Add support for SSO authentication

This commit is contained in:
miruka 2020-07-25 23:31:13 -04:00
parent d7907db547
commit 157ea2ffb2
11 changed files with 405 additions and 147 deletions

View File

@ -1,7 +1,5 @@
# TODO # TODO
- fallback page
- SSO page
- sever list - sever list
- cursor shape in HBox/HTabbedBox pages over fields - cursor shape in HBox/HTabbedBox pages over fields
- login with account already added → infinite spinner in room list - login with account already added → infinite spinner in room list
@ -208,10 +206,8 @@
- `m.id.thirdparty` - `m.id.thirdparty`
- `m.id.phone` - `m.id.phone`
- `m.login.recaptcha` (need browser, just use fallback?) - `m.login.recaptcha` (need browser, just use fallback?)
- `m.login.oauth2`
- `m.login.email.identity` - `m.login.email.identity`
- `m.login.msisdn` (phone) - `m.login.msisdn` (phone)
- `m.login.sso` + `m.login.token`
- `m.login.dummy` - `m.login.dummy`
- Web page fallback - Web page fallback

View File

@ -22,6 +22,7 @@ from .models.items import Account, Event
from .models.model import Model from .models.model import Model
from .models.model_store import ModelStore from .models.model_store import ModelStore
from .presence import Presence from .presence import Presence
from .sso_server import SSOServer
from .user_files import Accounts, History, Theme, UISettings, UIState from .user_files import Accounts, History, Theme, UISettings, UIState
# Logging configuration # Logging configuration
@ -103,6 +104,9 @@ class Backend:
self.clients: Dict[str, MatrixClient] = {} self.clients: Dict[str, MatrixClient] = {}
self._sso_server: Optional[SSOServer] = None
self._sso_server_task: Optional[asyncio.Future] = None
self.profile_cache: Dict[str, nio.ProfileGetResponse] = {} self.profile_cache: Dict[str, nio.ProfileGetResponse] = {}
self.get_profile_locks: DefaultDict[str, asyncio.Lock] = \ self.get_profile_locks: DefaultDict[str, asyncio.Lock] = \
DefaultDict(asyncio.Lock) # {user_id: lock} DefaultDict(asyncio.Lock) # {user_id: lock}
@ -153,21 +157,57 @@ class Backend:
await client.close() await client.close()
async def login_client(self, async def password_auth(
user: str, self, user: str, password: str, homeserver: str,
password: str,
device_id: Optional[str] = None,
homeserver: str = "https://matrix.org",
order: Optional[int] = None,
) -> str: ) -> str:
"""Create and register a `MatrixClient`, login and return a user ID.""" """Create & register a `MatrixClient`, login using the password
and return the user ID we get.
"""
client = MatrixClient( client = MatrixClient(self, user=user, homeserver=homeserver)
self, user=user, homeserver=homeserver, device_id=device_id, return await self._do_login(client, password=password)
)
async def start_sso_auth(self, homeserver: str) -> str:
"""Start SSO server and return URL to open in the user's browser.
See the `sso_server.SSOServer` class documentation.
Once the returned URL has been opened in the user's browser
(done from QML), `MatrixClient.continue_sso_auth()` should be called.
"""
server = SSOServer(homeserver)
self._sso_server = server
self._sso_server_task = asyncio.ensure_future(server.wait_for_token())
return server.url_to_open
async def continue_sso_auth(self) -> str:
"""Wait for the started SSO server to get a token, then login.
`MatrixClient.start_sso_auth()` must be called first.
Creates and register a `MatrixClient` for logging in.
Returns the user ID we get from logging in.
"""
if not self._sso_server or not self._sso_server_task:
raise RuntimeError("Must call Backend.start_sso_auth() first")
await self._sso_server_task
homeserver = self._sso_server.for_homeserver
token = self._sso_server_task.result()
self._sso_server_task = None
self._sso_server = None
client = MatrixClient(self, homeserver=homeserver)
return await self._do_login(client, token=token)
async def _do_login(self, client: MatrixClient, **login_kwargs) -> str:
"""Create and register the `MatrixClient`, login and return user ID."""
try: try:
await client.login(password, order=order) await client.login(**login_kwargs)
except MatrixError: except MatrixError:
await client.close() await client.close()
raise raise
@ -178,7 +218,6 @@ class Backend:
return client.user_id return client.user_id
self.clients[client.user_id] = client self.clients[client.user_id] = client
return client.user_id return client.user_id
@ -187,7 +226,7 @@ class Backend:
user_id: str, user_id: str,
token: str, token: str,
device_id: str, device_id: str,
homeserver: str = "https://matrix.org", homeserver: str,
state: str = "online", state: str = "online",
status_msg: str = "", status_msg: str = "",
) -> None: ) -> None:

