JDM170/spotizerr-dev
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implemented SSO for google and github

Browse Source
This commit is contained in:
Xoconoch
2025-08-04 10:01:07 -06:00
parent 1da75a3fbc
commit 66ec587e5b
16 changed files with 1006 additions and 337 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
.env.example
View File

@@ -1,3 +1,4 @@
# Docker Compose environment variables# Delete all comments of this when deploying (everything that is )
# Redis connection (external or internal)
@@ -18,13 +19,22 @@ PGID=1000
# Optional: Sets the default file permissions for newly created files within the container.
UMASK=0022
# Auth
# Basic Authentication
ENABLE_AUTH=true
# JWT Configuration
JWT_SECRET=your-super-secret-jwt-key-change-in-production
JWT_EXPIRATION_HOURS=24
# Default Admin User (created automatically if no users exist)
DEFAULT_ADMIN_USERNAME=admin
DEFAULT_ADMIN_PASSWORD=admin123
DEFAULT_ADMIN_PASSWORD=admin123
# SSO Configuration
SSO_ENABLED=true
SSO_BASE_REDIRECT_URI=http://127.0.0.1:7171/api/auth/sso/callback
FRONTEND_URL=http://127.0.0.1:7171
# Google SSO (get from Google Cloud Console)
GOOGLE_CLIENT_ID=1054877638335-fube9mge425k2gnpprjcf8fvm5a0tefc.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=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
# GitHub SSO (get from GitHub Developer Settings)
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=

