oauth2

2026-06-18 18:26:40 +02:00
parent 7da4109584
commit 42bab82960
25 changed files with 1250 additions and 5 deletions
--- a/config/development.yaml
+++ b/config/development.yaml
@@ -125,3 +125,30 @@ settings:
  # Bank-transfer payment details shown on the order confirmation.
  bank_iban: {{ get_env(name="BANK_IBAN", default="SK00 0000 0000 0000 0000 0000") }}
  bank_account_name: {{ get_env(name="BANK_ACCOUNT_NAME", default="Kompress s.r.o.") }}
+
+# loco-oauth2: social login. Credentials come from .env (create them in the
+# Google Cloud console and register the redirect_url below as an authorized
+# redirect URI). Until OAUTH_CLIENT_ID/SECRET are set, the "Continue with
+# Google" button will fail at the consent screen — the rest of auth is unaffected.
+initializers:
+  oauth2:
+    # Key for the loco-oauth2 private cookie jar (>= 64 bytes). Override in prod.
+    secret_key: {{ get_env(name="OAUTH_PRIVATE_KEY", default="144, 76, 183, 1, 15, 184, 233, 174, 214, 251, 190, 186, 122, 61, 74, 84, 225, 110, 189, 115, 10, 251, 133, 128, 52, 46, 15, 66, 85, 1, 245, 73, 27, 113, 189, 15, 209, 205, 61, 100, 73, 31, 18, 58, 235, 105, 141, 36, 70, 92, 231, 151, 27, 32, 243, 117, 30, 244, 110, 89, 233, 196, 137, 130") }}
+    authorization_code:
+      - client_identifier: google
+        client_credentials:
+          client_id: {{ get_env(name="OAUTH_CLIENT_ID", default="oauth_client_id") }}
+          client_secret: {{ get_env(name="OAUTH_CLIENT_SECRET", default="oauth_client_secret") }}
+        url_config:
+          auth_url: {{ get_env(name="OAUTH_AUTH_URL", default="https://accounts.google.com/o/oauth2/auth") }}
+          token_url: {{ get_env(name="OAUTH_TOKEN_URL", default="https://www.googleapis.com/oauth2/v3/token") }}
+          redirect_url: {{ get_env(name="OAUTH_REDIRECT_URL", default="http://localhost:5150/api/oauth2/google/callback/cookie") }}
+          profile_url: {{ get_env(name="OAUTH_PROFILE_URL", default="https://openidconnect.googleapis.com/v1/userinfo") }}
+          scopes:
+            - "https://www.googleapis.com/auth/userinfo.email"
+            - "https://www.googleapis.com/auth/userinfo.profile"
+        cookie_config:
+          # After loco-oauth2 sets its session cookie it redirects here, where we
+          # mint our own auth_token cookie (see controllers/oauth2.rs::complete).
+          protected_url: {{ get_env(name="OAUTH_PROTECTED_URL", default="http://localhost:5150/api/oauth2/protected") }}
+        timeout_seconds: 600
--- a/config/production.yaml
+++ b/config/production.yaml
@@ -55,3 +55,25 @@ auth:
 settings:
  admin_email: "{{ get_env(name="ADMIN_EMAIL", default="") }}"
  uploads_root: "{{ get_env(name="UPLOADS_ROOT", default="data/uploads") }}"
+
+# loco-oauth2 social login. All values must come from the environment in prod;
+# OAUTH_REDIRECT_URL / OAUTH_PROTECTED_URL must use the real public origin.
+initializers:
+  oauth2:
+    secret_key: "{{ get_env(name="OAUTH_PRIVATE_KEY") }}"
+    authorization_code:
+      - client_identifier: google
+        client_credentials:
+          client_id: "{{ get_env(name="OAUTH_CLIENT_ID") }}"
+          client_secret: "{{ get_env(name="OAUTH_CLIENT_SECRET") }}"
+        url_config:
+          auth_url: "{{ get_env(name="OAUTH_AUTH_URL", default="https://accounts.google.com/o/oauth2/auth") }}"
+          token_url: "{{ get_env(name="OAUTH_TOKEN_URL", default="https://www.googleapis.com/oauth2/v3/token") }}"
+          redirect_url: "{{ get_env(name="OAUTH_REDIRECT_URL") }}"
+          profile_url: "{{ get_env(name="OAUTH_PROFILE_URL", default="https://openidconnect.googleapis.com/v1/userinfo") }}"
+          scopes:
+            - "https://www.googleapis.com/auth/userinfo.email"
+            - "https://www.googleapis.com/auth/userinfo.profile"
+        cookie_config:
+          protected_url: "{{ get_env(name="OAUTH_PROTECTED_URL") }}"
+        timeout_seconds: 600