Merge branch 'master' of https://github.com/plankanban/planka

.github/workflows/build-and-push-docker-image-dev.yml

@@ -0,0 +1,39 @@
+name: Build and push Docker DEV image
+
+on:
+  push:
+    paths-ignore:
+      - '.github/**'
+      - 'charts/**'
+      - 'docker-*.sh'
+      - '*.md'
+    branches: [master]
+
+jobs:
+  build-and-push-docker-image-dev:
+    runs-on: self-hosted
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: |
+            ghcr.io/plankanban/planka:dev

.github/workflows/helm-chart-release.yml

@@ -38,5 +38,6 @@ jobs:
         uses: helm/chart-releaser-action@v1.5.0
         with:
           charts_dir: charts
+          mark_as_latest: false
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

Dockerfile.base

@@ -1,27 +1,22 @@
-FROM node:lts-alpine
+FROM node:18-alpine
 
-ARG ALPINE_VERSION=3.16
+ARG VIPS_VERSION=8.14.5
-ARG VIPS_VERSION=8.13.3
 
 RUN apk -U upgrade \
   && apk add \
-  bash giflib glib lcms2 libexif \
+  bash pkgconf \
-  libgsf libjpeg-turbo libpng librsvg libwebp \
+  libjpeg-turbo libexif librsvg cgif tiff libspng libimagequant \
-  orc pango tiff \
-  --repository https://alpine.global.ssl.fastly.net/alpine/v${ALPINE_VERSION}/community/ \
-  --repository https://alpine.global.ssl.fastly.net/alpine/v${ALPINE_VERSION}/main/ \
   --no-cache \
   && apk add \
-  build-base giflib-dev glib-dev lcms2-dev libexif-dev \
+  build-base gobject-introspection-dev meson \
-  libgsf-dev libjpeg-turbo-dev libpng-dev librsvg-dev libwebp-dev \
+  libjpeg-turbo-dev libexif-dev librsvg-dev cgif-dev tiff-dev libspng-dev libimagequant-dev \
-  orc-dev pango-dev tiff-dev \
   --virtual vips-dependencies \
-  --repository https://alpine.global.ssl.fastly.net/alpine/v${ALPINE_VERSION}/community/ \
-  --repository https://alpine.global.ssl.fastly.net/alpine/v${ALPINE_VERSION}/main/ \
   --no-cache \
-  && wget -O- https://github.com/libvips/libvips/releases/download/v${VIPS_VERSION}/vips-${VIPS_VERSION}.tar.gz | tar xzC /tmp \
+  && wget -O- https://github.com/libvips/libvips/releases/download/v${VIPS_VERSION}/vips-${VIPS_VERSION}.tar.xz | tar xJC /tmp \
   && cd /tmp/vips-${VIPS_VERSION} \
-  && ./configure \
+  && meson setup build-dir \
-  && make \
+  && cd build-dir \
-  && make install-strip \
+  && ninja \
+  && ninja test \
+  && ninja install \
   && rm -rf /tmp/vips-${VIPS_VERSION}

README.md

@@ -20,10 +20,9 @@
 
 ## How to deploy Planka
 
-There are 2 types of installation:
+There are many ways to install Planka
-- [Without Docker](https://docs.planka.cloud/docs/installl-planka/Debian%20&%20Ubuntu) ([for Windows](https://docs.planka.cloud/docs/installl-planka/Windows))
+
-- [Dockerized](https://docs.planka.cloud/docs/installl-planka/Docker%20Compose)
+[Check them out](https://docs.planka.cloud/docs/intro)
-- [Automated installation](https://github.com/plankanban/planka-installer)
 
 For configuration, please see the [configuration section](https://docs.planka.cloud/docs/category/configuration).
 

charts/planka/Chart.yaml

@@ -15,16 +15,16 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.2
+version: 0.1.11
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.12.0"
+appVersion: "1.15.0"
 
 dependencies:
-- alias: postgresql
+  - alias: postgresql
     condition: postgresql.enabled
     name: postgresql
     repository: &bitnami-repo https://charts.bitnami.com/bitnami

charts/planka/README.md

@@ -21,7 +21,11 @@ git clone https://github.com/Chris-Greaves/planka-helm-chart.git
 cd planka-helm-chart
 helm dependency build
 export SECRETKEY=$(openssl rand -hex 64)
-helm install planka . --set secretkey=$SECRETKEY
+helm install planka . --set secretkey=$SECRETKEY  \
+--set admin_email="demo@demo.demo"  \
+--set admin_password="demo"  \
+--set admin_name="Demo Demo" \
+--set admin_username="demo"
 ```
 
 > **NOTE:** The command `openssl rand -hex 64` is needed to create a random hexadecimal key for planka. On Windows you can use Git Bash to run that command.
@@ -39,11 +43,19 @@ To access Planka externally you can use the following configuration
 ```bash
 # HTTP only
 helm install planka . --set secretkey=$SECRETKEY \
+--set admin_email="demo@demo.demo"  \
+--set admin_password="demo"  \
+--set admin_name="Demo Demo" \
+--set admin_username="demo"
 --set ingress.enabled=true \
 --set ingress.hosts[0].host=planka.example.dev \
 