374
AUTH_SETUP.md
View File

@@ -1,280 +1,168 @@
# Spotizerr Authentication System
# Authentication Setup
## Overview
Spotizerr now includes a modern, JWT-based authentication system that can be enabled or disabled via environment variables. The system supports username/password authentication with **session persistence across browser refreshes** and is designed to be easily extensible for future SSO implementations.
This document outlines how to configure authentication for Spotizerr, including both traditional username/password authentication and SSO (Single Sign-On) with Google and GitHub.
## Features
- 🔐 **JWT-based authentication** with secure token management
- 👤 **User registration and login** with password validation
- 🛡️ **Role-based access control** (user/admin roles)
- 🎛️ **Environment-controlled** - easily enable/disable
- 📱 **Responsive UI** - beautiful login screen with dark mode support
- 🔄 **Auto token refresh** and secure logout
- 💾 **Session persistence** - remember me across browser restarts
- 🔗 **Multi-tab sync** - logout/login reflected across all tabs
- 🎨 **Seamless integration** - existing app works unchanged when auth is disabled
## Environment Variables
## Session Management
### Basic Authentication
- `ENABLE_AUTH`: Enable/disable authentication system (default: false)
- `DISABLE_REGISTRATION`: Disable public registration (default: false)
- `JWT_SECRET`: Secret key for JWT token signing (required in production)
- `JWT_ALGORITHM`: JWT algorithm (default: HS256)
- `JWT_EXPIRATION_HOURS`: JWT token expiration time in hours (default: 24)
- `DEFAULT_ADMIN_USERNAME`: Default admin username (default: admin)
- `DEFAULT_ADMIN_PASSWORD`: Default admin password (default: admin123)
### Remember Me Functionality
The authentication system supports two types of sessions:
### SSO Configuration
- `SSO_ENABLED`: Enable/disable SSO functionality (default: true)
- `SSO_BASE_REDIRECT_URI`: Base redirect URI for SSO callbacks (default: http://localhost:8000/api/auth/sso/callback)
- `FRONTEND_URL`: Frontend URL for post-authentication redirects (default: http://localhost:3000)
1. **Persistent Sessions** (Remember Me = ON)
- Token stored in `localStorage`
- Session survives browser restarts
- Green indicator in user menu
- Default option for better UX
#### Google SSO
- `GOOGLE_CLIENT_ID`: Google OAuth2 client ID
- `GOOGLE_CLIENT_SECRET`: Google OAuth2 client secret
2. **Session-Only** (Remember Me = OFF)
- Token stored in `sessionStorage`
- Session cleared when browser closes
- Orange indicator in user menu
- More secure for shared computers
#### GitHub SSO
- `GITHUB_CLIENT_ID`: GitHub OAuth2 client ID
- `GITHUB_CLIENT_SECRET`: GitHub OAuth2 client secret
### Session Restoration
- **Automatic**: Sessions are automatically restored on page refresh
- **Validation**: Stored tokens are validated against the server
- **Graceful Degradation**: Invalid/expired tokens are cleared automatically
- **Visual Feedback**: Loading screen shows "Restoring your session..."
## Setup Instructions
### Multi-Tab Synchronization
- Login/logout actions are synced across all open tabs
- Uses browser `storage` events for real-time synchronization
- Prevents inconsistent authentication states
### 1. Traditional Authentication Only
## Environment Configuration
1. Set environment variables:
```bash
ENABLE_AUTH=true
JWT_SECRET=your-super-secret-jwt-key-change-in-production
DEFAULT_ADMIN_USERNAME=admin
DEFAULT_ADMIN_PASSWORD=your-secure-password
```
### Enable Authentication
Set the following environment variables:
2. Start the application - a default admin user will be created automatically.
### 2. Google SSO Setup
1. Go to [Google Cloud Console](https://console.cloud.google.com/)
2. Create a new project or select existing one
3. Enable Google+ API
4. Go to "Credentials" → "Create Credentials" → "OAuth 2.0 Client IDs"
5. Configure OAuth consent screen with your application details
6. Set authorized redirect URIs:
- `http://localhost:8000/api/auth/sso/callback/google` (development)
- `https://yourdomain.com/api/auth/sso/callback/google` (production)
7. Copy Client ID and Client Secret to environment variables:
```bash
# Enable the authentication system
ENABLE_AUTH=true
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
```
# JWT Configuration
### 3. GitHub SSO Setup
1. Go to GitHub Settings → Developer settings → OAuth Apps
2. Click "New OAuth App"
3. Fill in application details:
- Application name: Your app name
- Homepage URL: Your app URL
- Authorization callback URL:
- `http://localhost:8000/api/auth/sso/callback/github` (development)
- `https://yourdomain.com/api/auth/sso/callback/github` (production)
4. Copy Client ID and Client Secret to environment variables:
```bash
GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret
```
### 4. Complete Environment Configuration
Create a `.env` file with all required variables:
```bash
# Basic Authentication
ENABLE_AUTH=true
JWT_SECRET=your-super-secret-jwt-key-change-in-production
JWT_EXPIRATION_HOURS=24
# Default Admin User (created automatically if no users exist)
DEFAULT_ADMIN_USERNAME=admin
DEFAULT_ADMIN_PASSWORD=admin123
DEFAULT_ADMIN_PASSWORD=your-secure-password
# SSO Configuration
SSO_ENABLED=true
SSO_BASE_REDIRECT_URI=http://localhost:8000/api/auth/sso/callback
FRONTEND_URL=http://localhost:3000
# Google SSO (optional)
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
# GitHub SSO (optional)
GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret
```
### Disable Authentication
```bash
# Disable authentication (default)
ENABLE_AUTH=false
```
## Backend Dependencies
The following Python packages are required:
```
bcrypt==4.2.1
PyJWT==2.10.1
python-multipart==0.0.17
```
## Usage
### When Authentication is Enabled
1. **First Time Setup**: When enabled with no existing users, a default admin account is created
- Username: `admin` (or `DEFAULT_ADMIN_USERNAME`)
- Password: `admin123` (or `DEFAULT_ADMIN_PASSWORD`)
- **⚠️ Change the default password immediately!**
2. **User Registration**: First user to register becomes an admin, subsequent users are regular users
3. **Login Screen**: Users see a beautiful login/registration form
- Username/password login
- **Remember Me checkbox** with session type indicator
- Optional email field for registration
- Form validation and error handling
- Responsive design with dark mode support
4. **Session Indicators**: Users can see their session type
- **Green dot**: Persistent session (survives browser restart)
- **Orange dot**: Session-only (cleared when browser closes)
- Tooltip and dropdown show session details
5. **User Management**: Admin users can:
- View all users
- Delete users (except themselves)
- Change user roles
- Access config and credential management
### When Authentication is Disabled
- **No Changes**: App works exactly as before
- **Full Access**: All features available without login
- **No UI Changes**: No login screens or user menus
## Session Storage Details
### Token Storage Locations
```javascript
// Persistent sessions (Remember Me = true)
localStorage.setItem("auth_token", token);
localStorage.setItem("auth_remember", "true");
// Session-only (Remember Me = false)
sessionStorage.setItem("auth_token", token);
// No localStorage entries
```
### Session Validation Flow
1. **App Start**: Check for stored token in localStorage → sessionStorage
2. **Token Found**: Validate token with `/api/auth/status`
3. **Valid Token**: Restore user session automatically
4. **Invalid Token**: Clear storage, show login screen
5. **No Token**: Show login screen (if auth enabled)
## API Endpoints
### Authentication Endpoints
```
GET /api/auth/status # Check auth status & validate token
POST /api/auth/login # User login
POST /api/auth/register # User registration
POST /api/auth/logout # User logout
GET /api/auth/profile # Get current user profile
PUT /api/auth/profile/password # Change password
```
### Authentication Status
- `GET /api/auth/status` - Get authentication status and available SSO providers
### Admin Endpoints
```
GET /api/auth/users # List all users
DELETE /api/auth/users/{username} # Delete user
PUT /api/auth/users/{username}/role # Update user role
```
### Traditional Authentication
- `POST /api/auth/login` - Login with username/password
- `POST /api/auth/register` - Register new user (if enabled)
- `POST /api/auth/logout` - Logout current user
## Protected Routes
When authentication is enabled, the following routes require authentication:
- `/api/config/*` - Configuration management
- `/api/credentials/*` - Credential management
- `/api/auth/users/*` - User management (admin only)
- `/api/auth/profile/*` - Profile management
### SSO Authentication
- `GET /api/auth/sso/status` - Get SSO status and providers
- `GET /api/auth/sso/login/google` - Initiate Google SSO login
- `GET /api/auth/sso/login/github` - Initiate GitHub SSO login
- `GET /api/auth/sso/callback/google` - Google SSO callback (automatic)
- `GET /api/auth/sso/callback/github` - GitHub SSO callback (automatic)
- `POST /api/auth/sso/unlink/{provider}` - Unlink SSO provider from account
## Frontend Components
### User Management (Admin only)
- `GET /api/auth/users` - List all users
- `POST /api/auth/users/create` - Create new user
- `DELETE /api/auth/users/{username}` - Delete user
- `PUT /api/auth/users/{username}/role` - Update user role
### LoginScreen
- Modern, responsive login/registration form
- **Remember Me checkbox** with visual indicators
- Client-side validation
- Smooth animations and transitions
- Dark mode support
## Security Considerations
### UserMenu
- Shows current user info
- **Session type indicator** (persistent/session-only)
- Dropdown with logout option
- Role indicator (admin/user)
1. **HTTPS in Production**: Always use HTTPS in production and set `allow_insecure_http=False`
2. **Secure JWT Secret**: Use a strong, randomly generated JWT secret
3. **Environment Variables**: Never commit sensitive credentials to version control
4. **CORS Configuration**: Configure CORS appropriately for your frontend domain
5. **Cookie Security**: Ensure secure cookie settings in production
### ProtectedRoute
- Wraps the entire app
- **Enhanced loading screen** with session restoration feedback
- Shows login screen when needed
- Handles loading states
## User Types
## Security Features
- **Password Hashing**: bcrypt with salt
- **JWT Tokens**: Secure, expiring tokens
- **Token Validation**: Server-side validation on every request
- **Secure Storage**: Appropriate storage selection (localStorage vs sessionStorage)
- **HTTPS Ready**: Designed for production use
- **Input Validation**: Client and server-side validation
- **CSRF Protection**: Token-based authentication
- **Role-based Access**: Admin vs user permissions
- **Session Isolation**: Clear separation between persistent and session-only
The system supports two types of users:
## Development
1. **Traditional Users**: Created via username/password registration or admin creation
2. **SSO Users**: Created automatically when users authenticate via Google or GitHub
### Adding New Protected Routes
```python
# Backend - Add to AuthMiddleware protected_paths
protected_paths = [
"/api/config",
"/api/auth/users",
"/api/your-new-route", # Add here
]
```
### Frontend Authentication Hooks
```typescript
import { useAuth } from "@/contexts/auth-context";
function MyComponent() {
const { user, isAuthenticated, logout, isRemembered } = useAuth();
if (!isAuthenticated) {
return <div>Please log in</div>;
}
const sessionType = isRemembered() ? "persistent" : "session-only";
return (
<div>
Hello, {user.username}! ({sessionType} session)
</div>
);
}
```
### Session Management
```typescript
// Login with remember preference
await login({ username, password }, rememberMe);
// Check session type
const isPersistent = isRemembered();
// Manual session restoration
await checkAuthStatus();
```
## Future Extensibility
The authentication system is designed to easily support:
- **OAuth/SSO Integration** (Google, GitHub, etc.)
- **LDAP/Active Directory**
- **Multi-factor Authentication**
- **API Key Authentication**
- **Refresh Token Rotation**
- **Session Management Dashboard**
## Production Deployment
1. **Change Default Credentials**: Update `DEFAULT_ADMIN_PASSWORD`
2. **Secure JWT Secret**: Use a strong, unique `JWT_SECRET`
3. **HTTPS**: Enable HTTPS in production
4. **Environment Variables**: Use secure environment variable management
5. **Database**: Consider migrating to a proper database for user storage
6. **Session Security**: Consider shorter token expiration for high-security environments
SSO users:
- Have `sso_provider` and `sso_id` fields populated
- Cannot use password-based authentication
- Can be unlinked from SSO providers by admins
- Get `user` role by default (first user gets `admin` role)
## Troubleshooting
### Common Issues
1. **"Authentication Required" errors**: Check `ENABLE_AUTH` setting
2. **Token expired**: Tokens expire after `JWT_EXPIRATION_HOURS`
3. **Session not persisting**: Check if "Remember Me" was enabled during login
4. **Can't access admin features**: Ensure user has admin role
5. **Login screen not showing**: Check if auth is enabled and user is logged out
6. **Session lost on refresh**: Check browser storage and token validation
### Debug Authentication
```bash
# Check auth status
curl -X GET http://localhost:7171/api/auth/status
1. **SSO Login Fails**
- Check OAuth app configuration in Google/GitHub
- Verify redirect URIs match exactly
- Ensure client ID and secret are correct
# Test login
curl -X POST http://localhost:7171/api/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"admin123"}'
2. **CORS Errors**
- Configure CORS middleware to allow your frontend domain
- Check if frontend and backend URLs match configuration
# Check browser storage
localStorage.getItem("auth_token")
localStorage.getItem("auth_remember")
sessionStorage.getItem("auth_token")
```
3. **JWT Token Issues**
- Verify JWT_SECRET is set and consistent
- Check token expiration time
- Ensure clock synchronization between services
### Session Debugging
- **Browser Console**: Authentication system logs session restoration details
- **Network Tab**: Check `/api/auth/status` calls during app initialization
- **Application Tab**: Inspect localStorage/sessionStorage for token presence
- **Session Indicators**: Green/orange dots show current session type
4. **SSO Module Not Available**
- Install fastapi-sso: `pip install fastapi-sso==0.18.0`
- Restart the application after installation

