Implement logging in via external identity providers

[thepaperpilot]

Description

Implements #2930. I believe #489 is a duplicate of that issue, and would also be considered implemented by this. Note that this does NOT make lemmy itself an identity provider, and thus does NOT implement #1368.

External auth methods can be added via the admin settings, and then buttons are shown on the login page to use those auth methods instead of "basic" auth (username + password). The implementation supports both OAuth or OIDC auth methods, and can register non-existent users as well (if a new setting is explicitly turned on).

Other frontends that wish to support these external auth methods can use the changes in lemmy-ui as a reference. They'll need to show the buttons to go to the authorization URL with the appropriate redirect URI, and then implement the endpoint at that URI that takes the auth cookie and navigates to the redirect URI param it was passed. Optionally, frontends can also implement the new admin settings.

Future Work

Most of these are not implemented because my understanding is lemmy-ui is getting replaced soon-ish anyways and these are tasks that would take awhile to implement which is probably not worth it imo.

• Make frontends have convenient presets for common identity providers (like Google, Github, Discord, etc.) that hides the well-known fields (i.e. just show client ID and secret).
• PKCE support (more secure version of OAuth)
• If auto-registration is disabled, bring non-existent users to modified version of the signup page where the email is pre-filled and readonly, and the password field is hidden
• Improve error handling/messaging (for example if an external auth method fails to save due to a non-unique client ID)

Related PRs

• lemmy
• lemmy-ui
• lemmy-js-client

Screenshots

[thepaperpilot]

Woodpecker is failing but it works for me locally. I'm not totally sure how to handle the error it's giving. Could one of the reviewers help me out?

[Nutomic]

CI seems to fail because there is a mismatch between the sql schema and the db struct defined in crates/db_schema/src/source/external_auth.rs. Try running diesel migration redo to get the exact db state defined in your migration, if that doesnt help wipe the db first.

Anyway we are currently busy preparing for the Lemmy 0.19 release, so this will have to wait a while for review.

[Nutomic]

This view seems totally pointless if it only has one field. Why not move the methods into crates/db_schema?

[Nutomic]

Looks like the password field should be nullable/optional then.

[Nutomic]

Why not use ? for error handling? You can customize the response headers based on the error type in crates/utils/src/error.rs. Or make a helper function and use .map_err(). In any case you shouldnt repeat the same error handling over and over, this isnt Go :P

[dessalines]

We'll be able to look at this in greater detail after the new year. The failing lint means you need to run cargo +nightly fmt

[thepaperpilot]

Thanks! I plan on also addressing the rest of nutomic's feedback, just haven't been rushing since it's way too late to get into this release.

Would it make sense to add that cargo command as a pre commit step?

[dessalines]

Cool, no rush.

Would it make sense to add that cargo command as a pre commit step?

We used to use Cargo husky to do that (both fmt and clippy), but stopped using it because

• It couldn't run on nightly
• Sometimes takes a long time to run clippy
• It requires you to run cargo test locally to set up the hooks, which a lot of ppl starting new PRs don't do.

So now we just let CI tell you the errors. You can set up your own git pre-commit hook tho.

[Nutomic]

Dont do this, it will slow down compilation. Instead move anything that you need from api_crud into api_common.

[Nutomic]

Can you add comments what all these fields mean? Or a link to documentation?

[Nutomic]

You can remove this and rely on the trait impl for delete.

[Nutomic]

Outdated, feel free to reopen when you work on it again.