Cognito update 323

app/.env.docker-example

@@ -33,8 +33,10 @@ DATABASE=postgres
 # SQL_PORT=
 # DATABASE=
 
-COGNITO_DOMAIN=peopledepot
-COGNITO_AWS_REGION=us-west-2
-COGNITO_USER_POOL=us-west-2_Fn4rkZpuB
-
+# COGNITO_DOMAIN=peopledepot
+# COGNITO_AWS_REGION=us-west-2
+# COGNITO_USER_POOL=us-west-2_Fn4rkZpuB
+# COGNITO_CLIENT_ID=xxxxxxx
+# COGNITO_CLIENT_SECRET=
+# COGNITO_CALLBACK_URL=http://localhost:8000/accounts/amazon-cognito/login/callback/
 PEOPLE_DEPOT_API_SECRET=people-depot-api-secret

app/peopledepot/settings.py

@@ -36,16 +36,21 @@
 # For example: 'DJANGO_ALLOWED_HOSTS=localhost 127.0.0.1 [::1]'
 ALLOWED_HOSTS = os.environ.get("DJANGO_ALLOWED_HOSTS").split(" ")
 
+# Single sign on
+LOGIN_REDIRECT_URL = "/admin/"
+
 # Cognito stuff
 COGNITO_AWS_REGION = os.environ.get("COGNITO_AWS_REGION", default=None)
 COGNITO_USER_POOL = os.environ.get("COGNITO_USER_POOL", default=None)
+COGNITO_DOMAIN = os.environ.get("COGNITO_DOMAIN", default=None)
 # Provide this value if `id_token` is used for authentication (it contains 'aud' claim).
 # `access_token` doesn't have it, in this case keep the COGNITO_AUDIENCE empty
-COGNITO_AUDIENCE = None
+COGNITO_AUDIENCE = os.environ.get("COGNITO_CLIENT_ID", default=None)
 COGNITO_POOL_URL = (
     None  # will be set few lines of code later, if configuration provided
 )
-
+COGNITO_CLIENT_ID = os.environ.get("COGNITO_CLIENT_ID")
+COGNITO_CLIENT_SECRET = os.environ.get("COGNITO_CLIENT_SECRET`") or ""
 rsa_keys = {}
 # To avoid circular imports, we keep this logic here.
 # On django init we download jwks public keys which are used to validate jwt tokens.
@@ -77,8 +82,29 @@
     # Local
     "core",
     "data",
+    # allauth requirements
+    "allauth",
+    "allauth.account",
+    "allauth.socialaccount",
+    # ... include the providers you want to enable:
+    "allauth.socialaccount.providers.amazon_cognito",
 ]
 
+SOCIALACCOUNT_PROVIDERS = {
+    "amazon_cognito": {
+        "DOMAIN": "https://peopledepot.auth.us-east-2.amazoncognito.com",
+        "APP": {
+            "client_id": f"{COGNITO_CLIENT_ID}",
+            "client_secret": f"{COGNITO_CLIENT_SECRET}",
+            "secret": "",
+            "key": "",
+        },
+        "AUTH_PARAMS": {
+            "scope": "openid profile email",
+        },
+        "OAUTH2_CLIENT_CLASS": "allauth.socialaccount.providers.oauth2.client.OAuth2Client",
+    }
+}
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
@@ -88,21 +114,26 @@
     "django.contrib.auth.middleware.RemoteUserMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
+    "allauth.account.middleware.AccountMiddleware",
 ]
 
 ROOT_URLCONF = "peopledepot.urls"
 
 TEMPLATES = [
     {
         "BACKEND": "django.template.backends.django.DjangoTemplates",
-        "DIRS": [],
+        # next comment is to ignore flake8 error for the following line when pre-commit runs
+        # flake8: noqa
+        "DIRS": [os.path.join(BASE_DIR, "templates")],
         "APP_DIRS": True,
         "OPTIONS": {
             "context_processors": [
                 "django.template.context_processors.debug",
                 "django.template.context_processors.request",
                 "django.contrib.auth.context_processors.auth",
                 "django.contrib.messages.context_processors.messages",
+                # `allauth` needs this from django
+                "django.template.context_processors.request",
             ],
         },
     },
@@ -159,7 +190,6 @@
 
