fix(login, inpn): fix login via inpn cas

Co-authored-by: jacquesfize <jacques.fize@ecrins-parcnational.fr> Co-authored-by: Pierre Narcisi <pierre.narcisi@mnhn.fr>
PnX-SI · Apr 23, 2024 · 4af79a4 · 4af79a4
1 parent af7ffbe
commit 4af79a4
Show file tree

Hide file tree

Showing 7 changed files with 76 additions and 9 deletions.
diff --git a/backend/dependencies/UsersHub-authentification-module b/backend/dependencies/UsersHub-authentification-module
diff --git a/backend/geonature/core/auth/routes.py b/backend/geonature/core/auth/routes.py
@@ -19,9 +19,12 @@
     session,
     Response,
 )
+from flask_login import login_user
+import sqlalchemy as sa
 from sqlalchemy import select
 from utils_flask_sqla.response import json_resp
 
+from pypnusershub.db import models
 from pypnusershub.db.models import User, Organisme, Application
 from pypnusershub.db.tools import encode_token
 from pypnusershub.routes import insert_or_update_organism, insert_or_update_role
@@ -94,7 +97,9 @@ def loginCas():
                 .id_application
             )
             token = encode_token(data)
-            response.set_cookie("token", token, expires=cookie_exp)
+
+            token_exp = datetime.datetime.now(datetime.timezone.utc)
+            token_exp += datetime.timedelta(seconds=current_app.config["COOKIE_EXPIRATION"])
 
             # User cookie
             organism_id = info_user["codeOrganisme"]
@@ -111,7 +116,15 @@ def loginCas():
                 "id_role": data["id_role"],
                 "id_organisme": organism_id,
             }
-            response.set_cookie("current_user", str(current_user), expires=cookie_exp)
+
+            # Log the user in
+            user = db.session.execute(
+                sa.select(models.User)
+                .where(models.User.identifiant == current_user["user_login"])
+                .where(models.User.filter_by_app())
+            ).scalar_one()
+            login_user(user)
+
             return response
         else:
             log.info("Erreur d'authentification lié au CAS, voir log du CAS")

diff --git a/frontend/src/app/app.module.ts b/frontend/src/app/app.module.ts
@@ -51,7 +51,7 @@ export function createTranslateLoader(http: HttpClient) {
 import { UserDataService } from './userModule/services/user-data.service';
 import { NotificationDataService } from './components/notification/notification-data.service';
 
-import { UserPublicGuard } from '@geonature/modules/login/routes-guard.service';
+import { UserCasGuard, UserPublicGuard } from '@geonature/modules/login/routes-guard.service';
 
 export function loadConfig(injector) {
   const configService = injector.get(ConfigService);
@@ -111,6 +111,7 @@ export function initApp(injector) {
   ],
   providers: [
     AuthService,
+    UserCasGuard,
     AuthGuard,
     ModuleService,
     ToastrService,

diff --git a/frontend/src/app/components/auth/auth.service.ts b/frontend/src/app/components/auth/auth.service.ts
@@ -156,7 +156,7 @@ export class AuthService {
   }
 
   isAuthenticated(): boolean {
-    return this._cookie.get('token') !== null;
+    return this._cookie.check('gn_id_token') && this._cookie.get('gn_id_token') !== null;
   }
 
   handleLoginError() {

diff --git a/frontend/src/app/modules/login/login/login.component.ts b/frontend/src/app/modules/login/login/login.component.ts
@@ -3,6 +3,7 @@ import { UntypedFormGroup } from '@angular/forms';
 
 import { CommonService } from '@geonature_common/service/common.service';
 
