Merge pull request #5019 from kobotoolbox/sso-auth-issue-zip-exports

Fix session authentication bug which blocks media and legacy exports
kobotoolbox · Jul 30, 2024 · 6d3db49 · 6d3db49
2 parents c50dd64 + a320ea7
commit 6d3db49
Show file tree

Hide file tree

Showing 4 changed files with 133 additions and 22 deletions.
diff --git a/kobo/apps/accounts/adapter.py b/kobo/apps/accounts/adapter.py
@@ -2,7 +2,7 @@
 from allauth.account.forms import SignupForm
 from constance import config
 from django.conf import settings
-from django.contrib.auth import REDIRECT_FIELD_NAME
+from django.contrib.auth import REDIRECT_FIELD_NAME, login
 from django.db import transaction
 from django.shortcuts import resolve_url
 from django.template.response import TemplateResponse
@@ -17,6 +17,14 @@
 
 class AccountAdapter(DefaultAccountAdapter):
 
+    def is_open_for_signup(self, request):
+        return config.REGISTRATION_OPEN
+
+    def login(self, request, user):
+        # Override django-allauth login method to use specified authentication backend
+        user.backend = settings.AUTHENTICATION_BACKENDS[0]
+        super().login(request, user)
+
     def pre_login(self, request, user, **kwargs):
 
         if parent_response := super().pre_login(request, user, **kwargs):
@@ -61,9 +69,6 @@ def pre_login(self, request, user, **kwargs):
                 context=context,
             )
 
-    def is_open_for_signup(self, request):
-        return config.REGISTRATION_OPEN
-
     def save_user(self, request, user, form, commit=True):
         # Compare allauth SignupForm with our custom field
         standard_fields = set(SignupForm().fields.keys())

diff --git a/kobo/apps/accounts/tests/constants.py b/kobo/apps/accounts/tests/constants.py
@@ -0,0 +1,15 @@
+SOCIALACCOUNT_PROVIDERS = {
+    'openid_connect': {
+        'SERVERS': [
+            {
+                'id': 'test-app',
+                'name': 'Test App',
+                'server_url': 'http://testserver/oauth',
+                'APP': {
+                    'client_id': 'test.service.id',
+                    'secret': 'test.service.secret',
+                },
+            }
+        ]
+    }
+}
diff --git a/kobo/apps/accounts/tests/test_backend.py b/kobo/apps/accounts/tests/test_backend.py
@@ -0,0 +1,106 @@
+import json
+from mock import patch
+
+import responses
+from allauth.socialaccount.models import SocialAccount, SocialApp
+from django.conf import settings
+from django.test.utils import override_settings
+from django.test import TestCase
+from django.urls import reverse
+from rest_framework import status
+
+# TODO Replace this two lines with the two commented out below when merge with
+#   release 2.024.25
+from django.contrib.auth import get_user_model
+User = get_user_model()
+
+# from kobo.apps.openrosa.apps.main.models import UserProfile
+# from kobo.apps.kobo_auth.shortcuts import User
+from .constants import SOCIALACCOUNT_PROVIDERS
+
+
+class SSOLoginTest(TestCase):
+
+    def setUp(self):
+        # Create a user for the test
+        testuser = User.objects.create_user(
+            username='testuser',
+            email='testuser@testserver',
+            password='password',
+        )
+
+        # Will be needed when merged in release/2.024.25
+        # UserProfile.objects.create(user=testuser)
+
+        # Delete any social app that could be added by migration
+        # `0007_add_providers_from_environment_to_db`
+        SocialApp.objects.all().delete()
+
+        self.extra_data = {
+            'username': 'testuser',
+            'sub': 'testuser',  # `sub` is required by django allauth
+            'preferred_username': 'testuser',
+            'email': 'testuser@testserver',
+        }
+
+        # Create a social account for user
+        self.social_account = SocialAccount.objects.create(
+            user=testuser,
+            provider='test-app',
+            uid='testuser',
+            extra_data=self.extra_data,
+        )
+
+    @override_settings(SOCIALACCOUNT_PROVIDERS=SOCIALACCOUNT_PROVIDERS)
+    @responses.activate
+    @patch('allauth.socialaccount.models.SocialLogin.verify_and_unstash_state')
+    def test_keep_django_auth_backend_with_sso(self, mock_verify_and_unstash_state):
+        mock_verify_and_unstash_state.return_value = {'process': 'login'}
+
+        # Mock `requests` responses to fool django-allauth
+        responses.add(
+            responses.GET,
+            'http://testserver/oauth/.well-known/openid-configuration',
+            status=status.HTTP_200_OK,
+            content_type='application/json',
+            body=json.dumps({
+                'token_endpoint': 'http://testserver/oauth/token',
+                'authorization_endpoint': 'http://testserver/oauth/authorize',
+                'userinfo_endpoint': 'http://testserver/oauth/userinfo',
+            }),
+        )
+
+        responses.add(
+            responses.POST,
+            'http://testserver/oauth/token',
+            status=status.HTTP_200_OK,
+            content_type='application/json',
+            body=json.dumps({
+                'access_token': 'mock_access_token',
+                'refresh_token': 'mock_refresh_token'
+            }),
+        )
+
+        responses.add(
+            responses.GET,
+            'http://testserver/oauth/userinfo',
+            status=status.HTTP_200_OK,
+            content_type='application/json',
+            body=json.dumps(self.extra_data),
+        )
+
+        # Get SSO provider callback URL
+        sso_login_url = reverse(
+            'openid_connect_callback', args=('openid_connect',)
+        )
+
+        # Simulate GET request to SSO provider
+        mock_sso_response = {'code': 'foobar'}
+        response = self.client.get(sso_login_url, data=mock_sso_response)
+
+        # Ensure user is logged in
+        self.assertEqual(response.status_code, status.HTTP_302_FOUND)
+        self.assertRedirects(response, reverse(settings.LOGIN_REDIRECT_URL))
+
+        self.assertTrue(response.wsgi_request.user.is_authenticated)
+        assert response.wsgi_request.user.backend == settings.AUTHENTICATION_BACKENDS[0]
diff --git a/kobo/apps/accounts/tests/test_templatetags.py b/kobo/apps/accounts/tests/test_templatetags.py
@@ -1,24 +1,9 @@
-from django.test import TestCase, override_settings
 from allauth.socialaccount.models import SocialApp
+from django.test import TestCase, override_settings
+
 from kobo.apps.accounts.models import SocialAppCustomData
 from kobo.apps.accounts.templatetags.get_provider_appname import get_social_apps
-
-# example app setup for testing
-SOCIALACCOUNT_PROVIDERS = {
-    "openid_connect": {
-        "SERVERS": [
-            {
-                "id": "test-app",
-                "name": "Test App",
-                "server_url": "https://example.org/oauth",
-                "APP": {
-                    "client_id": "test.service.id",
-                    "secret": "test.service.secret",
-                },
-            }
-        ]
-    }
-}
+from .constants import SOCIALACCOUNT_PROVIDERS
 
 
 @override_settings(SOCIALACCOUNT_PROVIDERS=SOCIALACCOUNT_PROVIDERS)