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/4.0/howto/static-files/
-
 STATIC_URL = "static/"
 
 # Default primary key field type
@@ -168,10 +198,12 @@
 DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
 
 AUTH_USER_MODEL = "core.User"
-
 AUTHENTICATION_BACKENDS = [
     "django.contrib.auth.backends.RemoteUserBackend",
+    # Needed to login by username in Django admin, regardless of `allauth`
     "django.contrib.auth.backends.ModelBackend",
+    # `allauth` specific authentication methods, such as login by email
+    "allauth.account.auth_backends.AuthenticationBackend",
 ]
 
 REST_FRAMEWORK = {
@@ -183,8 +215,8 @@
 }
 
 JWT_AUTH = {
-    "JWT_PAYLOAD_GET_USERNAME_HANDLER": "core.utils.jwt.get_username_from_payload_handler",
-    "JWT_DECODE_HANDLER": "core.utils.jwt.cognito_jwt_decode_handler",
+    "JWT_PAYLOAD_GET_USERNAME_HANDLER": "core.utils.jwt_handler.get_username_from_payload_handler",
+    "JWT_DECODE_HANDLER": "core.utils.jwt_handler.cognito_jwt_decode_handler",
     "JWT_PUBLIC_KEY": rsa_keys,
     "JWT_ALGORITHM": "RS256",
     "JWT_AUDIENCE": COGNITO_AUDIENCE,

app/peopledepot/url_methods.py

@@ -0,0 +1,27 @@
+import os
+
+from django.shortcuts import render
+
+
+def cognito_redirect_login(request):
+    cognito_domain = os.getenv(
+        "COGNITO_DOMAIN", "default_value"
+    )  # Replace 'default_value' with a default value or leave it empty
+    cognito_client_id = os.getenv("COGNITO_CLIENT_ID", "default_value")
+    cognito_redirect_uri = os.getenv("COGNITO_REDIRECT_URI", "default_value")
+    cognito_callback_url = os.getenv("COGNITO_CALLBACK_URL", "default_value")
+    cognito_aws_region = os.getenv("COGNITO_AWS_REGION", "default_value")
+
+    error_message = None
+    return render(
+        request,
+        "accounts/cognito_redirect_login.html",
+        {
+            "cognito_domain": cognito_domain,
+            "cognito_client_id": cognito_client_id,
+            "cognito_redirect_uri": cognito_redirect_uri,
+            "cognito_aws_region": cognito_aws_region,
+            "cognito_callback_url": cognito_callback_url,
+            "error_message": error_message,
+        },
+    )

app/peopledepot/urls.py

@@ -5,7 +5,11 @@
 from drf_spectacular.views import SpectacularRedocView
 from drf_spectacular.views import SpectacularSwaggerView
 
+from peopledepot.url_methods import cognito_redirect_login
+
 urlpatterns = [
+    path("accounts/login/", cognito_redirect_login, name="cognito_redirect_login"),
+    path("accounts/", include("allauth.urls")),
     path("admin/", admin.site.urls),
     path("api/v1/", include("core.api.urls")),
     path("api/schema/", SpectacularAPIView.as_view(), name="schema"),

app/requirements.txt

@@ -14,6 +14,10 @@ coverage==7.4.3
 cryptography==42.0.5
     # via pyjwt
 django==4.2.11
+# kb changes
+django-allauth==0.58.2
+django-autocomplete-light==3.9.7
+django-cors-headers==4.3.1
     # via
     #   django-extensions
     #   django-linear-migrations
@@ -25,6 +29,7 @@ django==4.2.11
 django-extensions==3.2.3
 django-linear-migrations==2.12.0
 django-phonenumber-field==7.3.0
+django-querysetsequence==0.17.0
 django-timezone-field==6.1.0
 djangorestframework==3.14.0
     # via

app/templates/accounts/cognito_redirect_login.html

@@ -0,0 +1,7 @@
+{% comment %}
+Default account login screen unnecessary has local login option and forces user to have
+to hit two buttons to log in to Amazon Cognito.  The snippet below redirects the user
+to the Amazon Cognito login screen with one button that navigates directly to
+Cognito.
+{% endcomment %}
+<meta http-equiv="REFRESH" content="0;url=../amazon-cognito/login">