Check if can login

Author: amvanbaren

server/src/main/java/org/eclipse/openvsx/IExtensionRegistry.java

@@ -46,6 +46,4 @@ public interface IExtensionRegistry {
     String getPublicKey(String publicId);
 
     RegistryVersionJson getRegistryVersion();
-
-    boolean isOAuth2Enabled();
 }

server/src/main/java/org/eclipse/openvsx/LocalRegistryService.java

@@ -26,14 +26,12 @@
 import org.eclipse.openvsx.util.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.cache.annotation.Cacheable;
 import org.springframework.data.domain.PageRequest;
 import org.springframework.data.elasticsearch.core.SearchHits;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.stereotype.Component;
 import org.springframework.web.server.ResponseStatusException;
 import org.springframework.web.servlet.mvc.method.annotation.StreamingResponseBody;
@@ -65,7 +63,6 @@ public class LocalRegistryService implements IExtensionRegistry {
     private final EclipseService eclipse;
     private final CacheService cache;
     private final ExtensionVersionIntegrityService integrityService;
-    private final ClientRegistrationRepository clientRegistrationRepository;
 
     public LocalRegistryService(
             EntityManager entityManager,
@@ -78,8 +75,7 @@ public LocalRegistryService(
             StorageUtilService storageUtil,
             EclipseService eclipse,
             CacheService cache,
-            ExtensionVersionIntegrityService integrityService,
-            @Autowired(required = false) ClientRegistrationRepository clientRegistrationRepository
+            ExtensionVersionIntegrityService integrityService
     ) {
         this.entityManager = entityManager;
         this.repositories = repositories;
@@ -92,7 +88,6 @@ public LocalRegistryService(
         this.eclipse = eclipse;
         this.cache = cache;
         this.integrityService = integrityService;
-        this.clientRegistrationRepository = clientRegistrationRepository;
     }
 
     @Value("${ovsx.webui.url:}")
@@ -1147,9 +1142,4 @@ public RegistryVersionJson getRegistryVersion() {
         registryVersion.setVersion(this.registryVersion);
         return registryVersion;
     }
-
-    @Override
-    public boolean isOAuth2Enabled() {
-        return this.clientRegistrationRepository == null ? false : true;    
-    }
 }

server/src/main/java/org/eclipse/openvsx/RegistryAPI.java

@@ -1404,38 +1404,4 @@ public ResponseEntity<RegistryVersionJson> getServerVersion() {
             return exc.toResponseEntity(RegistryVersionJson.class);
         }
     }
-
-    @GetMapping(path = "/api/oauth2/enabled", produces = MediaType.APPLICATION_JSON_VALUE)
-    @CrossOrigin
-    @Operation(summary = "Check if OAuth2 is enabled")
-    @ApiResponse(
-        responseCode = "200",
-        description = "Returns true if OAuth2 is enabled, false otherwise"
-    )
-    @ApiResponse(
-        responseCode = "429",
-        description = "A client has sent too many requests in a given amount of time",
-        headers = {
-            @Header(
-                name = "X-Rate-Limit-Retry-After-Seconds",
-                description = "Number of seconds to wait before retrying after receiving a 429 response",
-                schema = @Schema(type = "integer", format = "int32")
-            ),
-            @Header(
-                name = "X-Rate-Limit-Remaining",
-                description = "Number of remaining requests available",
-                schema = @Schema(type = "integer", format = "int32")
-            )
-        }
-    )
-    public ResponseEntity<Boolean> isOAuth2Enabled() {
-        try {
-            boolean enabled = local.isOAuth2Enabled();
-            return ResponseEntity.ok()
-                    .cacheControl(CacheControl.maxAge(5, TimeUnit.MINUTES).cachePublic())
-                    .body(enabled);
-        } catch (Exception exc) {
-            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(false);
-        }
-    }
 }

server/src/main/java/org/eclipse/openvsx/UpstreamRegistryService.java

@@ -428,17 +428,6 @@ public RegistryVersionJson getRegistryVersion() {
         }
     }
 