 # HTTPS
 helm install planka . --set secretkey=$SECRETKEY \
+--set admin_email="demo@demo.demo"  \
+--set admin_password="demo"  \
+--set admin_name="Demo Demo" \
+--set admin_username="demo"
 --set ingress.enabled=true \
 --set ingress.hosts[0].host=planka.example.dev \
 --set ingress.tls[0].secretName=planka-tls \
@@ -54,6 +66,16 @@ or create a values.yaml file like:
 
 ```yaml
 secretkey: "<InsertSecretKey>"
+# The admin section needs to be present for new instances of Planka, after the first start you can remove the lines starting with admin_. If you want the admin user to be unchangeable admin_email: has to stay
+# After changing the config you have to run ```helm upgrade  planka . -f values.yaml```
+
+# Admin user
+admin_email: "demo@demo.demo" # Do not remove if you want to prevent this user from being edited/deleted
+admin_password: "demo"
+admin_name: "Demo Demo"
+admin_username: "demo"
+# Admin user
+
 ingress:
   enabled: true
   hosts:

charts/planka/templates/deployment.yaml

@@ -35,7 +35,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http
-              containerPort: {{ .Values.service.port }}
+              containerPort: {{ .Values.service.containerPort | default 1337 }}
               protocol: TCP
           livenessProbe:
             httpGet:
@@ -75,6 +75,45 @@ spec:
               value: {{ required "A secret key needs to be generated using 'openssl rand -hex 64' and assigned to secretkey." .Values.secretkey }}
             - name: TRUST_PROXY
               value: "0"
+            - name: DEFAULT_ADMIN_EMAIL
+              value: {{ .Values.admin_email }}
+            - name: DEFAULT_ADMIN_PASSWORD
+              value: {{ .Values.admin_password }}
+            - name: DEFAULT_ADMIN_NAME
+              value: {{ .Values.admin_name }}
+            - name: DEFAULT_ADMIN_USERNAME
+              value: {{ .Values.admin_username }}
+          {{ range $k, $v := .Values.env }}
+            - name: {{ $k | quote }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- if .Values.oidc.enabled }}
+          {{- $secretName := default (printf "%s-oidc" (include "planka.fullname" .)) .Values.oidc.existingSecret }}
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  key:  clientId
+                  name: {{ $secretName }}
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key:  clientSecret
+                  name: {{ $secretName }}
+            - name: OIDC_ISSUER
+              value: {{ required "issuerUrl is required when configuring OIDC" .Values.oidc.issuerUrl | quote }}
+            - name: OIDC_SCOPES
+              value: {{ join " " .Values.oidc.scopes | default "openid profile email" | quote }}
+          {{- if .Values.oidc.admin.roles }}
+            - name: OIDC_ADMIN_ROLES
+              value: {{ join "," .Values.oidc.admin.roles | quote }}
+          {{- end }}
+            - name: OIDC_ROLES_ATTRIBUTE
+              value: {{ .Values.oidc.admin.rolesAttribute | default "groups" | quote }}
+          {{- if .Values.oidc.admin.ignoreRoles }}
+            - name: OIDC_IGNORE_ROLES
+              value: {{ .Values.oidc.admin.ignoreRoles | quote }}
+          {{- end }}
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/planka/templates/secret-oidc.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.oidc.enabled }}
+{{- if eq (and (not (empty .Values.oidc.clientId)) (not (empty .Values.oidc.clientSecret))) (not (empty .Values.oidc.existingSecret)) -}}
+  {{- fail "Either specify inline `clientId` and `clientSecret` or refer to them via `existingSecret`" -}}
+{{- end }}
+{{- if (and (and (not (empty .Values.oidc.clientId)) (not (empty .Values.oidc.clientSecret))) (empty .Values.oidc.existingSecret)) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "planka.fullname" . }}-oidc
+  labels:
+    {{- include "planka.labels" . | nindent 4 }}
+type: Opaque
+data:
+  clientId: {{ .Values.oidc.clientId | b64enc | quote }}
+  clientSecret: {{ .Values.oidc.clientSecret | b64enc | quote }}
+{{- end }}
+{{- end }}

charts/planka/values.yaml

@@ -46,6 +46,10 @@ securityContext: {}
 service:
   type: ClusterIP
   port: 1337
+  ## @param service.containerPort Planka HTTP container port
+  ## If empty will default to 1337
+  ##
+  containerPort: 1337
 
 ingress:
   enabled: false
@@ -109,3 +113,68 @@ persistence:
 
   accessMode: ReadWriteOnce
   size: 10Gi
+
+## OpenID Identity Management configuration
+##
+## Example:
+## ---------------
+## oidc:
+##   enabled: true
+##   clientId: sxxaAIAxVXlCxTmc1YLHBbQr8NL8MqLI2DUbt42d
+##   clientSecret: om4RTMRVHRszU7bqxB7RZNkHIzA8e4sGYWxeCwIMYQXPwEBWe4SY5a0wwCe9ltB3zrq5f0dnFnp34cEHD7QSMHsKvV9AiV5Z7eqDraMnv0I8IFivmuV5wovAECAYreSI
+##   issuerUrl: https://auth.local/application/o/planka/
+##   admin:
+##     roles:
+##       - planka-admin
+##
+## ---------------
+## NOTE: A minimal configuration requires setting `clientId`, `clientSecret` and `issuerUrl`. (plus `admin.roles` for administrators)
+## ref: https://docs.planka.cloud/docs/Configuration/OIDC
+##
+oidc:
+  ## @param oidc.enabled Enable single sign-on (SSO) with OpenID Connect (OIDC)
+  ##
+  enabled: false
+
+  ## OIDC credentials
+  ## @param oidc.clientId A string unique to the provider that identifies your app.
+  ## @param oidc.clientSecret A secret string that the provider uses to confirm ownership of a client ID.
+  ##
+  ## NOTE: Either specify inline `clientId` and `clientSecret` or refer to them via `existingSecret`
+  ##
+  clientId: ""
+  clientSecret: ""
+
+  ## @param oidc.existingSecret Name of an existing secret containing OIDC credentials
+  ## NOTE: Must contain key `clientId` and `clientSecret`
+  ## NOTE: When it's set, the `clientId` and `clientSecret` parameters are ignored
+  ##
+  existingSecret: ""
+
+  ## @param oidc.issuerUrl The OpenID connect metadata document endpoint
+  ##
+  issuerUrl: ""
+
+  ## @param oidc.scopes A list of scopes required for OIDC client.
+  ## If empty will default to `openid`, `profile` and `email`
+  ## NOTE: Planka needs the email and name claims
+  ##
+  scopes: []
+
+  ## Admin permissions configuration
+  admin:
+    ## @param oidc.admin.ignoreRoles If set to true, the admin roles will be ignored.
+    ## It is useful if you want to use OIDC for authentication but not for authorization.
+    ## If empty will default to `false`
+    ##
+    ignoreRoles: false
+
+    ## @param oidc.admin.rolesAttribute The name of a custom group claim that you have configured in your OIDC provider
+    ## If empty will default to `groups`
+    ##
+    rolesAttribute: groups
+
+    ## @param oidc.admin.roles The names of the admin groups
+    ##
+    roles: []
+      # - planka-admin

client/.env

@@ -1 +1 @@
-REACT_APP_VERSION=1.12.0
+REACT_APP_VERSION=1.15.0

client/package.json

@@ -60,14 +60,15 @@
     "dequal": "^2.0.3",
     "easymde": "^2.18.0",
     "history": "^5.3.0",
-    "i18next": "^22.5.1",
+    "oidc-client-ts": "^2.4.0",
+    "i18next": "^23.7.6",
     "i18next-browser-languagedetector": "^7.2.0",
     "initials": "^3.1.2",
     "js-cookie": "^3.0.5",
-    "jwt-decode": "^3.1.2",
+    "jwt-decode": "^4.0.0",
     "lodash": "^4.17.21",
-    "node-sass": "^8.0.0",
+    "nanoid": "^5.0.3",
-    "oidc-client-ts": "^2.4.0",
+    "node-sass": "^9.0.0",
     "photoswipe": "^5.4.2",
     "prop-types": "^15.8.1",
     "react": "^18.2.0",
@@ -76,13 +77,13 @@
     "react-datepicker": "^4.21.0",
     "react-dom": "^18.2.0",
     "react-dropzone": "^14.2.3",
-    "react-i18next": "^12.3.1",
+    "react-oidc-context": "^2.3.1",
+    "react-i18next": "^13.5.0",
     "react-input-mask": "^2.0.4",
     "react-markdown": "^8.0.7",
-    "react-oidc-context": "^2.3.1",
     "react-photoswipe-gallery": "^2.2.7",
     "react-redux": "^8.1.3",
-    "react-router-dom": "^6.18.0",
+    "react-router-dom": "^6.19.0",
     "react-scripts": "5.0.1",
     "react-simplemde-editor": "^5.2.0",
     "react-textarea-autosize": "^8.5.3",
@@ -90,11 +91,11 @@
     "redux-logger": "^3.0.6",
     "redux-orm": "^0.16.2",
     "redux-saga": "^1.2.3",
-    "remark-breaks": "^3.0.3",
+    "semantic-ui-css": "^2.5.0",
-    "remark-gfm": "^3.0.1",
+    "remark-breaks": "^4.0.0",
+    "remark-gfm": "^4.0.0",
     "reselect": "^4.1.8",
     "sails.io.js": "^1.2.1",
-    "semantic-ui-css": "^2.5.0",
     "semantic-ui-react": "^2.1.4",
     "socket.io-client": "^2.5.0",
     "validator": "^13.11.0",
@@ -102,9 +103,9 @@
     "zxcvbn": "^4.4.2"
   },
   "devDependencies": {
-    "@testing-library/jest-dom": "^5.17.0",
+    "@testing-library/jest-dom": "^6.1.4",
-    "@testing-library/react": "^13.4.0",
+    "@testing-library/react": "^14.1.0",
-    "@testing-library/user-event": "^13.5.0",
+    "@testing-library/user-event": "^14.5.1",
     "babel-preset-airbnb": "^5.0.0",
     "chai": "^4.3.10",
     "eslint": "^8.53.0",

client/src/actions/core.js

@@ -39,6 +39,14 @@ const initializeCore = (
   },
 });
 
+// TODO: with success?
+initializeCore.fetchConfig = (config) => ({
+  type: ActionTypes.CORE_INITIALIZE__CONFIG_FETCH,
+  payload: {
+    config,
+  },
+});
+
 const logout = () => ({
   type: ActionTypes.LOGOUT,
   payload: {},

client/src/actions/login.js

@@ -1,5 +1,12 @@
 import ActionTypes from '../constants/ActionTypes';
 
+const initializeLogin = (config) => ({
+  type: ActionTypes.LOGIN_INITIALIZE,
+  payload: {
+    config,
+  },
+});
+
 const authenticate = (data) => ({
   type: ActionTypes.AUTHENTICATE,
   payload: {
@@ -21,12 +28,33 @@ authenticate.failure = (error) => ({
   },
 });
 
+const authenticateUsingOidc = () => ({
+  type: ActionTypes.USING_OIDC_AUTHENTICATE,
+  payload: {},
+});
+
+authenticateUsingOidc.success = (accessToken) => ({
+  type: ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS,
+  payload: {
+    accessToken,
+  },
+});
+
+authenticateUsingOidc.failure = (error) => ({
+  type: ActionTypes.USING_OIDC_AUTHENTICATE__FAILURE,
+  payload: {
+    error,
+  },
+});
+
 const clearAuthenticateError = () => ({
   type: ActionTypes.AUTHENTICATE_ERROR_CLEAR,
   payload: {},
 });
 
 export default {
+  initializeLogin,
   authenticate,
+  authenticateUsingOidc,
   clearAuthenticateError,
 };

client/src/api/access-tokens.js

@@ -4,14 +4,15 @@ import socket from './socket';
 /* Actions */
 
 const createAccessToken = (data, headers) => http.post('/access-tokens', data, headers);
-const exchangeOidcToken = (accessToken, headers) =>
+
-  http.post('/access-tokens/exchange', { token: accessToken }, headers);
+const exchangeForAccessTokenUsingOidc = (data, headers) =>
+  http.post('/access-tokens/exchange-using-oidc', data, headers);
 
 const deleteCurrentAccessToken = (headers) =>
   socket.delete('/access-tokens/me', undefined, headers);
 
 export default {
   createAccessToken,
+  exchangeForAccessTokenUsingOidc,
   deleteCurrentAccessToken,
-  exchangeOidcToken,
 };

client/src/api/http.js

@@ -5,9 +5,11 @@ import Config from '../constants/Config';
 const http = {};
 
 // TODO: add all methods
-['POST'].forEach((method) => {
+['GET', 'POST'].forEach((method) => {
   http[method.toLowerCase()] = (url, data, headers) => {
-    const formData = Object.keys(data).reduce((result, key) => {
