miniOrange WordPress plugin authentication method; trap exception if Google service account JSON is malformed

jhpyle · jhpyle · commit a86e4325ec0d · 2025-03-01T11:30:12.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,22 @@
 # Change Log
 
+## [1.6.4] - 2025-03-01
+
+### Added
+- The `allow external auth with multiple methods` Configuration
+  directive.
+- The miniOrange WordPress plugin external authentication method.
+
+### Changed
+- Users who registered with one external authentication method cannot
+  log in using a different authentication method connected to the same
+  email address unless the `allow external auth with multiple methods`
+  Configuration directive is set to `True`.
+
+### Fixed
+- Trapped exception where service account credentials contain invalid
+  JSON.
+
 ## [1.6.3] - 2025-02-16
 
 ### Fixed
diff --git a/Dockerfile b/Dockerfile
@@ -54,7 +54,7 @@ bash -c \
 && cp /usr/local/bin/unoconv /usr/bin/unoconv \
 && python3.10 -m venv --copies /usr/share/docassemble/local3.10 \
 && source /usr/share/docassemble/local3.10/bin/activate \
-&& pip install --upgrade pip==24.3.1 \
+&& pip install --upgrade pip==25.0.1 \
 && pip install --upgrade wheel==0.45.1 \
 && pip install --upgrade mod_wsgi==5.0.2 \
 && pip install --upgrade \
diff --git a/LICENSE.txt b/LICENSE.txt
@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015-2023 Jonathan Pyle
+Copyright (c) 2015-2025 Jonathan Pyle
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/docassemble/LICENSE.txt b/docassemble/LICENSE.txt
@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015-2023 Jonathan Pyle
+Copyright (c) 2015-2025 Jonathan Pyle
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/docassemble_base/LICENSE.txt b/docassemble_base/LICENSE.txt
@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015-2022 Jonathan Pyle
+Copyright (c) 2015-2025 Jonathan Pyle
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/docassemble_base/docassemble/base/data/sources/base-words.yml b/docassemble_base/docassemble/base/data/sources/base-words.yml
@@ -747,6 +747,7 @@
 "Please enter the verification code from the text message we just sent you.": Null
 "Please enter the verification code from your authentication app.": Null
 "Please log in.": Null
+"Please log in to that account.": Null
 "Please select at least %s.": Null
 "Please select exactly %s.": Null
 "Please select no more than %s.": Null
@@ -816,6 +817,7 @@
 "Register with Azure": Null
 "Register with Facebook": Null
 "Register with Google": Null
+"Register with miniOrange": Null
 "Register with Twitter": Null
 "Register with your mobile phone": Null
 "Register with Zitadel": Null
@@ -921,6 +923,7 @@
 "Sign in with Facebook": Null
 "Sign in with Google": Null
 "Sign in with Keycloak": Null
+"Sign in with miniOrange": Null
 "Sign in with Twitter": Null
 "Sign in with your mobile phone": Null
 "Sign in with Zitadel": Null
@@ -1042,6 +1045,7 @@
 "There are no active sessions.": Null
 "There are unsaved changes.  Are you sure you wish to leave this page?": Null
 "The regular expression you provided could not be parsed.": Null
+"There is already an account on the system with the e-mail address": Null
 "There is already a username and password on this system with the e-mail address": Null
 "The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.": Null
 "There was an error.": Null
diff --git a/docassemble_demo/LICENSE.txt b/docassemble_demo/LICENSE.txt
@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015-2023 Jonathan Pyle
+Copyright (c) 2015-2025 Jonathan Pyle
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/docassemble_webapp/LICENSE.txt b/docassemble_webapp/LICENSE.txt
@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015-2023 Jonathan Pyle
+Copyright (c) 2015-2025 Jonathan Pyle
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/docassemble_webapp/docassemble/webapp/google_api.py b/docassemble_webapp/docassemble/webapp/google_api.py
@@ -1,3 +1,4 @@
+import sys
 import logging
 import json
 from google.oauth2 import service_account
@@ -13,7 +14,12 @@
 if credential_json is None:
     credential_info = None
 else:
-    credential_info = json.loads(credential_json, strict=False)
+    try:
+        credential_info = json.loads(credential_json, strict=False)
+    except Exception as err:
+        credential_info = None
+        sys.stderr.write("Unable to load google service account credentials:\n")
+        sys.stderr.write(str(err) + "\n")
 
