fix: auth redirection issues in the web, space and admin apps (#4414)

* fix: login redirection * dev: log the user out when deactivating the account * dev: update redirect uris for google and github * fix: redirection url and invitation api and add redirection to god mode in nginx * dev: add reset password redirection * dev: update nginx headers * dev: fix setup sh and env example and put validation for use minio when fetching project covers * dev: stabilize dev setup * fix: handled redirection error in web, space, and admin apps * fix: resovled build errors --------- Co-authored-by: pablohashescobar <nikhilschacko@gmail.com>
2024-05-09 17:46:31 +05:30 · 2024-05-09 17:46:31 +05:30 · 58bf056ddb
commit 58bf056ddb
parent 692f570258
46 changed files with 250 additions and 172 deletions
--- a/apiserver/.env.example
+++ b/apiserver/.env.example
@ -1,7 +1,7 @@
 # Backend
 # Debug value for api server use it as 0 for production use
 DEBUG=0
-CORS_ALLOWED_ORIGINS=""
+CORS_ALLOWED_ORIGINS="http://localhost"

 # Error logs
 SENTRY_DSN=""
--- a/apiserver/plane/app/views/project/base.py
+++ b/apiserver/plane/app/views/project/base.py
@ -602,11 +602,19 @@ class ProjectPublicCoverImagesEndpoint(BaseAPIView):
    @cache_response(60 * 60 * 24, user=False)
    def get(self, request):
        files = []
-        s3 = boto3.client(
-            "s3",
-            aws_access_key_id=settings.AWS_ACCESS_KEY_ID,
-            aws_secret_access_key=settings.AWS_SECRET_ACCESS_KEY,
-        )
+        if settings.USE_MINIO:
+            s3 = boto3.client(
+                "s3",
+                endpoint_url=settings.AWS_S3_ENDPOINT_URL,
+                aws_access_key_id=settings.AWS_ACCESS_KEY_ID,
+                aws_secret_access_key=settings.AWS_SECRET_ACCESS_KEY,
+            )
+        else:
+            s3 = boto3.client(
+                "s3",
+                aws_access_key_id=settings.AWS_ACCESS_KEY_ID,
+                aws_secret_access_key=settings.AWS_SECRET_ACCESS_KEY,
+            )
        params = {
            "Bucket": settings.AWS_STORAGE_BUCKET_NAME,
            "Prefix": "static/project-cover/",
--- a/apiserver/plane/app/views/user/base.py
+++ b/apiserver/plane/app/views/user/base.py
@ -1,5 +1,7 @@
 # Django imports
 from django.db.models import Case, Count, IntegerField, Q, When
+from django.contrib.auth import logout
+from django.utils import timezone

 # Third party imports
 from rest_framework import status
@ -26,6 +28,7 @@ from plane.db.models import (
 from plane.license.models import Instance, InstanceAdmin
 from plane.utils.cache import cache_response, invalidate_cache
 from plane.utils.paginator import BasePaginator
+from plane.authentication.utils.host import user_ip


 class UserEndpoint(BaseViewSet):
@ -166,7 +169,14 @@ class UserEndpoint(BaseViewSet):
            "workspace_invite": False,
        }
        profile.save()
+
+        # User log out
+        user.last_logout_ip = user_ip(request=request)
+        user.last_logout_time = timezone.now()
        user.save()
+
+        # Logout the user
+        logout(request)
        return Response(status=status.HTTP_204_NO_CONTENT)


--- a/apiserver/plane/authentication/adapter/exception.py
+++ b/apiserver/plane/authentication/adapter/exception.py
@ -7,12 +7,6 @@ def auth_exception_handler(exc, context):
    response = exception_handler(exc, context)
    # Check if an AuthenticationFailed exception is raised.
    if isinstance(exc, NotAuthenticated):
-        # Return 403 if the users me api fails
-        request = context["request"]
-        if request.path == "/api/users/me/":
-            response.status_code = 403
-        # else return 401
-        else:
-            response.status_code = 401
+        response.status_code = 401

    return response
--- a/apiserver/plane/authentication/provider/oauth/github.py
+++ b/apiserver/plane/authentication/provider/oauth/github.py
@ -46,9 +46,7 @@ class GitHubOAuthProvider(OauthAdapter):
        client_id = GITHUB_CLIENT_ID
        client_secret = GITHUB_CLIENT_SECRET