+    const formData =
+      data &&
+      Object.keys(data).reduce((result, key) => {
         result.append(key, data[key]);
 
         return result;

client/src/api/index.js

@@ -1,5 +1,6 @@
 import http from './http';
 import socket from './socket';
+import root from './root';
 import accessTokens from './access-tokens';
 import users from './users';
 import projects from './projects';
@@ -20,6 +21,7 @@ import notifications from './notifications';
 export { http, socket };
 
 export default {
+  ...root,
   ...accessTokens,
   ...users,
   ...projects,

client/src/api/root.js

@@ -0,0 +1,9 @@
+import http from './http';
+
+/* Actions */
+
+const getConfig = (headers) => http.get('/config', undefined, headers);
+
+export default {
+  getConfig,
+};

client/src/components/CardModal/CardModal.jsx

@@ -217,6 +217,7 @@ const CardModal = React.memo(
                         onUserSelect={onUserAdd}
                         onUserDeselect={onUserRemove}
                       >
+                        {/* eslint-disable-next-line jsx-a11y/control-has-associated-label */}
                         <button
                           type="button"
                           aria-label="add user to card"
@@ -267,6 +268,7 @@ const CardModal = React.memo(
                         onMove={onLabelMove}
                         onDelete={onLabelDelete}
                       >
+                        {/* eslint-disable-next-line jsx-a11y/control-has-associated-label */}
                         <button
                           type="button"
                           aria-label="add label to card"
@@ -316,11 +318,12 @@ const CardModal = React.memo(
                       )}
                     </span>
                     {canEdit && (
+                      // eslint-disable-next-line jsx-a11y/control-has-associated-label
                       <button
-                        onClick={handleToggleStopwatchClick}
                         type="button"
                         aria-label="toggle stopwatch"
                         className={classNames(styles.attachment, styles.dueDate)}
+                        onClick={handleToggleStopwatchClick}
                       >
                         <Icon
                           name={stopwatch.startedAt ? 'pause' : 'play'}

client/src/components/CardModal/Tasks/Tasks.jsx

@@ -48,6 +48,8 @@ const Tasks = React.memo(({ items, canEdit, onCreate, onUpdate, onMove, onDelete
   return (
     <>
       {items.length > 0 && (
+        <>
+          <span className={styles.progressWrapper}>
             <Progress
               autoSuccess
               value={completedItems.length}
@@ -56,6 +58,11 @@ const Tasks = React.memo(({ items, canEdit, onCreate, onUpdate, onMove, onDelete
               size="tiny"
               className={styles.progress}
             />
+          </span>
+          <span className={styles.count}>
+            {completedItems.length}/{items.length}
+          </span>
+        </>
       )}
       <DragDropContext onDragStart={handleDragStart} onDragEnd={handleDragEnd}>
         <Droppable droppableId="tasks" type={DroppableTypes.TASK}>

client/src/components/CardModal/Tasks/Tasks.module.scss

@@ -3,6 +3,23 @@
     margin: 0 0 16px;
   }
 
+  .progressWrapper {
+    display: inline-block;
+    padding: 3px 0;
+    vertical-align: top;
+    width: calc(100% - 50px);
+  }
+
+  .count {
+    color: #8c8c8c;
+    display: inline-block;
+    font-size: 14px;
+    line-height: 14px;
+    text-align: right;
+    vertical-align: top;
+    width: 50px;
+  }
+
   .taskButton {
     background: transparent;
     border: none;

client/src/components/Header/Header.jsx

@@ -3,7 +3,6 @@ import PropTypes from 'prop-types';
 import classNames from 'classnames';
 import { Link } from 'react-router-dom';
 import { Button, Icon, Menu } from 'semantic-ui-react';
-import { useAuth } from 'react-oidc-context';
 import { usePopup } from '../../lib/popup';
 
 import Paths from '../../constants/Paths';
@@ -30,7 +29,6 @@ const Header = React.memo(
     onUserSettingsClick,
     onLogout,
   }) => {
-    const auth = useAuth();
     const handleProjectSettingsClick = useCallback(() => {
       if (canEditProject) {
         onProjectSettingsClick();
@@ -40,11 +38,6 @@ const Header = React.memo(
     const NotificationsPopup = usePopup(NotificationsStep, POPUP_PROPS);
     const UserPopup = usePopup(UserStep, POPUP_PROPS);
 
-    const onFullLogout = () => {
-      auth.signoutSilent();
-      onLogout();
-    };
-
     return (
       <div className={styles.wrapper}>
         {!project && (
@@ -95,7 +88,7 @@ const Header = React.memo(
             <UserPopup
               isLogouting={isLogouting}
               onSettingsClick={onUserSettingsClick}
-              onLogout={onFullLogout}
+              onLogout={onLogout}
             >
               <Menu.Item className={classNames(styles.item, styles.itemHoverable)}>
                 {user.name}

client/src/components/Login/Login.jsx

@@ -1,10 +1,9 @@
 import isEmail from 'validator/lib/isEmail';
 import React, { useCallback, useEffect, useMemo, useRef } from 'react';
-import { useAuth } from 'react-oidc-context';
 import PropTypes from 'prop-types';
 import classNames from 'classnames';
 import { useTranslation } from 'react-i18next';
-import { Form, Grid, Header, Message } from 'semantic-ui-react';
+import { Button, Form, Grid, Header, Message } from 'semantic-ui-react';
 import { useDidUpdate, usePrevious, useToggle } from '../../lib/hooks';
 import { Input } from '../../lib/custom-ui';
 
@@ -29,6 +28,21 @@ const createMessage = (error) => {
         type: 'error',
         content: 'common.invalidPassword',
       };
+    case 'Use single sign-on':
+      return {
+        type: 'error',
+        content: 'common.useSingleSignOn',
+      };
+    case 'Email already in use':
+      return {
+        type: 'error',
+        content: 'common.emailAlreadyInUse',
+      };
+    case 'Username already in use':
+      return {
+        type: 'error',
+        content: 'common.usernameAlreadyInUse',
+      };
     case 'Failed to fetch':
       return {
         type: 'warning',
@@ -48,8 +62,16 @@ const createMessage = (error) => {
 };
 
 const Login = React.memo(
-  ({ defaultData, isSubmitting, error, onAuthenticate, onMessageDismiss }) => {
+  ({
-    const auth = useAuth();
+    defaultData,
+    isSubmitting,
+    isSubmittingUsingOidc,
+    error,
+    withOidc,
+    onAuthenticate,
+    onAuthenticateUsingOidc,
+    onMessageDismiss,
+  }) => {
     const [t] = useTranslation();
     const wasSubmitting = usePrevious(isSubmitting);
 
@@ -170,12 +192,19 @@ const Login = React.memo(
                         content={t('action.logIn')}
                         floated="right"
                         loading={isSubmitting}
-                        disabled={isSubmitting}
+                        disabled={isSubmitting || isSubmittingUsingOidc}
                       />
                     </Form>
-                    <Form.Button type="button" onClick={() => auth.signinRedirect()}>
+                    {withOidc && (
-                      Log in with SSO
+                      <Button
-                    </Form.Button>
+                        type="button"
+                        loading={isSubmittingUsingOidc}
+                        disabled={isSubmitting || isSubmittingUsingOidc}
+                        onClick={onAuthenticateUsingOidc}
+                      >
+                        {t('action.logInWithSSO')}
+                      </Button>
+                    )}
                   </div>
                 </div>
               </Grid.Column>
@@ -206,10 +235,15 @@ const Login = React.memo(
 );
 
 Login.propTypes = {
-  defaultData: PropTypes.object.isRequired, // eslint-disable-line react/forbid-prop-types
+  /* eslint-disable react/forbid-prop-types */
+  defaultData: PropTypes.object.isRequired,
+  /* eslint-enable react/forbid-prop-types */
   isSubmitting: PropTypes.bool.isRequired,
+  isSubmittingUsingOidc: PropTypes.bool.isRequired,
   error: PropTypes.object, // eslint-disable-line react/forbid-prop-types
+  withOidc: PropTypes.bool.isRequired,
   onAuthenticate: PropTypes.func.isRequired,
+  onAuthenticateUsingOidc: PropTypes.func.isRequired,
   onMessageDismiss: PropTypes.func.isRequired,
 };
 

client/src/components/LoginWrapper.jsx

@@ -0,0 +1,19 @@
+import React from 'react';
+import PropTypes from 'prop-types';
+import { Loader } from 'semantic-ui-react';
+
+import LoginContainer from '../containers/LoginContainer';
+
+const LoginWrapper = React.memo(({ isInitializing }) => {
+  if (isInitializing) {
+    return <Loader active size="massive" />;
+  }
+
+  return <LoginContainer />;
+});
+
+LoginWrapper.propTypes = {
+  isInitializing: PropTypes.bool.isRequired,
+};
+
+export default LoginWrapper;

client/src/components/OIDC/OidcLogin.jsx

@@ -1,19 +0,0 @@
-import { useAuth } from 'react-oidc-context';
-import PropTypes from 'prop-types';
-import React from 'react';
-
-let isLoggingIn = true;
-const OidcLogin = React.memo(({ onAuthenticate }) => {
-  const auth = useAuth();
-  if (isLoggingIn && auth.user) {
-    isLoggingIn = false;
-    const { user } = auth;
-    onAuthenticate(user);
-  }
-});
-
-OidcLogin.propTypes = {
-  onAuthenticate: PropTypes.func.isRequired,
-};
-
-export default OidcLogin;

client/src/components/OIDC/index.js

@@ -1,3 +0,0 @@
-import OidcLogin from './OidcLogin';
-
-export default OidcLogin;

client/src/components/Root.jsx

@@ -1,12 +1,11 @@
 import React from 'react';
 import PropTypes from 'prop-types';
-import { AuthProvider } from 'react-oidc-context';
 import { Provider } from 'react-redux';
 import { Route, Routes } from 'react-router-dom';
 import { ReduxRouter } from '../lib/redux-router';
 
 import Paths from '../constants/Paths';
-import LoginContainer from '../containers/LoginContainer';
+import LoginWrapperContainer from '../containers/LoginWrapperContainer';
 import CoreContainer from '../containers/CoreContainer';
 import NotFound from './NotFound';
 
@@ -15,24 +14,14 @@ import 'photoswipe/dist/photoswipe.css';
 import 'easymde/dist/easymde.min.css';
 import '../lib/custom-ui/styles.css';
 import '../styles.module.scss';
-import OidcLoginContainer from '../containers/OidcLoginContainer';
 
-function Root({ store, history, config }) {
+function Root({ store, history }) {
   return (
-    <AuthProvider
-      authority={config.authority}
-      client_id={config.clientId}
-      redirect_uri={config.redirectUri}
-      scope={config.scopes}
-      onSigninCallback={() => {
-        window.history.replaceState({}, document.title, window.location.pathname);
-      }}
-    >
     <Provider store={store}>
       <ReduxRouter history={history}>
         <Routes>
-            <Route path={Paths.LOGIN} element={<LoginContainer />} />
+          <Route path={Paths.LOGIN} element={<LoginWrapperContainer />} />
-            <Route path={Paths.OIDC_LOGIN} element={<OidcLoginContainer />} />
+          <Route path={Paths.OIDC_CALLBACK} element={<LoginWrapperContainer />} />
           <Route path={Paths.ROOT} element={<CoreContainer />} />
