From 8f17883b52db44d4b3a4111c1a01aa786852b616 Mon Sep 17 00:00:00 2001
From: tuxcoder
Date: Mon, 13 Nov 2023 15:15:39 +0100
Subject: [PATCH 1/2] fix domain setup
---
 module.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/module.nix b/module.nix
index 8c64fec..027eea0 100644
--- a/module.nix
+++ b/module.nix
@@ -10,6 +10,10 @@ in
   services.lenticular-cloud = {
     enable = mkEnableOption "lenticluar service enable";
     domain = mkOption {
+      type = lib.types.str;
+      example = "example.com";
+    };
+    service_domain = mkOption {
       type = lib.types.str;
       example = "account.example.com";
     };
@@ -68,10 +72,10 @@ in
     };
     services.nginx.enable = true;
-    services.nginx.virtualHosts."${cfg.domain}" = {
+    services.nginx.virtualHosts."${cfg.service_domain}" = {
       addSSL = true;
       enableACME = true;
-      serverName = cfg.domain;
+      serverName = cfg.service_domain;
       locations."/" = {
         recommendedProxySettings = true;
         proxyPass = "http://unix:/run/${username}/web.sock";
From 2ca56b6df7be4457fd4e9d1f717e09e2d79f598a Mon Sep 17 00:00:00 2001
From: tuxcoder
Date: Mon, 13 Nov 2023 15:16:41 +0100
Subject: [PATCH 2/2] fix oauth2 secret handling
create allways a new one as we have access to the oauth2 server
---
 lenticular_cloud/config_development.toml | 1 -
 lenticular_cloud/hydra.py | 13 +++++++++++--
 lenticular_cloud/views/oauth2.py | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/lenticular_cloud/config_development.toml b/lenticular_cloud/config_development.toml
index ac3d6f1..7776405 100644
--- a/lenticular_cloud/config_development.toml
+++ b/lenticular_cloud/config_development.toml
@@ -22,7 +22,6 @@ HYDRA_PUBLIC_URL = 'http://127.0.0.1:4444'
 SUBJECT_PREFIX = 'something random'
 OAUTH_ID = 'identiy_provider'
-OAUTH_SECRET = 'ThisIsNotSafe'
 [LENTICULAR_CLOUD_SERVICES.jabber]
diff --git a/lenticular_cloud/hydra.py b/lenticular_cloud/hydra.py
index 155d0bb..91574a0 100644
--- a/lenticular_cloud/hydra.py
+++ b/lenticular_cloud/hydra.py
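Review bot: Neither `domain` nor the newly split-out `service_domain` option carries a `description`, so the generated module documentation gives an operator no way to tell the two apart, and nothing in the hunk shows what `domain` is still used for now that the nginx vHost reads `service_domain` (it may be consumed elsewhere in module.nix). I'd add `description = "Host name the web UI is served on; becomes the nginx virtualHost and ACME certificate name.";` to `service_domain`, which is what the second hunk of this file demonstrates, and a matching `description` on `domain` that states its actual consumer. If `domain` really has no consumer left after this change, it should be marked as such or dropped rather than left as a required, undocumented string.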
@@ -1,9 +1,13 @@
+from secrets import token_hex
 from flask import Flask
 from ory_hydra_client import Client
 from typing import Optional
-from ory_hydra_client.api.o_auth_2 import list_o_auth_2_clients, create_o_auth_2_client
+from ory_hydra_client.api.o_auth_2 import list_o_auth_2_clients, create_o_auth_2_client, set_o_auth_2_client
 from ory_hydra_client.models.o_auth_20_client import OAuth20Client
+import logging
+
+logger = logging.getLogger(__name__)
 class HydraService:
@@ -19,7 +23,7 @@ class HydraService:
         self.set_hydra_client(Client(base_url=app.config['HYDRA_ADMIN_URL']))
         client_name = app.config['OAUTH_ID']
-        client_secret = app.config['OAUTH_SECRET']
+        client_secret = token_hex(16)
         clients = list_o_auth_2_clients.sync_detailed(_client=self.hydra_client).parsed
         if clients is None:
@@ -45,6 +49,11 @@ class HydraService:
             ret = create_o_auth_2_client.sync(json_body=client, _client=self.hydra_client)
             if ret is None:
                 raise RuntimeError("could not crate account")
+        else:
+            client.client_secret = client_secret
+            ret = set_o_auth_2_client.sync(id=client.client_id,json_body=client, _client=self.hydra_client)
+            if ret is None:
+                raise RuntimeError("could not crate account")
         if type(client.client_id) is not str:
             raise RuntimeError("could not parse client_id from ory-hydra")
         self.client_id = client.client_id
diff --git a/lenticular_cloud/views/oauth2.py b/lenticular_cloud/views/oauth2.py
index c8643c3..457438b 100644
--- a/lenticular_cloud/views/oauth2.py
+++ b/lenticular_cloud/views/oauth2.py
@@ -92,7 +92,7 @@ def init_login_manager(app: Flask) -> None:
     oauth2.register(
         name="custom",
         client_id=hydra_service.client_id,
-        client_secret=app.config['OAUTH_SECRET'],
+        client_secret=hydra_service.client_secret,
         server_metadata_url=f'{base_url}/.well-known/openid-configuration',
         access_token_url=f"{base_url}/oauth2/token",
         authorize_url=f"{base_url}/oauth2/auth",
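Review bot: `import logging` is added after the third-party `ory_hydra_client` imports while the new `from secrets import token_hex` sits at the very top, so the stdlib group is now split around the third-party group; move `import logging` up next to `from secrets import token_hex` so the file reads stdlib, then third party. The module-level `logger` it creates is not referenced by any hunk in this patch, so either it is used further down in hydra.py (not visible here) or it is dead at this point — worth a quick check before merging.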
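Review bot: The new `else` branch rotates the Hydra client secret on every initialisation, so if the app is started with more than one process (several gunicorn/uwsgi workers, or a second instance) each one PUTs its own `token_hex(16)` and only the last write is the secret Hydra will accept at `/oauth2/token` — every other worker holds a dead secret; the deployment shape is not visible here, so please confirm a single process owns this call, or generate the secret once and share it. The copied `raise RuntimeError("could not crate account")` mislabels an update as a create and, because `set_o_auth_2_client.sync` collapses any HTTP error to `None`, nothing about the failure is recorded; `resp = set_o_auth_2_client.sync_detailed(id=client.client_id, json_body=client, _client=self.hydra_client)` followed by `if resp.parsed is None: raise RuntimeError(f"could not update oauth2 client secret ({resp.status_code})")` keeps the status for the operator. The hunk also never shows `self.client_secret = client_secret`, which views/oauth2.py now reads as `hydra_service.client_secret`; the enclosing method continues past the end of the hunk, so confirm it is assigned there for both the create and the update path.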