Merge branch 'mealie-next' into fix/handle-utc-in-postgres-with-timezone

mealie-recipes · Oct 6, 2024 · 06137eb · 06137eb
2 parents 71bb287 + b5c0104
commit 06137eb
Show file tree

Hide file tree

Showing 75 changed files with 695 additions and 471 deletions.
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -23,7 +23,6 @@ services:
       POSTGRES_SERVER: postgres
       POSTGRES_PORT: 5432
       POSTGRES_DB: mealie
-
       # =====================================
       # Email Configuration
       # SMTP_HOST=

diff --git a/docs/docs/contributors/developers-guide/migration-guide.md b/docs/docs/contributors/developers-guide/migration-guide.md
@@ -15,6 +15,7 @@ We have renamed the `updateAt` field to `updatedAt`. While the API will still ac
 ### Backend Endpoint Changes
 
 These endpoints have moved, but are otherwise unchanged:
+
 - `/recipes/create-url` -> `/recipes/create/url`
 - `/recipes/create-url/bulk` -> `/recipes/create/url/bulk`
 - `/recipes/create-from-zip` -> `/recipes/create/zip`
@@ -38,6 +39,7 @@ These endpoints have moved, but are otherwise unchanged:
 `/groups/members` previously returned a `UserOut` object, but now returns a `UserSummary`. Should you need the full user information (username, email, etc.), rather than just the summary, see `/households/members` instead for the household members.
 
 These endpoints have been completely removed:
+
 - `/admin/analytics` (no longer used)
 - `/groups/permissions` (see household permissions)
 - `/groups/statistics` (see household statistics)
@@ -49,6 +51,7 @@ These endpoints have been completely removed:
 ### Frontend Links
 
 These frontend pages have moved:
+
 - `/group/mealplan/...` -> `/household/mealplan/...`
 - `/group/members` -> `/household/members`
 - `/group/notifiers` -> `/household/notifiers`