           <Route path={Paths.PROJECTS} element={<CoreContainer />} />
           <Route path={Paths.BOARDS} element={<CoreContainer />} />
@@ -41,14 +30,13 @@ function Root({ store, history, config }) {
         </Routes>
       </ReduxRouter>
     </Provider>
-    </AuthProvider>
   );
 }
+
 Root.propTypes = {
   /* eslint-disable react/forbid-prop-types */
   store: PropTypes.object.isRequired,
   history: PropTypes.object.isRequired,
-  config: PropTypes.object.isRequired,
   /* eslint-enable react/forbid-prop-types */
 };
 

client/src/components/UserSettingsModal/UserSettingsModal.jsx

@@ -16,8 +16,8 @@ const UserSettingsModal = React.memo(
     phone,
     organization,
     language,
-    isLocked,
     subscribeToOwnCards,
+    isLocked,
     isAvatarUpdating,
     usernameUpdateForm,
     emailUpdateForm,
@@ -106,8 +106,8 @@ UserSettingsModal.propTypes = {
   phone: PropTypes.string,
   organization: PropTypes.string,
   language: PropTypes.string,
-  isLocked: PropTypes.bool.isRequired,
   subscribeToOwnCards: PropTypes.bool.isRequired,
+  isLocked: PropTypes.bool.isRequired,
   isAvatarUpdating: PropTypes.bool.isRequired,
   /* eslint-disable react/forbid-prop-types */
   usernameUpdateForm: PropTypes.object.isRequired,

client/src/components/UsersModal/Item/ActionsStep.jsx

@@ -153,12 +153,14 @@ const ActionsStep = React.memo(
                     context: 'title',
                   })}
                 </Menu.Item>
+              </>
+            )}
+            {!user.isDeletionLocked && (
               <Menu.Item className={styles.menuItem} onClick={handleDeleteClick}>
                 {t('action.deleteUser', {
                   context: 'title',
                 })}
               </Menu.Item>
-              </>
             )}
           </Menu>
         </Popup.Content>

client/src/components/UsersModal/Item/Item.jsx

@@ -18,6 +18,8 @@ const Item = React.memo(
     phone,
     isAdmin,
     isLocked,
+    isRoleLocked,
+    isDeletionLocked,
     emailUpdateForm,
     passwordUpdateForm,
     usernameUpdateForm,
@@ -47,7 +49,7 @@ const Item = React.memo(
         <Table.Cell>{username || '-'}</Table.Cell>
         <Table.Cell>{email}</Table.Cell>
         <Table.Cell>
-          <Radio toggle checked={isAdmin} disabled={isLocked} onChange={handleIsAdminChange} />
+          <Radio toggle checked={isAdmin} disabled={isRoleLocked} onChange={handleIsAdminChange} />
         </Table.Cell>
         <Table.Cell textAlign="right">
           <ActionsPopup
@@ -59,6 +61,7 @@ const Item = React.memo(
               phone,
               isAdmin,
               isLocked,
+              isDeletionLocked,
               emailUpdateForm,
               passwordUpdateForm,
               usernameUpdateForm,
@@ -91,6 +94,8 @@ Item.propTypes = {
   phone: PropTypes.string,
   isAdmin: PropTypes.bool.isRequired,
   isLocked: PropTypes.bool.isRequired,
+  isRoleLocked: PropTypes.bool.isRequired,
+  isDeletionLocked: PropTypes.bool.isRequired,
   /* eslint-disable react/forbid-prop-types */
   emailUpdateForm: PropTypes.object.isRequired,
   passwordUpdateForm: PropTypes.object.isRequired,

client/src/components/UsersModal/UsersModal.jsx

@@ -111,6 +111,8 @@ const UsersModal = React.memo(
                   phone={item.phone}
                   isAdmin={item.isAdmin}
                   isLocked={item.isLocked}
+                  isRoleLocked={item.isRoleLocked}
+                  isDeletionLocked={item.isDeletionLocked}
                   emailUpdateForm={item.emailUpdateForm}
                   passwordUpdateForm={item.passwordUpdateForm}
                   usernameUpdateForm={item.usernameUpdateForm}

client/src/constants/ActionTypes.js

@@ -12,14 +12,19 @@ export default {
 
   /* Login */
 
+  LOGIN_INITIALIZE: 'LOGIN_INITIALIZE',
   AUTHENTICATE: 'AUTHENTICATE',
   AUTHENTICATE__SUCCESS: 'AUTHENTICATE__SUCCESS',
   AUTHENTICATE__FAILURE: 'AUTHENTICATE__FAILURE',
+  USING_OIDC_AUTHENTICATE: 'USING_OIDC_AUTHENTICATE',
+  USING_OIDC_AUTHENTICATE__SUCCESS: 'USING_OIDC_AUTHENTICATE__SUCCESS',
+  USING_OIDC_AUTHENTICATE__FAILURE: 'USING_OIDC_AUTHENTICATE__FAILURE',
   AUTHENTICATE_ERROR_CLEAR: 'AUTHENTICATE_ERROR_CLEAR',
 
   /* Core */
 
   CORE_INITIALIZE: 'CORE_INITIALIZE',
+  CORE_INITIALIZE__CONFIG_FETCH: 'CORE_INITIALIZE__CONFIG_FETCH',
   LOGOUT: 'LOGOUT',
   LOGOUT__ACCESS_TOKEN_INVALIDATE: 'LOGOUT__ACCESS_TOKEN_INVALIDATE',
 

client/src/constants/EntryActionTypes.js

@@ -11,11 +11,11 @@ export default {
   /* Login */
 
   AUTHENTICATE: `${PREFIX}/AUTHENTICATE`,
+  USING_OIDC_AUTHENTICATE: `${PREFIX}/USING_OIDC_AUTHENTICATE`,
   AUTHENTICATE_ERROR_CLEAR: `${PREFIX}/AUTHENTICATE_ERROR_CLEAR`,
 
   /* Core */
 
-  CORE_INITIALIZE: `${PREFIX}/CORE_INITIALIZE`,
   LOGOUT: `${PREFIX}/LOGOUT`,
 
   /* Modals */

client/src/constants/Paths.js

@@ -2,7 +2,7 @@ import Config from './Config';
 
 const ROOT = `${Config.BASE_PATH}/`;
 const LOGIN = `${Config.BASE_PATH}/login`;
-const OIDC_LOGIN = `${Config.BASE_PATH}/oidclogin`;
+const OIDC_CALLBACK = `${Config.BASE_PATH}/oidc-callback`;
 const PROJECTS = `${Config.BASE_PATH}/projects/:id`;
 const BOARDS = `${Config.BASE_PATH}/boards/:id`;
 const CARDS = `${Config.BASE_PATH}/cards/:id`;
@@ -10,8 +10,8 @@ const CARDS = `${Config.BASE_PATH}/cards/:id`;
 export default {
   ROOT,
   LOGIN,
+  OIDC_CALLBACK,
   PROJECTS,
   BOARDS,
   CARDS,
-  OIDC_LOGIN,
 };

client/src/containers/CoreContainer.js

@@ -4,18 +4,18 @@ import selectors from '../selectors';
 import Core from '../components/Core';
 
 const mapStateToProps = (state) => {
-  const isCoreInitializing = selectors.selectIsCoreInitializing(state);
+  const isInitializing = selectors.selectIsInitializing(state);
   const isSocketDisconnected = selectors.selectIsSocketDisconnected(state);
   const currentModal = selectors.selectCurrentModal(state);
   const currentProject = selectors.selectCurrentProject(state);
   const currentBoard = selectors.selectCurrentBoard(state);
 
   return {
+    isInitializing,
     isSocketDisconnected,
     currentModal,
     currentProject,
     currentBoard,
-    isInitializing: isCoreInitializing,
   };
 };
 

client/src/containers/LoginContainer.js

@@ -1,23 +1,33 @@
 import { bindActionCreators } from 'redux';
 import { connect } from 'react-redux';
 
+import selectors from '../selectors';
 import entryActions from '../entry-actions';
 import Login from '../components/Login';
 
-const mapStateToProps = ({
+const mapStateToProps = (state) => {
+  const oidcConfig = selectors.selectOidcConfig(state);
+
+  const {
     ui: {
-    authenticateForm: { data: defaultData, isSubmitting, error },
+      authenticateForm: { data: defaultData, isSubmitting, isSubmittingUsingOidc, error },
     },
-}) => ({
+  } = state;
+
+  return {
     defaultData,
     isSubmitting,
+    isSubmittingUsingOidc,
     error,
-});
+    withOidc: !!oidcConfig,
+  };
+};
 
 const mapDispatchToProps = (dispatch) =>
   bindActionCreators(
     {
       onAuthenticate: entryActions.authenticate,
+      onAuthenticateUsingOidc: entryActions.authenticateUsingOidc,
       onMessageDismiss: entryActions.clearAuthenticateError,
     },
     dispatch,

client/src/containers/LoginWrapperContainer.js

@@ -0,0 +1,14 @@
+import { connect } from 'react-redux';
+
+import selectors from '../selectors';
+import LoginWrapper from '../components/LoginWrapper';
+
+const mapStateToProps = (state) => {
+  const isInitializing = selectors.selectIsInitializing(state);
+
+  return {
+    isInitializing,
+  };
+};
+
+export default connect(mapStateToProps)(LoginWrapper);

client/src/containers/OidcLoginContainer.js

@@ -1,26 +0,0 @@
-import { bindActionCreators } from 'redux';
-import { connect } from 'react-redux';
-
-import entryActions from '../entry-actions';
-import OidcLogin from '../components/OIDC';
-
-const mapStateToProps = ({
-  ui: {
-    authenticateForm: { data: defaultData, isSubmitting, error },
-  },
-}) => ({
-  defaultData,
-  isSubmitting,
-  error,
-});
-
-const mapDispatchToProps = (dispatch) =>
-  bindActionCreators(
-    {
-      onAuthenticate: entryActions.authenticate,
-      onMessageDismiss: entryActions.clearAuthenticateError,
-    },
-    dispatch,
-  );
-
-export default connect(mapStateToProps, mapDispatchToProps)(OidcLogin);

client/src/containers/UserSettingsModalContainer.js

@@ -14,8 +14,8 @@ const mapStateToProps = (state) => {
     phone,
     organization,
     language,
-    isLocked,
     subscribeToOwnCards,
+    isLocked,
     isAvatarUpdating,
     emailUpdateForm,
     passwordUpdateForm,
@@ -30,8 +30,8 @@ const mapStateToProps = (state) => {
     phone,
     organization,
     language,
-    isLocked,
     subscribeToOwnCards,
+    isLocked,
     isAvatarUpdating,
     emailUpdateForm,
     passwordUpdateForm,

client/src/entry-actions/core.js

@@ -1,16 +1,10 @@
 import EntryActionTypes from '../constants/EntryActionTypes';
 
-const initializeCore = () => ({
-  type: EntryActionTypes.CORE_INITIALIZE,
-  payload: {},
-});
-
 const logout = () => ({
   type: EntryActionTypes.LOGOUT,
   payload: {},
 });
 
 export default {
-  initializeCore,
   logout,
 };

client/src/entry-actions/login.js

@@ -7,6 +7,11 @@ const authenticate = (data) => ({
   },
 });
 
+const authenticateUsingOidc = () => ({
+  type: EntryActionTypes.USING_OIDC_AUTHENTICATE,
+  payload: {},
+});
+
 const clearAuthenticateError = () => ({
   type: EntryActionTypes.AUTHENTICATE_ERROR_CLEAR,
   payload: {},
@@ -14,5 +19,6 @@ const clearAuthenticateError = () => ({
 
 export default {
   authenticate,
+  authenticateUsingOidc,
   clearAuthenticateError,
 };

client/src/index.js

@@ -1,15 +1,11 @@
 import React from 'react';
 import ReactDOM from 'react-dom/client';
 
-import Config from './constants/Config';
 import store from './store';
 import history from './history';
 import Root from './components/Root';
+
 import './i18n';
 
-fetch(`${Config.SERVER_BASE_URL}/api/appconfig`).then((response) => {
+const root = ReactDOM.createRoot(document.getElementById('root'));
-  response.json().then((config) => {
+root.render(React.createElement(Root, { store, history }));
-    const root = ReactDOM.createRoot(document.getElementById('root'));
-    root.render(React.createElement(Root, { store, history, config }));
-  });
-});

client/src/locales/en/login.js

@@ -11,10 +11,12 @@ export default {
       projectManagement: 'Project management',
       serverConnectionFailed: 'Server connection failed',
       unknownError: 'Unknown error, try again later',
+      useSingleSignOn: 'Use single sign-on',
     },
 
     action: {
       logIn: 'Log in',
+      logInWithSSO: 'Log in with SSO',
     },
   },
 };

client/src/locales/ja/core.js

@@ -8,7 +8,7 @@ export default {
     time: 'HH:mm',
     dateTime: '$t(format:date) $t(format:time)',
     longDate: 'MMMMd日',
-    longDateTime: "MMMMd'日 ' HH:MM",
+    longDateTime: "MMMMd'日 ' HH:mm",
   },
 
   translation: {

client/src/models/User.js

@@ -43,16 +43,14 @@ export default class extends BaseModel {
     organization: attr(),
     language: attr(),
     subscribeToOwnCards: attr(),