225
SSO_IMPLEMENTATION.md Normal file
View File

@@ -0,0 +1,225 @@
# SSO (Single Sign-On) Implementation for Spotizerr
## Overview
I have successfully implemented comprehensive SSO backend logic for Google and GitHub authentication in your Spotizerr application. This implementation integrates seamlessly with your existing JWT-based authentication system.
## What Was Implemented
### 1. Dependencies Added
- Added `fastapi-sso==0.18.0` to `requirements.txt`
### 2. New Files Created
- `routes/auth/sso.py` - Complete SSO implementation with Google & GitHub support
- `routes/auth/sso_example.py` - Example client for testing SSO functionality
- `SSO_IMPLEMENTATION.md` - This documentation file
### 3. Updated Files
- `routes/auth/__init__.py` - Extended User model to support SSO fields
- `routes/auth/auth.py` - Updated authentication status to include SSO info
- `routes/auth/middleware.py` - Added SSO endpoints to public paths
- `AUTH_SETUP.md` - Comprehensive SSO setup documentation
- `requirements.txt` - Added fastapi-sso dependency
### 4. Extended User Model
The `User` class now supports:
- `sso_provider` - Which SSO provider was used (google/github)
- `sso_id` - Provider-specific user ID
- `is_sso_user` - Boolean flag for frontend use
## Environment Configuration
Create a `.env` file with the following variables:
```bash
# Basic Authentication
ENABLE_AUTH=true
JWT_SECRET=your-super-secret-jwt-key-change-in-production
JWT_EXPIRATION_HOURS=24
DEFAULT_ADMIN_USERNAME=admin
DEFAULT_ADMIN_PASSWORD=your-secure-password
# SSO Configuration
SSO_ENABLED=true
SSO_BASE_REDIRECT_URI=http://localhost:8000/api/auth/sso/callback
FRONTEND_URL=http://localhost:3000
# Google SSO (optional)
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
# GitHub SSO (optional)
GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret
```
## API Endpoints Added
### SSO Status & Information
- `GET /api/auth/sso/status` - Get SSO configuration and available providers
### Google SSO
- `GET /api/auth/sso/login/google` - Initiate Google OAuth flow
- `GET /api/auth/sso/callback/google` - Handle Google OAuth callback (automatic)
### GitHub SSO
- `GET /api/auth/sso/login/github` - Initiate GitHub OAuth flow
- `GET /api/auth/sso/callback/github` - Handle GitHub OAuth callback (automatic)
### SSO Management
- `POST /api/auth/sso/unlink/{provider}` - Unlink SSO provider from user account
### Enhanced Authentication Status
- `GET /api/auth/status` - Now includes SSO status and available providers
## OAuth Provider Setup
### Google SSO Setup
1. Go to [Google Cloud Console](https://console.cloud.google.com/)
2. Create a new project or select existing one
3. Enable Google+ API
4. Go to "Credentials" → "Create Credentials" → "OAuth 2.0 Client IDs"
5. Configure OAuth consent screen
6. Set authorized redirect URIs:
- Development: `http://localhost:8000/api/auth/sso/callback/google`
- Production: `https://yourdomain.com/api/auth/sso/callback/google`
7. Copy Client ID and Client Secret to environment variables
### GitHub SSO Setup
1. Go to GitHub Settings → Developer settings → OAuth Apps
2. Click "New OAuth App"
3. Fill in application details:
- Application name: Your app name
- Homepage URL: Your app URL
- Authorization callback URL:
- Development: `http://localhost:8000/api/auth/sso/callback/github`
- Production: `https://yourdomain.com/api/auth/sso/callback/github`
4. Copy Client ID and Client Secret to environment variables
## How It Works
### SSO Flow
1. User clicks "Login with Google/GitHub" button in frontend
2. Frontend redirects to `/api/auth/sso/login/{provider}`
3. User is redirected to provider's OAuth consent screen
4. After consent, provider redirects to `/api/auth/sso/callback/{provider}`
5. Backend validates OAuth code and retrieves user info
6. System creates or updates user account
7. JWT token is generated and set as HTTP-only cookie
8. User is redirected to frontend with authentication complete
### User Management
- **New SSO Users**: Automatically created with `user` role (first user gets `admin`)
- **Existing Users**: SSO provider linked to existing account by email
- **Username Generation**: Uses email prefix, ensures uniqueness
- **Password**: SSO users have `password_hash: null` (cannot use password login)
## Testing the Implementation
### 1. Install Dependencies
```bash
pip install fastapi-sso==0.18.0
```
### 2. Configure Environment
Set up your `.env` file with the OAuth credentials from Google/GitHub
### 3. Start the Application
```bash
uvicorn app:app --reload
```
### 4. Test SSO Status
```bash
curl http://localhost:8000/api/auth/sso/status
```
### 5. Test Authentication Flow
1. Visit `http://localhost:8000/api/auth/sso/login/google` in browser
2. Complete OAuth flow
3. Should redirect to frontend with authentication
### 6. Programmatic Testing
Run the example script:
```bash
python routes/auth/sso_example.py
```
## Security Features
### Production Ready
- **HTTPS Support**: Set `allow_insecure_http=False` in production
- **Secure Cookies**: HTTP-only cookies with secure flag
- **CORS Configuration**: Properly configured for your frontend domain
- **Token Validation**: Full server-side JWT validation
- **Provider Verification**: Validates OAuth responses from providers
### OAuth Security
- **State Parameter**: CSRF protection in OAuth flow
- **Redirect URI Validation**: Strict redirect URI matching
- **Token Expiration**: Configurable JWT token expiration
- **Provider Validation**: Ensures tokens come from legitimate providers
## Integration Points
### Frontend Integration
The authentication status endpoint now returns SSO information:
```json
{
"auth_enabled": true,
"sso_enabled": true,
"sso_providers": ["google", "github"],
"authenticated": false,
"user": null,
"registration_enabled": true
}
```
### User Data Structure
SSO users have additional fields:
```json
{
"username": "john_doe",
"email": "john@example.com",
"role": "user",
"sso_provider": "google",
"is_sso_user": true,
"created_at": "2024-01-15T10:30:00",
"last_login": "2024-01-15T10:30:00"
}
```
## Error Handling
The implementation includes comprehensive error handling for:
- Missing OAuth credentials
- OAuth flow failures
- Provider-specific errors
- Invalid redirect URIs
- Network timeouts
- Invalid tokens
## Backwards Compatibility
- **Existing Users**: Unaffected, can still use password authentication
- **Existing API**: All existing endpoints work unchanged
- **Configuration**: SSO is optional, system works without it
- **Database**: Extends existing user storage, no migration needed
## Next Steps
1. **Configure OAuth Apps**: Set up Google and GitHub OAuth applications
2. **Update Frontend**: Add SSO login buttons that redirect to SSO endpoints
3. **Test Flow**: Test complete authentication flow end-to-end
4. **Production Setup**: Configure HTTPS and production redirect URIs
5. **User Management**: Add SSO management to your admin interface
## Support
The implementation follows FastAPI best practices and integrates cleanly with your existing authentication system. All SSO functionality is optional and gracefully degrades if not configured.
For issues or questions, check the comprehensive documentation in `AUTH_SETUP.md` or refer to the example client in `routes/auth/sso_example.py`.

