minors fix, explicite Saml2 return url

Author: Benoit Ngo

.env.dist

@@ -36,6 +36,6 @@ APP_SSO_SERVICEPROVIDER_X509CERT=MIICkDCCAfmgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBlMQs
 APP_SSO_SERVICEPROVIDER_PRIVATEKEY=MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMKCd0hnMKX40MYR+fZNRqMJjSiDpTPTkV9A0bfQKESZ9esPjNt8Janq+2MGLrm6cRcMXRx8yo/x7pfoCmdiu9D7VNhk69nFsNKH0PQp/jf2+vLPHXgKvlcCFvlaOB/Cvg9UnK9mq83H88LPwvrpaNRl4qDrLS5TTByEIohjFUJrAgMBAAECgYEAgLUgBTLzCABa9ZXTl12PDjc1xsdFu8OVgDg+DamZ27sc9Qv3Iw1FRuiMq/vdU1zBlITD4CPbTeDDBpWuvLainACpk4JJK22JozwLpaqnyrrhPNxphBe3XUREe6Tw53q9cM1j9RlD+PwbM2KbudfBmsi+sPvNK0pEAHFJZhogjfECQQDtwqhYQhLUCmgzMMFNU1PYvPJ6+5cdrgxK5JJhQxKJnclUdnjw3zUwdN3XpJk9ggq/GTCAjd/vE8ILV2DXgD6nAkEA0W5pvJx5EG9hekJ3/LaqcIKNH38uqhm4LPrXaLbUOToVyjBsJhlfRVVQojhOT9mAkTs4RhSP0IZy+Xkvh3s6nQJBALPzOnriN2HpJohoBEXEJZfLGjNerDc4ffFJIkke/K7Pj4uvx0V3ishMC4Ok/p6BCCUuqXkC6FQIvjrbPV6dn80CQQDRAZvMe2vmlwF0/fi436Ng/SjRkh+D6n7/hKaM/kj1g55TVdfYfeGyU95QxliBH9NLHQqgBc0wkb0Uc3iXgMeRAkAm30yjx2YPHjXZydKsJFgNtfI0PvoFS8tv1Ljb3FfflzrKEFFBtwfC/kxJXY+oKIKMSW0YxT0EuOkq3K5uIeGd
 # THE SSO APP
 APP_SSO_IDENTITYPROVIDER_X509CERT=MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTYxMjMxMTQzNDQ3WhcNNDgwNjI1MTQzNDQ3WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzUCFozgNb1h1M0jzNRSCjhOBnR+uVbVpaWfXYIR+AhWDdEe5ryY+CgavOg8bfLybyzFdehlYdDRgkedEB/GjG8aJw06l0qF4jDOAw0kEygWCu2mcH7XOxRt+YAH3TVHa/Hu1W3WjzkobqqqLQ8gkKWWM27fOgAZ6GieaJBN6VBSMMcPey3HWLBmc+TYJmv1dbaO2jHhKh8pfKw0W12VM8P1PIO8gv4Phu/uuJYieBWKixBEyy0lHjyixYFCR12xdh4CA47q958ZRGnnDUGFVE1QhgRacJCOZ9bd5t9mr8KLaVBYTCJo5ERE8jymab5dPqe5qKfJsCZiqWglbjUo9twIDAQABo1AwTjAdBgNVHQ4EFgQUxpuwcs/CYQOyui+r1G+3KxBNhxkwHwYDVR0jBBgwFoAUxpuwcs/CYQOyui+r1G+3KxBNhxkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAiWUKs/2x/viNCKi3Y6blEuCtAGhzOOZ9EjrvJ8+COH3Rag3tVBWrcBZ3/uhhPq5gy9lqw4OkvEws99/5jFsX1FJ6MKBgqfuy7yh5s1YfM0ANHYczMmYpZeAcQf2CGAaVfwTTfSlzNLsF2lW/ly7yapFzlYSJLGoVE+OHEu8g5SlNACUEfkXw+5Eghh+KzlIN7R6Q7r2ixWNFBC/jWf7NKUfJyX8qIG5md1YUeT6GBW9Bm2/1/RiO24JTaYlfLdKK9TYb8sG5B+OLab2DImG99CJ25RkAcSobWNF5zD0O6lgOo3cEdB/ksCq3hmtlC/DlLZ/D8CJ+7VuZnS1rR2naQ==
-APP_SSO_IDENTITYPROVIDER_ENTITYID=http://samltest.${BASE_DOMAIN}/simplesaml/saml2/idp/metadata.php
-APP_SSO_IDENTITYPROVIDER_LOGINURL=http://samltest.${BASE_DOMAIN}/simplesaml/saml2/idp/SSOService.php
-APP_SSO_IDENTITYPROVIDER_LOGOUTURL=http://samltest.${BASE_DOMAIN}/simplesaml/saml2/idp/SSOService.php
+APP_SSO_IDENTITYPROVIDER_ENTITYID=${PROTOCOL}://samltest.${BASE_DOMAIN}/simplesaml/saml2/idp/metadata.php
+APP_SSO_IDENTITYPROVIDER_LOGINURL=${PROTOCOL}://samltest.${BASE_DOMAIN}/simplesaml/saml2/idp/SSOService.php
+APP_SSO_IDENTITYPROVIDER_LOGOUTURL=${PROTOCOL}://samltest.${BASE_DOMAIN}/simplesaml/saml2/idp/SSOService.php