+import { CookieService } from 'ng2-cookies';
 import { AuthService } from '../../../components/auth/auth.service';
 import { ConfigService } from '@geonature/services/config.service';
 import { ModuleService } from '@geonature/services/module.service';
@@ -34,7 +35,8 @@ export class LoginComponent implements OnInit {
     private moduleService: ModuleService,
     private router: Router,
     private route: ActivatedRoute,
-    private _routingService: RoutingService
+    private _routingService: RoutingService,
+    private _cookie: CookieService
   ) {
     this.enablePublicAccess = this.config.PUBLIC_ACCESS_USERNAME;
     this.APP_NAME = this.config.appName;
@@ -49,7 +51,9 @@ export class LoginComponent implements OnInit {
     if (this.config.CAS_PUBLIC.CAS_AUTHENTIFICATION) {
       // if token not here here, redirection to CAS login page
       const url_redirection_cas = `${this.config.CAS_PUBLIC.CAS_URL_LOGIN}?service=${this.config.API_ENDPOINT}/gn_auth/login_cas`;
-      document.location.href = url_redirection_cas;
+      if (!this._authService.isLoggedIn()) {
+        document.location.href = url_redirection_cas;
+      }
     }
   }
 

diff --git a/frontend/src/app/modules/login/routes-guard.service.ts b/frontend/src/app/modules/login/routes-guard.service.ts
@@ -1,8 +1,17 @@
+import { HttpClient } from '@angular/common/http';
 import { Injectable } from '@angular/core';
-import { CanActivate, Router } from '@angular/router';
+import {
+  ActivatedRouteSnapshot,
+  CanActivate,
+  CanActivateChild,
+  Router,
+  RouterStateSnapshot,
+  UrlTree,
+} from '@angular/router';
 
 import { AuthService } from '@geonature/components/auth/auth.service';
 import { ConfigService } from '@geonature/services/config.service';
+import { Observable } from 'rxjs';
 
 @Injectable()
 export class SignUpGuard implements CanActivate {
@@ -62,3 +71,38 @@ export class UserPublicGuard implements CanActivate {
     return true;
   }
 }
+
+@Injectable()
+export class UserCasGuard implements CanActivate, CanActivateChild {
+  /*
+  A guard used to prevent public user from accessing certain routes :
+  - Used to prevent public user from accessing the "/user" route in which the user can see and change its own information
+  */
+
+  constructor(
+    private _router: Router,
+    public authService: AuthService,
+    public _configService: ConfigService,
+    private _httpclient: HttpClient
+  ) {}
+  canActivateChild(
+    childRoute: ActivatedRouteSnapshot,
+    state: RouterStateSnapshot
+  ): boolean | UrlTree | Observable<boolean | UrlTree> | Promise<boolean | UrlTree> {
+    return this.canActivate();
+  }
+
+  async canActivate(): Promise<boolean> {
+    let res: boolean = false;
+    if (this._configService.CAS_PUBLIC.CAS_AUTHENTIFICATION) {
+      let data = await this._httpclient
+        .get(`${this._configService.API_ENDPOINT}/auth/get_current_user`)
+        .toPromise();
+      data = { ...data };
+      this.authService.manageUser(data);
+      res = this.authService.isLoggedIn();
+      return res;
+    }
+    return true;
+  }
+}
diff --git a/frontend/src/app/routing/app-routing.module.ts b/frontend/src/app/routing/app-routing.module.ts
@@ -4,7 +4,11 @@ import { HomeContentComponent } from '../components/home-content/home-content.co
 import { PageNotFoundComponent } from '../components/page-not-found/page-not-found.component';
 import { AuthGuard } from '@geonature/routing/auth-guard.service';
 import { ModuleGuardService } from '@geonature/routing/module-guard.service';
-import { SignUpGuard, UserPublicGuard } from '@geonature/modules/login/routes-guard.service';
+import {
+  SignUpGuard,
+  UserCasGuard,
+  UserPublicGuard,
+} from '@geonature/modules/login/routes-guard.service';
 import { SignUpComponent } from '../modules/login/sign-up/sign-up.component';
 
 import { UserManagementGuard } from '@geonature/modules/login/routes-guard.service';
@@ -36,6 +40,7 @@ const defaultRoutes: Routes = [
   {
     path: '',
     component: NavHomeComponent,
+    canActivate: [UserCasGuard],
     canActivateChild: [AuthGuard],
     children: [
       {