 
 def google_api_credentials(scope):
diff --git a/docassemble_webapp/docassemble/webapp/server.py b/docassemble_webapp/docassemble/webapp/server.py
@@ -1036,7 +1036,7 @@ def custom_login():
         if app.config['AUTO_LOGIN'] is True:
             number_of_methods = 0
             the_method = None
-            for login_method in ('USE_PHONE_LOGIN', 'USE_GOOGLE_LOGIN', 'USE_FACEBOOK_LOGIN', 'USE_ZITADEL_LOGIN', 'USE_TWITTER_LOGIN', 'USE_AUTH0_LOGIN', 'USE_KEYCLOAK_LOGIN', 'USE_AZURE_LOGIN'):
+            for login_method in ('USE_PHONE_LOGIN', 'USE_GOOGLE_LOGIN', 'USE_FACEBOOK_LOGIN', 'USE_ZITADEL_LOGIN', 'USE_TWITTER_LOGIN', 'USE_AUTH0_LOGIN', 'USE_KEYCLOAK_LOGIN', 'USE_AZURE_LOGIN', 'USE_MINIORANGE_LOGIN'):
                 if app.config[login_method]:
                     number_of_methods += 1
                     the_method = re.sub(r'USE_(.*)_LOGIN', r'\1', login_method).lower()
@@ -1048,7 +1048,7 @@ def custom_login():
             return redirect(url_for('phone_login'))
         if the_method == 'google':
             return redirect(url_for('google_page', next=request.args.get('next', '')))
-        if the_method in ('facebook', 'twitter', 'auth0', 'keycloak', 'azure'):
+        if the_method in ('facebook', 'twitter', 'auth0', 'keycloak', 'azure', 'zitadel', 'miniorange'):
             return redirect(url_for('oauth_authorize', provider=the_method, next=request.args.get('next', '')))
     response = make_response(user_manager.render_function(user_manager.login_template,
                                                           form=login_form,
@@ -1269,6 +1269,11 @@ def url_for_interview(**args):
 
 app.jinja_env.globals.update(url_for=url_for, url_for_interview=url_for_interview)
 
+if DEBUG_BOOT:
+    boot_log("server: setting up logging")
+
+sys_logger = None
+
 
 def syslog_message(message):
     message = re.sub(r'\n', ' ', message)
@@ -1299,12 +1304,6 @@ def syslog_message(message):
 def syslog_message_with_timestamp(message):
     syslog_message(time.strftime("%Y-%m-%d %H:%M:%S") + " " + message)
 
-if DEBUG_BOOT:
-    boot_log("server: setting up logging")
-
-sys_logger = logging.getLogger('docassemble')
-sys_logger.setLevel(logging.DEBUG)
-
 LOGFORMAT = daconfig.get('log format', 'docassemble: ip=%(clientip)s i=%(yamlfile)s uid=%(session)s user=%(user)s %(message)s')
 
 
@@ -1322,9 +1321,10 @@ def add_log_handler():
             sys_logger.addHandler(stderr_log_handler)
         break
 
-add_log_handler()
-
 if not (in_celery or in_cron):
+    sys_logger = logging.getLogger('docassemble')
+    sys_logger.setLevel(logging.DEBUG)
+    add_log_handler()
     if LOGSERVER is None:
         docassemble.base.logger.set_logmessage(syslog_message_with_timestamp)
     else:
@@ -1505,6 +1505,7 @@ def get_twilio_config():
 app.config['USE_GOOGLE_LOGIN'] = False
 app.config['USE_FACEBOOK_LOGIN'] = False
 app.config['USE_ZITADEL_LOGIN'] = False
+app.config['USE_MINIORANGE_LOGIN'] = False
 app.config['USE_TWITTER_LOGIN'] = False
 app.config['USE_AUTH0_LOGIN'] = False
 app.config['USE_KEYCLOAK_LOGIN'] = False
@@ -1522,6 +1523,7 @@ def get_twilio_config():
     app.config['USE_GOOGLE_LOGIN'] = bool('google' in daconfig['oauth'] and not ('enable' in daconfig['oauth']['google'] and daconfig['oauth']['google']['enable'] is False))
     app.config['USE_FACEBOOK_LOGIN'] = bool('facebook' in daconfig['oauth'] and not ('enable' in daconfig['oauth']['facebook'] and daconfig['oauth']['facebook']['enable'] is False))
     app.config['USE_ZITADEL_LOGIN'] = bool('zitadel' in daconfig['oauth'] and not ('enable' in daconfig['oauth']['zitadel'] and daconfig['oauth']['zitadel']['enable'] is False))
+    app.config['USE_MINIORANGE_LOGIN'] = bool('miniorange' in daconfig['oauth'] and not ('enable' in daconfig['oauth']['zitadel'] and daconfig['oauth']['miniorange']['enable'] is False))
     app.config['USE_TWITTER_LOGIN'] = bool('twitter' in daconfig['oauth'] and not ('enable' in daconfig['oauth']['twitter'] and daconfig['oauth']['twitter']['enable'] is False))
     app.config['USE_AUTH0_LOGIN'] = bool('auth0' in daconfig['oauth'] and not ('enable' in daconfig['oauth']['auth0'] and daconfig['oauth']['auth0']['enable'] is False))
     app.config['USE_KEYCLOAK_LOGIN'] = bool('keycloak' in daconfig['oauth'] and not ('enable' in daconfig['oauth']['keycloak'] and daconfig['oauth']['keycloak']['enable'] is False))
@@ -3441,7 +3443,7 @@ def delete_session_sessions():
 