diff --git a/docs/docs/documentation/getting-started/authentication/oidc-v2.md b/docs/docs/documentation/getting-started/authentication/oidc-v2.md
@@ -0,0 +1,96 @@
+# OpenID Connect (OIDC) Authentication
+
+:octicons-tag-24: v2.0.0
+
+!!! note
+    Breaking changes to OIDC Authentication were introduced with Mealie v2. Please see the below for [migration steps](#migration-from-mealie-v1x).
+
+    Looking instead for the docs for Mealie :octicons-tag-24: v1.x? [Click here](./oidc.md)
+
+Mealie supports 3rd party authentication via [OpenID Connect (OIDC)](https://openid.net/connect/), an identity layer built on top of OAuth2. OIDC is supported by many Identity Providers (IdP), including:
+
+- [Authentik](https://goauthentik.io/integrations/sources/oauth/#openid-connect)
+- [Authelia](https://www.authelia.com/configuration/identity-providers/open-id-connect/)
+- [Keycloak](https://www.keycloak.org/docs/latest/securing_apps/#_oidc)
+- [Okta](https://www.okta.com/openid-connect/)
+
+## Account Linking
+
+Signing in with OAuth will automatically find your account in Mealie and link to it. If a user does not exist in Mealie, then one will be created (if enabled), but will be unable to log in with any other authentication method. An admin can configure another authentication method for such a user.
+
+## Provider Setup
+
+Before you can start using OIDC Authentication, you must first configure a new client application in your identity provider. Your identity provider must support the OAuth **Authorization Code flow with PKCE**. The steps will vary by provider, but generally, the steps are as follows.
+
+1. Create a new client application
+    - The Provider type should be OIDC or OAuth2
+    - The Grant type should be `Authorization Code`
+    - The Client type should be `private` (you should have a **Client Secret**)
+
+2. Configure redirect URI
+
+    The redirect URI(s) that are needed:
+
+    1. `http(s)://DOMAIN:PORT/login`
+    2. `https(s)://DOMAIN:PORT/login?direct=1`
+        1. This URI is only required if your IdP supports [RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) such as Keycloak. You may also be able to combine this into the previous URI by using a wildcard: `http(s)://DOMAIN:PORT/login*`
+
+    The redirect URI(s) should include any URL that Mealie is accessible from. Some examples include
+
+        http://localhost:9091/login
+        https://mealie.example.com/login
+
+3. Configure allowed scopes
+
+    The scopes required are `openid profile email`
+
+    If you plan to use the [groups](#groups) to configure access within Mealie, you will need to also add the scope defined by the `OIDC_GROUPS_CLAIM` environment variable. The default claim is `groups`
+
+## Mealie Setup
+
+Take the client id and your discovery URL and update your environment variables to include the required OIDC variables described in [Installation - Backend Configuration](../installation/backend-config.md#openid-connect-oidc).
+
+### Groups
+
+There are two (optional) [environment variables](../installation/backend-config.md#openid-connect-oidc) that can control which of the users in your IdP can log in to Mealie and what permissions they will have. Keep in mind that these groups **do not necessarily correspond to groups in Mealie**. The groups claim is configurable via the `OIDC_GROUPS_CLAIM` environment variable. The groups should be **defined in your IdP** and be returned in the configured claim value.
+
+`OIDC_USER_GROUP`: Users must be a part of this group (within your IdP) to be able to log in.
+
+`OIDC_ADMIN_GROUP`: Users that are in this group (within your IdP) will be made an **admin** in Mealie. Users in this group do not also need to be in the `OIDC_USER_GROUP`
+
+## Examples
+
+Example configurations for several Identity Providers have been provided by the Community in the [GitHub Discussions](https://github.com/mealie-recipes/mealie/discussions/categories/oauth-provider-example).
+
+If you don't see your provider and have successfully set it up, please consider [creating your own example](https://github.com/mealie-recipes/mealie/discussions/new?category=oauth-provider-example) so that others can have a smoother setup.
+
+
+## Migration from Mealie v1.x
+
+**High level changes**
+
+- A Client Secret is now required
+- CORS is no longer a requirement since all authentication happens server-side
+- A user will be successfully authenticated if they are part of *either* `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP`. Admins no longer need to be part of both groups
+- ID Token signing algorithm is now inferred using the `id_token_signing_alg_values_supported` metadata from the discovery URL
+
+### Changes in your IdP
+
+**Required**
+
+- You must change the Mealie client in your IdP to be **private**. The option is different for every provider, but you need to obtain a **client secret**.
+
+**Optional**
+
+- You may now also remove the `OIDC_USER_GROUP` from your admin users if you so desire. Users within the `OIDC_ADMIN_GROUP` will now be able to successfully authenticate with only that group.
+- You may remove any CORS configuration. i.e. configured origins
+
+### Changes in Mealie
+
+**Required**
+
+- After obtaining the **client secret** from your IdP, you must add it to Mealie using the `OIDC_CLIENT_SECRET` environment variable or via [docker secrets](../installation/backend-config.md#docker-secrets). This secret will not be logged on startup.
+
+**Optional**
+
+- Remove `OIDC_SIGNING_ALGORITHM` from your environment. It will no longer have any effect.
diff --git a/docs/docs/documentation/getting-started/installation/backend-config.md b/docs/docs/documentation/getting-started/installation/backend-config.md
@@ -82,20 +82,20 @@ Changing the webworker settings may cause unforeseen memory leak issues with Mea
 
 :octicons-tag-24: v1.4.0
 
-For usage, see [Usage - OpenID Connect](../authentication/oidc.md)
+For usage, see [Usage - OpenID Connect](../authentication/oidc-v2.md)
 