8
app.py
View File

@@ -189,6 +189,14 @@ def create_app():
# Register routers with URL prefixes
app.include_router(auth_router, prefix="/api/auth", tags=["auth"])
# Include SSO router if available
try:
from routes.auth.sso import router as sso_router
app.include_router(sso_router, prefix="/api/auth", tags=["sso"])
logging.info("SSO functionality enabled")
except ImportError as e:
logging.warning(f"SSO functionality not available: {e}")
app.include_router(config_router, prefix="/api", tags=["config"])
app.include_router(search_router, prefix="/api", tags=["search"])
app.include_router(credentials_router, prefix="/api/credentials", tags=["credentials"])

3
requirements.txt
View File

@@ -5,4 +5,5 @@ deezspot-spotizerr==2.2.2
httpx==0.28.1
bcrypt==4.2.1
PyJWT==2.10.1
python-multipart==0.0.17
python-multipart==0.0.17
fastapi-sso==0.18.0

26
routes/auth/__init__.py
View File

@@ -22,12 +22,14 @@ USERS_FILE = USERS_DIR / "users.json"
class User:
def __init__(self, username: str, email: str = None, role: str = "user", created_at: str = None, last_login: str = None):
def __init__(self, username: str, email: str = None, role: str = "user", created_at: str = None, last_login: str = None, sso_provider: str = None, sso_id: str = None):
self.username = username
self.email = email
self.role = role
self.created_at = created_at or datetime.utcnow().isoformat()
self.last_login = last_login
self.sso_provider = sso_provider
self.sso_id = sso_id
def to_dict(self) -> Dict[str, Any]:
return {
@@ -35,7 +37,9 @@ class User:
"email": self.email,
"role": self.role,
"created_at": self.created_at,
"last_login": self.last_login
"last_login": self.last_login,
"sso_provider": self.sso_provider,
"sso_id": self.sso_id
}
def to_public_dict(self) -> Dict[str, Any]:
@@ -45,7 +49,9 @@ class User:
"email": self.email,
"role": self.role,
"created_at": self.created_at,
"last_login": self.last_login
"last_login": self.last_login,
"sso_provider": self.sso_provider,
"is_sso_user": self.sso_provider is not None
}
@@ -87,15 +93,16 @@ class UserManager:
"""Verify password against hash"""
return bcrypt.checkpw(password.encode('utf-8'), hashed.encode('utf-8'))
def create_user(self, username: str, password: str, email: str = None, role: str = "user") -> tuple[bool, str]:
"""Create a new user"""
def create_user(self, username: str, password: str = None, email: str = None, role: str = "user", sso_provider: str = None, sso_id: str = None) -> tuple[bool, str]:
"""Create a new user (traditional or SSO)"""
users = self.load_users()
if username in users:
return False, "Username already exists"
hashed_password = self.hash_password(password)
user = User(username=username, email=email, role=role)
# For SSO users, password is None
hashed_password = self.hash_password(password) if password else None
user = User(username=username, email=email, role=role, sso_provider=sso_provider, sso_id=sso_id)
users[username] = {
**user.to_dict(),
@@ -103,7 +110,7 @@ class UserManager:
}
self.save_users(users)
logger.info(f"Created user: {username}")
logger.info(f"Created user: {username} (SSO: {sso_provider or 'No'})")
return True, "User created successfully"
def authenticate_user(self, username: str, password: str) -> Optional[User]:
@@ -220,3 +227,6 @@ def create_default_admin():
# Initialize default admin on import
create_default_admin()
# SSO functionality will be imported separately to avoid circular imports
SSO_AVAILABLE = True