 
 def delete_session_info():
-    for key in ('i', 'uid', 'key_logged', 'tempuser', 'user_id', 'encrypted', 'chatstatus', 'observer', 'monitor', 'variablefile', 'doing_sms', 'playgroundfile', 'playgroundtemplate', 'playgroundstatic', 'playgroundsources', 'playgroundmodules', 'playgroundpackages', 'taskwait', 'phone_number', 'otp_secret', 'validated_user', 'github_next', 'next', 'sessions', 'alt_session', 'zitadel_verifier'):
+    for key in ('i', 'uid', 'key_logged', 'tempuser', 'user_id', 'encrypted', 'chatstatus', 'observer', 'monitor', 'variablefile', 'doing_sms', 'playgroundfile', 'playgroundtemplate', 'playgroundstatic', 'playgroundsources', 'playgroundmodules', 'playgroundpackages', 'taskwait', 'phone_number', 'otp_secret', 'validated_user', 'github_next', 'next', 'sessions', 'alt_session', 'zitadel_verifier', 'miniorange_verifier'):
         if key in session:
             del session[key]
 
@@ -4721,6 +4723,9 @@ def __init__(self, provider_name):
     def authorize(self):
         pass
 
+    def enabled(self):
+        return app.config.get(f"USE_{self.provider_name.upper()}_LOGIN", False)
+
     def callback(self):
         pass
 
@@ -4918,6 +4923,57 @@ def callback(self):
         )
 
 
+class MiniOrangeOAuthSignIn(OAuthSignIn):
+
+    def __init__(self):
+        super().__init__('miniorange')
+        self.service = OAuth2Service(
+            name='azure',
+            client_id=self.consumer_id,
+            client_secret=self.consumer_secret,
+            authorize_url='https://' + str(self.consumer_domain) + '/wp-json/moserver/authorize',
+            access_token_url='https://' + str(self.consumer_domain) + '/wp-json/moserver/token',
+            base_url='https://' + str(self.consumer_domain)
+        )
+
+    def authorize(self):
+        session['miniorange_verifier'] = random_alphanumeric(43)
+        return redirect(self.service.get_authorize_url(
+            response_type='code',
+            client_id=self.consumer_id,
+            redirect_uri=self.get_callback_url(),
+            scope='openid profile email',
+            state=session['miniorange_verifier'])
+        )
+
+    def callback(self):
+        if 'code' not in request.args or 'miniorange_verifier' not in session:
+            return None, None, None, None
+        the_state = request.args.get('state', '')
+        if the_state != session['miniorange_verifier']:
+            del session['miniorange_verifier']
+            return None, None, None, None
+        the_data = {'code': request.args['code'],
+                    'grant_type': 'authorization_code',
+                    'client_id': self.consumer_id,
+                    'client_secret': self.consumer_secret,
+                    'redirect_uri': self.get_callback_url()}
+        oauth_session = self.service.get_auth_session(
+            decoder=safe_json_loads,
+            data=the_data
+        )
+        me = oauth_session.get('wp-json/moserver/resource').json()
+        del session['miniorange_verifier']
+        return (
+            'miniorange$' + str(me['id']),
+            me.get('email').split('@')[0],
+            me.get('email'),
+            {'first_name': me.get('first_name', None),
+             'last_name': me.get('last_name', None),
+             'name': (me.get('first_name', '') + ' ' + me.get('last_name', '')).strip()}
+        )
+
+
 def safe_json_loads(data):
     return json.loads(data.decode("utf-8", "strict"))
 
