coryHawkvelt/gatehouse-api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
ff976ee1cca3047e4e74f6a66f7c0dd2821f4640
gatehouse-api/scripts/README.md
T
coryHawkvelt ae2421763a google login works
2026-01-21 03:09:46 +10:30

341 lines
10 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Gatehouse Scripts
This directory contains utility scripts for managing and configuring Gatehouse.
## OAuth Provider Configuration Script
The [`configure_oauth_provider.py`](configure_oauth_provider.py:1) script allows administrators to easily configure OAuth providers at the application level.
### Overview
This script manages application-wide OAuth provider configurations using the new [`ApplicationProviderConfig`](../gatehouse_app/models/authentication_method.py:99) architecture. Unlike the deprecated organization-specific configuration, this allows users to authenticate with OAuth providers without needing to specify an organization first.
### Prerequisites
- Python 3.8+
- Virtual environment with dependencies installed
- Flask app must be properly configured (`.env` or environment variables)
### Quick Start
```bash
# Activate virtual environment
cd gatehouse-api
source .venv/bin/activate
# Create Google OAuth configuration
python scripts/configure_oauth_provider.py create google \
--client-id "YOUR_CLIENT_ID" \
--client-secret "YOUR_CLIENT_SECRET" \
--redirect-url "http://localhost:5173/auth/callback"
# List all configured providers
python scripts/configure_oauth_provider.py list
# Show provider details
python scripts/configure_oauth_provider.py show google
```
### Commands
#### `create` - Create a New Provider
Create a new OAuth provider configuration at the application level.
```bash
python scripts/configure_oauth_provider.py create PROVIDER [OPTIONS]
```
**Arguments:**
- `PROVIDER`: Provider type (google, github, microsoft)
**Options:**
- `--client-id TEXT`: OAuth client ID (required, or via environment)
- `--client-secret TEXT`: OAuth client secret (required, or via environment)
- `--redirect-url TEXT`: Default redirect URL for callbacks
- `--disabled`: Create provider in disabled state
- `--settings KEY=VALUE`: Custom settings (can be specified multiple times)
**Examples:**
```bash
# Basic Google configuration
python scripts/configure_oauth_provider.py create google \
--client-id "xxx.apps.googleusercontent.com" \
--client-secret "GOCSPX-xxx"
# With redirect URL
python scripts/configure_oauth_provider.py create google \
--client-id "xxx" \
--client-secret "yyy" \
--redirect-url "https://app.example.com/auth/callback"
# Create disabled initially
python scripts/configure_oauth_provider.py create github \
--client-id "xxx" \
--client-secret "yyy" \
--disabled
# With custom settings
python scripts/configure_oauth_provider.py create google \
--client-id "xxx" \
--client-secret "yyy" \
--settings "hosted_domain=example.com" \
--settings "prompt=consent"
```
#### `update` - Update Existing Provider
Update an existing OAuth provider configuration.
```bash
python scripts/configure_oauth_provider.py update PROVIDER [OPTIONS]
```
**Arguments:**
- `PROVIDER`: Provider type to update
**Options:**
- `--client-id TEXT`: New OAuth client ID
- `--client-secret TEXT`: New OAuth client secret
- `--redirect-url TEXT`: New default redirect URL
- `--enabled true|false`: Enable or disable the provider
- `--settings KEY=VALUE`: Custom settings to update
**Examples:**
```bash
# Update client credentials
python scripts/configure_oauth_provider.py update google \
--client-id "new-client-id" \
--client-secret "new-secret"
# Enable/disable provider
python scripts/configure_oauth_provider.py update google --enabled false
python scripts/configure_oauth_provider.py update google --enabled true
# Update redirect URL
python scripts/configure_oauth_provider.py update google \
--redirect-url "https://new-domain.com/auth/callback"
```
#### `list` - List All Providers
List all configured OAuth providers with their status.
```bash
python scripts/configure_oauth_provider.py list
```
**Example Output:**
```
Configured OAuth Providers
google - enabled
Client ID: 972920496362-xxx.apps.googleusercontent.com
Redirect URL: https://app.example.com/auth/callback
Created: 2026-01-20T13:00:00
Auth URL: https://accounts.google.com/o/oauth2/v2/auth
Scopes: openid, profile, email
github - disabled
Client ID: Iv1.xxx
Created: 2026-01-19T10:00:00
Auth URL: https://github.com/login/oauth/authorize
Scopes: read:user, user:email
```
#### `show` - Show Provider Details
Display detailed information about a specific OAuth provider.
```bash
python scripts/configure_oauth_provider.py show PROVIDER
```
**Arguments:**
- `PROVIDER`: Provider type to display
**Example:**
```bash
python scripts/configure_oauth_provider.py show google
```
**Example Output:**
```
Google OAuth Provider Details
Basic Information:
Provider Type: google
Provider ID: 123e4567-e89b-12d3-a456-426614174000
Client ID: 972920496362-xxx.apps.googleusercontent.com
Status: enabled
Default Redirect URL: https://app.example.com/auth/callback
Timestamps:
Created: 2026-01-20T13:00:00
Updated: 2026-01-20T14:30:00
OAuth Configuration:
Authorization URL: https://accounts.google.com/o/oauth2/v2/auth
Token URL: https://oauth2.googleapis.com/token
User Info URL: https://openidconnect.googleapis.com/v1/userinfo
JWKS URL: https://www.googleapis.com/oauth2/v3/certs
Scopes: openid, profile, email
```
#### `delete` - Delete Provider Configuration
Remove an OAuth provider configuration.