+    isAdmin: attr(),
+    isLocked: attr(),
+    isRoleLocked: attr(),
+    isDeletionLocked: attr(),
+    deletedAt: attr(),
     createdAt: attr({
       getDefault: () => new Date(),
     }),
-    deletedAt: attr(),
-    isAdmin: attr({
-      getDefault: () => false,
-    }),
-    isLocked: attr({
-      getDefault: () => false,
-    }),
     isAvatarUpdating: attr({
       getDefault: () => false,
     }),

client/src/reducers/auth.js

@@ -10,6 +10,7 @@ const initialState = {
 export default (state = initialState, { type, payload }) => {
   switch (type) {
     case ActionTypes.AUTHENTICATE__SUCCESS:
+    case ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS:
       return {
         ...state,
         accessToken: payload.accessToken,

client/src/reducers/core.js

@@ -4,7 +4,6 @@ import ActionTypes from '../constants/ActionTypes';
 import ModalTypes from '../constants/ModalTypes';
 
 const initialState = {
-  isInitializing: true,
   isLogouting: false,
   currentModal: null,
 };
@@ -18,11 +17,6 @@ export default (state = initialState, { type, payload }) => {
         ...state,
         currentModal: null,
       };
-    case ActionTypes.CORE_INITIALIZE:
-      return {
-        ...state,
-        isInitializing: false,
-      };
     case ActionTypes.LOGOUT__ACCESS_TOKEN_INVALIDATE:
       return {
         ...state,

client/src/reducers/index.js

@@ -3,6 +3,7 @@ import { combineReducers } from 'redux';
 import router from './router';
 import socket from './socket';
 import orm from './orm';
+import root from './root';
 import auth from './auth';
 import core from './core';
 import ui from './ui';
@@ -11,6 +12,7 @@ export default combineReducers({
   router,
   socket,
   orm,
+  root,
   auth,
   core,
   ui,

client/src/reducers/root.js

@@ -0,0 +1,36 @@
+import ActionTypes from '../constants/ActionTypes';
+
+const initialState = {
+  isInitializing: true,
+  config: null,
+};
+
+// eslint-disable-next-line default-param-last
+export default (state = initialState, { type, payload }) => {
+  switch (type) {
+    case ActionTypes.LOGIN_INITIALIZE:
+      return {
+        ...state,
+        isInitializing: false,
+        config: payload.config,
+      };
+    case ActionTypes.AUTHENTICATE__SUCCESS:
+    case ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS:
+      return {
+        ...state,
+        isInitializing: true,
+      };
+    case ActionTypes.CORE_INITIALIZE:
+      return {
+        ...state,
+        isInitializing: false,
+      };
+    case ActionTypes.CORE_INITIALIZE__CONFIG_FETCH:
+      return {
+        ...state,
+        config: payload.config,
+      };
+    default:
+      return state;
+  }
+};

client/src/reducers/ui/authenticate-form.js

@@ -1,4 +1,7 @@
+import { LOCATION_CHANGE_HANDLE } from '../../lib/redux-router';
+
 import ActionTypes from '../../constants/ActionTypes';
+import Paths from '../../constants/Paths';
 
 const initialState = {
   data: {
@@ -6,12 +9,22 @@ const initialState = {
     password: '',
   },
   isSubmitting: false,
+  isSubmittingUsingOidc: false,
   error: null,
 };
 
 // eslint-disable-next-line default-param-last
 export default (state = initialState, { type, payload }) => {
   switch (type) {
+    case LOCATION_CHANGE_HANDLE:
+      if (payload.location.pathname === Paths.OIDC_CALLBACK) {
+        return {
+          ...state,
+          isSubmittingUsingOidc: true,
+        };
+      }
+
+      return state;
     case ActionTypes.AUTHENTICATE:
       return {
         ...state,
@@ -22,6 +35,7 @@ export default (state = initialState, { type, payload }) => {
         isSubmitting: true,
       };
     case ActionTypes.AUTHENTICATE__SUCCESS:
+    case ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS:
       return initialState;
     case ActionTypes.AUTHENTICATE__FAILURE:
       return {
@@ -29,6 +43,12 @@ export default (state = initialState, { type, payload }) => {
         isSubmitting: false,
         error: payload.error,
       };
+    case ActionTypes.USING_OIDC_AUTHENTICATE__FAILURE:
+      return {
+        ...state,
+        isSubmittingUsingOidc: false,
+        error: payload.error,
+      };
     case ActionTypes.AUTHENTICATE_ERROR_CLEAR:
       return {
         ...state,

client/src/sagas/core/index.js

@@ -1,7 +1,8 @@
-import { all, apply, fork, take } from 'redux-saga/effects';
+import { all, apply, fork, select, take } from 'redux-saga/effects';
 
 import watchers from './watchers';
 import services from './services';
+import selectors from '../../selectors';
 import { socket } from '../../api';
 import ActionTypes from '../../constants/ActionTypes';
 import Paths from '../../constants/Paths';
@@ -14,5 +15,12 @@ export default function* coreSaga() {
 
   yield take(ActionTypes.LOGOUT);
 
+  const oidcConfig = yield select(selectors.selectOidcConfig);
+
+  if (oidcConfig && oidcConfig.endSessionUrl !== null) {
+    // Redirect the user to the IDP to log out.
+    window.location.href = oidcConfig.endSessionUrl;
+  } else {
     window.location.href = Paths.LOGIN;
+  }
 }

client/src/sagas/core/services/core.js

@@ -1,13 +1,23 @@
-import { call, put, take } from 'redux-saga/effects';
+import { call, put, select, take } from 'redux-saga/effects';
 
 import request from '../request';
 import requests from '../requests';
+import selectors from '../../../selectors';
 import actions from '../../../actions';
 import api from '../../../api';
 import i18n from '../../../i18n';
 import { removeAccessToken } from '../../../utils/access-token-storage';
 
 export function* initializeCore() {
+  const currentConfig = yield select(selectors.selectConfig); // TODO: add boolean selector?
+
+  let config;
+  if (!currentConfig) {
+    ({ item: config } = yield call(api.getConfig)); // TODO: handle error
+
+    yield put(actions.initializeCore.fetchConfig(config));
+  }
+
   const {
     user,
     board,

client/src/sagas/core/services/router.js

@@ -33,15 +33,16 @@ export function* handleLocationChange() {
 
   switch (pathsMatch.pattern.path) {
     case Paths.LOGIN:
+    case Paths.OIDC_CALLBACK:
       yield call(goToRoot);
 
-      break;
+      return;
     default:
   }
 
-  const isCoreInitializing = yield select(selectors.selectIsCoreInitializing);
+  const isInitializing = yield select(selectors.selectIsInitializing);
 
-  if (isCoreInitializing) {
+  if (isInitializing) {
     yield take(ActionTypes.CORE_INITIALIZE);
   }
 

client/src/sagas/core/watchers/core.js

@@ -4,8 +4,5 @@ import services from '../services';
 import EntryActionTypes from '../../../constants/EntryActionTypes';
 
 export default function* coreWatchers() {
-  yield all([
+  yield all([takeEvery(EntryActionTypes.LOGOUT, () => services.logout())]);
-    takeEvery(EntryActionTypes.CORE_INITIALIZE, () => services.initializeCore()),
-    takeEvery(EntryActionTypes.LOGOUT, () => services.logout()),
-  ]);
 }

client/src/sagas/login/index.js

@@ -7,7 +7,9 @@ import ActionTypes from '../../constants/ActionTypes';
 export default function* loginSaga() {
   const watcherTasks = yield all(watchers.map((watcher) => fork(watcher)));
 
-  yield take(ActionTypes.AUTHENTICATE__SUCCESS);
+  yield fork(services.initializeLogin);
+
+  yield take([ActionTypes.AUTHENTICATE__SUCCESS, ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS]);
 
   yield cancel(watcherTasks);
   yield call(services.goToRoot);

client/src/sagas/login/services/login.js

@@ -1,19 +1,25 @@
-import { call, put } from 'redux-saga/effects';
+import { nanoid } from 'nanoid';
+import { call, put, select } from 'redux-saga/effects';
+import { replace } from '../../../lib/redux-router';
 
+import selectors from '../../../selectors';
 import actions from '../../../actions';
 import api from '../../../api';
 import { setAccessToken } from '../../../utils/access-token-storage';
+import Paths from '../../../constants/Paths';
+
+export function* initializeLogin() {
+  const { item: config } = yield call(api.getConfig); // TODO: handle error
+
+  yield put(actions.initializeLogin(config));
+}
 
 export function* authenticate(data) {
   yield put(actions.authenticate(data));
 
-  let accessToken = data.access_token;
+  let accessToken;
   try {
-    if (accessToken) {
-      ({ item: accessToken } = yield call(api.exchangeOidcToken, accessToken));
-    } else {
     ({ item: accessToken } = yield call(api.createAccessToken, data));
-    }
   } catch (error) {
     yield put(actions.authenticate.failure(error));
     return;
@@ -23,11 +29,76 @@ export function* authenticate(data) {
   yield put(actions.authenticate.success(accessToken));
 }
 
+export function* authenticateUsingOidc() {
+  const oidcConfig = yield select(selectors.selectOidcConfig);
+
+  const nonce = nanoid();
+  window.sessionStorage.setItem('oidc-nonce', nonce);
+  window.location.href = `${oidcConfig.authorizationUrl}&nonce=${encodeURIComponent(nonce)}`;
+}
+
+export function* authenticateUsingOidcCallback() {
+  // https://github.com/plankanban/planka/issues/511#issuecomment-1771385639
+  const params = new URLSearchParams(window.location.hash.substring(1) || window.location.search);
+
+  yield put(replace(Paths.LOGIN));
+
+  if (params.get('error') !== null) {
+    yield put(
+      actions.authenticateUsingOidc.failure(
+        new Error(
+          `OIDC Authorization error: ${params.get('error')}: ${params.get('error_description')}`,
+        ),
+      ),
+    );
+    return;
+  }
+
+  const nonce = window.sessionStorage.getItem('oidc-nonce');
+  if (nonce === null) {
+    yield put(
+      actions.authenticateUsingOidc.failure(
+        new Error('Unable to process OIDC response: no nonce issued'),
+      ),
+    );
+    return;
+  }
+
+  const code = params.get('code');
+  if (code === null) {
+    yield put(
+      actions.authenticateUsingOidc.failure(new Error('Invalid OIDC response: no code parameter')),
+    );
+    return;
+  }
+
+  window.sessionStorage.removeItem('oidc-nonce');
+
+  if (code !== null) {
+    let accessToken;
+    try {
+      ({ item: accessToken } = yield call(api.exchangeForAccessTokenUsingOidc, {
+        code,
+        nonce,
+      }));
+    } catch (error) {
+      yield put(actions.authenticateUsingOidc.failure(error));
+      return;
+    }
+
+    yield call(setAccessToken, accessToken);
+    yield put(actions.authenticateUsingOidc.success(accessToken));
+  }
+}
+
 export function* clearAuthenticateError() {
   yield put(actions.clearAuthenticateError());
 }
 
 export default {
+  initializeLogin,
   authenticate,
+  authenticateUsingOidc,
+  authenticateUsingOidcCallback,
   clearAuthenticateError,
 };

client/src/sagas/login/services/router.js

@@ -1,7 +1,9 @@
-import { call, put, select } from 'redux-saga/effects';
+import { call, put, select, take } from 'redux-saga/effects';
 import { push } from '../../../lib/redux-router';
 
+import { authenticateUsingOidcCallback } from './login';
 import selectors from '../../../selectors';
+import ActionTypes from '../../../constants/ActionTypes';
 import Paths from '../../../constants/Paths';
 
 export function* goToLogin() {
@@ -27,6 +29,17 @@ export function* handleLocationChange() {
       yield call(goToLogin);
 
