SSO Support

crates/api/src/local_user/change_password.rs

@@ -28,11 +28,13 @@ pub async fn change_password(
   }
 
   // Check the old password
-  let valid: bool = verify(
-    &data.old_password,
-    &local_user_view.local_user.password_encrypted,
-  )
-  .unwrap_or(false);
+  let valid: bool = if let Some(password_encrypted) = &local_user_view.local_user.password_encrypted
+  {
+    verify(&data.old_password, password_encrypted).unwrap_or(false)
+  } else {
+    data.old_password.is_empty()
+  };
+
   if !valid {
     Err(LemmyErrorType::IncorrectLogin)?
   }

crates/api/src/local_user/login.rs

@@ -1,4 +1,4 @@
-use crate::{check_totp_2fa_valid, local_user::check_email_verified};
+use crate::check_totp_2fa_valid;
 use actix_web::{
   web::{Data, Json},
   HttpRequest,
@@ -8,12 +8,7 @@ use lemmy_api_common::{
   claims::Claims,
   context::LemmyContext,
   person::{Login, LoginResponse},
-  utils::check_user_valid,
-};
-use lemmy_db_schema::{
-  source::{local_site::LocalSite, registration_application::RegistrationApplication},
-  utils::DbPool,
-  RegistrationMode,
+  utils::{check_email_verified, check_registration_application, check_user_valid},
 };
 use lemmy_db_views::structs::{LocalUserView, SiteView};
 use lemmy_utils::error::{LemmyErrorType, LemmyResult};
@@ -34,11 +29,12 @@ pub async fn login(
       .ok_or(LemmyErrorType::IncorrectLogin)?;
 
   // Verify the password
-  let valid: bool = verify(
-    &data.password,
-    &local_user_view.local_user.password_encrypted,
-  )
-  .unwrap_or(false);
+  let valid: bool = local_user_view
+    .local_user
+    .password_encrypted
+    .as_ref()
+    .and_then(|password_encrypted| verify(&data.password, password_encrypted).ok())
+    .unwrap_or(false);
   if !valid {
     Err(LemmyErrorType::IncorrectLogin)?
   }
@@ -65,28 +61,3 @@ pub async fn login(
     registration_created: false,
   }))
 }
-
-async fn check_registration_application(
-  local_user_view: &LocalUserView,
-  local_site: &LocalSite,
-  pool: &mut DbPool<'_>,
-) -> LemmyResult<()> {
-  if (local_site.registration_mode == RegistrationMode::RequireApplication
-    || local_site.registration_mode == RegistrationMode::Closed)
-    && !local_user_view.local_user.accepted_application
-    && !local_user_view.local_user.admin
-  {
-    // Fetch the registration application. If no admin id is present its still pending. Otherwise it
-    // was processed (either accepted or denied).
-    let local_user_id = local_user_view.local_user.id;
-    let registration = RegistrationApplication::find_by_local_user_id(pool, local_user_id)
-      .await?
-      .ok_or(LemmyErrorType::CouldntFindRegistrationApplication)?;
-    if registration.admin_id.is_some() {
-      Err(LemmyErrorType::RegistrationDenied(registration.deny_reason))?
-    } else {
-      Err(LemmyErrorType::RegistrationApplicationIsPending)?
-    }
-  }
-  Ok(())
-}

crates/api/src/local_user/mod.rs

@@ -1,6 +1,3 @@
-use lemmy_db_views::structs::{LocalUserView, SiteView};
-use lemmy_utils::{error::LemmyResult, LemmyErrorType};
-
 pub mod add_admin;
 pub mod ban_person;
 pub mod block;
@@ -20,15 +17,3 @@ pub mod save_settings;
 pub mod update_totp;
 pub mod validate_auth;
 pub mod verify_email;
-
-/// Check if the user's email is verified if email verification is turned on
-/// However, skip checking verification if the user is an admin
-fn check_email_verified(local_user_view: &LocalUserView, site_view: &SiteView) -> LemmyResult<()> {
-  if !local_user_view.local_user.admin
-    && site_view.local_site.require_email_verification
-    && !local_user_view.local_user.email_verified
-  {
-    Err(LemmyErrorType::EmailNotVerified)?
-  }
-  Ok(())
-}

crates/api/src/local_user/reset_password.rs

@@ -1,9 +1,8 @@
-use crate::local_user::check_email_verified;
 use actix_web::web::{Data, Json};
 use lemmy_api_common::{
   context::LemmyContext,
   person::PasswordReset,
-  utils::send_password_reset_email,
+  utils::{check_email_verified, send_password_reset_email},
   SuccessResponse,
 };
 use lemmy_db_views::structs::{LocalUserView, SiteView};

crates/api/src/site/leave_admin.rs

@@ -7,6 +7,7 @@ use lemmy_db_schema::{
     local_site_url_blocklist::LocalSiteUrlBlocklist,
     local_user::{LocalUser, LocalUserUpdateForm},
     moderator::{ModAdd, ModAddForm},
+    oauth_provider::OAuthProvider,
     tagline::Tagline,
   },
   traits::Crud,
@@ -63,6 +64,7 @@ pub async fn leave_admin(
   let taglines = Tagline::get_all(&mut context.pool(), site_view.local_site.id).await?;
   let custom_emojis =
     CustomEmojiView::get_all(&mut context.pool(), site_view.local_site.id).await?;
+  let oauth_providers = OAuthProvider::get_all_public(&mut context.pool()).await?;
   let blocked_urls = LocalSiteUrlBlocklist::get_all(&mut context.pool()).await?;
 