```bash
python scripts/configure_oauth_provider.py delete PROVIDER [OPTIONS]
```
**Arguments:**
- `PROVIDER`: Provider type to delete
**Options:**
- `--yes`, `-y`: Skip confirmation prompt
**Examples:**
```bash
# Delete with confirmation prompt
python scripts/configure_oauth_provider.py delete google
# Delete without confirmation
python scripts/configure_oauth_provider.py delete google --yes
```
### Environment Variables
The script supports loading OAuth credentials from environment variables, which is useful for automation and CI/CD pipelines.
**Supported Variables:**
- `{PROVIDER}_CLIENT_ID`: OAuth client ID
- `{PROVIDER}_CLIENT_SECRET`: OAuth client secret
- `{PROVIDER}_REDIRECT_URL`: Default redirect URL
**Example:**
```bash
# Export environment variables
export GOOGLE_CLIENT_ID="xxx.apps.googleusercontent.com"
export GOOGLE_CLIENT_SECRET="GOCSPX-xxx"
export GOOGLE_REDIRECT_URL="https://app.example.com/auth/callback"
# Create provider using environment variables
python scripts/configure_oauth_provider.py create google
# You can still override with command-line arguments
python scripts/configure_oauth_provider.py create google \
--redirect-url "https://different.com/callback"
```
### Supported Providers
The script comes with pre-configured endpoint information for:
- **Google** (`google`)
- Authorization: `https://accounts.google.com/o/oauth2/v2/auth`
- Token: `https://oauth2.googleapis.com/token`
- User Info: `https://openidconnect.googleapis.com/v1/userinfo`
- Default Scopes: `openid, profile, email`
- **GitHub** (`github`)
- Authorization: `https://github.com/login/oauth/authorize`
- Token: `https://github.com/login/oauth/access_token`
- User Info: `https://api.github.com/user`
- Default Scopes: `read:user, user:email`
- **Microsoft** (`microsoft`)
- Authorization: `https://login.microsoftonline.com/common/oauth2/v2.0/authorize`
- Token: `https://login.microsoftonline.com/common/oauth2/v2.0/token`
- User Info: `https://graph.microsoft.com/oidc/userinfo`
- Default Scopes: `openid, profile, email`
### Error Handling
The script provides clear error messages and appropriate exit codes:
- **Exit Code 0**: Success
- **Exit Code 1**: Error occurred
**Common Errors:**
1. **Provider Already Exists**
```
✗ Failed to create provider: Provider google already exists
Use 'update' command to modify existing provider configuration.
```
2. **Provider Not Found**
```
✗ Failed to update provider: Provider google not found
Use 'create' command to add a new provider configuration.
```
3. **Missing Credentials**
```
✗ Client ID is required. Provide via --client-id or GOOGLE_CLIENT_ID environment variable.
```
### Integration with Shell Scripts
The [`configure-google-auth.sh`](../../docs/configure-google-auth.sh:1) script demonstrates how to integrate the Python script into a shell script for easier deployment:
```bash
#!/bin/bash
# Set credentials
GOOGLE_CLIENT_ID="xxx"
GOOGLE_CLIENT_SECRET="yyy"
REDIRECT_URL="https://app.example.com/callback"
# Call Python script
cd gatehouse-api
python3 scripts/configure_oauth_provider.py create google \
--client-id "$GOOGLE_CLIENT_ID" \
--client-secret "$GOOGLE_CLIENT_SECRET" \
--redirect-url "$REDIRECT_URL"
```
### API Service Methods
The script uses the following [`ExternalAuthService`](../gatehouse_app/services/external_auth_service.py:1) methods:
- [`create_app_provider_config()`](../gatehouse_app/services/external_auth_service.py:308) - Create provider configuration
- [`update_app_provider_config()`](../gatehouse_app/services/external_auth_service.py:369) - Update provider configuration
- [`get_app_provider_config()`](../gatehouse_app/services/external_auth_service.py:427) - Get single provider
- [`list_app_provider_configs()`](../gatehouse_app/services/external_auth_service.py:454) - List all providers
- [`delete_app_provider_config()`](../gatehouse_app/services/external_auth_service.py:465) - Delete provider configuration
### Security Considerations
1. **Client Secret Storage**: Client secrets are encrypted using the application's encryption key before storage in the database
2. **Environment Variables**: Be cautious when using environment variables in shared environments
3. **Secret Exposure**: The `show` command never displays the client secret (it's always excluded)
4. **Confirmation Prompts**: The `delete` command requires confirmation unless `--yes` flag is used
### Troubleshooting
**Database Connection Issues:**
- Ensure PostgreSQL is running and accessible
- Check `.env` file for correct `DATABASE_URL`
- Verify virtual environment is activated
**Import Errors:**
- Activate the virtual environment: `source .venv/bin/activate`
- Install dependencies: `pip install -r requirements.txt`
**Permission Issues:**
- Ensure script is executable: `chmod +x scripts/configure_oauth_provider.py`
### Related Documentation
- [External Auth Architecture](../../docs/external-auth-architecture.md)
- [Application-Wide OAuth Design](../../docs/external-auth-application-wide-design.md)
- [OAuth API Changes](../../docs/oauth-api-changes.md)
Reference in New Issue View Git Blame Copy Permalink