 | Variables              | Default | Description                                                                                                                                                                                                                                                                                            |
 | ---------------------- | :-----: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | OIDC_AUTH_ENABLED      |  False  | Enables authentication via OpenID Connect                                                                                                                                                                                                                                                              |
 | OIDC_SIGNUP_ENABLED    |  True   | Enables new users to be created when signing in for the first time with OIDC                                                                                                                                                                                                                           |
 | OIDC_CONFIGURATION_URL |  None   | The URL to the OIDC configuration of your provider. This is usually something like https://auth.example.com/.well-known/openid-configuration                                                                                                                                                           |
 | OIDC_CLIENT_ID         |  None   | The client id of your configured client in your provider                                                                                                                                                                                                                                               |
-| OIDC_USER_GROUP        |  None   | If specified, only users belonging to this group will be able to successfully authenticate, regardless of the `OIDC_ADMIN_GROUP`. For more information see [this page](../authentication/oidc.md#groups)                                                                                               |
-| OIDC_ADMIN_GROUP       |  None   | If specified, users belonging to this group will be made an admin. For more information see [this page](../authentication/oidc.md#groups)                                                                                                                                                              |
+| OIDC_CLIENT_SECRET <br/> :octicons-tag-24: v2.0.0    |  None   | The client secret of your configured client in your provider|
+| OIDC_USER_GROUP        |  None   | If specified, only users belonging to this group will be able to successfully authenticate. For more information see [this page](../authentication/oidc-v2.md#groups)                                                                                               |
+| OIDC_ADMIN_GROUP       |  None   | If specified, users belonging to this group will be able to successfully authenticate *and* be made an admin. For more information see [this page](../authentication/oidc-v2.md#groups)                                                                                                                                                              |
 | OIDC_AUTO_REDIRECT     |  False  | If `True`, then the login page will be bypassed an you will be sent directly to your Identity Provider. You can still get to the login page by adding `?direct=1` to the login URL                                                                                                                     |
 | OIDC_PROVIDER_NAME     |  OAuth  | The provider name is shown in SSO login button. "Login with <OIDC_PROVIDER_NAME\>"                                                                                                                                                                                                                     |
 | OIDC_REMEMBER_ME       |  False  | Because redirects bypass the login screen, you cant extend your session by clicking the "Remember Me" checkbox. By setting this value to true, a session will be extended as if "Remember Me" was checked                                                                                              |
-| OIDC_SIGNING_ALGORITHM |  RS256  | The algorithm used to sign the id token (examples: RS256, HS256)                                                                                                                                                                                                                                       |
 | OIDC_USER_CLAIM        |  email  | This is the claim which Mealie will use to look up an existing user by (e.g. "email", "preferred_username")                                                                                                                                                                                            |
 | OIDC_GROUPS_CLAIM      | groups  | Optional if not using `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP`. This is the claim Mealie will request from your IdP and will use to compare to `OIDC_USER_GROUP` or `OIDC_ADMIN_GROUP` to allow the user to log in to Mealie or is set as an admin. **Your IdP must be configured to grant this claim** |
 | OIDC_TLS_CACERTFILE    |  None   | File path to Certificate Authority used to verify server certificate (e.g. `/path/to/ca.crt`)                                                                                                                                                                                                          |

diff --git a/docs/docs/documentation/getting-started/updating.md b/docs/docs/documentation/getting-started/updating.md
@@ -17,7 +17,7 @@ If you are upgrading from pre-v1.0.0 to v1.0.0 or later (v2.0.0, etc.), make sur
 [See Backups and Restore Section](../getting-started/usage/backups-and-restoring.md) for details on backing up your data
 
 ## Docker
-For all setups using Docker the updating process looks something like this
+For all setups using Docker, the updating process looks something like this:
 
 - Stop the container using `docker compose down`
 - If you are not using the latest tag, change the version (image tag) in your docker-compose file

diff --git a/docs/docs/overrides/api.html b/docs/docs/overrides/api.html
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
@@ -81,7 +81,7 @@ nav:
 
       - Authentication:
           - LDAP: "documentation/getting-started/authentication/ldap.md"
-          - OpenID Connect: "documentation/getting-started/authentication/oidc.md"
+          - OpenID Connect: "documentation/getting-started/authentication/oidc-v2.md"
 
       - Community Guides:
           - iOS Shortcuts: "documentation/community-guide/ios.md"

diff --git a/frontend/components/Layout/LayoutParts/AppHeader.vue b/frontend/components/Layout/LayoutParts/AppHeader.vue
@@ -35,7 +35,7 @@
       <v-btn v-else icon @click="activateSearch">
         <v-icon> {{ $globals.icons.search }}</v-icon>
       </v-btn>
-      <v-btn v-if="loggedIn" :text="$vuetify.breakpoint.smAndUp" :icon="$vuetify.breakpoint.xs" @click="$auth.logout()">
+      <v-btn v-if="loggedIn" :text="$vuetify.breakpoint.smAndUp" :icon="$vuetify.breakpoint.xs" @click="logout()">
         <v-icon :left="$vuetify.breakpoint.smAndUp">{{ $globals.icons.logout }}</v-icon>
         {{ $vuetify.breakpoint.smAndUp ? $t("user.logout") : "" }}
       </v-btn>
@@ -48,7 +48,7 @@
 </template>
 
 <script lang="ts">
-import { computed, defineComponent, onBeforeUnmount, onMounted, ref, useContext, useRoute } from "@nuxtjs/composition-api";
+import { computed, defineComponent, onBeforeUnmount, onMounted, ref, useContext, useRoute, useRouter } from "@nuxtjs/composition-api";
 import { useLoggedInState } from "~/composables/use-logged-in-state";
 import RecipeDialogSearch from "~/components/Domain/Recipe/RecipeDialogSearch.vue";
 