-    /**
-     * For the upstream registry, it is assumed that OAuth2 is always configured and required.
-     * This method consistently returns {@code true} to reflect that assumption.
-     * 
-     * @return {@code true}, indicating that OAuth2 is enabled and expected to be configured.
-    */
-    @Override
-    public boolean isOAuth2Enabled() {
-        return true;    
-    }
-
     private void handleError(Throwable exc) throws RuntimeException {
         if (exc instanceof HttpStatusCodeException) {
             var status = ((HttpStatusCodeException) exc).getStatusCode();

server/src/main/java/org/eclipse/openvsx/UserAPI.java

@@ -33,8 +33,8 @@
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.server.ResponseStatusException;
-import org.springframework.web.servlet.ModelAndView;
 
+import java.net.URI;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
@@ -66,14 +66,30 @@ public UserAPI(
         this.storageUtil = storageUtil;
     }
 
+    @GetMapping(
+            path = "/can-login",
+            produces = MediaType.APPLICATION_JSON_VALUE
+    )
+    public ResponseEntity<Boolean> canLogin() {
+        return ResponseEntity.ok()
+                .cacheControl(CacheControl.maxAge(10, TimeUnit.MINUTES).cachePublic())
+                .body(users.canLogin());
+    }
+
     /**
      * Redirect to GitHub Oauth2 login as default login provider.
      */
     @GetMapping(
         path = "/login"
     )
-    public ModelAndView login(ModelMap model) {
-        return new ModelAndView("redirect:/oauth2/authorization/github", model);
+    public ResponseEntity<Void> login(ModelMap model) {
+        if(users.canLogin()) {
+            return ResponseEntity.status(HttpStatus.FOUND)
+                    .location(URI.create(UrlUtil.createApiUrl(UrlUtil.getBaseUrl(), "oauth2", "authorization", "github")))
+                    .build();
+        } else {
+            return ResponseEntity.notFound().build();
+        }
     }
 
     /**
@@ -84,7 +100,7 @@ public ModelAndView login(ModelMap model) {
         produces = MediaType.APPLICATION_JSON_VALUE
     )
     public ErrorJson getAuthError(HttpServletRequest request) {
-        var authException = request.getSession().getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
+        var authException = users.canLogin() ? request.getSession().getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) : null;
         if (!(authException instanceof AuthenticationException))
             throw new ResponseStatusException(HttpStatus.NOT_FOUND);
 
@@ -241,6 +257,11 @@ public List<NamespaceJson> getOwnNamespaces() {
         produces = MediaType.APPLICATION_JSON_VALUE
     )
     public ResponseEntity<ResultJson> updateNamespaceDetails(@RequestBody NamespaceDetailsJson details) {
+        var user = users.findLoggedInUser();
+        if (user == null) {
+            return new ResponseEntity<>(HttpStatus.FORBIDDEN);
+        }
+
         try {
             return ResponseEntity.ok()
                     .cacheControl(CacheControl.maxAge(10, TimeUnit.MINUTES).cachePublic())
@@ -262,6 +283,11 @@ public ResponseEntity<ResultJson> updateNamespaceDetailsLogo(
             @PathVariable String namespace,
             @RequestParam MultipartFile file
     ) {
+        var user = users.findLoggedInUser();
+        if (user == null) {
+            return new ResponseEntity<>(HttpStatus.FORBIDDEN);
+        }
+
         try {
             return ResponseEntity.ok()
                     .body(users.updateNamespaceDetailsLogo(namespace, file));

server/src/main/java/org/eclipse/openvsx/UserService.java

@@ -30,8 +30,10 @@
 import org.eclipse.openvsx.security.IdPrincipal;
 import org.eclipse.openvsx.storage.StorageUtilService;
 import org.eclipse.openvsx.util.*;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.cache.annotation.CacheEvict;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.stereotype.Component;
 import org.springframework.web.multipart.MultipartFile;
@@ -53,22 +55,29 @@ public class UserService {
     private final StorageUtilService storageUtil;
     private final CacheService cache;
     private final ExtensionValidator validator;
+    private final ClientRegistrationRepository clientRegistrationRepository;
 
