OAuth Login for Staging

.env.development

@@ -30,3 +30,6 @@ OIDC_SECRET_KEY=oidc-development-secret
 PAYPAL_BASE_URL=https://api-m.sandbox.paypal.com
 WCA_REGISTRATIONS_URL=http://localhost:8000
 WCA_REGISTRATIONS_BACKEND_URL=http://wca_registration_handler:3000
+STAGING_OAUTH_URL=https://staging.worldcubeassociation.org
+STAGING_OAUTH_CLIENT=example-application-id
+STAGING_OAUTH_SECRET=example-secret

.env.test

@@ -29,3 +29,6 @@ PAYPAL_CLIENT_SECRET=EIknLp919Gbuj2CYmEWECyKH5HwJTWQNuqFuCr1qFMrGNzwkF8dD0VkwzwI
 PAYPAL_ATTRIBUTION_CODE=FLAVORsb-noyt529176316_MP
 PAYPAL_BASE_URL=https://api-m.sandbox.paypal.com
 WCA_REGISTRATIONS_BACKEND_URL=http://wca_registration_handler:3000
+STAGING_OAUTH_URL=https://staging.worldcubeassociation.org
+STAGING_OAUTH_CLIENT=example-application-id
+STAGING_OAUTH_SECRET=example-secret

app/controllers/sessions_controller.rb

@@ -8,6 +8,54 @@ class SessionsController < Devise::SessionsController
   # Make sure this happens always before any before_action
   protect_from_forgery with: :exception, prepend: true
 
+  def staging_oauth_login
+    return if EnvConfig.WCA_LIVE_SITE?
+
+    client = OAuth2::Client.new(AppSecrets.STAGING_OAUTH_CLIENT, AppSecrets.STAGING_OAUTH_SECRET,
+                                site: EnvConfig.STAGING_OAUTH_URL)
+    redirect_uri = staging_login_url
+
+    unless params[:code].present?
+      return redirect_to client.auth_code.authorize_url(
+        redirect_uri: redirect_uri,
+      ), allow_other_host: true
+    end
+
+    access_token = client.auth_code.get_token(
+      params[:code], redirect_uri: redirect_uri
+    ).token
+
+    # Get /me to figure out which user we are
+    connection = Faraday.new(
+      url: EnvConfig.STAGING_OAUTH_URL,
+      headers: {
+        'Authorization' => "Bearer #{access_token}",
+        'Content-Type' => 'application/json',
+      },
+    ) do |builder|
+      # Sets headers and parses jsons automatically
+      builder.request :json
+      builder.response :json
+
+      # Raises an error on 4xx and 5xx responses.
+      builder.response :raise_error
+
+      # Logs requests and responses.
+      # By default, it only logs the request method and URL, and the request/response headers.
+      builder.response :logger, ::Logger.new($stdout), bodies: true if Rails.env.development?
+    end
+
+    results = connection.get("/api/v0/me").body
+
+    user = User.find(results["me"]["id"])
+    if user
+      sign_in(user)
+      redirect_to root_url, notice: "Successfully logged in as #{user.wca_id}"
+    else
+      redirect_to root_url, alert: "Couldn't find your user"
+    end
+  end
+
   def new
     super
     # Remove any lingering user data from previous login attempt

app/views/devise/sessions/new.html.erb

@@ -40,6 +40,12 @@
           <%= f.submit t('devise.sessions.new.sign_in'), class: "btn btn-primary", tabindex: "3" %>
           <%= t 'wca.devise.no_account' %> <%= link_to t('devise.shared.links.sign_up'), new_user_registration_path %>!
         <% end %>
+        <% unless EnvConfig.WCA_LIVE_SITE? %>
+          <div>
+            or <br>
+            <button class="ui button primary"><%= link_to 'Sign in through Main WCA Page', staging_login_url, style: "color: white" %></button>
+          </div>
+        <% end %>
       </div>
     </div>
   <% end %>

app_secrets.rb

@@ -80,6 +80,12 @@ def vault_file(secret_name, file_path, refresh: true)
     vault :OIDC_SECRET_KEY
     vault :SLACK_WST_BOT_TOKEN
     vault :TNOODLE_PUBLIC_KEY
+
+    # To allow logging in to staging with your prod account
+    unless ActiveModel::Type::Boolean.new.cast(ENV.fetch("WCA_LIVE_SITE", false))
+      vault :STAGING_OAUTH_CLIENT
+      vault :STAGING_OAUTH_SECRET
+    end
   else
     mandatory :DATABASE_PASSWORD, :string
     mandatory :GOOGLE_MAPS_API_KEY, :string
@@ -96,6 +102,8 @@ def vault_file(secret_name, file_path, refresh: true)
     mandatory :STRIPE_PUBLISHABLE_KEY, :string
     mandatory :JWT_KEY, :string
     mandatory :OIDC_SECRET_KEY, :string
+    mandatory :STAGING_OAUTH_CLIENT, :string
+    mandatory :STAGING_OAUTH_SECRET, :string
 
     optional :AWS_ACCESS_KEY_ID, :string, ''
     optional :AWS_SECRET_ACCESS_KEY, :string, ''

config/routes.rb

@@ -27,6 +27,7 @@
   #  https://github.com/plataformatec/devise/wiki/How-To:-Disable-user-from-destroying-their-account
   devise_for :users, skip: :registrations, controllers: { sessions: "sessions" }
   devise_scope :user do
+    get 'staging_login', to: 'sessions#staging_oauth_login' unless EnvConfig.WCA_LIVE_SITE?
     resource :registration,
              only: [:new, :create],
              path: 'users',
@@ -39,6 +40,7 @@
     post 'users/authenticate-sensitive' => 'users#authenticate_user_for_sensitive_edit'
     delete 'users/sign-out-other' => 'sessions#destroy_other', as: :destroy_other_user_sessions
   end
+
   # TODO: This can be removed after deployment, this is so we don't have any users error out if they click on pay
   # while the deployment happens
   get 'registration/:id/payment-completion' => 'registrations#payment_completion_legacy', as: :registration_payment_completion_legacy

env_config.rb

@@ -78,4 +78,9 @@
 
   # For server status
   optional :BUILD_TAG, :string, "local"
+
+  # To allow logging in to staging with your prod account
+  unless ActiveModel::Type::Boolean.new.cast(ENV.fetch("WCA_LIVE_SITE", false))
+    mandatory :STAGING_OAUTH_URL, :string
+  end
 end

infra/wca_on_rails/staging/main.tf

@@ -32,6 +32,10 @@ locals {
       name = "SIDEKIQ_REDIS_URL"
       value = "redis://redis-main-staging-001.iebvzt.0001.usw2.cache.amazonaws.com:6379"
     },
+    {
+      name = "STAGING_OAUTH_URL"
+      value = "https://www.worldcubeassociation.org"
+    },
     {
       name = "STORAGE_AWS_BUCKET"
       value = aws_s3_bucket.storage-bucket.id