reef-technologies · kkowalski-reef · Jul 2, 2024 · May 13, 2024 · May 19, 2024 · May 29, 2024
diff --git a/cookiecutter.json b/cookiecutter.json
@@ -13,6 +13,7 @@
     "use_flower": "n",
     "use_fingerprinting": "n",
     "use_channels": "y",
+    "use_allauth": "n",
     "sentry_dsn": "",
     "csp_enabled": "n",
     "csp_report_only": "y",

diff --git a/{{cookiecutter.repostory_name}}/README.md b/{{cookiecutter.repostory_name}}/README.md
@@ -100,6 +100,39 @@ If one wants to deploy other branch, force may be used to push desired branch to
 ```sh
 git push --force production local-branch-to-deploy:master
 ```
+{% if cookiecutter.use_allauth == 'y' %}
+# External auth (OAuth, OpenID connect etc.)
+To enable an external authentication mechanism, first determine that the service you want to use is either:
+- available as a provider in allauth: https://docs.allauth.org/en/latest/socialaccount/providers/index.html
+- supports OpenID Connect
+
+> Note: this can be configured either statically in settings.py or dynamically via django admin.
+
+## Setting up a specific service
+1. Include the provider for the service in `INSTALLED_APPS` (check out https://docs.allauth.org/en/latest/installation/quickstart.html)
+2. Follow the guide for your provider (e.g. https://docs.allauth.org/en/latest/socialaccount/providers/google.html)
+   - keep in mind the provided config can be created in django admin instead of settings.py
+
+## Setting up a generic OpenID Connect service
+1. Include the `allauth.socialaccount.providers.openid_connect` provider for the service in `INSTALLED_APPS` (should be enabled by default)
+2. Come up with a new `provider_id`
+   - it's just an arbitrary alphanumerical string to identify the provider in the app
+   - it must be unique in the scope of the app
+   - it should not collide with the name of an installed provider type - so don't use `gitlab`, `google` or similar
+   - something like `rt_keycloak` would be OK
+3. Register the app with the provider to acquire a `client_id`, a `secret` and the URL for the openid config (e.g. https://gitlab.com/.well-known/openid-configuration)
+   - When asked for callback / redirect url, use `https://{domain}/accounts/oidc/{provider_id}/login/callback/`
+5. In the app, create a new `openid_connect` provider (django admin / settings.py) 
+   - `name` is just a human-readable name, it will be later shown on login form (Log in with {name}...)
+   - the `settings` object must contain a `server_url` key
+     - This is the config URL **before** the .well-known part, so for https://gitlab.com/.well-known/openid-configuration this is just https://gitlab.com
+
+## Allauth users in django
+1. Allauth does not disable django's authentication. It lives next to it as an alternative. You can still access django admin login.
+2. Allauth "social users" are just an extension to regular django users. When someone logs in via allauth, a django user model will also be created for them.
+3. A "profile" page is available at `/accounts`
+
+{% endif %}
 {% if cookiecutter.monitoring == 'y' %}
 # Monitoring
 

diff --git a/{{cookiecutter.repostory_name}}/app/src/{{cookiecutter.django_project_name}}/settings.py b/{{cookiecutter.repostory_name}}/app/src/{{cookiecutter.django_project_name}}/settings.py
@@ -59,6 +59,13 @@ def wrapped(*args, **kwargs):
 
 ALLOWED_HOSTS = ["*"]
 
+AUTHENTICATION_BACKENDS = [
+    "django.contrib.auth.backends.ModelBackend",
+    {%- if cookiecutter.use_allauth == "y" %}
+    "allauth.account.auth_backends.AuthenticationBackend",
+    {%- endif %}
+]
+
 INSTALLED_APPS = [
     {%- if cookiecutter.use_channels == "y" %}
     "daphne",
@@ -87,9 +94,16 @@ def wrapped(*args, **kwargs):
     "django_probes",
     "django_structlog",
     "constance",
-    {% if cookiecutter.use_fingerprinting == "y" -%}
+    {%- if cookiecutter.use_fingerprinting == "y" %}
     "fingerprint",
-    {% endif -%}
+    {%- endif %}
+    {%- if cookiecutter.use_allauth == "y" %}
+    "allauth",
+    "allauth.account",
+    "allauth.socialaccount",
+    "allauth.socialaccount.providers.openid_connect",
+    # Specific auth providers can be added, see https://docs.allauth.org/en/latest/socialaccount/providers/index.html
+    {%- endif %}
     "{{cookiecutter.django_project_name}}.{{cookiecutter.django_default_app_name}}",
 ]
 