Makefile

@@ -89,6 +89,11 @@ restart: down up
 .PHONY: frestart
 frestart: fdown fup
 
+
+.PHONY: fbuild
+fbuild: ;\
+   docker compose build --no-cache
+
 .PHONY: stop-front
 stop-front: ;\
     DOCKER_BUILDKIT=1 docker compose stop front

apps/back/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker.io/docker/dockerfile:1.4
-ARG IMAGE_VERSION=php:8.1-v4
+ARG IMAGE_VERSION=php:8.2-v4
 ARG APP_ENV=prod
 ARG APP_SOURCE_FILE='./'
 ARG PHP_EXTENSIONS="apcu mysqli pdo_mysql intl gd xdebug"

apps/back/config/services.yaml

@@ -60,6 +60,7 @@ services:
         class: App\Authenticator\Saml2Authenticator
         arguments:
             $checkPath: 'api_login_saml2'
+            $returnTo: "%app.url.base%/api/1.0/auth/sso/saml2/login"
 
 
     OneLogin\Saml2\Auth:

apps/back/src/Authenticator/Saml2Authenticator.php

@@ -4,7 +4,6 @@
 
 namespace App\Authenticator;
 
-use App\Exception\SsoConsumerAuthNException;
 use App\Exception\SsoConsumerException;
 use OneLogin\Saml2\Auth;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -27,6 +26,8 @@ public function __construct(
         private readonly HttpUtils $httpUtils,
         private readonly string $checkPath,
         private readonly Auth $auth,
+        private readonly string $returnTo,
+        private readonly \Psr\Log\LoggerInterface $logger,
     ) {
     }
 
@@ -44,10 +45,6 @@ public function authenticate(Request $request): Passport
     {
         $session = $request->getSession();
         $authNRequestId = $session->get('AuthNRequestID', null);
-        if (! \is_string($authNRequestId)) {
-            throw new SsoConsumerAuthNException();
-        }
-
         $auth   = $this->auth;
         $auth->setStrict(false);
         $auth->processResponse($authNRequestId);
@@ -99,10 +96,12 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
     public function start(Request $request, AuthenticationException|null $authException = null)
     {
         $session        = $request->getSession();
+        $this->logger->error('Starting auth');
         $auth           = $this->auth;
-        $url            = $auth->login(null, [], false, false, true);
+        $url            = $auth->login($this->returnTo, [], false, false, true);
         $authNRequestId = $auth->getLastRequestID();
         $session->set('AuthNRequestID', $authNRequestId);
+        $this->logger->error("Need redirect to $url");
 
         return new JsonResponse(['url' => $url], Response::HTTP_UNAUTHORIZED);
     }

apps/front/nuxt.config.ts

@@ -10,7 +10,7 @@ export default defineNuxtConfig({
       // @see https://getbootstrap.com/docs/5.0/getting-started/introduction/#starter-template
       charset: "utf-8",
       viewport: "width=device-width, initial-scale=1",
-      title: "KB Backbone",
+      title: "Boilerplate SF - Nuxt",
       meta: [
         // <meta name="description" content="My amazing site">
         //  { name: 'description', content: 'My amazing site.' }

apps/front/src/app.vue

@@ -1,7 +1,7 @@
 <template>
   <div>
     <NuxtErrorBoundary @error="mHandleError">
-      <NuxtLayout>
+      <NuxtLayout v-if="shouldRender">
         <NuxtPage />
       </NuxtLayout>
     </NuxtErrorBoundary>
@@ -15,19 +15,28 @@ const authStore = useAuthUser();
 
 const route = useRoute();
 
