feat: Add the option for header authentication to create users (Ombi-app#4841)

sussycatgirl · web-flow · commit e6c9ce5ad005 · 2023-01-04T19:23:47.000Z
* feat: allow SSO to create new users automatically

* feat: apply default user settings to SSO users

* feat: add warnings to header auth toggles
diff --git a/src/Ombi.Settings/Settings/Models/AuthenticationSettings.cs b/src/Ombi.Settings/Settings/Models/AuthenticationSettings.cs
@@ -15,5 +15,6 @@ public class AuthenticationSettings : Settings
         public bool EnableOAuth { get; set; } // Plex OAuth
         public bool EnableHeaderAuth { get; set; } // Header SSO
         public string HeaderAuthVariable { get; set; } // Header SSO
+        public bool HeaderAuthCreateUser { get; set; } // Header SSO
     }
 }
diff --git a/src/Ombi/ClientApp/src/app/interfaces/ISettings.ts b/src/Ombi/ClientApp/src/app/interfaces/ISettings.ts
@@ -247,6 +247,7 @@ export interface IAuthenticationSettings extends ISettings {
   enableOAuth: boolean;
   enableHeaderAuth: boolean;
   headerAuthVariable: string;
+  headerAuthCreateUser: boolean;
 }
 
 export interface ICustomPage extends ISettings {
diff --git a/src/Ombi/ClientApp/src/app/settings/authentication/authentication.component.html b/src/Ombi/ClientApp/src/app/settings/authentication/authentication.component.html
@@ -23,6 +23,9 @@
         <div class="checkbox">
           <mat-slide-toggle id="enableHeaderAuth" name="enableHeaderAuth" formControlName="enableHeaderAuth">Enable Authentication with Header Variable</mat-slide-toggle>
         </div>
+        <div class="alert warning-box">
+          Enabling Header Authentication will allow anyone to bypass authentication unless you are using a properly configured reverse proxy. Use with caution!
+        </div>
       </div>
 
       <div class="form-group" *ngIf="form.controls.enableHeaderAuth.value">
@@ -32,6 +35,15 @@
         </div>
       </div>
 
+      <div class="form-group" *ngIf="form.controls.enableHeaderAuth.value">
+        <div class="checkbox">
+          <mat-slide-toggle id="headerAuthCreateUser" name="headerAuthCreateUser" formControlName="headerAuthCreateUser">SSO creates new users automatically</mat-slide-toggle>
+        </div>
+        <div class="alert warning-box" *ngIf="form.controls.headerAuthCreateUser.value">
+          If the user in the Header Authentication variable does not exist, a new user will be created. You can configure the default permissions for new users in the <a target="_blank" href="/Settings/UserManagement">User Management settings</a>.
+        </div>
+      </div>
+
 
       <div class="form-group">
         <div>
diff --git a/src/Ombi/ClientApp/src/app/settings/authentication/authentication.component.scss b/src/Ombi/ClientApp/src/app/settings/authentication/authentication.component.scss
@@ -12,4 +12,11 @@
 ::ng-deep .dark .btn:hover {
     box-shadow: 0 5px 11px 0 rgba(255, 255, 255, 0.18), 0 4px 15px 0 rgba(255, 255, 255, 0.15);
     color: inherit;
-}
+}
+
+.warning-box {
+    margin: 16px 0;
+    color: white;
+    background-color: $ombi-background-accent;
+    border-color: $warn;
+}
diff --git a/src/Ombi/ClientApp/src/app/settings/authentication/authentication.component.ts b/src/Ombi/ClientApp/src/app/settings/authentication/authentication.component.ts
@@ -28,6 +28,7 @@ export class AuthenticationComponent implements OnInit {
                 enableOAuth: [x.enableOAuth],
                 enableHeaderAuth: [x.enableHeaderAuth],
                 headerAuthVariable: [x.headerAuthVariable],
+                headerAuthCreateUser: [x.headerAuthCreateUser],
             });
             this.form.controls.enableHeaderAuth.valueChanges.subscribe(x => {
                 if (x) {
diff --git a/src/Ombi/Controllers/V1/TokenController.cs b/src/Ombi/Controllers/V1/TokenController.cs
@@ -36,20 +36,23 @@ public class Token
     public class TokenController : ControllerBase
     {
         public TokenController(OmbiUserManager um, ITokenRepository token,
-            IPlexOAuthManager oAuthManager, ILogger<TokenController> logger, ISettingsService<AuthenticationSettings> auth)
+            IPlexOAuthManager oAuthManager, ILogger<TokenController> logger, ISettingsService<AuthenticationSettings> auth,
+            ISettingsService<UserManagementSettings> userManagement)
         {
             _userManager = um;
             _token = token;
             _plexOAuthManager = oAuthManager;
             _log = logger;
             _authSettings = auth;
+            _userManagementSettings = userManagement;
         }
 
         private readonly ITokenRepository _token;
         private readonly OmbiUserManager _userManager;
         private readonly IPlexOAuthManager _plexOAuthManager;
         private readonly ILogger<TokenController> _log;
         private readonly ISettingsService<AuthenticationSettings> _authSettings;
+        private readonly ISettingsService<UserManagementSettings> _userManagementSettings;
 
         /// <summary>
         /// Gets the token.
@@ -305,7 +308,28 @@ public async Task<IActionResult> HeaderAuth()
                     var user = await _userManager.FindByNameAsync(username);
                     if (user == null)
                     {
-                        return new UnauthorizedResult();
+                        if (authSettings.HeaderAuthCreateUser)
+                        {
+                            var defaultSettings = await _userManagementSettings.GetSettingsAsync();
+                            user = new OmbiUser {
+                                UserName = username,
+                                UserType = UserType.LocalUser,
+                                StreamingCountry = defaultSettings.DefaultStreamingCountry ?? "US",
+                                MovieRequestLimit = defaultSettings.MovieRequestLimit,
+                                MovieRequestLimitType = defaultSettings.MovieRequestLimitType,
+                                EpisodeRequestLimit = defaultSettings.EpisodeRequestLimit,
+                                EpisodeRequestLimitType = defaultSettings.EpisodeRequestLimitType,
+                                MusicRequestLimit = defaultSettings.MusicRequestLimit,
+                                MusicRequestLimitType = defaultSettings.MusicRequestLimitType,
+                            };
+
+                            await _userManager.CreateAsync(user);
+                            await _userManager.AddToRolesAsync(user, defaultSettings.DefaultRoles);
+                        }
+                        else
+                        {
+                            return new UnauthorizedResult();
+                        }
                     }
 
                     return await CreateToken(true, user);

Original file line number	Diff line number	Diff line change
`@@ -15,5 +15,6 @@ public class AuthenticationSettings : Settings`
`15`	`15`	`public bool EnableOAuth { get; set; } // Plex OAuth`
`16`	`16`	`public bool EnableHeaderAuth { get; set; } // Header SSO`
`17`	`17`	`public string HeaderAuthVariable { get; set; } // Header SSO`
	`18`	`+ public bool HeaderAuthCreateUser { get; set; } // Header SSO`
`18`	`19`	`}`
`19`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -247,6 +247,7 @@ export interface IAuthenticationSettings extends ISettings {`
`247`	`247`	`enableOAuth: boolean;`
`248`	`248`	`enableHeaderAuth: boolean;`
`249`	`249`	`headerAuthVariable: string;`
	`250`	`+ headerAuthCreateUser: boolean;`
`250`	`251`	`}`
`251`	`252`
`252`	`253`	`export interface ICustomPage extends ISettings {`