27
routes/auth/auth.py
View File

@@ -43,6 +43,8 @@ class UserResponse(BaseModel):
role: str
created_at: str
last_login: Optional[str]
sso_provider: Optional[str] = None
is_sso_user: bool = False
class LoginResponse(BaseModel):
@@ -60,6 +62,8 @@ class AuthStatusResponse(BaseModel):
authenticated: bool = False
user: Optional[UserResponse] = None
registration_enabled: bool = True
sso_enabled: bool = False
sso_providers: List[str] = []
# Dependency to get current user
@@ -112,11 +116,27 @@ async def require_admin(current_user: User = Depends(require_auth)) -> User:
@router.get("/status", response_model=AuthStatusResponse)
async def auth_status(current_user: Optional[User] = Depends(get_current_user)):
"""Get authentication status"""
# Check if SSO is enabled and get available providers
sso_enabled = False
sso_providers = []
try:
from . import sso
sso_enabled = sso.SSO_ENABLED and AUTH_ENABLED
if sso.google_sso:
sso_providers.append("google")
if sso.github_sso:
sso_providers.append("github")
except ImportError:
pass # SSO module not available
return AuthStatusResponse(
auth_enabled=AUTH_ENABLED,
authenticated=current_user is not None,
user=UserResponse(**current_user.to_public_dict()) if current_user else None,
registration_enabled=AUTH_ENABLED and not DISABLE_REGISTRATION
registration_enabled=AUTH_ENABLED and not DISABLE_REGISTRATION,
sso_enabled=sso_enabled,
sso_providers=sso_providers
)
@@ -301,4 +321,7 @@ async def change_password(
user_manager.save_users(users)
logger.info(f"Password changed for user: {current_user.username}")
return MessageResponse(message="Password changed successfully")
return MessageResponse(message="Password changed successfully")
# Note: SSO routes are included in the main app, not here to avoid circular imports

1
routes/auth/middleware.py
View File

@@ -34,6 +34,7 @@ class AuthMiddleware(BaseHTTPMiddleware):
"/api/auth/login",
"/api/auth/register",
"/api/auth/logout",
"/api/auth/sso", # All SSO endpoints
"/static",
"/favicon.ico"
]

285
routes/auth/sso.py Normal file
View File

@@ -0,0 +1,285 @@
"""
SSO (Single Sign-On) implementation for Google and GitHub authentication
"""
import os
import logging
from typing import Optional, Dict, Any
from datetime import datetime, timedelta
from fastapi import APIRouter, Request, HTTPException, Depends
from fastapi.responses import RedirectResponse
from fastapi_sso.sso.google import GoogleSSO
from fastapi_sso.sso.github import GithubSSO
from fastapi_sso.sso.base import OpenID
from pydantic import BaseModel
from . import user_manager, token_manager, User, AUTH_ENABLED
logger = logging.getLogger(__name__)
router = APIRouter()
# SSO Configuration
SSO_ENABLED = os.getenv("SSO_ENABLED", "true").lower() in ("true", "1", "yes", "on")
GOOGLE_CLIENT_ID = os.getenv("GOOGLE_CLIENT_ID")
GOOGLE_CLIENT_SECRET = os.getenv("GOOGLE_CLIENT_SECRET")
GITHUB_CLIENT_ID = os.getenv("GITHUB_CLIENT_ID")
GITHUB_CLIENT_SECRET = os.getenv("GITHUB_CLIENT_SECRET")
SSO_BASE_REDIRECT_URI = os.getenv("SSO_BASE_REDIRECT_URI", "http://localhost:7171/api/auth/sso/callback")
# Initialize SSO providers
google_sso = None
github_sso = None
if GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET:
google_sso = GoogleSSO(
client_id=GOOGLE_CLIENT_ID,
client_secret=GOOGLE_CLIENT_SECRET,
redirect_uri=f"{SSO_BASE_REDIRECT_URI}/google",
allow_insecure_http=True, # Set to False in production with HTTPS
)
if GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET:
github_sso = GithubSSO(
client_id=GITHUB_CLIENT_ID,
client_secret=GITHUB_CLIENT_SECRET,
redirect_uri=f"{SSO_BASE_REDIRECT_URI}/github",
allow_insecure_http=True, # Set to False in production with HTTPS
)
class MessageResponse(BaseModel):
message: str
class SSOProvider(BaseModel):
name: str
display_name: str
enabled: bool
login_url: Optional[str] = None
class SSOStatusResponse(BaseModel):
sso_enabled: bool
providers: list[SSOProvider]
def create_or_update_sso_user(openid: OpenID, provider: str) -> User:
"""Create or update user from SSO provider data"""
# Generate username from email or use provider ID
email = openid.email
if not email:
raise HTTPException(status_code=400, detail="Email is required for SSO authentication")
# Use email prefix as username, fallback to provider + id
username = email.split("@")[0]
if not username:
username = f"{provider}_{openid.id}"
# Check if user already exists by email
existing_user = None
users = user_manager.load_users()
for user_data in users.values():
if user_data.get("email") == email:
existing_user = User(**{k: v for k, v in user_data.items() if k != "password_hash"})
break
if existing_user:
# Update last login
users[existing_user.username]["last_login"] = datetime.utcnow().isoformat()
users[existing_user.username]["sso_provider"] = provider
users[existing_user.username]["sso_id"] = openid.id
user_manager.save_users(users)
return existing_user
else:
# Create new user
# Ensure username is unique
counter = 1
original_username = username
while username in users:
username = f"{original_username}{counter}"
counter += 1
user = User(
username=username,
email=email,
role="user" # Default role for SSO users
)
users[username] = {
**user.to_dict(),
"sso_provider": provider,
"sso_id": openid.id,
"password_hash": None # SSO users don't have passwords
}
user_manager.save_users(users)
logger.info(f"Created SSO user: {username} via {provider}")
return user
@router.get("/sso/status", response_model=SSOStatusResponse)
async def sso_status():
"""Get SSO status and available providers"""
providers = []
if google_sso:
providers.append(SSOProvider(
name="google",
display_name="Google",
enabled=True,
login_url="/api/auth/sso/login/google"
))
if github_sso:
providers.append(SSOProvider(
name="github",
display_name="GitHub",
enabled=True,
login_url="/api/auth/sso/login/github"
))
return SSOStatusResponse(
sso_enabled=SSO_ENABLED and AUTH_ENABLED,
providers=providers
)
@router.get("/sso/login/google")
async def google_login():
"""Initiate Google SSO login"""
if not SSO_ENABLED or not AUTH_ENABLED:
raise HTTPException(status_code=400, detail="SSO is disabled")
if not google_sso:
raise HTTPException(status_code=400, detail="Google SSO is not configured")
async with google_sso:
return await google_sso.get_login_redirect(params={"prompt": "consent", "access_type": "offline"})
@router.get("/sso/login/github")
async def github_login():
"""Initiate GitHub SSO login"""
if not SSO_ENABLED or not AUTH_ENABLED:
raise HTTPException(status_code=400, detail="SSO is disabled")
if not github_sso:
raise HTTPException(status_code=400, detail="GitHub SSO is not configured")
async with github_sso:
return await github_sso.get_login_redirect()
@router.get("/sso/callback/google")
async def google_callback(request: Request):
"""Handle Google SSO callback"""
if not SSO_ENABLED or not AUTH_ENABLED:
raise HTTPException(status_code=400, detail="SSO is disabled")
if not google_sso:
raise HTTPException(status_code=400, detail="Google SSO is not configured")
try:
async with google_sso:
openid = await google_sso.verify_and_process(request)
# Create or update user
user = create_or_update_sso_user(openid, "google")
# Create JWT token
access_token = token_manager.create_token(user)
# Redirect to frontend with token (you might want to customize this)
frontend_url = os.getenv("FRONTEND_URL", "http://localhost:3000")
response = RedirectResponse(url=f"{frontend_url}?token={access_token}")
# Also set as HTTP-only cookie
response.set_cookie(
key="access_token",
value=access_token,
httponly=True,
secure=False, # Set to True in production with HTTPS
samesite="lax",
max_age=timedelta(hours=24).total_seconds()
)
return response
except Exception as e:
logger.error(f"Google SSO callback error: {e}")
raise HTTPException(status_code=400, detail="Authentication failed")
@router.get("/sso/callback/github")
async def github_callback(request: Request):
"""Handle GitHub SSO callback"""
if not SSO_ENABLED or not AUTH_ENABLED:
raise HTTPException(status_code=400, detail="SSO is disabled")
if not github_sso:
raise HTTPException(status_code=400, detail="GitHub SSO is not configured")
try:
async with github_sso:
openid = await github_sso.verify_and_process(request)
# Create or update user
user = create_or_update_sso_user(openid, "github")
# Create JWT token
access_token = token_manager.create_token(user)
# Redirect to frontend with token (you might want to customize this)
frontend_url = os.getenv("FRONTEND_URL", "http://localhost:3000")
response = RedirectResponse(url=f"{frontend_url}?token={access_token}")
# Also set as HTTP-only cookie
response.set_cookie(
key="access_token",
value=access_token,
httponly=True,
secure=False, # Set to True in production with HTTPS
samesite="lax",
max_age=timedelta(hours=24).total_seconds()
)
return response
except Exception as e:
logger.error(f"GitHub SSO callback error: {e}")
raise HTTPException(status_code=400, detail="Authentication failed")
@router.post("/sso/unlink/{provider}", response_model=MessageResponse)
async def unlink_sso_provider(
provider: str,
request: Request,
):
"""Unlink SSO provider from user account"""
if not SSO_ENABLED or not AUTH_ENABLED:
raise HTTPException(status_code=400, detail="SSO is disabled")
if provider not in ["google", "github"]:
raise HTTPException(status_code=400, detail="Invalid SSO provider")
# Get current user from request (avoiding circular imports)
from .middleware import require_auth_from_state
current_user = await require_auth_from_state(request)
if not current_user.sso_provider:
raise HTTPException(status_code=400, detail="User is not linked to any SSO provider")
if current_user.sso_provider != provider:
raise HTTPException(status_code=400, detail=f"User is not linked to {provider}")
# Update user to remove SSO linkage
users = user_manager.load_users()
if current_user.username in users:
users[current_user.username]["sso_provider"] = None
users[current_user.username]["sso_id"] = None
user_manager.save_users(users)
logger.info(f"Unlinked SSO provider {provider} from user {current_user.username}")
return MessageResponse(message=f"SSO provider {provider} unlinked successfully")