View File

@ -191,6 +191,7 @@ class MatrixClient(nio.AsyncClient):
self.upload_tasks: Dict[UUID, asyncio.Task] = {} self.upload_tasks: Dict[UUID, asyncio.Task] = {}
self.send_message_tasks: Dict[UUID, asyncio.Task] = {} self.send_message_tasks: Dict[UUID, asyncio.Task] = {}
self._presence: str = ""
self.first_sync_done: asyncio.Event = asyncio.Event() self.first_sync_done: asyncio.Event = asyncio.Event()
self.first_sync_date: Optional[datetime] = None self.first_sync_date: Optional[datetime] = None
self.last_sync_error: Optional[Exception] = None self.last_sync_error: Optional[Exception] = None
@ -212,6 +213,33 @@ class MatrixClient(nio.AsyncClient):
) )
@property
def healthy(self) -> bool:
"""Return whether we're syncing and last sync was successful."""
task = self.sync_task
if not task or not self.first_sync_date or self.last_sync_error:
return False
return not task.done()
@property
def default_device_name(self) -> str:
"""Device name to set at login if the user hasn't set a custom one."""
os_name = platform.system()
if not os_name: # unknown OS
return __display_name__
# On Linux, the kernel version is returned, so for a one-time-set
# device name it would quickly be outdated.
os_ver = platform.release() if os_name == "Windows" else ""
return f"{__display_name__} on {os_name} {os_ver}".rstrip()
async def _send(self, *args, **kwargs) -> nio.Response: async def _send(self, *args, **kwargs) -> nio.Response:
"""Raise a `MatrixError` subclass for any `nio.ErrorResponse`. """Raise a `MatrixError` subclass for any `nio.ErrorResponse`.
@ -228,53 +256,37 @@ class MatrixClient(nio.AsyncClient):
return response return response
@staticmethod
def default_device_name() -> str:
"""Device name to set at login if the user hasn't set a custom one."""
os_name = platform.system()
if not os_name: # unknown OS
return __display_name__
# On Linux, the kernel version is returned, so for a one-time-set
# device name it would quickly be outdated.
os_ver = platform.release() if os_name == "Windows" else ""
return f"{__display_name__} on {os_name} {os_ver}".rstrip()
async def login( async def login(
self, self, password: Optional[str] = None, token: Optional[str] = None,
password: str,
device_name: str = "",
order: Optional[int] = None,
) -> None: ) -> None:
"""Login to the server using the account's password.""" """Login to server using `m.login.password` or `m.login.token` flows.
await super().login( Login can be done with the account's password (if the server supports
password, device_name or self.default_device_name(), this flow) OR a token obtainable through various means.
)
saved = await self.backend.saved_accounts.read() One of the way to obtain a token is to follow the `m.login.sso` flow
first, see `Backend.start_sso_auth()` & `Backend.continue_sso_auth()`.
"""
await super().login(password, self.default_device_name, token)
if order is None and not saved.values():
order = 0 order = 0
elif order is None: saved_accounts = await self.backend.saved_accounts.read()
if saved_accounts:
order = max( order = max(
account.get("order", i) account.get("order", i)
for i, account in enumerate(saved.values()) for i, account in enumerate(saved_accounts.values())
) + 1 ) + 1
# Get or create account model # We need to create account model item here, because _start() needs it
# We need to create account model in here, because _start() needs it item = self.models["accounts"].setdefault(
account = self.models["accounts"].setdefault(
self.user_id, Account(self.user_id, order), self.user_id, Account(self.user_id, order),
) )
# TODO: set presence on login # TODO: be abke to set presence before logging in
self._presence: str = "online" item.set_fields(presence=Presence.State.online, connecting=True)
account.presence = Presence.State.online self._presence = "online"
account.connecting = True
self.start_task = asyncio.ensure_future(self._start()) self.start_task = asyncio.ensure_future(self._start())
@ -326,17 +338,6 @@ class MatrixClient(nio.AsyncClient):
await self.close() await self.close()
@property
def healthy(self) -> bool:
"""Return whether we're syncing and last sync was successful."""
task = self.sync_task
if not task or not self.first_sync_date or self.last_sync_error:
return False
return not task.done()
async def _start(self) -> None: async def _start(self) -> None:
"""Fetch our user profile, server config and enter the sync loop.""" """Fetch our user profile, server config and enter the sync loop."""