     public UserService(
             EntityManager entityManager,
             RepositoryService repositories,
             StorageUtilService storageUtil,
             CacheService cache,
-            ExtensionValidator validator
+            ExtensionValidator validator,
+            @Autowired(required = false) ClientRegistrationRepository clientRegistrationRepository
     ) {
         this.entityManager = entityManager;
         this.repositories = repositories;
         this.storageUtil = storageUtil;
         this.cache = cache;
         this.validator = validator;
+        this.clientRegistrationRepository = clientRegistrationRepository;
     }
 
     public UserData findLoggedInUser() {
+        if(!canLogin()) {
+            return null;
+        }
+
         var authentication = SecurityContextHolder.getContext().getAuthentication();
         if (authentication != null) {
             if (authentication.getPrincipal() instanceof IdPrincipal) {
@@ -315,4 +324,8 @@ public ResultJson deleteAccessToken(UserData user, long id) {
         token.setActive(false);
         return ResultJson.success("Deleted access token for user " + user.getLoginName() + ".");
     }
+
+    public boolean canLogin() {
+        return clientRegistrationRepository != null && clientRegistrationRepository.findByRegistrationId("github") != null;
+    }
 }

server/src/main/java/org/eclipse/openvsx/security/OAuth2UserServices.java

@@ -110,6 +110,10 @@ public IdPrincipal loadUser(OAuth2UserRequest userRequest) {
         }
     }
 
+    public boolean canLogin() {
+        return users.canLogin();
+    }
+
     private IdPrincipal loadGitHubUser(OAuth2UserRequest userRequest) {
         var authUser = delegate.loadUser(userRequest);
         String loginName = authUser.getAttribute("login");

server/src/main/java/org/eclipse/openvsx/security/SecurityConfig.java

@@ -41,25 +41,9 @@ public SecurityConfig(@Autowired(required = false) ClientRegistrationRepository
 
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http, OAuth2UserServices userServices) throws Exception {
-        var redirectUrl = StringUtils.isEmpty(webuiUrl) ? "/" : webuiUrl;
-        
-        if (clientRegistrationRepository == null) {
-            // Minimal security configuration when OAuth2 is not available
-            return http.authorizeHttpRequests(
+        var filterChain = http.authorizeHttpRequests(
                 registry -> registry
-                        .anyRequest()
-                            .permitAll())
-                        .cors(configurer -> configurer.configure(http))
-                        .csrf(configurer -> {
-                            configurer.ignoringRequestMatchers(antMatchers("/api/-/publish", "/api/-/namespace/create", "/api/-/query", "/vscode/**"));
-                        })
-                        .exceptionHandling(configurer -> configurer.authenticationEntryPoint(new Http403ForbiddenEntryPoint()))
-                        .build();
-        }
-
-        return http.authorizeHttpRequests(
-                registry -> registry
-                        .requestMatchers(antMatchers("/*", "/login/**", "/oauth2/**", "/user", "/user/auth-error", "/logout", "/actuator/health/**", "/actuator/metrics", "/actuator/metrics/**", "/actuator/prometheus", "/v3/api-docs/**", "/swagger-resources/**", "/swagger-ui/**", "/webjars/**"))
+                        .requestMatchers(antMatchers("/*", "/login/**", "/oauth2/**", "/can-login", "/user", "/user/auth-error", "/logout", "/actuator/health/**", "/actuator/metrics", "/actuator/metrics/**", "/actuator/prometheus", "/v3/api-docs/**", "/swagger-resources/**", "/swagger-ui/**", "/webjars/**"))
                             .permitAll()
                         .requestMatchers(antMatchers("/api/*/*/review", "/api/*/*/review/delete", "/api/user/publish", "/api/user/namespace/create"))
                             .authenticated()
@@ -76,15 +60,20 @@ public SecurityFilterChain filterChain(HttpSecurity http, OAuth2UserServices use
                 .csrf(configurer -> {
                     configurer.ignoringRequestMatchers(antMatchers("/api/-/publish", "/api/-/namespace/create", "/api/-/query", "/vscode/**"));
                 })
-                .exceptionHandling(configurer -> configurer.authenticationEntryPoint(new Http403ForbiddenEntryPoint()))
-                .oauth2Login(configurer -> {
-                    configurer.defaultSuccessUrl(redirectUrl);
-                    configurer.successHandler(new CustomAuthenticationSuccessHandler(redirectUrl));
-                    configurer.failureUrl(redirectUrl + "?auth-error");
-                    configurer.userInfoEndpoint(customizer -> customizer.oidcUserService(userServices.getOidc()).userService(userServices.getOauth2()));
-                })
-                .logout(configurer -> configurer.logoutSuccessUrl(redirectUrl))
-                .build();
+                .exceptionHandling(configurer -> configurer.authenticationEntryPoint(new Http403ForbiddenEntryPoint()));
+
+        if(userServices.canLogin()) {
+            var redirectUrl = StringUtils.isEmpty(webuiUrl) ? "/" : webuiUrl;
+            filterChain.oauth2Login(configurer -> {
+                configurer.defaultSuccessUrl(redirectUrl);
+                configurer.successHandler(new CustomAuthenticationSuccessHandler(redirectUrl));
+                configurer.failureUrl(redirectUrl + "?auth-error");
+                configurer.userInfoEndpoint(customizer -> customizer.oidcUserService(userServices.getOidc()).userService(userServices.getOauth2()));
+            })
+            .logout(configurer -> configurer.logoutSuccessUrl(redirectUrl));
+        }
+
+        return filterChain.build();
     }
 