54
spotizerr-ui/src/components/auth/LoginScreen.tsx
View File

@@ -8,7 +8,7 @@ interface LoginScreenProps {
}
export function LoginScreen({ onSuccess }: LoginScreenProps) {
const { login, register, isLoading, authEnabled, registrationEnabled, isRemembered } = useAuth();
const { login, register, isLoading, authEnabled, registrationEnabled, isRemembered, ssoEnabled, ssoProviders } = useAuth();
const [isLoginMode, setIsLoginMode] = useState(true);
const [formData, setFormData] = useState({
username: "",
@@ -138,6 +138,11 @@ export function LoginScreen({ onSuccess }: LoginScreenProps) {
});
};
const handleSSOLogin = (provider: string) => {
// Redirect to SSO login endpoint
window.location.href = `/api/auth/sso/login/${provider}`;
};
return (
<div className="min-h-screen flex items-center justify-center bg-gradient-to-br from-surface to-surface-secondary dark:from-surface-dark dark:to-surface-secondary-dark p-4">
<div className="w-full max-w-md">
@@ -296,6 +301,53 @@ export function LoginScreen({ onSuccess }: LoginScreenProps) {
</button>
</form>
{/* SSO Buttons */}
{ssoEnabled && ssoProviders.length > 0 && (
<div className="mt-6">
<div className="relative">
<div className="absolute inset-0 flex items-center">
<div className="w-full border-t border-border dark:border-border-dark" />
</div>
<div className="relative flex justify-center text-sm">
<span className="bg-surface dark:bg-surface-dark px-2 text-content-secondary dark:text-content-secondary-dark">
Or continue with
</span>
</div>
</div>
<div className="mt-6 grid grid-cols-1 gap-3">
{ssoProviders.map((provider) => (
<button
key={provider.name}
type="button"
onClick={() => handleSSOLogin(provider.name)}
disabled={isSubmitting || isLoading}
className="w-full inline-flex justify-center py-3 px-4 border border-input-border dark:border-input-border-dark rounded-lg bg-input-background dark:bg-input-background-dark text-content-primary dark:text-content-primary-dark shadow-sm hover:bg-input-background/80 dark:hover:bg-input-background-dark/80 focus:outline-none focus:ring-2 focus:ring-primary/20 transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
>
<div className="flex items-center gap-3">
{provider.name === 'google' && (
<svg className="w-5 h-5" viewBox="0 0 24 24">
<path fill="#4285F4" d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z"/>
<path fill="#34A853" d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"/>
<path fill="#FBBC05" d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z"/>
<path fill="#EA4335" d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"/>
</svg>
)}
{provider.name === 'github' && (
<svg className="w-5 h-5 fill-current" viewBox="0 0 24 24">
<path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z"/>
</svg>
)}
<span className="font-medium">
Continue with {provider.display_name}
</span>
</div>
</button>
))}
</div>
</div>
)}
{/* Toggle Mode */}
<div className="mt-6 text-center">
<p className="text-content-secondary dark:text-content-secondary-dark">