       break;
+    case Paths.OIDC_CALLBACK: {
+      const isInitializing = yield select(selectors.selectIsInitializing);
+
+      if (isInitializing) {
+        yield take(ActionTypes.LOGIN_INITIALIZE);
+      }
+
+      yield call(authenticateUsingOidcCallback);
+
+      break;
+    }
     default:
   }
 }

client/src/sagas/login/watchers/login.js

@@ -8,6 +8,7 @@ export default function* loginWatchers() {
     takeEvery(EntryActionTypes.AUTHENTICATE, ({ payload: { data } }) =>
       services.authenticate(data),
     ),
+    takeEvery(EntryActionTypes.USING_OIDC_AUTHENTICATE, () => services.authenticateUsingOidc()),
     takeEvery(EntryActionTypes.AUTHENTICATE_ERROR_CLEAR, () => services.clearAuthenticateError()),
   ]);
 }

client/src/selectors/core.js

@@ -6,8 +6,6 @@ import Config from '../constants/Config';
 
 export const selectAccessToken = ({ auth: { accessToken } }) => accessToken;
 
-export const selectIsCoreInitializing = ({ core: { isInitializing } }) => isInitializing;
-
 export const selectIsLogouting = ({ core: { isLogouting } }) => isLogouting;
 
 const nextPosition = (items, index, excludedId) => {
@@ -115,7 +113,6 @@ export const selectNextTaskPosition = createSelector(
 
 export default {
   selectAccessToken,
-  selectIsCoreInitializing,
   selectIsLogouting,
   selectNextBoardPosition,
   selectNextLabelPosition,

client/src/selectors/index.js

@@ -1,5 +1,6 @@
 import router from './router';
 import socket from './socket';
+import root from './root';
 import core from './core';
 import modals from './modals';
 import users from './users';
@@ -16,6 +17,7 @@ import attachments from './attachments';
 export default {
   ...router,
   ...socket,
+  ...root,
   ...core,
   ...modals,
   ...users,

client/src/selectors/root.js

@@ -0,0 +1,11 @@
+export const selectIsInitializing = ({ root: { isInitializing } }) => isInitializing;
+
+export const selectConfig = ({ root: { config } }) => config;
+
+export const selectOidcConfig = (state) => selectConfig(state).oidc;
+
+export default {
+  selectIsInitializing,
+  selectConfig,
+  selectOidcConfig,
+};

client/src/utils/access-token-storage.js

@@ -1,5 +1,5 @@
 import Cookies from 'js-cookie';
-import jwtDecode from 'jwt-decode';
+import { jwtDecode } from 'jwt-decode';
 
 import Config from '../constants/Config';
 

docker-compose-db.yml

@@ -0,0 +1,16 @@
+version: '3'
+
+services:
+  postgres:
+    image: postgres:alpine
+    restart: unless-stopped
+    volumes:
+      - db-data:/var/lib/postgresql/data
+    ports:
+      - 5432:5432
+    environment:
+      - POSTGRES_DB=planka
+      - POSTGRES_HOST_AUTH_METHOD=trust
+
+volumes:
+  db-data:

docker-compose-dev.yml

@@ -1,16 +1,65 @@
 version: '3'
 
 services:
+  planka:
+    image: ghcr.io/plankanban/planka:dev
+    command: >
+      bash -c
+        "for i in `seq 1 30`; do
+          ./start.sh &&
+          s=$$? && break || s=$$?;
+          echo \"Tried $$i times. Waiting 5 seconds...\";
+          sleep 5;
+        done; (exit $$s)"
+    restart: unless-stopped
+    volumes:
+      - user-avatars:/app/public/user-avatars
+      - project-background-images:/app/public/project-background-images
+      - attachments:/app/private/attachments
+    ports:
+      - 3000:1337
+    environment:
+      - BASE_URL=http://localhost:3000
+      - DATABASE_URL=postgresql://postgres@postgres/planka
+      - SECRET_KEY=notsecretkey
+
+      # - TRUST_PROXY=0
+      # - TOKEN_EXPIRES_IN=365 # In days
+
+      # related: https://github.com/knex/knex/issues/2354
+      # As knex does not pass query parameters from the connection string we
+      # have to use environment variables in order to pass the desired values, e.g.
+      # - PGSSLMODE=<value>
+
+      # Configure knex to accept SSL certificates
+      # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
+
+      # - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
+      # - DEFAULT_ADMIN_PASSWORD=demo
+      # - DEFAULT_ADMIN_NAME=Demo Demo
+      # - DEFAULT_ADMIN_USERNAME=demo
+
+      # - OIDC_ISSUER=
+      # - OIDC_CLIENT_ID=
+      # - OIDC_CLIENT_SECRET=
+      # - OIDC_SCOPES=openid email profile
+      # - OIDC_ADMIN_ROLES=admin
+      # - OIDC_ROLES_ATTRIBUTE=groups
+      # - OIDC_IGNORE_ROLES=true
+    depends_on:
+      - postgres
+
   postgres:
-    image: postgres:alpine
+    image: postgres:14-alpine
     restart: unless-stopped
     volumes:
       - db-data:/var/lib/postgresql/data
-    ports:
-      - 5432:5432
     environment:
       - POSTGRES_DB=planka
       - POSTGRES_HOST_AUTH_METHOD=trust
 
 volumes:
+  user-avatars:
+  project-background-images:
+  attachments:
   db-data:

docker-compose.yml

@@ -20,15 +20,11 @@ services:
       - 3000:1337
     environment:
       - BASE_URL=http://localhost:3000
-      - TRUST_PROXY=0
       - DATABASE_URL=postgresql://postgres@postgres/planka
       - SECRET_KEY=notsecretkey
 
-      # Can be removed after installation
+      # - TRUST_PROXY=0
-      - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
+      # - TOKEN_EXPIRES_IN=365 # In days
-      - DEFAULT_ADMIN_PASSWORD=demo
-      - DEFAULT_ADMIN_NAME=Demo Demo
-      - DEFAULT_ADMIN_USERNAME=demo
 
       - MAIL_HOST=smtp.gmail.com
 
@@ -40,6 +36,19 @@ services:
 
       # Configure knex to accept SSL certificates
       # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
+
+      # - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
+      # - DEFAULT_ADMIN_PASSWORD=demo
+      # - DEFAULT_ADMIN_NAME=Demo Demo
+      # - DEFAULT_ADMIN_USERNAME=demo
+
+      # - OIDC_ISSUER=
+      # - OIDC_CLIENT_ID=
+      # - OIDC_CLIENT_SECRET=
+      # - OIDC_SCOPES=openid email profile
+      # - OIDC_ADMIN_ROLES=admin
+      # - OIDC_ROLES_ATTRIBUTE=groups
+      # - OIDC_IGNORE_ROLES=true
     depends_on:
       - postgres
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "planka",
-  "version": "1.12.0",
+  "version": "1.15.0",
   "private": true,
   "homepage": "https://plankanban.github.io/planka",
   "repository": {
@@ -56,17 +56,17 @@
     }
   },
   "dependencies": {
-    "concurrently": "^7.6.0",
-    "husky": "^8.0.2",
-    "lint-staged": "^13.0.3",
     "nodemailer": "^6.9.7",
     "nodemailer-direct-transport": "^3.3.2",
-    "nodemailer-smtp-transport": "^2.7.4"
+    "nodemailer-smtp-transport": "^2.7.4",
+    "concurrently": "^8.2.2",
+    "husky": "^8.0.3",
+    "lint-staged": "^15.1.0"
   },
   "devDependencies": {
-    "eslint": "^8.28.0",
+    "eslint": "^8.53.0",
-    "eslint-config-prettier": "^8.5.0",
+    "eslint-config-prettier": "^9.0.0",
-    "eslint-plugin-prettier": "^4.2.1",
+    "eslint-plugin-prettier": "^5.0.1",
-    "prettier": "^2.7.1"
+    "prettier": "^3.1.0"
   }
 }

server/.env.sample

@@ -4,13 +4,6 @@ BASE_URL=http://localhost:1337
 DATABASE_URL=postgresql://postgres@localhost/planka
 SECRET_KEY=notsecretkey
 
-## Can be removed after installation
-
-DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
-DEFAULT_ADMIN_PASSWORD=demo
-DEFAULT_ADMIN_NAME=Demo Demo
-DEFAULT_ADMIN_USERNAME=demo
-
 ## Optional
 
 # TRUST_PROXY=0
@@ -24,6 +17,19 @@ DEFAULT_ADMIN_USERNAME=demo
 # Configure knex to accept SSL certificates
 # KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
 
+# DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
+# DEFAULT_ADMIN_PASSWORD=demo
+# DEFAULT_ADMIN_NAME=Demo Demo
+# DEFAULT_ADMIN_USERNAME=demo
+
+# OIDC_ISSUER=
+# OIDC_CLIENT_ID=
+# OIDC_CLIENT_SECRET=
+# OIDC_SCOPES=openid email profile
+# OIDC_ADMIN_ROLES=admin
+# OIDC_ROLES_ATTRIBUTE=groups
+# OIDC_IGNORE_ROLES=true
+
 ## Do not edit this
 
 TZ=UTC

server/api/controllers/access-tokens/create.js

@@ -10,6 +10,9 @@ const Errors = {
   INVALID_PASSWORD: {
     invalidPassword: 'Invalid password',
   },
+  USE_SINGLE_SIGN_ON: {
+    useSingleSignOn: 'Use single sign-on',
+  },
 };
 
 const emailOrUsernameValidator = (value) =>
@@ -37,6 +40,9 @@ module.exports = {
     invalidPassword: {
       responseType: 'unauthorized',
     },
+    useSingleSignOn: {
+      responseType: 'forbidden',
+    },
   },
 
   async fn(inputs) {
@@ -51,6 +57,10 @@ module.exports = {
       throw Errors.INVALID_EMAIL_OR_USERNAME;
     }
 
+    if (user.isSso) {
+      throw Errors.USE_SINGLE_SIGN_ON;
+    }
+
     if (!bcrypt.compareSync(inputs.password, user.password)) {
       sails.log.warn(`Invalid password! (IP: ${remoteAddress})`);
       throw Errors.INVALID_PASSWORD;

server/api/controllers/access-tokens/exchange-using-oidc.js

@@ -0,0 +1,71 @@
+const { getRemoteAddress } = require('../../../utils/remoteAddress');
+
+const Errors = {
+  INVALID_CODE_OR_NONCE: {
+    invalidCodeOrNonce: 'Invalid code or nonce',
+  },
+  EMAIL_ALREADY_IN_USE: {
+    emailAlreadyInUse: 'Email already in use',
+  },
+  USERNAME_ALREADY_IN_USE: {
+    usernameAlreadyInUse: 'Username already in use',
+  },
+  MISSING_VALUES: {
+    missingValues: 'Unable to retrieve required values (email, name)',
+  },
+};
+
+module.exports = {
+  inputs: {
+    code: {
+      type: 'string',
+      required: true,
+    },
+    nonce: {
+      type: 'string',
+      required: true,
+    },
+  },
+
+  exits: {
+    invalidCodeOrNonce: {
+      responseType: 'unauthorized',
+    },
+    emailAlreadyInUse: {
+      responseType: 'conflict',
+    },
+    usernameAlreadyInUse: {
+      responseType: 'conflict',
+    },
+    missingValues: {
+      responseType: 'unprocessableEntity',
+    },
+  },
+
+  async fn(inputs) {
+    const remoteAddress = getRemoteAddress(this.req);
+
+    const user = await sails.helpers.users
+      .getOrCreateOneUsingOidc(inputs.code, inputs.nonce)
+      .intercept('invalidCodeOrNonce', () => {
+        sails.log.warn(`Invalid code or nonce! (IP: ${remoteAddress})`);
+        return Errors.INVALID_CODE_OR_NONCE;
+      })
+      .intercept('emailAlreadyInUse', () => Errors.EMAIL_ALREADY_IN_USE)
+      .intercept('usernameAlreadyInUse', () => Errors.USERNAME_ALREADY_IN_USE)
+      .intercept('missingValues', () => Errors.MISSING_VALUES);
+
+    const accessToken = sails.helpers.utils.createToken(user.id);
+
+    await Session.create({
+      accessToken,
+      remoteAddress,
+      userId: user.id,
+      userAgent: this.req.headers['user-agent'],
+    });
+
+    return {
+      item: accessToken,
+    };
+  },
+};

server/api/controllers/access-tokens/exchange.js

@@ -1,177 +0,0 @@
-const jwt = require('jsonwebtoken');
-const jwksClient = require('jwks-rsa');
-const openidClient = require('openid-client');
-const { getRemoteAddress } = require('../../../utils/remoteAddress');
-
-const Errors = {
-  INVALID_TOKEN: {
-    invalidToken: 'Access Token is invalid',
-  },
-  MISSING_VALUES: {
-    missingValues:
-      'Unable to retrieve required values. Verify the access token or UserInfo endpoint has email, username and name claims',
-  },
-};
-
-const jwks = jwksClient({
-  jwksUri: sails.config.custom.oidcJwksUri,
-  requestHeaders: {}, // Optional
-  timeout: 30000, // Defaults to 30s
-});
-
-const getJwtVerificationOptions = () => {
-  const options = {};
-  if (sails.config.custom.oidcIssuer) {
-    options.issuer = sails.config.custom.oidcIssuer;
-  }
