Merge pull request #56 from devaslanphp/dev

Merge dev into Master

.env.example

@@ -3,6 +3,7 @@ APP_ENV=local
 APP_KEY=
 APP_DEBUG=true
 APP_URL=http://localhost:8000
+APP_FORCE_HTTPS=false
 
 LOG_CHANNEL=daily
 LOG_DEPRECATIONS_CHANNEL=null
@@ -73,3 +74,14 @@ TWITTER_CLIENT_ID=
 TWITTER_CLIENT_SECRET=
 TWITTER_CLIENT_CALLBACK="${APP_URL}/oauth/callback/twitter"
 
+# This example is based on Keycloak as an OIDC provider
+# Make sure you change it based on your own OIDC provider
+OIDC_CLIENT_ID=
+OIDC_CLIENT_SECRET=
+OIDC_DISCOVERY_ENDPOINT=
+OIDC_REDIRECT_URI="${APP_URL}/oidc/callback"
+OIDC_REALM="myrealm"
+OIDC_URL_AUTHORIZE="${OIDC_DISCOVERY_ENDPOINT}/realms/${OIDC_REALM}/protocol/openid-connect/auth"
+OIDC_URL_ACCESS_TOKEN="${OIDC_DISCOVERY_ENDPOINT}/realms/${OIDC_REALM}/protocol/openid-connect/token"
+OIDC_URL_RESOURCE_OWNER_DETAILS="${OIDC_DISCOVERY_ENDPOINT}/realms/${OIDC_REALM}/protocol/openid-connect/userinfo"
+OIDC_SCOPE="openid"

README.md

@@ -133,6 +133,9 @@ The MIT License (MIT). Please see [License File](LICENSE.md) for more informatio
 - **Release 1.2.2**
     - Dockerize application #23 
     - PR #45 
+- **Release 1.2.3**
+    - Update german language #52
+    - SSO with OpenID (OIDC) #48
 
 ## Support us
 

app/Filament/Pages/ManageGeneralSettings.php

@@ -2,13 +2,15 @@
 
 namespace App\Filament\Pages;
 
+use App\Models\Role;
 use App\Settings\GeneralSettings;
 use Filament\Forms\Components\Card;
 use Filament\Forms\Components\Checkbox;
 use Filament\Forms\Components\FileUpload;
 use Filament\Forms\Components\Grid;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\TextInput;
+use Filament\Forms\Components\Toggle;
 use Filament\Pages\Actions\Action;
 use Filament\Pages\SettingsPage;
 use Illuminate\Contracts\Support\Htmlable;
@@ -62,21 +64,33 @@ protected function getFormSchema(): array
                                         ->default(fn() => config('app.name'))
                                         ->required(),
 
-                                    Checkbox::make('enable_registration')
+                                    Toggle::make('enable_registration')
                                         ->label(__('Enable registration?'))
-                                        ->helperText(__('If enabled, any user can create an account in this platform.
-                                                        But an administration need to give them permissions.')),
+                                        ->helperText(__('If enabled, any user can create an account in this platform. But an administration need to give them permissions.')),
 
-                                    Checkbox::make('enable_social_login')
+                                    Toggle::make('enable_social_login')
                                         ->label(__('Enable social login?'))
-                                        ->helperText(__('If enabled, configured users can login via their
-                                                     social accounts.')),
+                                        ->helperText(__('If enabled, configured users can login via their social accounts.')),
+
+                                    Toggle::make('enable_login_form')
+                                        ->label(__('Enable form login?'))
+                                        ->helperText(__('If enabled, a login form will be visible on the login page.')),
+
+                                    Toggle::make('enable_oidc_login')
+                                        ->label(__('Enable OIDC login?'))
+                                        ->helperText(__('If enabled, an OIDC Connect button will be visible on the login page.')),
 
                                     Select::make('site_language')
                                         ->label(__('Site language'))
                                         ->helperText(__('The language used by the platform.'))
                                         ->searchable()
                                         ->options($this->getLanguages()),
+
+                                    Select::make('default_role')
+                                        ->label(__('Default role'))
+                                        ->helperText(__('The platform default role (used mainly in OIDC Connect).'))
+                                        ->searchable()
+                                        ->options(Role::all()->pluck('name', 'id')->toArray()),
                                 ]),
                         ]),
                 ]),