   Ok(Json(GetSiteResponse {
@@ -74,6 +76,8 @@ pub async fn leave_admin(
     discussion_languages,
     taglines,
     custom_emojis,
+    oauth_providers: Some(oauth_providers),
+    admin_oauth_providers: None,
     blocked_urls,
   }))
 }

crates/api_common/src/lib.rs

@@ -7,6 +7,7 @@ pub mod community;
 #[cfg(feature = "full")]
 pub mod context;
 pub mod custom_emoji;
+pub mod oauth_provider;
 pub mod person;
 pub mod post;
 pub mod private_message;

crates/api_common/src/oauth_provider.rs

@@ -0,0 +1,69 @@
+use lemmy_db_schema::newtypes::OAuthProviderId;
+use serde::{Deserialize, Serialize};
+use serde_with::skip_serializing_none;
+#[cfg(feature = "full")]
+use ts_rs::TS;
+use url::Url;
+
+#[derive(Debug, Serialize, Deserialize, Clone)]
+#[cfg_attr(feature = "full", derive(TS))]
+#[cfg_attr(feature = "full", ts(export))]
+/// Create an external auth method.
+pub struct CreateOAuthProvider {
+  pub display_name: String,
+  pub issuer: String,
+  pub authorization_endpoint: String,
+  pub token_endpoint: String,
+  pub userinfo_endpoint: String,
+  pub id_claim: String,
+  pub client_id: String,
+  pub client_secret: String,
+  pub scopes: String,
+  pub auto_verify_email: bool,
+  pub account_linking_enabled: bool,
+  pub enabled: bool,
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone)]
+#[cfg_attr(feature = "full", derive(TS))]
+#[cfg_attr(feature = "full", ts(export))]
+/// Edit an external auth method.
+pub struct EditOAuthProvider {
+  pub id: OAuthProviderId,
+  pub display_name: Option<String>,
+  pub authorization_endpoint: Option<String>,
+  pub token_endpoint: Option<String>,
+  pub userinfo_endpoint: Option<String>,
+  pub id_claim: Option<String>,
+  pub client_secret: Option<String>,
+  pub scopes: Option<String>,
+  pub auto_verify_email: Option<bool>,
+  pub account_linking_enabled: Option<bool>,
+  pub enabled: Option<bool>,
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone, Default)]
+#[cfg_attr(feature = "full", derive(TS))]
+#[cfg_attr(feature = "full", ts(export))]
+/// Delete an external auth method.
+pub struct DeleteOAuthProvider {
+  pub id: OAuthProviderId,
+}
+
+#[skip_serializing_none]
+#[derive(Debug, Serialize, Deserialize, Clone)]
+#[cfg_attr(feature = "full", derive(TS))]
+#[cfg_attr(feature = "full", ts(export))]
+/// Logging in with an OAuth 2.0 authorization
+pub struct AuthenticateWithOauth {
+  pub code: String,
+  #[cfg_attr(feature = "full", ts(type = "string"))]
+  pub oauth_provider_id: OAuthProviderId,
+  #[cfg_attr(feature = "full", ts(type = "string"))]
+  pub redirect_uri: Url,
+  pub show_nsfw: Option<bool>,
+  /// Username is mandatory at registration time
+  pub username: Option<String>,
+  /// An answer is mandatory if require application is enabled on the server
+  pub answer: Option<String>,
+}

crates/api_common/src/request.rs

@@ -44,6 +44,7 @@ pub fn client_builder(settings: &Settings) -> ClientBuilder {
     .user_agent(user_agent.clone())
     .timeout(REQWEST_TIMEOUT)
     .connect_timeout(REQWEST_TIMEOUT)
+    .use_rustls_tls()
 }
 
 /// Fetches metadata for the given link and optionally generates thumbnail.

