LAB/rommapp_romm
1
0
Fork 0
mirror of https://github.com/rommapp/romm.git synced 2026-05-04 00:01:30 +08:00
Code Issues Packages Projects Releases Wiki Activity
9,325 Commits 46 Branches 175 Tags
Commit Graph

76 Commits

Author SHA1 Message Date
Georges-Antoine Assi
997e2c44aa
start pre-4.8 cleanup 2026-03-12 23:02:12 -04:00
nendo
ea5b7546aa refactor: address PR #3114 review feedback 
- Use atomic getdel for pairing code exchange
- Add cascade="all, delete-orphan" to User.client_tokens
- Move generate/hash_client_token into AuthHandler as static methods
- Extract endpoint helpers to utils/client_tokens.py
 2026-03-11 10:56:35 +09:00
nendo
e0b25fbc6c feat(client-tokens): add client API tokens with QR pairing flow 
Long-lived, revocable, scope-restricted tokens for external clients
(mobile apps, retro handhelds, third-party tools). Includes:

- Backend: model, migration, DB handler, auth integration (rmm_ prefix
  routing in HybridAuthBackend), CRUD + pairing + exchange endpoints,
  rate limiting, scope intersection enforcement, admin oversight
- Frontend: settings page with token management table, stepped
  create/deliver dialog (config -> copy/pair), QR code with RomM logo,
  admin token table, standalone /pair page for QR scan landing
- /pair page supports custom-scheme callbacks for app deep linking,
  falls back to displaying code for manual entry
- 33 backend tests across 5 classes (CRUD, auth, isolation, pairing,
  admin)
 2026-03-11 10:56:35 +09:00
HydroSulphide
b9ea937373
Merge branch 'master' into fix-oauth-token-expiry-and-refresh-rotation 2026-03-10 08:51:44 +01:00
HydroSulphide
fd788684b9 fix: TOCTOU race condition allows duplicate refresh token use 2026-03-10 08:38:32 +01:00
HydroSulphide
02336974a6 Implemented greptile suggestions 2026-03-10 08:04:07 +01:00
HydroSulphide
8758cb31b7 Tried to fix everything the bot complained about and the failed pytests. 
Three tests were also implemented to check initial implementation that now invalidates expired access and refresh tokens and also rotating refresh tokens.

Since I introduced wrapper functions for create_oauth_token to distinguish between access and refresh token there is no need to set the token type in the data dict, since the type is now enforced in the wrapper functions create_access_token and create_refresh_token.

By convention I renamed create_oauth_token to _create_oauth_token as it is considered a private helper function now.
 2026-03-10 07:22:02 +01:00
copilot-swe-agent[bot]
2a7c86e304 Fix OIDC login downgrading existing user roles when no claims provided 
Co-authored-by: pacnpal <183241239+pacnpal@users.noreply.github.com>
 2026-03-09 18:26:49 +00:00
HydroSulphide
41f64eb42b fix: oauth token invalidation on expiration date and rotating refresh token 2026-03-09 17:03:29 +01:00
Georges-Antoine Assi
e2ece6b938
run fmt 2026-03-08 22:54:58 -04:00
copilot-swe-agent[bot]
53b0b9021b Switch invite token expiration unit from minutes to seconds 
Co-authored-by: gantoine <3247106+gantoine@users.noreply.github.com>
 2026-03-09 02:48:21 +00:00
copilot-swe-agent[bot]
5f309639af Make invite token expiration configurable via env var and UI 
Co-authored-by: gantoine <3247106+gantoine@users.noreply.github.com>
 2026-03-09 01:43:53 +00:00
Georges-Antoine Assi
baddeea972
type ignore 2025-12-08 12:58:01 -05:00
Georges-Antoine Assi
85bf51d088
raise error is prefered username is none 2025-12-08 12:57:20 -05:00
Georges-Antoine Assi
50ddb42c25
[ROMM-2748] Add OIDC_USERNAME_ATTRIBUTE 2025-12-08 10:27:15 -05:00
Georges-Antoine Assi
f2774b9395
Merge pull request #2716 from rommapp/redis-backed-sessions 
Add redis-backed session middleware
 2025-11-22 18:40:43 -05:00
Georges-Antoine Assi
615e3132e4
changes from bot review 2025-11-22 10:55:14 -05:00
Georges-Antoine Assi
27e02fa2a2
consume the token as soon as its read 2025-11-22 10:51:41 -05:00
Georges-Antoine Assi
ec6bb24662
Add new redis-backed session middleware 2025-11-22 10:47:59 -05:00
Tarow
cb2015fc4d fix: type error when role claim is null 2025-10-19 11:49:31 +02:00
Georges-Antoine Assi
154df816cf
only set algos on decode calls 2025-10-03 12:54:42 -04:00
Georges-Antoine Assi
d863ca9e90
Explicitly set supported algorithms on jwt encode/decode 2025-10-03 11:18:01 -04:00
Michon van Dooren
240f348f92
Add support for OIDC role claim 2025-09-29 22:27:10 +02:00
Michael Manganiello
e4e3928d1b
misc: Apply import sorting 2025-09-04 11:17:00 -03:00
Georges-Antoine Assi
9079954a3c
fix tests 2025-07-19 22:27:05 -04:00
Michael Manganiello
252722e3bc
misc: Apply pyupgrade changes for Python 3.12 compatibility 
Command applied:
```
find ./backend/ -type f -name "*.py" -exec pyupgrade --py312-plus {} \;
```
 2025-06-29 12:27:16 -03:00
mjmfighter
c709b8ae2e fix: correct user creation logic in OpenIDHandler 2025-05-21 23:07:53 -05:00
zurdi
0d09f510de
feat: implement invite link creation with role assignment and user registration 2025-05-13 22:28:46 +00:00
zurdi
1c7f8fff88
feat: add InviteLink dialog and update invite link handling in user table 2025-05-13 17:52:33 +00:00
zurdi
500ff5e67f
add: endpoint to generate invite link token 2025-05-13 17:40:07 +00:00
zurdi
1103700d00
feat: implement one-time use for password reset tokens with Redis 2025-05-13 09:36:14 +00:00
zurdi
d27f4d626b
feat: Reset forgotten password added 2025-05-13 09:35:53 +00:00
zurdi
14761c2c83
refactor: enhance logging with highlighted output for improved readability 2025-05-09 09:05:59 +00:00
Michael Manganiello
7fedaca59a
fix: Improve OIDC email verified check 
The OIDC email verified check now fails if the email is explicitly
unverified, or if the `email_verified` claim is supported and the email
is not explicitly verified.

