Feature: allow auto-redirecting to SSO login

2024-07-03 12:42:15 -07:00 · 2024-07-03 12:42:15 -07:00 · b6da973324
commit b6da973324
parent ada283441c
7 changed files with 42 additions and 10 deletions
--- a/docs/advanced_usage.md
+++ b/docs/advanced_usage.md
@ -687,4 +687,5 @@ More details about configuration option for various providers can be found in th

 ### Disabling Regular Login

-Once external auth is set up, 'regular' login can be disabled with the [PAPERLESS_DISABLE_REGULAR_LOGIN](configuration.md#PAPERLESS_DISABLE_REGULAR_LOGIN) setting.
+Once external auth is set up, 'regular' login can be disabled with the [PAPERLESS_DISABLE_REGULAR_LOGIN](configuration.md#PAPERLESS_DISABLE_REGULAR_LOGIN) setting and / or users can be automatically
+redirected with the [PAPERLESS_REDIRECT_LOGIN_TO_SSO](configuration.md#PAPERLESS_REDIRECT_LOGIN_TO_SSO) setting.
--- a/docs/configuration.md
+++ b/docs/configuration.md
@ -596,6 +596,14 @@ system. See the corresponding

 : Disables the regular frontend username / password login, i.e. once you have setup SSO. Note that this setting does not disable the Django admin login. To prevent logins directly to Django, consider blocking `/admin/` in your [web server or reverse proxy configuration](https://github.com/paperless-ngx/paperless-ngx/wiki/Using-a-Reverse-Proxy-with-Paperless-ngx).

+You can optionally also automatically redirect users to the SSO login with [PAPERLESS_REDIRECT_LOGIN_TO_SSO](#PAPERLESS_REDIRECT_LOGIN_TO_SSO)
+
+    Defaults to False
+
+#### ['PAPERLESS_REDIRECT_LOGIN_TO_SSO=<bool>`](#PAPERLESS_REDIRECT_LOGIN_TO_SSO) {#PAPERLESS_REDIRECT_LOGIN_TO_SSO}
+
+: When this setting is enabled users will automatically be redirected (using javascript) to the first SSO provider login. You may still want to disable the frontend login form for clarity.
+
    Defaults to False

 #### [`PAPERLESS_ACCOUNT_SESSION_REMEMBER=<bool>`](#PAPERLESS_ACCOUNT_SESSION_REMEMBER) {#PAPERLESS_ACCOUNT_SESSION_REMEMBER}
--- a/src/documents/context_processors.py
+++ b/src/documents/context_processors.py
@ -21,6 +21,7 @@ def settings(request):
        "EMAIL_ENABLED": django_settings.EMAIL_HOST != "localhost"
        or django_settings.EMAIL_HOST_USER != "",
        "DISABLE_REGULAR_LOGIN": django_settings.DISABLE_REGULAR_LOGIN,
+        "REDIRECT_LOGIN_TO_SSO": django_settings.REDIRECT_LOGIN_TO_SSO,
        "ACCOUNT_ALLOW_SIGNUPS": django_settings.ACCOUNT_ALLOW_SIGNUPS,
        "domain": getattr(django_settings, "PAPERLESS_URL", request.get_host()),
        "APP_TITLE": app_title,
--- a/src/documents/templates/account/login.html
+++ b/src/documents/templates/account/login.html
@ -49,16 +49,28 @@
                {% if provider.id == "openid" %}
                    {% for brand in provider.get_brands %}
                        {% provider_login_url provider openid=brand.openid_url process=process as href %}
-                    <li class="d-grid mt-3"><a class="btn btn-secondary" href="{{ href }}">{{ brand.name }}</a></li>
+                    <li class="d-grid mt-3"><a class="btn btn-secondary oidc-url" href="{{ href }}">{{ brand.name }}</a></li>
                    {% endfor %}
                {% else %}
                    {% provider_login_url provider process=process scope=scope auth_params=auth_params as href %}
                        <li class="d-grid mt-3">
-                  <form class="d-grid" method="POST" action="{{ href }}">
+                            <form id="social-login" class="d-grid" method="POST" action="{{ href }}">
                                {% csrf_token %}
                                <button type="submit" class="btn btn-secondary">{{ provider.name }}</button>
                            </form>
                        </li>
+                    {% if REDIRECT_LOGIN_TO_SSO and forloop.counter0 == 0 %}
+                        <script type="text/javascript">
+                            const form = document.getElementById('social-login');
+                            if (form) {
+                                form.submit();
+                            } else {
+                                if (document.getElementsByClassName('oidc-url').length > 0) {
+                                    document.getElementsByClassName('oidc-url')[0].click();
+                                }
+                            }
+                        </script>
+                    {% endif %}
                {% endif %}
            {% endfor %}
        </ul>
--- a/src/documents/templates/paperless-ngx/base.html
+++ b/src/documents/templates/paperless-ngx/base.html
@ -18,7 +18,7 @@

    <body class="text-center">
        <div class="position-absolute top-50 start-50 translate-middle">
-            <form class="form-accounts" method="post">
+            <form class="form-accounts" id="form-account" method="post">
                {% csrf_token %}
                {% if not APP_LOGO and not APP_TITLE %}
                    {% include "paperless-ngx/snippets/svg_logo.html" with extra_attrs="width='300' class='logo mb-4'" %}
--- a/src/documents/templates/socialaccount/login.html
+++ b/src/documents/templates/socialaccount/login.html
@ -12,4 +12,13 @@
    <div class="d-grid mt-3">
        <button class="btn btn-lg btn-primary" type="submit">{% translate "Continue" %}</button>
    </div>
+
+    {% if REDIRECT_LOGIN_TO_SSO %}
+        <script type="text/javascript">
+            const form = document.getElementById('form-account');
+            if (form) {
+                form.submit();
+            }
+        </script>
+    {% endif %}
 {% endblock form_content %}
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@ -460,6 +460,7 @@ SOCIALACCOUNT_PROVIDERS = json.loads(
 ACCOUNT_EMAIL_SUBJECT_PREFIX = "[Paperless-ngx] "

 DISABLE_REGULAR_LOGIN = __get_boolean("PAPERLESS_DISABLE_REGULAR_LOGIN")
+REDIRECT_LOGIN_TO_SSO = __get_boolean("PAPERLESS_REDIRECT_LOGIN_TO_SSO")

 AUTO_LOGIN_USERNAME = os.getenv("PAPERLESS_AUTO_LOGIN_USERNAME")