99
src/backend/sso_server.py Normal file
View File

@ -0,0 +1,99 @@
# SPDX-License-Identifier: LGPL-3.0-or-later
import asyncio
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlparse
from . import __display_name__
_SUCCESS_HTML_PAGE = """<!DOCTYPE html>
<html>
<head>
<title>""" + __display_name__ + """</title>
<meta charset="utf-8">
<style>
body { background: hsl(0, 0%, 90%); }
@keyframes appear {
0% { transform: scale(0); }
45% { transform: scale(0); }
80% { transform: scale(1.6); }
100% { transform: scale(1); }
}
.circle {
width: 90px;
height: 90px;
position: absolute;
top: 50%;
left: 50%;
margin: -45px 0 0 -45px;
border-radius: 50%;
font-size: 60px;
line-height: 90px;
text-align: center;
background: hsl(203, 51%, 15%);
color: hsl(162, 56%, 42%, 1);
animation: appear 0.4s linear;
}
</style>
</head>
<body><div class="circle"></div></body>
</html>"""
class _SSORequestHandler(BaseHTTPRequestHandler):
def do_GET(self) -> None:
parameters = parse_qs(urlparse(self.path).query)
if "loginToken" in parameters:
self.server._token = parameters["loginToken"][0] # type: ignore
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(_SUCCESS_HTML_PAGE.encode())
else:
self.send_error(400, "missing loginToken parameter")
self.close_connection = True
class SSOServer(HTTPServer):
"""Local HTTP server to retrieve a SSO login token.
Call `SSOServer.wait_for_token()` in a background task to start waiting
for a SSO login token from the Matrix homeserver.
Once the task is running, the user must open `SSOServer.url_to_open` in
their browser, where they will be able to complete the login process.
Once they are done, the homeserver will call us back with a login token
and the `SSOServer.wait_for_token()` task will return.
"""
def __init__(self, for_homeserver: str) -> None:
self.for_homeserver: str = for_homeserver
self._token: str = ""
# Pick the first available port
super().__init__(("127.0.0.1", 0), _SSORequestHandler)
@property
def url_to_open(self) -> str:
"""URL for the user to open in their browser, to do the SSO process."""
return "%s/_matrix/client/r0/login/sso/redirect?redirectUrl=%s" % (
self.for_homeserver,
quote(f"http://{self.server_address[0]}:{self.server_port}/"),
)
async def wait_for_token(self) -> str:
"""Wait until the homeserver gives us a login token and return it."""
loop = asyncio.get_event_loop()
while not self._token:
await loop.run_in_executor(None, self.handle_request)
return self._token

