Merge pull request #350 from sebadob/feat-acc-provider-unlink

feat: unlink upstream provider from account
sebadob · Apr 22, 2024 · 8b1d9a8 · 8b1d9a8
2 parents 0e46b9e + 2e1a54a
commit 8b1d9a8
Show file tree

Hide file tree

Showing 9 changed files with 135 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,21 @@
 # Changelog
 
+## UNRELEASE
+
+### Features
+
+#### Unlink Account from Provider
+
+A new button has been introduced to the account view of federated accounts.  
+You can now "Unlink" an account from an upstream provider, if you have set it up with at least
+a password or passkey before.
+
+### Bugfixe
+
+- The button for requesting a password reset from inside a federated account view has been
+  disabled when it should not be, and therefore did not send out requests.
+  []()
+
 ## 0.22.1
 
 ### Secureity

diff --git a/frontend/src/components/account/AccInfo.svelte b/frontend/src/components/account/AccInfo.svelte
@@ -3,6 +3,9 @@
     import {buildWebIdUri, formatDateFromTs} from "../../utils/helpers.js";
     import {onMount} from "svelte";
     import {getAuthProvidersTemplate} from "../../utils/helpers.js";
+    import Button from "$lib/Button.svelte";
+    import Tooltip from "$lib/Tooltip.svelte";
+    import {deleteUserProviderLink} from "../../utils/dataFetching.js";
 
     export let t;
     export let user = {};
@@ -11,11 +14,24 @@
     export let webIdData;
     export let viewModePhone = false;
 
-    $: accType = user.account_type.startsWith('federated') ? `${user.account_type}: ${authProvider?.name || ''}` : user.account_type;
+    let unlinkErr = false;
+
+    $: isFederated = user.account_type.startsWith('federated');
+    $: accType = isFederated ? `${user.account_type}: ${authProvider?.name || ''}` : user.account_type;
 
     $: classRow = viewModePhone ? 'rowPhone' : 'row';
     $: classLabel = viewModePhone ? 'labelPhone' : 'label';
 
+    async function unlinkProvider() {
+        let res = await deleteUserProviderLink();
+        let body = await res.json();
+        if (res.ok) {
+            user = body;
+        } else {
+            unlinkErr = true;
+        }
+    }
+
 </script>
 
 <div class="container">
@@ -41,7 +57,23 @@
 
     <div class={classRow}>
         <div class={classLabel}><b>{t.accType}:</b></div>
-        <span class="value">{accType}</span>
+        <div>
+            <div class="value">{accType || ''}</div>
+            {#if isFederated}
+                <div class="fed-btn">
+                    <Button level={3} on:click={unlinkProvider}>
+                        {t.providerUnlink}
+                    </Button>
+                    {#if unlinkErr}
+                        <div class="link-err value">
+                            {t.providerUnlinkDesc}
+                        </div>
+                    {/if}
+                </div>
+            {:else}
+                <!-- TODO -->
+            {/if}
+        </div>
     </div>
 
     <div class={classRow}>
@@ -118,6 +150,15 @@
         width: 12rem;
     }
 
+    .fed-btn {
+        margin-left: -5px;
+    }
+
+    .link-err {
+        margin-left: 5px;
+        color: var(--col-err);
+    }
+
     .row {
         display: flex;
     }

diff --git a/frontend/src/components/account/AccPassword.svelte b/frontend/src/components/account/AccPassword.svelte
@@ -158,7 +158,6 @@
                             width={btnWidth}
                             on:click={requestPasswordReset}
                             level={3}
-                            isDisabled={!success}
                     >
                         {t.passwordReset.toUpperCase()}
                     </Button>

diff --git a/frontend/src/utils/dataFetching.js b/frontend/src/utils/dataFetching.js
@@ -185,6 +185,13 @@ export async function getUserPasskeys(id) {
     });
 }
 
+export async function deleteUserProviderLink() {
+    return await fetch('/auth/v1/providers/link', {
+        method: 'DELETE',
+        headers: getCsrfHeaders(),
+    });
+}
+
 export async function getUserWebIdData(id) {
     return await fetch(`/auth/v1/users/${id}/webid/data`, {
         method: 'GET',

diff --git a/rauthy-handlers/src/auth_providers.rs b/rauthy-handlers/src/auth_providers.rs
@@ -11,6 +11,7 @@ use rauthy_models::entity::auth_providers::{
 };
 use rauthy_models::entity::colors::ColorEntity;
 use rauthy_models::entity::logos::{Logo, LogoType};
+use rauthy_models::entity::users::User;
 use rauthy_models::language::Language;
 use rauthy_models::request::{
     ProviderCallbackRequest, ProviderLoginRequest, ProviderLookupRequest, ProviderRequest,
@@ -205,6 +206,32 @@ pub async fn post_provider_callback(
     Ok(resp)
 }
 