app/Http/Controllers/Auth/OidcAuthController.php

@@ -0,0 +1,86 @@
+<?php
+
+namespace App\Http\Controllers\Auth;
+
+use App\Http\Controllers\Controller;
+use App\Models\Role;
+use App\Models\User;
+use App\Settings\GeneralSettings;
+use Illuminate\Http\Request;
+use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
+use League\OAuth2\Client\Provider\GenericProvider;
+
+class OidcAuthController extends Controller
+{
+    private $client;
+
+    public function __construct()
+    {
+        $this->client = new GenericProvider([
+            'clientId' => config('services.oidc.client_id'),
+            'clientSecret' => config('services.oidc.client_secret'),
+            'redirectUri' => config('services.oidc.redirect_uri'),
+            'urlAuthorize' => config('services.oidc.url_authorize'),
+            'urlAccessToken' => config('services.oidc.url_access_token'),
+            'urlResourceOwnerDetails' => config('services.oidc.url_resource_owner_details'),
+            'scopes' => config('services.oidc.scope')
+        ]);
+    }
+
+    public function redirect()
+    {
+        $authUrl = $this->client->getAuthorizationUrl();
+        return redirect($authUrl);
+    }
+
+    public function callback(Request $request)
+    {
+        try {
+            $accessToken = $this->client->getAccessToken('authorization_code', [
+                'code' => $request->input('code')
+            ]);
+            $user = $this->client->getResourceOwner($accessToken);
+
+            // Perform any additional validation or user creation here
+            if ($user) {
+                $data = $user->toArray();
+                $user = User::where('email', $data['email'])->first();
+                if (!$user) {
+                    $user = User::create([
+                        'name' => $data['given_name'] . ' ' . $data['family_name'],
+                        'email' => $data['email'],
+                        'oidc_username' => $data['preferred_username'],
+                        'email_verified_at' => $data['email_verified'] ? now() : null,
+                        'type' => 'oidc',
+                        'oidc_sub' => $data['sub'],
+                        'password' => null
+                    ]);
+                    $defaultRoleSettings = app(GeneralSettings::class)->default_role;
+                    if ($defaultRoleSettings && $defaultRole = Role::where('id', $defaultRoleSettings)->first()) {
+                        $user->syncRoles([$defaultRole]);
+                    }
+                } else {
+                    $user->update([
+                        'name' => $data['given_name'] . ' ' . $data['family_name'],
+                        'email' => $data['email'],
+                        'oidc_username' => $data['preferred_username'],
+                        'type' => 'oidc',
+                        'oidc_sub' => $data['sub'],
+                        'password' => null
+                    ]);
+                    $user->refresh();
+                }
+
+                // Log the user in
+                auth()->login($user);
+
+                return redirect()->intended();
+            }
+            session()->flash('oidc_error');
+            return redirect()->route('login');
+        } catch (IdentityProviderException $e) {
+            session()->flash('oidc_error');
+            return redirect()->route('login');
+        }
+    }
+}

app/Models/User.php

@@ -34,7 +34,10 @@ class User extends Authenticatable implements MustVerifyEmail, FilamentUser
         'name',
         'email',
         'password',
-        'creation_token'
+        'creation_token',
+        'type',
+        'oidc_username',
+        'email_verified_at',
     ];
 
     /**
@@ -61,12 +64,16 @@ public static function boot()
         parent::boot();
 
         static::creating(function (User $item) {
-            $item->password = bcrypt(uniqid());
-            $item->creation_token = Uuid::uuid4()->toString();
+            if ($item->type == 'db') {
+                $item->password = bcrypt(uniqid());
+                $item->creation_token = Uuid::uuid4()->toString();
+            }
         });
 
         static::created(function (User $item) {
-            $item->notify(new UserCreatedNotification($item));
+            if ($item->type == 'db') {
+                $item->notify(new UserCreatedNotification($item));
+            }
         });
     }
 

app/Providers/AppServiceProvider.php

@@ -4,11 +4,10 @@
 
 use App\Settings\GeneralSettings;
 use Filament\Facades\Filament;
-use Filament\Navigation\UserMenuItem;
 use Illuminate\Database\QueryException;
 use Illuminate\Foundation\Vite;
 use Illuminate\Support\Facades\Config;
-use Illuminate\Support\Facades\Schema;
+use Illuminate\Support\Facades\URL;
 use Illuminate\Support\HtmlString;
 use Illuminate\Support\ServiceProvider;
 
@@ -69,6 +68,11 @@ public function boot()
             __('Security'),
             __('Settings'),
         ]);
+
+        // Force HTTPS over HTTP
+        if (env('APP_FORCE_HTTPS') ?? false) {
+            URL::forceScheme('https');
+        }
     }
 
     private function configureApp(): void
@@ -85,6 +89,8 @@ private function configureApp(): void
             Config::set('filament-breezy.enable_registration', $settings->enable_registration ?? false);
             Config::set('filament-socialite.registration', $settings->enable_registration ?? false);
             Config::set('filament-socialite.enabled', $settings->enable_social_login ?? false);
+            Config::set('system.login_form.is_enabled', $settings->enable_login_form ?? false);
+            Config::set('services.oidc.is_enabled', $settings->enable_oidc_login ?? false);
         } catch (QueryException $e) {
             // Error: No database configured yet
         }

app/Settings/GeneralSettings.php

@@ -12,6 +12,9 @@ class GeneralSettings extends Settings
     public string|null $site_logo;
     public string|null $enable_social_login;
     public string|null $site_language;
+    public string|null $default_role;
+    public string|null $enable_login_form;
+    public string|null $enable_oidc_login;
 
     public static function group(): string
     {

composer.json

@@ -19,6 +19,7 @@
         "laravel/framework": "^9.19",
         "laravel/sanctum": "^3.0",
         "laravel/tinker": "^2.7",
+        "league/oauth2-client": "^2.6",
         "maatwebsite/excel": "^3.1",
         "owenvoke/blade-fontawesome": "^2.1",
         "protonemedia/laravel-verify-new-email": "^1.6",

config/services.php

@@ -55,4 +55,16 @@
         'redirect' => env('TWITTER_CLIENT_CALLBACK')
     ],
 
+    'oidc' => [
+        'is_enabled' => true,
+        'client_id' => env('OIDC_CLIENT_ID'),
+        'client_secret' => env('OIDC_CLIENT_SECRET'),
+        'discovery_endpoint' => env('OIDC_DISCOVERY_ENDPOINT'),
+        'redirect_uri' => env('OIDC_REDIRECT_URI'),
+        'url_authorize' => env('OIDC_URL_AUTHORIZE'),
+        'url_access_token' => env('OIDC_URL_ACCESS_TOKEN'),
+        'url_resource_owner_details' => env('OIDC_URL_RESOURCE_OWNER_DETAILS'),
+        'scope' => explode(",", env('OIDC_SCOPE')),
+    ],
+
 ];

config/system.php

@@ -2,6 +2,14 @@
 
 return [
 
+    // Login form
+    'login_form' => [
+
+        // Enabled
+        'is_enabled' => true
+
+    ],
+
     // Locales
     'locales' => [