View File

@ -7,8 +7,12 @@ import "../../Base"
HSwipeView { HSwipeView {
id: swipeView id: swipeView
clip: true clip: true
interactive: currentIndex !== 0 || signIn.serverUrl interactive: serverBrowser.acceptedUrl
onCurrentItemChanged: if (currentIndex === 0) serverBrowser.takeFocus() onCurrentItemChanged:
currentIndex === 0 ?
serverBrowser.takeFocus() :
signInLoader.takeFocus()
Component.onCompleted: serverBrowser.takeFocus() Component.onCompleted: serverBrowser.takeFocus()
HPage { HPage {
@ -26,6 +30,8 @@ HSwipeView {
HPage { HPage {
id: tabPage id: tabPage
enabled: swipeView.currentItem === this
HTabbedBox { HTabbedBox {
anchors.centerIn: parent anchors.centerIn: parent
width: Math.min(implicitWidth, tabPage.availableWidth) width: Math.min(implicitWidth, tabPage.availableWidth)
@ -37,13 +43,34 @@ HSwipeView {
HTabButton { text: qsTr("Reset") } HTabButton { text: qsTr("Reset") }
} }
SignIn { HLoader {
id: signIn id: signInLoader
readonly property Component signInPassword: SignInPassword {
serverUrl: serverBrowser.acceptedUrl serverUrl: serverBrowser.acceptedUrl
displayUrl: serverBrowser.acceptedUserUrl displayUrl: serverBrowser.acceptedUserUrl
onExitRequested: swipeView.currentIndex = 0 onExitRequested: swipeView.currentIndex = 0
} }
readonly property Component signInSso: SignInSso {
serverUrl: serverBrowser.acceptedUrl
displayUrl: serverBrowser.acceptedUserUrl
onExitRequested: swipeView.currentIndex = 0
}
function takeFocus() { if (item) item.takeFocus() }
sourceComponent:
serverBrowser.loginFlows.includes("m.login.password") ?
signInPassword :
serverBrowser.loginFlows.includes("m.login.sso") &&
serverBrowser.loginFlows.includes("m.login.token") ?
signInSso :
null
}
Register {} Register {}
Reset {} Reset {}
} }

View File

@ -11,7 +11,7 @@ HBox {
property string acceptedUserUrl: "" property string acceptedUserUrl: ""
property string acceptedUrl: "" property string acceptedUrl: ""
property var loginFlows: ["m.login.password"] property var loginFlows: []
property string saveName: "serverBrowser" property string saveName: "serverBrowser"
property var saveProperties: ["acceptedUserUrl"] property var saveProperties: ["acceptedUserUrl"]
@ -30,8 +30,20 @@ HBox {
connectFuture = py.callCoro("server_info", args, ([url, flows]) => { connectFuture = py.callCoro("server_info", args, ([url, flows]) => {
connectTimeout.stop() connectTimeout.stop()
errorMessage.text = "" errorMessage.text = ""
connectFuture = null connectFuture = null
if (! (
flows.includes("m.login.password") ||
(
flows.includes("m.login.sso") &&
flows.includes("m.login.token")
)
)) {
errorMessage.text =
qsTr("No supported sign-in method for this homeserver.")
return
}
acceptedUrl = url acceptedUrl = url
acceptedUserUrl = args[0] acceptedUserUrl = args[0]
loginFlows = flows loginFlows = flows