118
spotizerr-ui/src/contexts/AuthProvider.tsx
View File

@@ -6,7 +6,9 @@ import type {
User,
LoginRequest,
RegisterRequest,
AuthError
AuthError,
SSOProvider,
SSOStatusResponse
} from "@/types/auth";
interface AuthProviderProps {
@@ -18,6 +20,8 @@ export function AuthProvider({ children }: AuthProviderProps) {
const [isLoading, setIsLoading] = useState(true);
const [authEnabled, setAuthEnabled] = useState(false);
const [registrationEnabled, setRegistrationEnabled] = useState(true);
const [ssoEnabled, setSSOEnabled] = useState(false);
const [ssoProviders, setSSOProviders] = useState<SSOProvider[]>([]);
const [isInitialized, setIsInitialized] = useState(false);
// Guard to prevent multiple simultaneous initializations
@@ -25,6 +29,33 @@ export function AuthProvider({ children }: AuthProviderProps) {
const isAuthenticated = user !== null;
// Check for SSO token in URL (OAuth callback)
const checkForSSOToken = useCallback(async () => {
const urlParams = new URLSearchParams(window.location.search);
const token = urlParams.get('token');
if (token) {
console.log("SSO token found in URL, processing...");
try {
const user = await authApiClient.handleSSOToken(token, true); // Default to remember
setUser(user);
// Remove token from URL
const newUrl = window.location.pathname;
window.history.replaceState({}, document.title, newUrl);
console.log("SSO login successful:", user.username);
return true;
} catch (error) {
console.error("SSO token processing failed:", error);
// Remove token from URL even if processing failed
const newUrl = window.location.pathname;
window.history.replaceState({}, document.title, newUrl);
}
}
return false;
}, []);
// Initialize authentication on app start
const initializeAuth = useCallback(async () => {
// Prevent multiple simultaneous initializations
@@ -38,6 +69,30 @@ export function AuthProvider({ children }: AuthProviderProps) {
setIsLoading(true);
console.log("Initializing authentication...");
// First, check for SSO token in URL
const ssoTokenProcessed = await checkForSSOToken();
if (ssoTokenProcessed) {
// SSO token was processed, still need to get auth status for SSO info
const status = await authApiClient.checkAuthStatus();
setAuthEnabled(status.auth_enabled);
setRegistrationEnabled(status.registration_enabled);
setSSOEnabled(status.sso_enabled || false);
// Get SSO providers if enabled
if (status.sso_enabled) {
try {
const ssoStatus = await authApiClient.getSSOStatus();
setSSOProviders(ssoStatus.providers);
} catch (error) {
console.warn("Failed to get SSO status:", error);
setSSOProviders([]);
}
}
setIsInitialized(true);
return;
}
// Check if we have a stored token first, before making any API calls
const hasStoredToken = authApiClient.getToken() !== null;
console.log("Has stored token:", hasStoredToken);
@@ -51,9 +106,23 @@ export function AuthProvider({ children }: AuthProviderProps) {
// Token is valid and we have user data
setAuthEnabled(tokenValidation.userData.auth_enabled);
setRegistrationEnabled(tokenValidation.userData.registration_enabled);
setSSOEnabled(tokenValidation.userData.sso_enabled || false);
if (tokenValidation.userData.authenticated && tokenValidation.userData.user) {
setUser(tokenValidation.userData.user);
console.log("Session restored for user:", tokenValidation.userData.user.username);
// Get SSO providers if enabled
if (tokenValidation.userData.sso_enabled) {
try {
const ssoStatus = await authApiClient.getSSOStatus();
setSSOProviders(ssoStatus.providers);
} catch (error) {
console.warn("Failed to get SSO status:", error);
setSSOProviders([]);
}
}
setIsInitialized(true);
return;
} else {
@@ -71,6 +140,18 @@ export function AuthProvider({ children }: AuthProviderProps) {
const status = await authApiClient.checkAuthStatus();
setAuthEnabled(status.auth_enabled);
setRegistrationEnabled(status.registration_enabled);
setSSOEnabled(status.sso_enabled || false);
// Get SSO providers if enabled
if (status.sso_enabled) {
try {
const ssoStatus = await authApiClient.getSSOStatus();
setSSOProviders(ssoStatus.providers);
} catch (error) {
console.warn("Failed to get SSO status:", error);
setSSOProviders([]);
}
}
if (!status.auth_enabled) {
console.log("Authentication is disabled");
@@ -99,7 +180,7 @@ export function AuthProvider({ children }: AuthProviderProps) {
setIsInitialized(true);
console.log("Authentication initialization complete");
}
}, []);
}, [checkForSSOToken]);
// Initialize on mount
useEffect(() => {
@@ -118,6 +199,18 @@ export function AuthProvider({ children }: AuthProviderProps) {
setAuthEnabled(status.auth_enabled);
setRegistrationEnabled(status.registration_enabled);
setSSOEnabled(status.sso_enabled || false);
// Get SSO providers if enabled
if (status.sso_enabled) {
try {
const ssoStatus = await authApiClient.getSSOStatus();
setSSOProviders(ssoStatus.providers);
} catch (error) {
console.warn("Failed to get SSO status:", error);
setSSOProviders([]);
}
}
if (status.auth_enabled && status.authenticated && status.user) {
setUser(status.user);
@@ -205,6 +298,21 @@ export function AuthProvider({ children }: AuthProviderProps) {
return authApiClient.isRemembered();
}, []);
// SSO methods
const getSSOStatus = useCallback(async (): Promise<SSOStatusResponse> => {
return await authApiClient.getSSOStatus();
}, []);
const handleSSOCallback = useCallback(async (token: string): Promise<void> => {
try {
const user = await authApiClient.handleSSOToken(token, true);
setUser(user);
} catch (error) {
console.error("SSO callback failed:", error);
throw error;
}
}, []);
// Listen for storage changes (logout in another tab)
useEffect(() => {
const handleStorageChange = (e: StorageEvent) => {
@@ -227,6 +335,8 @@ export function AuthProvider({ children }: AuthProviderProps) {
isLoading,
authEnabled,
registrationEnabled,
ssoEnabled,
ssoProviders,
// Actions
login,
@@ -234,6 +344,10 @@ export function AuthProvider({ children }: AuthProviderProps) {
logout,
checkAuthStatus,
// SSO Actions
getSSOStatus,
handleSSOCallback,
// Token management
getToken,
setToken,