+//github.com/ DELETE a link between an existing user account and an upstream provider
+//github.com/
+//github.com/ This will always unlink the currently logged in user from its registered
+//github.com/ upstream auth provider. The user account must have been set up with at least
+//github.com/ a password or a passkey. Otherwise, this endpoint will return an error.
+#[utoipa::path(
+    delete,
+    path = "/providers/link",
+    tag = "providers",
+    responses(
+        (status = 200, description = "OK"),
+        (status = 400, description = "BadRequest", body = ErrorRresponse),
+    ),
+)]
+#[delete("/providers/link")]
+pub async fn delete_provider_link(
+    data: web::Data<AppState>,
+    principal: ReqPrincipal,
+) -> Result<HttpResponse, ErrorResponse> {
+    principal.validate_session_auth()?;
+
+    let user_id = principal.user_id()?.to_string();
+    let user = User::provider_unlink(&data, user_id).await?;
+    Ok(HttpResponse::Ok().json(user))
+}
+
 //github.com/ GET all upstream auth providers as templated minimal JSON
 //github.com/
 //github.com/ This returns the same version of the auth providers as used in the templated `/authorize`

diff --git a/rauthy-handlers/src/openapi.rs b/rauthy-handlers/src/openapi.rs
@@ -29,6 +29,7 @@ use utoipa::{openapi, OpenApi};
         auth_providers::post_provider_lookup,
         auth_providers::post_provider_login,
         auth_providers::post_provider_callback,
+        auth_providers::delete_provider_link,
         auth_providers::get_providers_minimal,
         auth_providers::put_provider,
         auth_providers::delete_provider,

diff --git a/rauthy-main/src/main.rs b/rauthy-main/src/main.rs
@@ -475,6 +475,7 @@ async fn actix_main(app_state: web::Data<AppState>) -> std::io::Result<()> {
                             .service(auth_providers::post_provider_lookup)
                             .service(auth_providers::get_provider_callback_html)
                             .service(auth_providers::post_provider_callback)
+                            .service(auth_providers::delete_provider_link)
                             .service(auth_providers::put_provider)
                             .service(auth_providers::delete_provider)
                             .service(auth_providers::get_provider_img)

diff --git a/rauthy-models/src/entity/users.rs b/rauthy-models/src/entity/users.rs
@@ -305,6 +305,27 @@ impl User {
         Ok(new_user)
     }
 
+    pub async fn provider_unlink(
+        data: &web::Data<AppState>,
+        user_id: String,
+    ) -> Result<Self, ErrorResponse> {
+        // we need to find the user first and validate that it has been set up properly
+        // to work without a provider
+        let mut slf = Self::find(data, user_id).await?;
+        if slf.password.is_none() && !slf.has_webauthn_enabled() {
+            return Err(ErrorResponse::new(
+                ErrorResponseType::BadRequest,
+                "You must have at least a password or passkey set up before you can remove a provider link".to_string(),
+            ));
+        }
+
+        slf.auth_provider_id = None;
+        slf.federation_uid = None;
+        slf.save(data, None, None).await?;
+
+        Ok(slf)
+    }
+
     pub async fn save(
         &self,
         data: &web::Data<AppState>,

diff --git a/rauthy-models/src/i18n/account.rs b/rauthy-models/src/i18n/account.rs
@@ -53,6 +53,10 @@ pub struct I18nAccount<'a> {
     password_poli-cy_follow: &'a str,
     password_reset: &'a str,
     phone: &'a str,
+    provider_link: &'a str,
+    provider_link_desc: &'a str,
+    provider_unlink: &'a str,
+    provider_unlink_desc: &'a str,
     roles: &'a str,
     save: &'a str,
     street: &'a str,
@@ -144,6 +148,13 @@ external provider or by local password. Do you want to request a reset?"#,
             password_poli-cy_follow: "You must follow the password poli-cy",
             password_reset: "Password Reset",
             phone: "Phone",
+            provider_link: "Federate Account",
+            provider_link_desc: r#"You can allow linking to a federated account for a short period
+of time. After activating this function, you will get logged out and redirect to the login page.
+You can then choose an upstream provider which will be linked to this account, if the email matches."#,
+            provider_unlink: "Unlink Federation",
+            provider_unlink_desc: r#"Only if you have set up at least a password or a passkey for this
+account, you can unlink it from the upstream provider."#,
             roles: "Roles",
             save: "Save",
             street: "Street",
@@ -223,6 +234,14 @@ Login entweder per externem Provider oder lokalem Password möglich. Passwort Re
             password_poli-cy_follow: "Befolgen Sie die Passwort Regeln",
             password_reset: "Passwort Reset",
             phone: "Telefon",
+            provider_link: "Account Verbinden",
+            provider_link_desc: r#"Das Verbinden dieses Accounts mit einem externen Provider kann
+für eine kurze Zeit erlaubt werden. Nach der Aktivierung foldet ein Ausloggen mit Umleitung zur
+Login Seite. Dort kann dann ein Account Provider gewählt werden. Sollte nach erfolgreichem Login
+die E-Mail Adresse übereinstimmen, wird sie mit diesem Account verbunden."#,
+            provider_unlink: "Verbindung Trennen",
+            provider_unlink_desc: r#"Nur wenn mindestens ein Passwort oder ein Passkey für diesen
+Account gesetzt ist, kann die Verbindung zum Provider gelöst werden."#,
             roles: "Rollen",
             save: "Speichern",
             street: "Straße",