View File

@ -12,66 +12,42 @@ HFlickableColumnPage {
property string serverUrl property string serverUrl
property string displayUrl: serverUrl property string displayUrl: serverUrl
property var loginFuture: null
signal exitRequested() property var loginFuture: null
readonly property int security: readonly property int security:
serverUrl.startsWith("https://") ? serverUrl.startsWith("https://") ?
SignIn.Security.Secure : SignInBase.Security.Secure :
["//localhost", "//127.0.0.1", "//:1"].includes( ["//localhost", "//127.0.0.1", "//:1"].includes(
serverUrl.split(":")[1], serverUrl.split(":")[1],
) ? ) ?
SignIn.Security.LocalHttp : SignInBase.Security.LocalHttp :
SignIn.Security.Insecure SignInBase.Security.Insecure
function takeFocus() { idField.item.forceActiveFocus() } default property alias innerData: inner.data
readonly property alias rememberAccount: rememberAccount
readonly property alias errorMessage: errorMessage
readonly property alias applyButton: applyButton
function signIn() { signal exitRequested()
if (page.loginFuture) page.loginFuture.cancel()
errorMessage.text = "" function finishSignIn(receivedUserId) {
const args = [
idField.item.text.trim(), passwordField.item.text,
undefined, page.serverUrl,
]
page.loginFuture = py.callCoro("login_client", args, userId => {
errorMessage.text = "" errorMessage.text = ""
page.loginFuture = null page.loginFuture = null
print(rememberAccount.checked)
py.callCoro( py.callCoro(
rememberAccount.checked ? rememberAccount.checked ?
"saved_accounts.add": "saved_accounts.delete", "saved_accounts.add":
"saved_accounts.delete",
[userId] [receivedUserId]
) )
pageLoader.showPage( pageLoader.showPage(
"AccountSettings/AccountSettings", {userId} "AccountSettings/AccountSettings", {userId: receivedUserId}
) )
}, (type, args, error, traceback, uuid) => {
page.loginFuture = null
let txt = qsTr(
"Invalid request, login type or unknown error: %1",
).arg(type)
type === "MatrixForbidden" ?
txt = qsTr("Invalid username or password") :
type === "MatrixUserDeactivated" ?
txt = qsTr("This account was deactivated") :
utils.showError(type, traceback, uuid)
errorMessage.text = txt
})
} }
function cancel() { function cancel() {
@ -91,12 +67,11 @@ HFlickableColumnPage {
footer: AutoDirectionLayout { footer: AutoDirectionLayout {
ApplyButton { ApplyButton {
id: applyButton id: applyButton
enabled: idField.item.text.trim() && passwordField.item.text
text: qsTr("Sign in") text: qsTr("Sign in")
icon.name: "sign-in" icon.name: "sign-in"
loading: page.loginFuture !== null loading: page.loginFuture !== null
disableWhileLoading: false disableWhileLoading: false
onClicked: page.signIn()
} }
CancelButton { CancelButton {
@ -104,27 +79,28 @@ HFlickableColumnPage {
} }
} }
onKeyboardAccept: if (applyButton.enabled) page.signIn() onKeyboardAccept: if (applyButton.enabled) applyButton.clicked()
onKeyboardCancel: page.cancel() onKeyboardCancel: page.cancel()
Component.onDestruction: if (loginFuture) loginFuture.cancel()
HButton { HButton {
icon.name: "sign-in-" + ( icon.name: "sign-in-" + (
page.security === SignIn.Security.Insecure ? "insecure" : page.security === SignInBase.Security.Insecure ? "insecure" :
page.security === SignIn.Security.LocalHttp ? "local-http" : page.security === SignInBase.Security.LocalHttp ? "local-http" :
"secure" "secure"
) )
icon.color: icon.color:
page.security === SignIn.Security.Insecure ? page.security === SignInBase.Security.Insecure ?
theme.colors.negativeBackground : theme.colors.negativeBackground :
page.security === SignIn.Security.LocalHttp ? page.security === SignInBase.Security.LocalHttp ?
theme.colors.middleBackground : theme.colors.middleBackground :
theme.colors.positiveBackground theme.colors.positiveBackground
text: text:
page.security === SignIn.Security.Insecure ? page.security === SignInBase.Security.Insecure ?
page.serverUrl : page.serverUrl :
page.displayUrl.replace(/^(https?:\/\/)?(www\.)?/, "") page.displayUrl.replace(/^(https?:\/\/)?(www\.)?/, "")
@ -134,27 +110,9 @@ HFlickableColumnPage {
Layout.maximumWidth: parent.width Layout.maximumWidth: parent.width
} }
HLabeledItem { HColumnLayout {
id: idField id: inner
label.text: qsTr("Username:") spacing: page.column.spacing
Layout.fillWidth: true
HTextField {
width: parent.width
}
}
HLabeledItem {
id: passwordField
label.text: qsTr("Password:")
Layout.fillWidth: true
HTextField {
width: parent.width
echoMode: HTextField.Password
}
} }
HCheckBox { HCheckBox {