-  if (sails.config.custom.oidcAudience) {
-    options.audience = sails.config.custom.oidcAudience;
-  }
-  return options;
-};
-
-const validateAndDecodeToken = async (accessToken, options) => {
-  const keys = await jwks.getSigningKeys();
-  let validToken = {};
-
-  const isTokenValid = keys.some((signingKey) => {
-    try {
-      const key = signingKey.getPublicKey();
-      validToken = jwt.verify(accessToken, key, options);
-      return 'true';
-    } catch (error) {
-      sails.log.error(error);
-    }
-    return false;
-  });
-
-  if (!isTokenValid) {
-    const tokenForLogging = jwt.decode(accessToken);
-    const remoteAddress = getRemoteAddress(this.req);
-
-    sails.log.warn(
-      `invalid token: sub: "${tokenForLogging.sub}" issuer: "${tokenForLogging.iss}" audience: "${tokenForLogging.aud}" exp: ${tokenForLogging.exp} (IP: ${remoteAddress})`,
-    );
-    throw Errors.INVALID_TOKEN;
-  }
-  return validToken;
-};
-
-const getUserInfo = async (accessToken, options) => {
-  if (sails.config.custom.oidcSkipUserInfo) {
-    return {};
-  }
-  const issuer = await openidClient.Issuer.discover(options.issuer);
-  const oidcClient = new issuer.Client({
-    client_id: 'irrelevant',
-  });
-  const userInfo = await oidcClient.userinfo(accessToken);
-  return userInfo;
-};
-const mergeUserData = (validToken, userInfo) => {
-  const oidcUser = { ...validToken, ...userInfo };
-  return oidcUser;
-};
-const getOrCreateUser = async (newUser) => {
-  const user = await User.findOne({
-    where: {
-      username: newUser.username,
-    },
-  });
-  if (user) {
-    return user;
-  }
-  return User.create(newUser).fetch();
-};
-module.exports = {
-  inputs: {
-    token: {
-      type: 'string',
-      required: true,
-    },
-  },
-
-  exits: {
-    invalidToken: {
-      responseType: 'unauthorized',
-    },
-    missingValues: {
-      responseType: 'unauthorized',
-    },
-  },
-
-  async fn(inputs) {
-    const options = getJwtVerificationOptions();
-    const validToken = await validateAndDecodeToken(inputs.token, options);
-    const userInfo = await getUserInfo(inputs.token, options);
-    const oidcUser = mergeUserData(validToken, userInfo);
-
-    const now = new Date();
-    let isAdmin = false;
-    if (sails.config.custom.oidcAdminRoles.includes('*')) isAdmin = true;
-    else if (Array.isArray(oidcUser[sails.config.custom.oidcRolesAttribute])) {
-      const userRoles = new Set(oidcUser[sails.config.custom.oidcRolesAttribute]);
-      isAdmin = sails.config.custom.oidcAdminRoles.findIndex((role) => userRoles.has(role)) > -1;
-    }
-
-    const newUser = {
-      email: oidcUser.email,
-      isAdmin,
-      name: oidcUser.name,
-      username: oidcUser.preferred_username,
-      subscribeToOwnCards: false,
-      createdAt: now,
-      updatedAt: now,
-      locked: true,
-    };
-
-    if (!newUser.email || !newUser.username || !newUser.name) {
-      sails.log.error(Errors.MISSING_VALUES.missingValues);
-      throw Errors.MISSING_VALUES;
-    }
-
-    const identityProviderUser = await IdentityProviderUser.findOne({
-      where: {
-        issuer: oidcUser.iss,
-        sub: oidcUser.sub,
-      },
-    }).populate('userId');
-
-    let user = identityProviderUser ? identityProviderUser.userId : {};
-    if (!identityProviderUser) {
-      user = await getOrCreateUser(newUser);
-      await IdentityProviderUser.create({
-        issuer: oidcUser.iss,
-        sub: oidcUser.sub,
-        userId: user.id,
-      });
-    }
-
-    const controlledFields = ['email', 'password', 'isAdmin', 'name', 'username'];
-    const updateFields = {};
-    controlledFields.forEach((field) => {
-      if (user[field] !== newUser[field]) {
-        updateFields[field] = newUser[field];
-      }
-    });
-
-    if (Object.keys(updateFields).length > 0) {
-      updateFields.updatedAt = now;
-      await User.updateOne({ id: user.id }).set(updateFields);
-    }
-
-    const plankaToken = sails.helpers.utils.createToken(user.id);
-
-    const remoteAddress = getRemoteAddress(this.req);
-    await Session.create({
-      accessToken: plankaToken,
-      remoteAddress,
-      userId: user.id,
-      userAgent: this.req.headers['user-agent'],
-    });
-
-    return {
-      item: plankaToken,
-    };
-  },
-};

server/api/controllers/appconfig/index.js

@@ -1,11 +0,0 @@
-module.exports = {
-  async fn() {
-    const config = {
-      authority: sails.config.custom.oidcIssuer,
-      clientId: sails.config.custom.oidcClientId,
-      redirectUri: sails.config.custom.oidcredirectUri,
-      scopes: sails.config.custom.oidcScopes,
-    };
-    return config;
-  },
-};

server/api/controllers/show-config.js

@@ -0,0 +1,22 @@
+module.exports = {
+  fn() {
+    let oidc = null;
+    if (sails.hooks.oidc.isActive()) {
+      const oidcClient = sails.hooks.oidc.getClient();
+
+      oidc = {
+        authorizationUrl: oidcClient.authorizationUrl({
+          scope: sails.config.custom.oidcScopes,
+          response_mode: 'fragment',
+        }),
+        endSessionUrl: oidcClient.issuer.end_session_endpoint ? oidcClient.endSessionUrl({}) : null,
+      };
+    }
+
+    return {
+      item: {
+        oidc,
+      },
+    };
+  },
+};

server/api/controllers/users/delete.js

@@ -1,4 +1,7 @@
 const Errors = {
+  NOT_ENOUGH_RIGHTS: {
+    notEnoughRights: 'Not enough rights',
+  },
   USER_NOT_FOUND: {
     userNotFound: 'User not found',
   },
@@ -14,6 +17,9 @@ module.exports = {
   },
 
   exits: {
+    notEnoughRights: {
+      responseType: 'forbidden',
+    },
     userNotFound: {
       responseType: 'notFound',
     },
@@ -27,7 +33,7 @@ module.exports = {
     }
 
     if (user.email === sails.config.custom.defaultAdminEmail) {
-      throw Errors.USER_NOT_FOUND; // Forbidden
+      throw Errors.NOT_ENOUGH_RIGHTS;
     }
 
     user = await sails.helpers.users.deleteOne.with({

server/api/controllers/users/update-email.js

@@ -1,6 +1,9 @@
 const bcrypt = require('bcrypt');
 
 const Errors = {
+  NOT_ENOUGH_RIGHTS: {
+    notEnoughRights: 'Not enough rights',
+  },
   USER_NOT_FOUND: {
     userNotFound: 'User not found',
   },
@@ -31,6 +34,9 @@ module.exports = {
   },
 
   exits: {
+    notEnoughRights: {
+      responseType: 'forbidden',
+    },
     userNotFound: {
       responseType: 'notFound',
     },
@@ -59,8 +65,8 @@ module.exports = {
       throw Errors.USER_NOT_FOUND;
     }
 
-    if (user.email === sails.config.custom.defaultAdminEmail) {
+    if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
-      throw Errors.USER_NOT_FOUND; // Forbidden
+      throw Errors.NOT_ENOUGH_RIGHTS;
     }
 
     if (

server/api/controllers/users/update-password.js

@@ -4,6 +4,9 @@ const zxcvbn = require('zxcvbn');
 const { getRemoteAddress } = require('../../../utils/remoteAddress');
 
 const Errors = {
+  NOT_ENOUGH_RIGHTS: {
+    notEnoughRights: 'Not enough rights',
+  },
   USER_NOT_FOUND: {
     userNotFound: 'User not found',
   },
@@ -33,6 +36,9 @@ module.exports = {
   },
 
   exits: {
+    notEnoughRights: {
+      responseType: 'forbidden',
+    },
     userNotFound: {
       responseType: 'notFound',
     },
@@ -58,8 +64,8 @@ module.exports = {
       throw Errors.USER_NOT_FOUND;
     }
 
-    if (user.email === sails.config.custom.defaultAdminEmail) {
+    if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
-      throw Errors.USER_NOT_FOUND; // Forbidden
+      throw Errors.NOT_ENOUGH_RIGHTS;
     }
 
     if (

server/api/controllers/users/update-username.js

@@ -1,6 +1,9 @@
 const bcrypt = require('bcrypt');
 
 const Errors = {
+  NOT_ENOUGH_RIGHTS: {
+    notEnoughRights: 'Not enough rights',
+  },
   USER_NOT_FOUND: {
     userNotFound: 'User not found',
   },
@@ -33,6 +36,9 @@ module.exports = {
   },
 
   exits: {
+    notEnoughRights: {
+      responseType: 'forbidden',
+    },
     userNotFound: {
       responseType: 'notFound',
     },
@@ -61,8 +67,8 @@ module.exports = {
       throw Errors.USER_NOT_FOUND;
     }
 
-    if (user.email === sails.config.custom.defaultAdminEmail) {
+    if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
-      throw Errors.USER_NOT_FOUND; // Forbidden
+      throw Errors.NOT_ENOUGH_RIGHTS;
     }
 
     if (

server/api/controllers/users/update.js

@@ -72,6 +72,12 @@ module.exports = {
       delete inputs.isAdmin;
       delete inputs.name;
       /* eslint-enable no-param-reassign */
+    } else if (user.isSso) {
+      if (!sails.config.custom.oidcIgnoreRoles) {
+        delete inputs.isAdmin; // eslint-disable-line no-param-reassign
+      }
+
+      delete inputs.name; // eslint-disable-line no-param-reassign
     }
 
     const values = {

server/api/helpers/users/create-one.js

@@ -9,7 +9,7 @@ const valuesValidator = (value) => {
     return false;
   }
 
-  if (!_.isString(value.password)) {
+  if (!_.isNil(value.password) && !_.isString(value.password)) {
     return false;
   }
 
@@ -40,6 +40,10 @@ module.exports = {
   async fn(inputs) {
     const { values } = inputs;
 
+    if (values.password) {
+      values.password = bcrypt.hashSync(values.password, 10);
+    }
+
     if (values.username) {
       values.username = values.username.toLowerCase();
     }
@@ -47,7 +51,6 @@ module.exports = {
     const user = await User.create({
       ...values,
       email: values.email.toLowerCase(),
-      password: bcrypt.hashSync(values.password, 10),
     })
       .intercept(
         {

server/api/helpers/users/delete-one.js

@@ -10,6 +10,10 @@ module.exports = {
   },
 
   async fn(inputs) {
+    await IdentityProviderUser.destroy({
+      userId: inputs.record.id,
+    });
+
     await ProjectManager.destroy({
       userId: inputs.record.id,
     });

server/api/helpers/users/get-or-create-one-using-oidc.js

@@ -0,0 +1,113 @@
+module.exports = {
+  inputs: {
+    code: {
+      type: 'string',
+      required: true,
+    },
+    nonce: {
+      type: 'string',
+      required: true,
+    },
+  },
+
+  exits: {
+    invalidCodeOrNonce: {},
+    missingValues: {},
+    emailAlreadyInUse: {},
+    usernameAlreadyInUse: {},
+  },
+
+  async fn(inputs) {
+    const client = sails.hooks.oidc.getClient();
+
+    let userInfo;
+    try {
+      const tokenSet = await client.callback(
+        sails.config.custom.oidcRedirectUri,
+        { code: inputs.code },
+        { nonce: inputs.nonce },
+      );
+      userInfo = await client.userinfo(tokenSet);
+    } catch (e) {
+      sails.log.warn(`Error while exchanging OIDC code: ${e}`);
+      throw 'invalidCodeOrNonce';
+    }
+
+    if (!userInfo.email || !userInfo.name) {
+      throw 'missingValues';
+    }
+
+    let isAdmin = false;
+    if (sails.config.custom.oidcAdminRoles.includes('*')) {
+      isAdmin = true;
+    } else {
+      const roles = userInfo[sails.config.custom.oidcRolesAttribute];
+      if (Array.isArray(roles)) {
+        // Use a Set here to avoid quadratic time complexity
+        const userRoles = new Set(userInfo[sails.config.custom.oidcRolesAttribute]);
+        isAdmin = sails.config.custom.oidcAdminRoles.findIndex((role) => userRoles.has(role)) > -1;
+      }
+    }
+
+    const values = {
+      isAdmin,
