(feat) OAuth: add third-party OAuth2 login procedure

(feat) OAuth: disable login without binding

Add Twitter and Line OAuth login

(fix) wrong layout in OAuth Login management page

(fix) oauth: shrink scope requested in Google

Author: ClearlyClaire

.devcontainer/compose.yaml

@@ -24,6 +24,9 @@ services:
       LIBRE_TRANSLATE_ENDPOINT: http://libretranslate:5000
       LOCAL_DOMAIN: ${LOCAL_DOMAIN:-localhost:3000}
       VITE_DEV_SERVER_PUBLIC: ${VITE_DEV_SERVER_PUBLIC:-localhost:3036}
+      OAUTH_GOOGLE_ENABLED: 'true'
+      OAUTH_GOOGLE_CLIENT_ID: '100000000000000000000'
+      OAUTH_GOOGLE_CLIENT_SECRET: '100000000000000000000'
     # Overrides default command so things don't shut down after the process ends.
     command: sleep infinity
     ports:

.envrc

@@ -0,0 +1 @@
+use flake

Gemfile

@@ -39,9 +39,14 @@ gem 'net-ldap', '~> 0.18'
 
 gem 'omniauth', '~> 2.0'
 gem 'omniauth-cas', '~> 3.0.0.beta.1'
+gem 'omniauth-line', '~> 0.1.0'
 gem 'omniauth_openid_connect', '~> 0.8.0'
 gem 'omniauth-rails_csrf_protection', '~> 1.0'
 gem 'omniauth-saml', '~> 2.0'
+gem 'omniauth-twitter', github: 'arunagw/omniauth-twitter'
+
+# OAuth2 login
+gem 'omniauth-google-oauth2'
 
 gem 'color_diff', '~> 0.1'
 gem 'csv', '~> 3.2'

Gemfile.lock

@@ -1,3 +1,12 @@
+GIT
+  remote: https://github.com/arunagw/omniauth-twitter.git
+  revision: e898df6857bd2e31b7bd1efe0e7a09c97b0041f0
+  specs:
+    omniauth-twitter (1.4.0)
+      cgi
+      omniauth-oauth (~> 1.1)
+      rack
+
 GIT
   remote: https://github.com/mastodon/webpush.git
   revision: 9631ac63045cfabddacc69fc06e919b4c13eb913
@@ -449,6 +458,8 @@ GEM
     minitest (5.26.0)
     msgpack (1.8.0)
     multi_json (1.17.0)
+    multi_xml (0.9.1)
+      bigdecimal (>= 3.1, < 5)
     mutex_m (0.3.0)
     net-http (0.6.0)
       uri
@@ -468,6 +479,21 @@ GEM
     nokogiri (1.19.2)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
+    oauth (1.1.3)
+      base64 (~> 0.1)
+      oauth-tty (~> 1.0, >= 1.0.6)
+      snaky_hash (~> 2.0)
+      version_gem (~> 1.1, >= 1.1.9)
+    oauth-tty (1.0.6)
+      version_gem (~> 1.1, >= 1.1.9)
+    oauth2 (2.0.18)
+      faraday (>= 0.17.3, < 4.0)
+      jwt (>= 1.0, < 4.0)
+      logger (~> 1.2)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 4)
+      snaky_hash (~> 2.0, >= 2.0.3)
+      version_gem (~> 1.1, >= 1.1.9)
     oj (3.16.11)
       bigdecimal (>= 3.0)
       ostruct (>= 0.2)
@@ -480,6 +506,21 @@ GEM
       addressable (~> 2.8)
       nokogiri (~> 1.12)
       omniauth (~> 2.1)
+    omniauth-google-oauth2 (1.2.2)
+      jwt (>= 2.9.2)
+      oauth2 (~> 2.0)
+      omniauth (~> 2.0)
+      omniauth-oauth2 (~> 1.8)
+    omniauth-line (0.1.0)
+      json (>= 2.3.0)
+      omniauth-oauth2 (~> 1.3)
+    omniauth-oauth (1.2.1)
+      oauth
+      omniauth (>= 1.0, < 3)
+      rack (>= 1.6.2, < 4)
+    omniauth-oauth2 (1.9.0)
+      oauth2 (>= 2.0.2, < 3)
+      omniauth (~> 2.0)
     omniauth-rails_csrf_protection (1.0.2)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
@@ -835,6 +876,9 @@ GEM
     simplecov-html (0.13.2)
     simplecov-lcov (0.9.0)
     simplecov_json_formatter (0.1.4)
+    snaky_hash (2.0.3)
+      hashie (>= 0.1.0, < 6)
+      version_gem (>= 1.1.8, < 3)
     stackprof (0.2.27)
     starry (0.2.0)
       base64
@@ -891,6 +935,7 @@ GEM
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
       public_suffix
+    version_gem (1.1.9)
     vite_rails (3.0.19)
       railties (>= 5.1, < 9)
       vite_ruby (~> 3.0, >= 3.2.2)
@@ -1008,8 +1053,11 @@ DEPENDENCIES
   oj (~> 3.14)
   omniauth (~> 2.0)
   omniauth-cas (~> 3.0.0.beta.1)
+  omniauth-google-oauth2
+  omniauth-line (~> 0.1.0)
   omniauth-rails_csrf_protection (~> 1.0)
   omniauth-saml (~> 2.0)
+  omniauth-twitter!
   omniauth_openid_connect (~> 0.8.0)
   opentelemetry-api (~> 1.7.0)
   opentelemetry-exporter-otlp (~> 0.31.0)