View File

@ -0,0 +1,69 @@
// SPDX-License-Identifier: LGPL-3.0-or-later
import QtQuick 2.12
import QtQuick.Layouts 1.12
import "../../Base"
import "../../Base/Buttons"
SignInBase {
id: page
function takeFocus() { idField.item.forceActiveFocus() }
function signIn() {
if (page.loginFuture) page.loginFuture.cancel()
errorMessage.text = ""
page.loginFuture = py.callCoro(
"password_auth",
[idField.item.text.trim(), passField.item.text, page.serverUrl],
page.finishSignIn,
(type, args, error, traceback, uuid) => {
page.loginFuture = null
let txt = qsTr(
"Invalid request, login type or unknown error: %1",
).arg(type)
type === "MatrixForbidden" ?
txt = qsTr("Invalid username or password") :
type === "MatrixUserDeactivated" ?
txt = qsTr("This account was deactivated") :
utils.showError(type, traceback, uuid)
page.errorMessage.text = txt
},
)
}
applyButton.enabled: idField.item.text.trim() && passField.item.text
applyButton.onClicked: page.signIn()
HLabeledItem {
id: idField
label.text: qsTr("Username:")
Layout.fillWidth: true
HTextField {
width: parent.width
}
}
HLabeledItem {
id: passField
label.text: qsTr("Password:")
Layout.fillWidth: true
HTextField {
width: parent.width
echoMode: HTextField.Password
}
}
}

View File

@ -0,0 +1,55 @@
// SPDX-License-Identifier: LGPL-3.0-or-later
import QtQuick 2.12
import QtQuick.Layouts 1.12
import "../../Base"
import "../../Base/Buttons"
SignInBase {
id: page
function takeFocus() { urlField.forceActiveFocus() }
function startSignIn() {
errorMessage.text = ""
page.loginFuture = py.callCoro("start_sso_auth", [serverUrl], url => {
urlField.text = url
urlField.cursorPosition = 0
Qt.openUrlExternally(url)
page.loginFuture = py.callCoro("continue_sso_auth", [], userId => {
page.loginFuture = null
page.finishSignIn(userId)
})
})
}
applyButton.text: qsTr("Waiting")
applyButton.loading: true
Component.onCompleted: page.startSignIn()
HLabel {
wrapMode: HLabel.Wrap
text: qsTr(
"Complete the single sign-on process in your web browser to " +
"continue.\n\n" +
"If no page appeared, you can also manually open this address:"
)
Layout.fillWidth: true
}
HTextArea {
id: urlField
width: parent.width
readOnly: true
radius: 0
wrapMode: HTextArea.WrapAnywhere
Layout.fillWidth: true
Layout.fillHeight: true
}
}

View File

@ -86,6 +86,7 @@ HMxcImage {
gesturePolicy: TapHandler.ReleaseWithinBounds gesturePolicy: TapHandler.ReleaseWithinBounds
onTapped: { onTapped: {
print(loader.mediaUrl, loader.singleMediaInfo.media_http_url)
if (eventList.selectedCount) { if (eventList.selectedCount) {
eventDelegate.toggleChecked() eventDelegate.toggleChecked()
return return

View File

@ -10,6 +10,7 @@ import "MainPane"
Item { Item {
id: mainUI id: mainUI
enabled: ! window.anyPopup
property bool accountsPresent: property bool accountsPresent:
ModelStore.get("accounts").count > 0 || py.startupAnyAccountsSaved ModelStore.get("accounts").count > 0 || py.startupAnyAccountsSaved