32
spotizerr-ui/src/lib/api-client.ts
View File

@@ -7,7 +7,8 @@ import type {
LoginResponse,
AuthStatusResponse,
User,
CreateUserRequest
CreateUserRequest,
SSOStatusResponse
} from "@/types/auth";
class AuthApiClient {
@@ -300,6 +301,35 @@ class AuthApiClient {
return response.data;
}
// SSO methods
async getSSOStatus(): Promise<SSOStatusResponse> {
const response = await this.apiClient.get<SSOStatusResponse>("/auth/sso/status");
return response.data;
}
// Handle SSO callback token (when user returns from OAuth provider)
async handleSSOToken(token: string, rememberMe: boolean = true): Promise<User> {
// Set the token and get user info
this.setToken(token, rememberMe);
// Validate the token and get user data
const tokenValidation = await this.validateStoredToken();
if (tokenValidation.isValid && tokenValidation.userData?.user) {
toast.success("SSO Login Successful", {
description: `Welcome, ${tokenValidation.userData.user.username}!`,
});
return tokenValidation.userData.user;
} else {
this.clearToken();
throw new Error("Invalid SSO token");
}
}
// Get SSO login URLs (these redirect to OAuth provider)
getSSOLoginUrl(provider: string): string {
return `/api/auth/sso/login/${provider}`;
}
// Expose the underlying axios instance for other API calls
get client() {
return this.apiClient;

71
spotizerr-ui/src/lib/theme.ts Normal file
View File

@@ -0,0 +1,71 @@
// Theme management functions
export function getTheme(): 'light' | 'dark' | 'system' {
return (localStorage.getItem('theme') as 'light' | 'dark' | 'system') || 'system';
}
export function setTheme(theme: 'light' | 'dark' | 'system') {
localStorage.setItem('theme', theme);
applyTheme(theme);
}
export function toggleTheme() {
const currentTheme = getTheme();
let nextTheme: 'light' | 'dark' | 'system';
switch (currentTheme) {
case 'light':
nextTheme = 'dark';
break;
case 'dark':
nextTheme = 'system';
break;
default:
nextTheme = 'light';
break;
}
setTheme(nextTheme);
return nextTheme;
}
function applyTheme(theme: 'light' | 'dark' | 'system') {
const root = document.documentElement;
if (theme === 'system') {
// Use system preference
const prefersDark = window.matchMedia('(prefers-color-scheme: dark)').matches;
if (prefersDark) {
root.classList.add('dark');
} else {
root.classList.remove('dark');
}
} else if (theme === 'dark') {
root.classList.add('dark');
} else {
root.classList.remove('dark');
}
}
// Dark mode detection and setup
export function setupDarkMode() {
// First, ensure we start with a clean slate
document.documentElement.classList.remove('dark');
const savedTheme = getTheme();
applyTheme(savedTheme);
// Listen for system theme changes (only when using system theme)
const mediaQuery = window.matchMedia('(prefers-color-scheme: dark)');
const handleSystemThemeChange = (e: MediaQueryListEvent) => {
// Only respond to system changes when we're in system mode
if (getTheme() === 'system') {
if (e.matches) {
document.documentElement.classList.add('dark');
} else {
document.documentElement.classList.remove('dark');
}
}
};
mediaQuery.addEventListener('change', handleSystemThemeChange);
}

73
spotizerr-ui/src/main.tsx
View File

@@ -4,80 +4,9 @@ import { RouterProvider } from "@tanstack/react-router";
import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
import { router } from "./router";
import { AuthProvider } from "./contexts/AuthProvider";
import { setupDarkMode } from "./lib/theme";
import "./index.css";
// Theme management functions
export function getTheme(): 'light' | 'dark' | 'system' {
return (localStorage.getItem('theme') as 'light' | 'dark' | 'system') || 'system';
}
export function setTheme(theme: 'light' | 'dark' | 'system') {
localStorage.setItem('theme', theme);
applyTheme(theme);
}
export function toggleTheme() {
const currentTheme = getTheme();
let nextTheme: 'light' | 'dark' | 'system';
switch (currentTheme) {
case 'light':
nextTheme = 'dark';
break;
case 'dark':
nextTheme = 'system';
break;
default:
nextTheme = 'light';
break;
}
setTheme(nextTheme);
return nextTheme;
}
function applyTheme(theme: 'light' | 'dark' | 'system') {
const root = document.documentElement;
if (theme === 'system') {
// Use system preference
const prefersDark = window.matchMedia('(prefers-color-scheme: dark)').matches;
if (prefersDark) {
root.classList.add('dark');
} else {
root.classList.remove('dark');
}
} else if (theme === 'dark') {
root.classList.add('dark');
} else {
root.classList.remove('dark');
}
}
// Dark mode detection and setup
function setupDarkMode() {
// First, ensure we start with a clean slate
document.documentElement.classList.remove('dark');
const savedTheme = getTheme();
applyTheme(savedTheme);
// Listen for system theme changes (only when using system theme)
const mediaQuery = window.matchMedia('(prefers-color-scheme: dark)');
const handleSystemThemeChange = (e: MediaQueryListEvent) => {
// Only respond to system changes when we're in system mode
if (getTheme() === 'system') {
if (e.matches) {
document.documentElement.classList.add('dark');
} else {
document.documentElement.classList.remove('dark');
}
}
};
mediaQuery.addEventListener('change', handleSystemThemeChange);
}
// Initialize dark mode
setupDarkMode();

2
spotizerr-ui/src/routes/root.tsx
View File

@@ -6,7 +6,7 @@ import { Queue } from "@/components/Queue";
import { ProtectedRoute } from "@/components/auth/ProtectedRoute";
import { UserMenu } from "@/components/auth/UserMenu";
import { useContext, useState, useEffect } from "react";
import { getTheme, toggleTheme } from "@/main";
import { getTheme, toggleTheme } from "@/lib/theme";
function ThemeToggle() {
const [currentTheme, setCurrentTheme] = useState<'light' | 'dark' | 'system'>('system');

22
spotizerr-ui/src/types/auth.ts
View File

@@ -5,6 +5,8 @@ export interface User {
role: "user" | "admin";
created_at: string;
last_login?: string;
sso_provider?: string;
is_sso_user?: boolean;
}
export interface LoginRequest {
@@ -29,6 +31,20 @@ export interface AuthStatusResponse {
authenticated: boolean;
user?: User;
registration_enabled: boolean;
sso_enabled?: boolean;
sso_providers?: string[];
}
export interface SSOProvider {
name: string;
display_name: string;
enabled: boolean;
login_url?: string;
}
export interface SSOStatusResponse {
sso_enabled: boolean;
providers: SSOProvider[];
}
export interface CreateUserRequest {
@@ -45,6 +61,8 @@ export interface AuthContextType {
isLoading: boolean;
authEnabled: boolean;
registrationEnabled: boolean;
ssoEnabled: boolean;
ssoProviders: SSOProvider[];
// Actions
login: (credentials: LoginRequest, rememberMe?: boolean) => Promise<void>;
@@ -52,6 +70,10 @@ export interface AuthContextType {
logout: () => void;
checkAuthStatus: () => Promise<void>;
// SSO Actions
getSSOStatus: () => Promise<SSOStatusResponse>;
handleSSOCallback: (token: string) => Promise<void>;
// Token management
getToken: () => string | null;
setToken: (token: string | null, rememberMe?: boolean) => void;