app/controllers/auth/omniauth_callbacks_controller.rb

@@ -7,14 +7,39 @@ class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   def self.provides_callback_for(provider)
     define_method provider do
       @provider = provider
-      @user = User.find_for_omniauth(request.env['omniauth.auth'], current_user)
+      # | =identity= | =current_user= | Action                          |
+      # |------------+-----------------+---------------------------------|
+      # | Exist      | Exist           | Report error                     |
+      # | Exist      | Absence         | Login                           |
+      # | Absence    | Exist           | Bind                            |
+      # | Absence    | Absence         | Register or login (depend on ENV) |
+      auth = request.env['omniauth.auth']
+      if ENV['OAUTH_DISABLE_AUTO_REGISTER'] == 'true'
+        uid = auth.uid
+        uid = uid[0][:uid] || uid[0][:user] if uid.is_a? Hashie::Array
+        identity = Identity.find_or_create_by(provider: provider, uid: uid)
+        @user = identity&.user
+        if @user.blank? # Identity is fresh: just created, no user binded yet
+          if current_user.present?
+            @user = current_user
+            identity.user = @user
+            identity.save!
+          else
+            identity.destroy!
+            flash[:alert] = I18n.t('settings.identities.cannot_login_without_register') if is_navigational_format?
+            return redirect_to new_user_session_url
+          end
+        end
+      else
+        @user = User.find_for_omniauth(auth, current_user)
+      end
 
       if @user.persisted?
         record_login_activity
         sign_in_and_redirect @user, event: :authentication
         set_flash_message(:notice, :success, kind: label_for_provider) if is_navigational_format?
       else
-        session["devise.#{provider}_data"] = request.env['omniauth.auth']
+        session["devise.#{provider}_data"] = auth
         redirect_to new_user_registration_url
       end
     rescue ActiveRecord::RecordInvalid

app/controllers/settings/identities_controller.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+class Settings::IdentitiesController < Settings::BaseController
+  layout 'admin'
+  before_action :authenticate_user!
+  before_action :set_identity, only: [:destroy]
+
+  content_security_policy do |p|
+    p.form_action(false)
+  end
+
+  def index
+    @identities = current_user.identities
+    @all_providers = {}
+    Devise.omniauth_configs.each_key do |platform|
+      @all_providers[platform] = @identities.find { |i| i.provider == platform.to_s }
+    end
+  end
+
+  def destroy
+    if @identity&.destroy
+      redirect_to({ action: :index }, success: t('settings.identities.oauth_binding_removed'))
+    else
+      redirect_to({ action: :index }, alert: t('settings.identities.oauth_binding_remove_failed'))
+    end
+  end
+
+  private
+
+  def set_identity
+    @identity = current_user.identities.find(params[:id])
+  end
+end