@@ -5174,6 +5230,8 @@ def oauth_callback(provider):
     # for argument in request.args:
     #     logmessage("argument " + str(argument) + " is " + str(request.args[argument]))
     oauth = OAuthSignIn.get_provider(provider)
+    if not oauth.enabled():
+        abort(403)
     social_id, username, email, name_data = oauth.callback()
     if not verify_email(email):
         flash(word('E-mail addresses with this domain are not authorized to register for accounts on this system.'), 'error')
@@ -5183,7 +5241,10 @@ def oauth_callback(provider):
         return redirect(url_for('interview_list', from_login='1'))
     user = db.session.execute(select(UserModel).options(db.joinedload(UserModel.roles)).filter_by(social_id=social_id)).scalar()
     if not user:
-        user = db.session.execute(select(UserModel).options(db.joinedload(UserModel.roles)).filter_by(email=email)).scalar()
+        user = db.session.execute(select(UserModel).options(db.joinedload(UserModel.roles)).where(UserModel.email.ilike(email))).scalar()
+        if user and not user.social_id.startswith('local') and not daconfig.get('allow external auth with multiple methods', False) and social_id.split('$')[0] != user.social_id.split('$')[0]:
+            flash(word('There is already an account on the system with the e-mail address') + " " + str(email) + ".  " + word("Please log in to that account."), 'error')
+            return redirect(url_for('user.login'))
     if user and user.social_id is not None and user.social_id.startswith('local'):
         flash(word('There is already a username and password on this system with the e-mail address') + " " + str(email) + ".  " + word("Please log in."), 'error')
         return redirect(url_for('user.login'))
diff --git a/docassemble_webapp/docassemble/webapp/static/app/miniorange-logo.png b/docassemble_webapp/docassemble/webapp/static/app/miniorange-logo.png
diff --git a/docassemble_webapp/docassemble/webapp/templates/flask_user/login.html b/docassemble_webapp/docassemble/webapp/templates/flask_user/login.html
@@ -83,7 +83,7 @@ <h1>{{ get_part('login page heading', word('Sign in')) }}</h1>
               {{ render_submit_field(form.submit) }}
             </div>
           </form>
-          {%- if config['USE_GOOGLE_LOGIN'] or config['USE_FACEBOOK_LOGIN'] or config['USE_ZITADEL_LOGIN'] or config['USE_TWITTER_LOGIN'] or config['USE_AUTH0_LOGIN'] or config['USE_KEYCLOAK_LOGIN'] or config['USE_AZURE_LOGIN'] or config['USE_PHONE_LOGIN'] %}
+          {%- if config['USE_GOOGLE_LOGIN'] or config['USE_FACEBOOK_LOGIN'] or config['USE_ZITADEL_LOGIN'] or config['USE_TWITTER_LOGIN'] or config['USE_AUTH0_LOGIN'] or config['USE_KEYCLOAK_LOGIN'] or config['USE_AZURE_LOGIN'] or config['USE_MINIORANGE_LOGIN'] or config['USE_PHONE_LOGIN'] %}
           <p style="padding: 15px 15px 5px 15px;"><strong>{{ word('or') }}</strong></p>
           {%- endif %}
           {%- endif %}
@@ -122,6 +122,11 @@ <h1>{{ get_part('login page heading', word('Sign in')) }}</h1>
             <div class="daiconbox col-md-7"><a role="button" class="danohover" href="{{ url_for('oauth_authorize', provider='zitadel', next=request.args.get('next', '')) }}"><table><tbody><tr><td style="padding-left:4px;vertical-align:middle;"><img alt="" src="{{ url_for('static', filename='app/zitadel-logo.png', v=config['DA_VERSION']) }}"></td><td style="width:100%;vertical-align:middle;text-align:center;">{{ word('Sign in with Zitadel') }}</td></tr></tbody></table></a></div>
           </div>
           {%- endif %}
+          {%- if config['USE_MINIORANGE_LOGIN'] %}
+          <div class="row danomargin">
