fix oauth2 secret handling

create allways a new one as we have access to the oauth2 server
fix domain setup
2023-11-13 15:16:41 +01:00 · 2023-11-13 15:15:39 +01:00
4 changed files with 18 additions and 6 deletions
--- a/lenticular_cloud/config_development.toml
+++ b/lenticular_cloud/config_development.toml
@ -22,7 +22,6 @@ HYDRA_PUBLIC_URL = 'http://127.0.0.1:4444'
 SUBJECT_PREFIX = 'something random'

 OAUTH_ID = 'identiy_provider'
-OAUTH_SECRET = 'ThisIsNotSafe'


 [LENTICULAR_CLOUD_SERVICES.jabber]
--- a/lenticular_cloud/hydra.py
+++ b/lenticular_cloud/hydra.py
@ -1,9 +1,13 @@
+from secrets import token_hex
 from flask import Flask
 from ory_hydra_client import Client
 from typing import Optional
-from ory_hydra_client.api.o_auth_2 import list_o_auth_2_clients, create_o_auth_2_client
+from ory_hydra_client.api.o_auth_2 import list_o_auth_2_clients, create_o_auth_2_client, set_o_auth_2_client
 from ory_hydra_client.models.o_auth_20_client import OAuth20Client

+import logging
+
+logger = logging.getLogger(__name__)

 class HydraService:

@ -19,7 +23,7 @@ class HydraService:
        self.set_hydra_client(Client(base_url=app.config['HYDRA_ADMIN_URL']))

        client_name = app.config['OAUTH_ID']
-        client_secret = app.config['OAUTH_SECRET']
+        client_secret = token_hex(16)

        clients = list_o_auth_2_clients.sync_detailed(_client=self.hydra_client).parsed
        if clients is None:
@ -45,6 +49,11 @@ class HydraService:
            ret = create_o_auth_2_client.sync(json_body=client, _client=self.hydra_client)
            if ret is None:
                raise RuntimeError("could not crate account")
+        else:
+            client.client_secret = client_secret
+            ret = set_o_auth_2_client.sync(id=client.client_id,json_body=client, _client=self.hydra_client)
+            if ret is None:
+                raise RuntimeError("could not crate account")
        if type(client.client_id) is not str:
            raise RuntimeError("could not parse client_id from ory-hydra")
        self.client_id = client.client_id
--- a/lenticular_cloud/views/oauth2.py
+++ b/lenticular_cloud/views/oauth2.py
@ -92,7 +92,7 @@ def init_login_manager(app: Flask) -> None:
    oauth2.register(
        name="custom",
        client_id=hydra_service.client_id,
-        client_secret=app.config['OAUTH_SECRET'],
+        client_secret=hydra_service.client_secret,
        server_metadata_url=f'{base_url}/.well-known/openid-configuration',
        access_token_url=f"{base_url}/oauth2/token",
        authorize_url=f"{base_url}/oauth2/auth",
--- a/module.nix
+++ b/module.nix
@ -10,6 +10,10 @@ in
    services.lenticular-cloud = {
      enable = mkEnableOption "lenticluar service enable";
      domain = mkOption {
+        type = lib.types.str;
+        example = "example.com";
+      };
+      service_domain = mkOption {
        type = lib.types.str;
        example = "account.example.com";
      };
@ -68,10 +72,10 @@ in
    };

    services.nginx.enable = true;
-    services.nginx.virtualHosts."${cfg.domain}" = {
+    services.nginx.virtualHosts."${cfg.service_domain}" = {
      addSSL = true;
      enableACME = true;
-      serverName = cfg.domain;
+      serverName = cfg.service_domain;
      locations."/" = {
        recommendedProxySettings = true;
        proxyPass = "http://unix:/run/${username}/web.sock";
Author	SHA1	Message	Date
tuxcoder	2ca56b6df7	fix oauth2 secret handling create allways a new one as we have access to the oauth2 server	2023-11-13 15:16:41 +01:00
tuxcoder	8f17883b52	fix domain setup	2023-11-13 15:15:39 +01:00