+      email: userInfo.email,
+      isSso: true,
+      name: userInfo.name,
+      username: userInfo.preferred_username,
+      subscribeToOwnCards: false,
+    };
+
+    let user;
+    // This whole block technically needs to be executed in a transaction
+    // with SERIALIZABLE isolation level (but Waterline does not support
+    // that), so this will result in errors if for example users are deleted
+    // concurrently with logging in via OIDC.
+    let identityProviderUser = await IdentityProviderUser.findOne({
+      issuer: sails.config.custom.oidcIssuer,
+      sub: userInfo.sub,
+    });
+
+    if (identityProviderUser) {
+      user = await sails.helpers.users.getOne(identityProviderUser.userId);
+    } else {
+      // If no IDP/User mapping exists, search for the user by email.
+      user = await sails.helpers.users.getOne({
+        email: values.email.toLowerCase(),
+      });
+
+      // Otherwise, create a new user.
+      if (!user) {
+        user = await sails.helpers.users
+          .createOne(values)
+          .intercept('usernameAlreadyInUse', 'usernameAlreadyInUse');
+      }
+
+      identityProviderUser = await IdentityProviderUser.create({
+        userId: user.id,
+        issuer: sails.config.custom.oidcIssuer,
+        sub: userInfo.sub,
+      });
+    }
+
+    const updateFieldKeys = ['email', 'isSso', 'name', 'username'];
+    if (!sails.config.custom.oidcIgnoreRoles) {
+      updateFieldKeys.push('isAdmin');
+    }
+
+    const updateValues = {};
+    // eslint-disable-next-line no-restricted-syntax
+    for (const k of updateFieldKeys) {
+      if (values[k] !== user[k]) updateValues[k] = values[k];
+    }
+
+    if (Object.keys(updateValues).length > 0) {
+      user = await sails.helpers.users
+        .updateOne(user, updateValues, {}) // FIXME: hack for last parameter
+        .intercept('emailAlreadyInUse', 'emailAlreadyInUse')
+        .intercept('usernameAlreadyInUse', 'usernameAlreadyInUse');
+    }
+
+    return user;
+  },
+};

server/api/hooks/oidc/index.js

@@ -0,0 +1,33 @@
+const openidClient = require('openid-client');
+
+module.exports = function oidcServiceHook(sails) {
+  let client = null;
+
+  return {
+    /**
+     * Runs when this Sails app loads/lifts.
+     */
+
+    async initialize() {
+      if (sails.config.custom.oidcIssuer) {
+        const issuer = await openidClient.Issuer.discover(sails.config.custom.oidcIssuer);
+
+        client = new issuer.Client({
+          client_id: sails.config.custom.oidcClientId,
+          client_secret: sails.config.custom.oidcClientSecret,
+          redirect_uris: [sails.config.custom.oidcRedirectUri],
+          response_types: ['code'],
+        });
+        sails.log.info('OIDC hook has been loaded successfully');
+      }
+    },
+
+    getClient() {
+      return client;
+    },
+
+    isActive() {
+      return client !== null;
+    },
+  };
+};

server/api/models/User.js

@@ -24,6 +24,11 @@ module.exports = {
       defaultsTo: false,
       columnName: 'is_admin',
     },
+    isSso: {
+      type: 'boolean',
+      defaultsTo: false,
+      columnName: 'is_sso',
+    },
     name: {
       type: 'string',
       required: true,
@@ -67,10 +72,6 @@ module.exports = {
       type: 'ref',
       columnName: 'password_changed_at',
     },
-    locked: {
-      type: 'boolean',
-      columnName: 'locked',
-    },
 
     //  ╔═╗╔╦╗╔╗ ╔═╗╔╦╗╔═╗
     //  ║╣ ║║║╠╩╗║╣  ║║╚═╗
@@ -109,12 +110,16 @@ module.exports = {
   tableName: 'user_account',
 
   customToJSON() {
+    const isDefaultAdmin = this.email === sails.config.custom.defaultAdminEmail;
+
     return {
-      ..._.omit(this, ['password', 'avatar', 'passwordChangedAt']),
+      ..._.omit(this, ['password', 'isSso', 'avatar', 'passwordChangedAt']),
+      isLocked: this.isSso || isDefaultAdmin,
+      isRoleLocked: (this.isSso && !sails.config.custom.oidcIgnoreRoles) || isDefaultAdmin,
+      isDeletionLocked: isDefaultAdmin,
       avatarUrl:
         this.avatar &&
         `${sails.config.custom.userAvatarsUrl}/${this.avatar.dirname}/square-100.${this.avatar.extension}`,
-      isLocked: this.email === sails.config.custom.defaultAdminEmail,
     };
   },
 };

server/config/custom.js

@@ -31,18 +31,20 @@ module.exports.custom = {
   attachmentsPath: path.join(sails.config.appPath, 'private', 'attachments'),
   attachmentsUrl: `${process.env.BASE_URL}/attachments`,
 
+  defaultAdminEmail: process.env.DEFAULT_ADMIN_EMAIL,
+
   oidcIssuer: process.env.OIDC_ISSUER,
-  oidcAudience: process.env.OIDC_AUDIENCE,
   oidcClientId: process.env.OIDC_CLIENT_ID,
-  oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
+  oidcClientSecret: process.env.OIDC_CLIENT_SECRET,
+  oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
   oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
-  oidcredirectUri: process.env.OIDC_REDIRECT_URI,
+  oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
-  oidcJwksUri: process.env.OIDC_JWKS_URI,
+  oidcIgnoreRoles: process.env.OIDC_IGNORE_ROLES === 'true',
-  oidcScopes: process.env.OIDC_SCOPES || 'openid profile email',
-  oidcSkipUserInfo: process.env.OIDC_SKIP_USER_INFO === 'true',
-
-  defaultAdminEmail: process.env.DEFAULT_ADMIN_EMAIL,
 
+  // TODO: move client base url to environment variable?
+  oidcRedirectUri: `${
+    sails.config.environment === 'production' ? process.env.BASE_URL : 'http://localhost:3000'
+  }/oidc-callback`,
   mailConnectorHost: process.env.MAIL_HOST,
   mailConnectorPort: process.env.MAIL_PORT || 25,
   mailConnectorEmail: 'Planka <planka-noreplay@test.com>',

server/config/policies.js

@@ -23,8 +23,8 @@ module.exports.policies = {
 
   'projects/create': ['is-authenticated', 'is-admin'],
 
+  'show-config': true,
   'access-tokens/create': true,
-  'access-tokens/exchange': true,
+  'access-tokens/exchange-using-oidc': true,
-  'appconfig/index': true,
   'mail/index': true,
 };

server/config/routes.js

@@ -9,12 +9,12 @@
  */
 
 module.exports.routes = {
-  'GET /api/appconfig': 'appconfig/index',
+  'GET /api/config': 'show-config',
 
   'POST /api/mail': 'mail/index',
 
   'POST /api/access-tokens': 'access-tokens/create',
-  'POST /api/access-tokens/exchange': 'access-tokens/exchange',
+  'POST /api/access-tokens/exchange-using-oidc': 'access-tokens/exchange-using-oidc',
   'DELETE /api/access-tokens/me': 'access-tokens/delete',
 
   'GET /api/users': 'users/index',

server/db/migrations/20230809022050_create_identity_provider_user.js

@@ -1,24 +0,0 @@
-module.exports.up = (knex) =>
-  knex.schema.createTable('identity_provider_user', (table) => {
-    /* Columns */
-
-    table.bigInteger('id').primary().defaultTo(knex.raw('next_id()'));
-    table.timestamp('created_at', true);
-    table.timestamp('updated_at', true);
-
-    table
-      .bigInteger('user_id')
-      .notNullable()
-      .references('id')
-      .inTable('user_account')
-      .onDelete('CASCADE');
-
-    table.text('issuer').notNullable();
-    table.text('sub').notNullable();
-
-    /* Indexes */
-
-    table.index('user_id');
-  });
-
-module.exports.down = (knex) => knex.schema.dropTable('identity_provider_user');

server/db/migrations/20230809022050_oidc_with_pkce_flow.js

@@ -0,0 +1,44 @@
+module.exports.up = async (knex) => {
+  await knex.schema.createTable('identity_provider_user', (table) => {
+    /* Columns */
+
+    table.bigInteger('id').primary().defaultTo(knex.raw('next_id()'));
+
+    table.bigInteger('user_id').notNullable();
+
+    table.text('issuer').notNullable();
+    table.text('sub').notNullable();
+
+    table.timestamp('created_at', true);
+    table.timestamp('updated_at', true);
+
+    /* Indexes */
+
+    table.unique(['issuer', 'sub']);
+    table.index('user_id');
+  });
+
+  await knex.schema.table('user_account', (table) => {
+    /* Columns */
+
+    table.boolean('is_sso').notNullable().default(false);
+
+    /* Modifications */
+
+    table.setNullable('password');
+  });
+
+  return knex.schema.alterTable('user_account', (table) => {
+    table.boolean('is_sso').notNullable().alter();
+  });
+};
+
+module.exports.down = async (knex) => {
+  await knex.schema.dropTable('identity_provider_user');
+
+  return knex.schema.table('user_account', (table) => {
+    table.dropColumn('is_sso');
+
+    table.dropNullable('password');
+  });
+};

server/db/migrations/20230809024146_all_null_password_field.js

@@ -1,11 +0,0 @@
-module.exports.up = async (knex) => {
-  return knex.schema.table('user_account', (table) => {
-    table.setNullable('password');
-  });
-};
-
-module.exports.down = async (knex) => {
-  return knex.schema.table('user_account', (table) => {
-    table.dropNullable('password');
-  });
-};

server/db/migrations/20230809025904_add_lock_to_user_account.js

@@ -1,11 +0,0 @@
-module.exports.up = async (knex) => {
-  return knex.schema.table('user_account', (table) => {
-    table.boolean('locked').default(false);
-  });
-};
-
-module.exports.down = async (knex) => {
-  return knex.schema.table('user_account', (table) => {
-    table.dropColumn('locked');
-  });
-};

server/db/seeds/default.js

@@ -3,6 +3,7 @@ const bcrypt = require('bcrypt');
 const buildData = () => {
   const data = {
     isAdmin: true,
+    isSso: false,
   };
 
   if (process.env.DEFAULT_ADMIN_PASSWORD) {
@@ -33,10 +34,6 @@ exports.seed = async (knex) => {
       createdAt: new Date().toISOString(),
     });
   } catch (error) {
-    if (Object.keys(data).length === 0) {
-      return;
-    }
-
     await knex('user_account').update(data).where('email', process.env.DEFAULT_ADMIN_EMAIL);
   }
 };

server/package.json

@@ -27,40 +27,39 @@
     }
   },
   "dependencies": {
-    "bcrypt": "^5.1.0",
+    "bcrypt": "^5.1.1",
-    "dotenv": "^16.0.3",
+    "dotenv": "^16.3.1",
-    "dotenv-cli": "^6.0.0",
+    "dotenv-cli": "^7.3.0",
     "filenamify": "^4.3.0",
-    "jsonwebtoken": "^9.0.0",
+    "jsonwebtoken": "^9.0.2",
-    "jwks-rsa": "^3.0.1",
+    "knex": "^3.0.1",
-    "knex": "^2.3.0",
     "lodash": "^4.17.21",
     "moment": "^2.29.4",
     "move-file": "^2.1.0",
     "nodemailer": "^6.9.7",
-    "openid-client": "^5.4.3",
+    "openid-client": "^5.6.1",
-    "rimraf": "^3.0.2",
+    "rimraf": "^5.0.5",
-    "sails": "^1.5.3",
+    "sails": "^1.5.7",
     "sails-hook-orm": "^4.0.2",
-    "sails-hook-sockets": "^2.0.3",
+    "sails-hook-sockets": "^2.0.4",
     "sails-postgresql-redacted": "^1.0.2-9",
-    "sharp": "^0.31.2",
+    "sharp": "^0.32.6",
     "stream-to-array": "^2.3.0",
-    "uuid": "^9.0.0",
+    "uuid": "^9.0.1",
-    "validator": "^13.7.0",
+    "validator": "^13.11.0",
-    "winston": "^3.8.2",
+    "winston": "^3.11.0",
     "zxcvbn": "^4.4.2"
   },
   "devDependencies": {
-    "chai": "^4.3.7",
+    "chai": "^4.3.10",
-    "eslint": "^8.28.0",
+    "eslint": "^8.53.0",
     "eslint-config-airbnb-base": "^15.0.0",
-    "eslint-plugin-import": "^2.26.0",
+    "eslint-plugin-import": "^2.29.0",
-    "mocha": "^10.1.0",
+    "mocha": "^10.2.0",
-    "nodemon": "^2.0.20",
+    "nodemon": "^3.0.1",
-    "supertest": "^6.3.1"
+    "supertest": "^6.3.3"
   },
   "engines": {
-    "node": "^12.10"
+    "node": ">=18"
   }
 }