     private RequestMatcher[] antMatchers(String... patterns)

server/src/main/java/org/eclipse/openvsx/security/TokenService.java

@@ -52,19 +52,19 @@ public TokenService(
         this.clientRegistrationRepository = clientRegistrationRepository;
     }
 
+    private boolean isEnabled() {
+        return clientRegistrationRepository != null;
+    }
+
     public AuthToken updateTokens(long userId, String registrationId, OAuth2AccessToken accessToken,
             OAuth2RefreshToken refreshToken) {
-        var userData = entityManager.find(UserData.class, userId);
+        var userData = isEnabled() ? entityManager.find(UserData.class, userId) : null;
         if (userData == null) {
             return null;
         }
 
         switch (registrationId) {
             case "github": {
-                if (clientRegistrationRepository == null) {
-                    // Handle the case where GitHub OAuth2 is not configured
-                    return updateGitHubToken(userData, null);
-                }
                 if (accessToken == null) {
                     return updateGitHubToken(userData, null);
                 }
@@ -124,6 +124,10 @@ private AuthToken updateEclipseToken(UserData userData, AuthToken token) {
     }
 
     public AuthToken getActiveToken(UserData userData, String registrationId) {
+        if(!isEnabled()) {
+            return null;
+        }
+
         switch (registrationId) {
             case "github": {
                 return userData.getGithubToken();
@@ -153,7 +157,7 @@ private boolean isExpired(Instant instant) {
         return instant != null && Instant.now().isAfter(instant);
     }
 
-    protected Pair<OAuth2AccessToken, OAuth2RefreshToken> refreshEclipseToken(AuthToken token) {
+    private Pair<OAuth2AccessToken, OAuth2RefreshToken> refreshEclipseToken(AuthToken token) {
         if(token.refreshToken() == null || isExpired(token.refreshExpiresAt())) {
             return null;
         }

server/src/main/java/org/eclipse/openvsx/web/WebConfig.java

@@ -53,6 +53,8 @@ public void addCorsMappings(CorsRegistry registry) {
                         .allowedOrigins(webuiUrl)
                         .allowCredentials(true);
             }
+            registry.addMapping("/can-login")
+                    .allowedOrigins(webuiUrl);
             registry.addMapping("/documents/**")
                     .allowedOrigins("*");
             registry.addMapping("/api/**")