@@ -131,6 +145,9 @@ def wrapped(*args, **kwargs):
     "django_prometheus.middleware.PrometheusAfterMiddleware",
     {%- endif %}
     "django_structlog.middlewares.RequestMiddleware",
+    {%- if cookiecutter.use_allauth == "y" -%}
+    "allauth.account.middleware.AccountMiddleware",
+    {%- endif %}
 ]
 
 
@@ -189,6 +206,9 @@ def wrapped(*args, **kwargs):
                 "django.template.context_processors.request",
                 "django.contrib.auth.context_processors.auth",
                 "django.contrib.messages.context_processors.messages",
+                {%- if cookiecutter.use_allauth == "y" %}
+                "django.template.context_processors.request",
+                {%- endif %}
             ],
         },
     },
@@ -297,6 +317,8 @@ def wrapped(*args, **kwargs):
 CELERY_RESULT_SERIALIZER = "json"
 CELERY_WORKER_PREFETCH_MULTIPLIER = env.int("CELERY_WORKER_PREFETCH_MULTIPLIER", default=10)
 CELERY_BROKER_POOL_LIMIT = env.int("CELERY_BROKER_POOL_LIMIT", default=50)
+
+DJANGO_STRUCTLOG_CELERY_ENABLED = True
 {%- endif %}
 
 EMAIL_BACKEND = env("EMAIL_BACKEND")
@@ -335,7 +357,6 @@ def wrapped(*args, **kwargs):
         },
     },
 }
-DJANGO_STRUCTLOG_CELERY_ENABLED = True
 
 
 def configure_structlog():
@@ -362,7 +383,9 @@ def configure_structlog():
 # Sentry
 if SENTRY_DSN := env("SENTRY_DSN", default=""):
     import sentry_sdk
+    {% if cookiecutter.use_celery == "y" -%}
     from sentry_sdk.integrations.celery import CeleryIntegration
+    {% endif -%}
     from sentry_sdk.integrations.django import DjangoIntegration
     from sentry_sdk.integrations.logging import LoggingIntegration, ignore_logger
     from sentry_sdk.integrations.redis import RedisIntegration
@@ -372,7 +395,9 @@ def configure_structlog():
         environment=ENV,
         integrations=[
             DjangoIntegration(),
+            {% if cookiecutter.use_celery == "y" -%}
             CeleryIntegration(),
+            {% endif -%}
             RedisIntegration(),
             LoggingIntegration(
                 level=logging.INFO,  # Capture info and above as breadcrumbs

diff --git a/{{cookiecutter.repostory_name}}/app/src/{{cookiecutter.django_project_name}}/urls.py b/{{cookiecutter.repostory_name}}/app/src/{{cookiecutter.django_project_name}}/urls.py
@@ -25,6 +25,9 @@
     path("business-metrics", metrics_manager.view, name="prometheus-business-metrics"),
     path("healthcheck/", include("health_check.urls")),
     {%- endif %}
+    {%- if cookiecutter.use_allauth == "y" %}
+    path('accounts/', include('allauth.urls')),
+    {%- endif %}
 ]
 
 {%- if cookiecutter.use_channels == "y" %}

diff --git a/{{cookiecutter.repostory_name}}/pyproject.toml b/{{cookiecutter.repostory_name}}/pyproject.toml
@@ -42,6 +42,9 @@ dependencies = [
     "uvicorn[standard]==0.29",
     "pydantic~=2.0",
     {% endif -%}
+    {% if cookiecutter.use_allauth == "y" -%}
+    "django-allauth[socialaccount]==0.63.1",
+    {% endif -%}
 ]
 
 [build-system]