-        redirect_uri = (
-            f"{request.scheme}://{request.get_host()}/auth/github/callback/"
-        )
+        redirect_uri = f"""{"https" if request.is_secure() else "http"}://{request.get_host()}/auth/github/callback/"""
        url_params = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
--- a/apiserver/plane/authentication/provider/oauth/google.py
+++ b/apiserver/plane/authentication/provider/oauth/google.py
@ -43,9 +43,7 @@ class GoogleOAuthProvider(OauthAdapter):
        client_id = GOOGLE_CLIENT_ID
        client_secret = GOOGLE_CLIENT_SECRET

-        redirect_uri = (
-            f"{request.scheme}://{request.get_host()}/auth/google/callback/"
-        )
+        redirect_uri = f"""{"https" if request.is_secure() else "http"}://{request.get_host()}/auth/google/callback/"""
        url_params = {
            "client_id": client_id,
            "scope": self.scope,
--- a/apiserver/plane/authentication/utils/host.py
+++ b/apiserver/plane/authentication/utils/host.py
@ -6,7 +6,7 @@ def base_host(request):
    return (
        request.META.get("HTTP_ORIGIN")
        or f"{urlsplit(request.META.get('HTTP_REFERER')).scheme}://{urlsplit(request.META.get('HTTP_REFERER')).netloc}"
-        or f"{request.scheme}://{request.get_host()}"
+        or f"""{"https" if request.is_secure() else "http"}://{request.get_host()}"""
    )


--- a/apiserver/plane/authentication/utils/redirection_path.py
+++ b/apiserver/plane/authentication/utils/redirection_path.py
@ -10,10 +10,13 @@ def get_redirection_path(user):
        return "onboarding"

    # Redirect to the last workspace if the user has last workspace
-    if profile.last_workspace_id and Workspace.objects.filter(
-        pk=profile.last_workspace_id,
-        workspace_member__member_id=user.id,
-        workspace_member__is_active=True,
+    if (
+        profile.last_workspace_id
+        and Workspace.objects.filter(
+            pk=profile.last_workspace_id,
+            workspace_member__member_id=user.id,
+            workspace_member__is_active=True,
+        ).exists()
    ):
        workspace = Workspace.objects.filter(
            pk=profile.last_workspace_id,
--- a/apiserver/plane/authentication/views/common.py
+++ b/apiserver/plane/authentication/views/common.py
@ -206,7 +206,7 @@ class ResetPasswordEndpoint(View):

            url = urljoin(
                base_host(request=request),
-                "accounts/sign-in?" + urlencode({"success", True}),
+                "accounts/sign-in?" + urlencode({"success": True}),
            )
            return HttpResponseRedirect(url)
        except DjangoUnicodeDecodeError:
--- a/apiserver/plane/settings/local.py
+++ b/apiserver/plane/settings/local.py
@ -31,6 +31,8 @@ MEDIA_URL = "/uploads/"
 MEDIA_ROOT = os.path.join(BASE_DIR, "uploads")  # noqa

 CORS_ALLOWED_ORIGINS = [
+    "http://localhost",
+    "http://127.0.0.1",
    "http://localhost:3000",
    "http://127.0.0.1:3000",
    "http://localhost:4000",
--- a/apiserver/requirements/base.txt
+++ b/apiserver/requirements/base.txt
@ -60,4 +60,4 @@ zxcvbn==4.4.28
 # timezone
 pytz==2024.1
 # jwt
-jwt==1.3.1
+PyJWT==2.8.0