$JSy z{iR(>-$zBUnwpyKpB}A~-SIPZ=i?=;U)vUlN=yIe&>oL0)l&)BMSw;h7#^lIL8Fbm zyu2bOc|mEEj(!*OzvvcNSXgLiZjL1qjWjgqP@+v_MM;5m|B2m$BM={pieiufyQ#wz zF*tnV+X)dF0Jvm&`bV%m2D7!0fL1QmE6B^!{4(fIxBRgF_09-6nnddEN>RM+F@2|& z>WalSyUAvl=CpKmeFA{&Rz3ix&Do7mYD!CM)0qA>Mrk5AN?xGnEfI=)(cOl{{sQn<__i~Ski=}3`0`SJekW6)*G zIEA3I6W@za+Jb5-)86{jp7Q_!j9yvN;;fUqyCaxye_w=_VW-wk3v!#WlR+EPs^v@8 z+0ZQVl=1RLvaZS&2iT(0$rNgZ(b85Ec5d|BYr&t3v*GWVe|9$VDeV_ zt`nR60l6EioHT&rM)v2=JUxZoY7BxB%c_TQQLqwLHC$u_HLFmKK~h8aIZQ1ijVE=- z9~qXeW5^)bz?ueU@+b4}04yxLB!b8U!PqxQmjBDg-(SHfi#?%TM8X+N{x%6rLi?-! zU&2TvUtBs|&&GzYv9a+1*?(|7bP}8~=(IdMZbnB(+uPgQ-AdXQ;IgI$e{I1vfm0kr NSJOx%U(N32{{WYR3yuH) literal 0 HcmV?d00001 diff --git a/media/img/misc/btn_login_google.png b/media/img/misc/btn_login_google.png new file mode 100644 index 0000000000000000000000000000000000000000..68618ffceaa25f886431755079f4a8a073a39732 GIT binary patch literal 2417 zcmV-%36A!OP)?!n60(zo z009gb6ziP99jpah#-puH-P*dMGK!ul)p{HqYtLz=<96B^wQB1wEgmgk6&H$IPp2pf zI989&wA#^85fo%iLbeyOyq7nB1X2h|z!J0`f1i^-lI!L7e);CU@4NTDd!HD~vh|lQ z-pk20R+Q6b69NDL@CGRoOVoYh=B0-xjmBy(7Tw5PspN6RBtc+Uzz=rIK*a|OL399k z-eFkQL^E|(`_K(riK$#B#H^QcNW2GJ10mF4bA<7@AUXg%@8B55BXACm)m1&hO%E%? zBnhGb0MHdgBw>13fzy;3$3P7L0J;Q$VKimNK?nc-5&!@I#sL68kMji6qJ&gV zhJ|C?AV%NhsHsLy2IK<(Fb?lvT&`r&bn)1U+}?fMg-)}{a<#PS$U(>BM<5~qfN`{g z7e6@sy>&!LsOJbrBo>XGC>rys?yD?){vps20A48k&2b1*#zt=ZyrXNh`D;QlVJab& zfsOzGJr0Br;>Pw1Tak%c*M>1oTI1Q1*8lzNq|BUN(UNhKcmswwYN~2JSjOm^0^?yK zv3$Wh!h|G37UHx}mg`rvUwqE!bqJx@)0ZDiO6q3(fCTXsr;EWczCilcTv5tcGCYE9 zw%97m^~Z9WZ~PG0A2m?l6aaj-R*={wytNJEp01^$4|0c zyX-o#{m}KjDiQ0p+H0x|C-P{WhLFmo)8_@n#?`#Pm%J*r#rOQNtuK% zj|{AF0Kl`E;}9kP!TnydYtz%Y^XjOol+H}Uc>I>nPA8+&xG$kC>53)Fk2b4M7OVCj z}Hg%Ubt9CUp4+F*#>?=ba5(wH6nN{g-=Jqy5N8v2=Az?iqFd_ll*f5o}5V zdek_0@q=A&><{kRE6dydQ&8XjUSC{wTsKo`_;kG>A*pxXxrmQ2H{;uu* zorm)$*Jdsco;nlbauLfSCqoED;@2kEZCG77`&C0>zGBIHJ`dAbWk#>F{`V(gLJ~qq zI6MW>v|xBLLP#(?*?Rk?duUdbF$W>^U{X@!wv7lO#Ilmtrqr%mRWWP4q2P#Osh0#u zWhCSGi6`>3x1A-XSjvv)C?2859DyHkpcm43f;CzZ`*=LLyL#%~LRuZ%LC zKPMb9+FW!_n3znJUho~0)E?N$Xf^&4U=fDltVa(BA(sImgoGnT*1W&OX*MB*45yDp zZOLlss`x1PsYaVVPWAEyPLmNKWH^-{wPk-(ZWc6ppr?!jBZ!u!&d^NOUyRFUgBB0;pm8uwT2dK>5aLAi>S`n>(|y-yi}mLpalXJaG0H?pWv)|{ z6B*q@qA)s*t>V6H?qb`$+f0+zcJH<3tz|)!Iu-?7hGTG5T-Zf3=rs9n;ZC|$5nvR<4 zZlRK7b~V0_af*x;L4EtPHf!^b*ERdL25P6w^9ZN` zJgXjuKjT0M1y7z4vS^u~6^FJvx9UFmkZHYH_%w$q002BIKMHXejCAzO|Uet$nb^m3p*p-em5kj@c!9-7uO7|!R9YH!fgiw@TX=1XCYVk1;3=*8dyTL;q@ETURRckg2tyL{ z#&Qz}uzkAI%~j(EAf6+uXKM47n@ZR7=hm3Bl64k+r~wt({Jr~+iIZr4ZpV2=Hb49c zCT!!t1Xa_%v1;M%)6GcjdO5x*lgBFoxmV%1Uu6AOFNiRElXGCIeR@`Xy+_&b`_Pou z#3lB7_a74{&Ha2d|ITLI3L^aMX?57f8AH_pDaI|leYU)0$oQ9MNSggFx`SY;(jj=Z z7xT&|F1KF+fEuT~cCW{x@6h*XdUm1jOr$BGDd@pdm3BF}rK^GBSi;cvtqTSXb^aUi z?z)3u#?c}8x<;Bmj?=KAkFo+c8sxAX-l!oT%+(iX@`uw*BYHE189X6CQ*bujJp2hJ zC&gHl$sbHLj_A!qt0vksw&=;lEdEg=6+B#VCU4Y`;6+}xp10^p(9gkCV|No(kC>-a-UO)X0j08mkI@PhEWQC!oOv#ars>#}4>Ap-i=dU(rCF=}asH~effIXaMD$eBhr5K0) zIP}NR(wJ32MK<3>Pb#wciflftI|$Nggd^o2uIKx*`D^%(7Z~P^f#{xi7Kc?WSSnE=PW|K1OgT=+t&)fi@C@^c7`lSyWo?d4E_@pmd15R8NM)zTY zgGa0ilKQbH%7m6?snfLO)#C6K_DzSp=`%yZq*aqCgVl51cMe)=2Y^>5X`EhpQbyei zYwN1(nj ze)h)tyo-U6y_q9#m?jTm!)!+PVLmsOn`xrL2MeHj3F;VE{{`Nr}6SpXQ*kIgM=Y|Uqm*XEG@0oZxYZ?#a-Wb06oFyk3D z08AgEK3XEkN(8g#`m%pJ>GKM3v_zQkPJM7A$HKcuyw!EGC<6eDdy3t5+VAu!Zojha zv_GhB08s0a$MRF@nTwj3ax$H==22rRZ%`zWO%Mio1fVfqQIFS(Q{) z<=c9~H}*+(#SHC%3%C3so3vDeS7|D3ntye@K2+BPB%s>59n`w<;UeMH$r=Mkp7{wg zIkRqms>#5SVZE4@yF9JZE>5EAAX_xw!H!7cSjA*YNMJ1AET<>%EFuOJgf@bRa`j$3FON1$d)t~44X^PBwF79YaC{{Zb$A6UPJ5nrE+9jH5 z!#F10K``UEpS-olJupF)lVU2$&c7%XYz`^!q7cm>YoDiQSNh9z^TG+5 zWjiA4%f?)9Vt3W?H_b=VOz|3OV{WLx+>q;C{G#SU2LJYK-J3V}jbk)Br4DdSg zn~_}pl>nYa1nCfC937eTf4Z0dT$egc>klYrF9+7_#z_YVg2K@j<<(O1yG}f92-4w% zWBE?Em8TOdw6(>P^$3C>k%ePN{w?z(c^$D@Xe&>bRf)WgGHQvH$5lBH1cjqj>~6*G z77MP50C4%b@5AFhxVd^@Fe_=kdLRZAK~OlN;%QXMtEKYlTc!#zG%)yNHiA3^PLog in +