-const mHandleError = (e: unknown) => {
+const mHandleError = (e: any) => {
   logger.error("Primary error boundary", e);
 };
-const isPendingValue = computed(() => authStore.isPending);
+const shouldRender = computed(
+  () => authStore.isPending
+);
 // Doing this here instead than in the middleware allow reactivity on the auth user
 watchEffect(async () => {
-  if (isPendingValue.value) {
+  logger.info("pending");
+  if (authStore.isPending) {
     return;
   }
+  logger.info("resolved pending");
   const shouldRedirectToLogin =
     !authStore.isAuthenticated &&
     authStore.authUrl &&
     route.name !== "auth-login";
+  logger.info("shouldRedirectToLogin");
+  logger.info(authStore.isAuthenticated);
+  logger.info(authStore.authUrl);
+  logger.info(route.name);
+  logger.info(shouldRedirectToLogin);
   if (shouldRedirectToLogin) {
     await navigateTo(authStore.authUrl, { external: true });
   }
@@ -38,3 +47,4 @@ watchEffect(async () => {
   }
 });
 </script>
+cd

apps/front/src/middleware/auth.global.ts

@@ -5,6 +5,7 @@ export default defineNuxtRouteMiddleware(async () => {
   // We refresh the data information
   // If the syncMe result in a 401, the component RedirectToLogin will be triggered,
   // so no need to wait the sync
+  logger.info("------ in middleware");
   const mePromise = authStore.syncMe();
   /**
    *   We still wait if the user is not authenticated because that may mean

apps/front/src/plugins/appFetch.ts

@@ -8,20 +8,28 @@ export default defineNuxtPlugin(() => {
   const event = useRequestEvent();
   const headers: {
     [key: string]: string;
-  } = useRequestHeaders(["cookie"]) as {
-    [key: string]: string;
+  } = {
+    ...(useRequestHeaders(["cookie"]) as {
+      [key: string]: string;
+    }),
+    ...{
+      accept: "application/json",
+    },
   };
-
   const handleException = (e: any) => {
+    logger.info("in catch");
     // Check if 401 so remove auth info
     if (e && e.response && e.response.status === 401 && store.isAuthenticated) {
       logger.error("401 error, removing authentication informations");
       store.resetAuth();
     }
-
+    if (!e?.response?.headers) {
+      throw e;
+    }
     const cookies = (e.response.headers.get("set-cookie") || "").split(",");
+    logger.info("setting header");
     if (process.server && cookies) {
-      event.res.setHeader("set-cookie", cookies);
+      event.node.res.setHeader("set-cookie", cookies);
     }
     throw e;
   };
@@ -36,7 +44,7 @@ export default defineNuxtPlugin(() => {
 
     const cookies = (res.headers.get("set-cookie") || "").split(",");
     if (process.server && cookies) {
-      event.res.setHeader("set-cookie", cookies);
+      event.node.res.setHeader("set-cookie", cookies);
     }
     return res;
   };
@@ -47,12 +55,13 @@ export default defineNuxtPlugin(() => {
   ) => {
     const res = await $fetch.raw<T>(request, {
       headers,
+
       ...opts,
     });
 
     const cookies = (res.headers.get("set-cookie") || "").split(",");
     if (process.server && cookies) {
-      event.res.setHeader("set-cookie", cookies);
+      event.node.res.setHeader("set-cookie", cookies);
     }
     return res._data;
   };

apps/front/src/server/api/[...].ts

@@ -33,6 +33,9 @@ export default defineEventHandler(async (event: H3Event) => {
     headers: {
       host: target.host,
     },
+    fetchOptions: {
+      redirect: "manual",
+    },
   });
   return ret;
 });

apps/front/src/store/auth.ts

@@ -51,28 +51,35 @@ export const useAuthUser = defineStore({
       if (this.isPending) {
         return { data: null, error: null, isPending: this.isPending };
       }
+      this.startPending();
       // Our session is based on the PHPSESSID cookie
       const me = useMe();
       try {
-        this.startPending();
         const authUser = await me();
         this.setAuthUser(authUser);
         this.endPending();
         return { data: authUser, error: null, isPending: this.isPending };
-      } catch (exception: any) {
+      } catch (e: any) {
+        const is401 = e?.response?.status === HTTP_UNAUTHORIZED;
+        // eslint-disable-next-line no-underscore-dangle
+        const ret = e.response._data;
         this.endPending();
-        const is401 = exception?.response?.status === HTTP_UNAUTHORIZED;
+        logger.info("in catch syncMe");
+        this.authUrl = ret?.url || "";
         if (!is401) {
           // TODO error store in appFetch
-          throw exception;
+          return {
+            data: this.authUser,
+            error: e,
+            isPending: this.isPending,
+            errorData: ret,
+          };
         }
-
-        const ret = await exception.response._data;
-        this.authUrl = ret?.url || "";
         return {
           data: null,
           error: ret,
           isPending: this.isPending,
+          errorData: ret,
         };
       }
     },

docker-compose.yml

@@ -42,7 +42,7 @@ services:
     working_dir: /home/node/app
     environment:
       # This is used only per the proxy
-      - NUXT_API_URL=http://${API_DOMAIN}/
+      - NUXT_API_URL=${PROTOCOL}://${API_DOMAIN}/
   proxy:
     image: traefik:3.0
     container_name: tcm_proxy