Previously, the OIDC implementation failed for any OIDC provider that
did not include the `email_verified` claim in the userinfo response.
Providers like Synology do not include this claim, so the check always
failed with error "Email is not verified."

I haven't found a formal specification for the `email_verified` claim,
and how it should be handled, but this implementation should be more
robust and work with more OIDC providers.

Fixes #1446.
 2025-01-09 00:55:20 -03:00
Michael Manganiello
865370ec13
misc: Move auth constants to separate file 
This simplifies avoiding circular imports when trying to use auth
handlers.
 2025-01-08 22:16:31 -03:00
Georges-Antoine Assi
4473b6e498
fix formatting and tests 2024-12-28 10:11:36 -05:00
Anthony Uk
d96f11d56f Fix preferred_username 2024-12-28 07:11:23 +01:00
Anthony Uk
920aee5095 Rework OIDC base_handler 2024-12-28 07:05:29 +01:00
zurdi
f6673dd707
fix: Use preferred_username for new user creation instead of email prefix 2024-12-27 15:43:37 +00:00
zurdi
ff03d8e125
refactor: Remove OIDC_CREATE_USER configuration and generate an uuid in a OIDC created user password 2024-12-27 14:49:23 +00:00
zurdi
ffbebc2f46
fix: Rename CREATE_OIDC_USER to OIDC_CREATE_USER for consistency 2024-12-27 12:32:49 +00:00
zurdi
e52ebcbc5a
feat: Add CREATE_OIDC_USER configuration to enable automatic user creation 2024-12-27 12:04:49 +00:00
Georges-Antoine Assi
dbb3b6083b
only json() once 2024-12-23 14:03:24 -05:00
Georges-Antoine Assi
8332c7b27b
fetch jwks_url from server metadata endppoint 2024-12-23 09:34:38 -05:00
Georges-Antoine Assi
37db255328
refactor oidc handler and fix tests 2024-12-18 10:49:45 -05:00
Georges-Antoine Assi
34d49e6494
changes from self review 2024-12-13 11:33:39 -05:00
Georges-Antoine Assi
2d5bc34e9c
add tests for oidc handler 2024-12-12 17:37:30 -05:00
Georges-Antoine Assi
82ac766c9e
oidc login using email 2024-12-12 10:08:27 -05:00
Georges-Antoine Assi
0e2866f0f5
dont setup OIDC if disabled 2024-12-11 23:20:21 -05:00
Georges-Antoine Assi
cae4089ccf
add email field 2024-12-09 19:57:13 -05:00