Sign in

{%if sitename%} The website you are trying to log in to ({{sitename}}) is using the @@ -15,7 +15,14 @@ Please log in to your community account to reach this area.

If you do not already have an account, -you may sign up for one now. If you have one but have lost your +you can either create +a dedicated account, or use one of the third party sign-in systems below. +

+ +

Community account sign-in

+

+If you have a postgresql.org community account with a password, please +use the form below to sign in. If you have one but have lost your password, you can use the password reset form.

@@ -34,10 +41,18 @@ password, you can use the password reset form.
- +
+{%if oauth_providers%} +

Third party sign in

+{%for p,d in oauth_providers%} +

Sign in with {{p|capfirst}}

+{%endfor%} +{%endif%} + + diff --git a/templates/account/signup_oauth.html b/templates/account/signup_oauth.html new file mode 100644 index 00000000..c8b21363 --- /dev/null +++ b/templates/account/signup_oauth.html @@ -0,0 +1,23 @@ +{%extends "base/form.html"%} +{%block pre_form_header%} +

+ We find no account associated with your email address {{email}}. +

+ +

+ If your account is under a different name, please + cancel this sign-in and sign in with the + appropriate account instead. +

+ +

+ If you wish to sign up for a new account, please select a username + and verify the other details: +

+{% endblock %} + +{%block post_form%} +

+ +

+{%endblock%} diff --git a/templates/account/userprofileform.html b/templates/account/userprofileform.html index 51dd5668..d1e77f3d 100644 --- a/templates/account/userprofileform.html +++ b/templates/account/userprofileform.html @@ -16,7 +16,12 @@ Email - {{user.email}} (change) + {{user.email}} {%if can_change_email%}(change){%else%} +

+The email address of this account cannot be changed, because the account does +not have a local password, most likely because it's connected to a third +party system (such as Google or Facebook). +{%endif%} {%for field in userform%} {%if field.errors %} -- 2.39.5