crates/api_common/src/site.rs

@@ -16,6 +16,7 @@ use lemmy_db_schema::{
     instance::Instance,
     language::Language,
     local_site_url_blocklist::LocalSiteUrlBlocklist,
+    oauth_provider::{OAuthProvider, PublicOAuthProvider},
     person::Person,
     tagline::Tagline,
   },
@@ -200,6 +201,7 @@ pub struct CreateSite {
   pub blocked_instances: Option<Vec<String>>,
   pub taglines: Option<Vec<String>>,
   pub registration_mode: Option<RegistrationMode>,
+  pub oauth_registration: Option<bool>,
   pub content_warning: Option<String>,
   pub default_post_listing_mode: Option<PostListingMode>,
 }
@@ -282,6 +284,8 @@ pub struct EditSite {
   /// A list of taglines shown at the top of the front page.
   pub taglines: Option<Vec<String>>,
   pub registration_mode: Option<RegistrationMode>,
+  /// Whether or not external auth methods can auto-register users.
+  pub oauth_registration: Option<bool>,
   /// Whether to email admins for new reports.
   pub reports_email_admins: Option<bool>,
   /// If present, nsfw content is visible by default. Should be displayed by frontends/clients
@@ -316,6 +320,9 @@ pub struct GetSiteResponse {
   pub taglines: Vec<Tagline>,
   /// A list of custom emojis your site supports.
   pub custom_emojis: Vec<CustomEmojiView>,
+  /// A list of external auth methods your site supports.
+  pub oauth_providers: Option<Vec<PublicOAuthProvider>>,
+  pub admin_oauth_providers: Option<Vec<OAuthProvider>>,
   pub blocked_urls: Vec<LocalSiteUrlBlocklist>,
 }
 

crates/api_common/src/utils.rs

@@ -23,18 +23,21 @@ use lemmy_db_schema::{
     local_site::LocalSite,
     local_site_rate_limit::LocalSiteRateLimit,
     local_site_url_blocklist::LocalSiteUrlBlocklist,
+    oauth_account::OAuthAccount,
     password_reset_request::PasswordResetRequest,
     person::{Person, PersonUpdateForm},
     person_block::PersonBlock,
     post::{Post, PostRead},
+    registration_application::RegistrationApplication,
     site::Site,
   },
   traits::Crud,
   utils::DbPool,
+  RegistrationMode,
 };
 use lemmy_db_views::{
   comment_view::CommentQuery,
-  structs::{LocalImageView, LocalUserView},
+  structs::{LocalImageView, LocalUserView, SiteView},
 };
 use lemmy_db_views_actor::structs::{
   CommunityModeratorView,
@@ -192,6 +195,46 @@ pub fn check_user_valid(person: &Person) -> LemmyResult<()> {
   }
 }
 
+/// Check if the user's email is verified if email verification is turned on
+/// However, skip checking verification if the user is an admin
+pub fn check_email_verified(
+  local_user_view: &LocalUserView,
+  site_view: &SiteView,
+) -> LemmyResult<()> {
+  if !local_user_view.local_user.admin
+    && site_view.local_site.require_email_verification
+    && !local_user_view.local_user.email_verified
+  {
+    Err(LemmyErrorType::EmailNotVerified)?
+  }
+  Ok(())
+}
+
+pub async fn check_registration_application(
+  local_user_view: &LocalUserView,
+  local_site: &LocalSite,
+  pool: &mut DbPool<'_>,
+) -> LemmyResult<()> {
+  if (local_site.registration_mode == RegistrationMode::RequireApplication
+    || local_site.registration_mode == RegistrationMode::Closed)
+    && !local_user_view.local_user.accepted_application
+    && !local_user_view.local_user.admin
+  {
+    // Fetch the registration application. If no admin id is present its still pending. Otherwise it
+    // was processed (either accepted or denied).
+    let local_user_id = local_user_view.local_user.id;
+    let registration = RegistrationApplication::find_by_local_user_id(pool, local_user_id)
+      .await?
+      .ok_or(LemmyErrorType::CouldntFindRegistrationApplication)?;
+    if registration.admin_id.is_some() {
+      Err(LemmyErrorType::RegistrationDenied(registration.deny_reason))?
+    } else {
+      Err(LemmyErrorType::RegistrationApplicationIsPending)?
+    }
+  }
+  Ok(())
+}
+
 /// Checks that a normal user action (eg posting or voting) is allowed in a given community.
 ///
 /// In particular it checks that neither the user nor community are banned or deleted, and that
@@ -852,6 +895,11 @@ pub async fn purge_user_account(person_id: PersonId, context: &LemmyContext) ->
   // Leave communities they mod
   CommunityModerator::leave_all_communities(pool, person_id).await?;
 
+  // Delete the oauth accounts linked to the local user
+  if let Ok(Some(local_user)) = LocalUserView::read_person(pool, person_id).await {
+    OAuthAccount::delete_user_accounts(pool, local_user.local_user.id).await?;
+  }
+
   Person::delete_account(pool, person_id).await?;
 
   Ok(())

crates/api_crud/Cargo.toml

@@ -29,6 +29,9 @@ moka.workspace = true
 anyhow.workspace = true
 webmention = "0.6.0"
 accept-language = "3.1.0"
+serde_json = { workspace = true }
+serde = { workspace = true }
+serde_with = { workspace = true }
 
 [package.metadata.cargo-machete]
 ignored = ["futures"]

crates/api_crud/src/lib.rs

@@ -1,6 +1,7 @@
 pub mod comment;
 pub mod community;
 pub mod custom_emoji;
+pub mod oauth_provider;
 pub mod post;
 pub mod private_message;
 pub mod site;