app/models/user.rb

@@ -87,6 +87,7 @@ class User < ApplicationRecord
   has_many :markers, inverse_of: :user, dependent: :destroy
   has_many :webauthn_credentials, dependent: :destroy
   has_many :ips, class_name: 'UserIp', inverse_of: :user, dependent: nil
+  has_many :identities, dependent: :destroy
 
   has_one :invite_request, class_name: 'UserInviteRequest', inverse_of: :user, dependent: :destroy
   accepts_nested_attributes_for :invite_request, reject_if: ->(attributes) { attributes['text'].blank? && !Setting.require_invite_text }

app/views/settings/identities/index.html.haml

@@ -0,0 +1,23 @@
+- content_for :page_title do
+  = t('settings.identities.title')
+
+%table.table
+  %thead
+    %tr
+      %th= t('settings.identities.provider')
+      %th= t('settings.identities.uid')
+      %th= t('settings.identities.action')
+  %tbody
+    - @all_providers.each do |provider, identity|
+      %tr
+        %td= t("settings.identities.platforms.#{provider}")
+
+        - if identity.present?
+          %td= identity.uid
+        - else
+          %td= t('settings.identities.not_binded')
+
+        - if identity.blank?
+          %td= link_to t('settings.identities.link'), omniauth_authorize_path(:user, provider), method: :post
+        - else
+          %td= link_to t('settings.identities.unlink'), settings_identity_path(identity), method: :delete, data: { confirm: t('settings.identities.confirm_unlink') }

config/initializers/3_omniauth.rb

@@ -105,4 +105,25 @@
     oidc_options[:security][:assume_email_is_verified] = ENV['OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED'] == 'true' # OPTIONAL
     config.omniauth :openid_connect, oidc_options
   end
+
+  if ENV['OAUTH_GOOGLE_ENABLED'] == 'true'
+    options = {
+      scope: 'profile',
+      prompt: 'select_account',
+      image_aspect_ratio: 'square',
+      image_size: 200,
+    }
+    config.omniauth :google_oauth2, ENV.fetch('OAUTH_GOOGLE_CLIENT_ID', nil), ENV.fetch('OAUTH_GOOGLE_CLIENT_SECRET', nil), options
+  end
+
+  if ENV['OAUTH_TWITTER_ENABLED'] == 'true'
+    options = {
+      secure_image_url: true,
+      x_auth_access_type: 'read',
+      use_authorize: true,
+    }
+    config.omniauth :twitter, ENV.fetch('OAUTH_TWITTER_API_KEY', nil), ENV.fetch('OAUTH_TWITTER_API_SECRET', nil), options
+  end
+
+  config.omniauth :line, ENV.fetch('OAUTH_LINE_CHANNEL_ID', nil), ENV.fetch('OAUTH_LINE_CHANNEL_SECRET', nil) if ENV['OAUTH_LINE_ENABLED'] == 'true'
 end

config/locales/en.yml

@@ -1882,6 +1882,21 @@ en:
     edit_profile: Edit profile
     export: Export
     featured_tags: Featured hashtags
+    identities:
+      action: Action
+      cannot_login_without_register: You cannot login with this account because you have not registered yet.
+      confirm_unlink: Are you sure you want to unlink this OAuth binding?
+      link: Link
+      menu_title: OAuth Login
+      not_binded: "(Not binded)"
+      oauth_binding_remove_failed: Failed to remove OAuth binding
+      oauth_binding_removed: OAuth binding removed
+      platforms:
+        google_oauth2: Google
+      provider: Provider
+      title: OAuth Binding Management
+      uid: UID
+      unlink: Unlink
     import: Import
     import_and_export: Import and export
     migrate: Account migration