+            <div class="daiconbox col-md-7"><a role="button" class="danohover" href="{{ url_for('oauth_authorize', provider='miniorange', next=request.args.get('next', '')) }}"><table><tbody><tr><td style="padding-left:4px;vertical-align:middle;"><img alt="" src="{{ url_for('static', filename='app/miniorange-logo.png', v=config['DA_VERSION']) }}"></td><td style="width:100%;vertical-align:middle;text-align:center;">{{ word('Sign in with miniOrange') }}</td></tr></tbody></table></a></div>
+          </div>
+          {%- endif %}
           {%- if config['USE_AZURE_LOGIN'] %}
           <div class="row danomargin">
             <div class="daiconbox col-md-7"><a role="button" class="danohover" href="{{ url_for('oauth_authorize', provider='azure', next=request.args.get('next', '')) }}"><table style="height:100%"><tbody><tr><td style="padding-left:4px;vertical-align:middle;"><img alt="" src="{{ url_for('static', filename='app/azure-logo.png', v=config['DA_VERSION']) }}"></td><td style="width:100%;vertical-align:middle;text-align:center;">{{ word('Sign in with Azure') }}</td></tr></tbody></table></a></div>
diff --git a/docassemble_webapp/docassemble/webapp/templates/flask_user/register.html b/docassemble_webapp/docassemble/webapp/templates/flask_user/register.html
@@ -68,7 +68,7 @@ <h1>{{ get_part('register page heading', word('Register')) }}</h1>
               {{ render_submit_field(form.submit) }}
             </div>
           </form>
-          {%- if config['USE_GOOGLE_LOGIN'] or config['USE_FACEBOOK_LOGIN'] or config['USE_ZITADEL_LOGIN'] or config['USE_TWITTER_LOGIN'] or config['USE_AUTH0_LOGIN'] or config['USE_AZURE_LOGIN'] or config['USE_PHONE_LOGIN'] %}
+          {%- if config['USE_GOOGLE_LOGIN'] or config['USE_FACEBOOK_LOGIN'] or config['USE_ZITADEL_LOGIN'] or config['USE_TWITTER_LOGIN'] or config['USE_AUTH0_LOGIN'] or config['USE_AZURE_LOGIN'] or config['USE_MINIORANGE_LOGIN'] or config['USE_PHONE_LOGIN'] %}
           <p style="padding: 15px 15px 5px 15px;"><strong>{{ word('or') }}</strong></p>
           {%- endif %}
           {%- endif %}
@@ -102,6 +102,11 @@ <h1>{{ get_part('register page heading', word('Register')) }}</h1>
             <div class="daiconbox col-md-7"><a role="button" class="danohover" href="{{ url_for('oauth_authorize', provider='zitadel') }}"><table><tbody><tr><td style="padding-left:4px;vertical-align:middle;"><img alt="" src="{{ url_for('static', filename='app/zitadel-logo.png', v=config['DA_VERSION']) }}"></td><td style="width:100%;vertical-align:middle;text-align:center;">{{ word('Register with Zitadel') }}</td></tr></tbody></table></a></div>
           </div>
           {%- endif %}
+          {%- if config['USE_MINIORANGE_LOGIN'] %}
+          <div class="row danomargin">
+            <div class="daiconbox col-md-7"><a role="button" class="danohover" href="{{ url_for('oauth_authorize', provider='miniorange') }}"><table><tbody><tr><td style="padding-left:4px;vertical-align:middle;"><img alt="" src="{{ url_for('static', filename='app/miniorange-logo.png', v=config['DA_VERSION']) }}"></td><td style="width:100%;vertical-align:middle;text-align:center;">{{ word('Register with miniOrange') }}</td></tr></tbody></table></a></div>
+          </div>
+          {%- endif %}
           {%- if config['USE_AZURE_LOGIN'] %}
           <div class="row danomargin">
             <div class="daiconbox col-md-7"><a role="button" class="danohover" href="{{ url_for('oauth_authorize', provider='azure') }}"><table style="height:100%"><tbody><tr><td style="padding-left:4px;vertical-align:middle;"><img alt="" src="{{ url_for('static', filename='app/azure-logo.png', v=config['DA_VERSION']) }}"></td><td style="width:100%;vertical-align:middle;text-align:center;">{{ word('Register with Azure') }}</td></tr></tbody></table></a></div>