@@ -64,6 +64,7 @@ export default defineComponent({
     const { $auth } = useContext();
     const { loggedIn } = useLoggedInState();
     const route = useRoute();
+    const router = useRouter();
     const groupSlug = computed(() => route.value.params.groupSlug || $auth.user?.groupSlug || "");
 
     const routerLink = computed(() => groupSlug.value ? `/g/${groupSlug.value}` : "/");
@@ -89,11 +90,16 @@ export default defineComponent({
       document.removeEventListener("keydown", handleKeyEvent);
     });
 
+    async function logout() {
+        await $auth.logout().then(() => router.push("/login?direct=1"))
+    }
+
     return {
       activateSearch,
       domSearchDialog,
       routerLink,
       loggedIn,
+      logout,
     };
   },
 });

diff --git a/frontend/lang/messages/af-ZA.json b/frontend/lang/messages/af-ZA.json
@@ -652,7 +652,8 @@
       "missing-unit": "Create missing unit: {unit}",
       "missing-food": "Create missing food: {food}",
       "no-food": "No Food"
-    }
+    },
+    "reset-servings-count": "Reset Servings Count"
   },
   "search": {
     "advanced-search": "Gevorderde soek",

diff --git a/frontend/lang/messages/ar-SA.json b/frontend/lang/messages/ar-SA.json
@@ -652,7 +652,8 @@
       "missing-unit": "Create missing unit: {unit}",
       "missing-food": "Create missing food: {food}",
       "no-food": "No Food"
-    }
+    },
+    "reset-servings-count": "Reset Servings Count"
   },
   "search": {
     "advanced-search": "Advanced Search",

diff --git a/frontend/lang/messages/bg-BG.json b/frontend/lang/messages/bg-BG.json
@@ -652,7 +652,8 @@
       "missing-unit": "Create missing unit: {unit}",
       "missing-food": "Create missing food: {food}",
       "no-food": "No Food"
-    }
+    },
+    "reset-servings-count": "Reset Servings Count"
   },
   "search": {
     "advanced-search": "Разширено търсене",

diff --git a/frontend/lang/messages/ca-ES.json b/frontend/lang/messages/ca-ES.json
@@ -652,7 +652,8 @@
       "missing-unit": "Crear unitat que manca: {unit}",
       "missing-food": "Crear menjar que manca: {food}",
       "no-food": "Sense menjar"
-    }
+    },
+    "reset-servings-count": "Reset Servings Count"
   },
   "search": {
     "advanced-search": "Cerca avançada",

diff --git a/frontend/lang/messages/cs-CZ.json b/frontend/lang/messages/cs-CZ.json
@@ -652,7 +652,8 @@
       "missing-unit": "Create missing unit: {unit}",
       "missing-food": "Create missing food: {food}",
       "no-food": "No Food"
-    }
+    },
+    "reset-servings-count": "Reset Servings Count"
   },
   "search": {
     "advanced-search": "Pokročilé vyhledávání",

diff --git a/frontend/lang/messages/da-DK.json b/frontend/lang/messages/da-DK.json
@@ -652,7 +652,8 @@
       "missing-unit": "Opret manglende måleenhed: {unit}",
       "missing-food": "Opret manglende fødevare: {food}",
       "no-food": "Ingen fødevarer"
-    }
+    },
+    "reset-servings-count": "Reset Servings Count"
   },
   "search": {
     "advanced-search": "Avanceret søgning",

diff --git a/frontend/lang/messages/de-DE.json b/frontend/lang/messages/de-DE.json
@@ -652,7 +652,8 @@
       "missing-unit": "Fehlende Einheit erstellen: {unit}",
       "missing-food": "Fehlendes Lebensmittel erstellen: {food}",
       "no-food": "Kein Lebensmittel"
-    }
+    },
+    "reset-servings-count": "Portionen zurücksetzen"
   },
   "search": {
     "advanced-search": "Erweiterte Suche",

diff --git a/frontend/lang/messages/el-GR.json b/frontend/lang/messages/el-GR.json
@@ -652,7 +652,8 @@
       "missing-unit": "Δημιουργία μονάδας που λείπει: {unit}",
       "missing-food": "Δημιουργία τροφίμου που λείπει: {food}",
       "no-food": "Χωρίς Τρόφιμο"
-    }
+    },
+    "reset-servings-count": "Επαναφορά μέτρησης μερίδων"
   },
   "search": {
     "advanced-search": "Σύνθετη Αναζήτηση",

diff --git a/frontend/lang/messages/en-GB.json b/frontend/lang/messages/en-GB.json
@@ -652,7 +652,8 @@
       "missing-unit": "Create missing unit: {unit}",
       "missing-food": "Create missing food: {food}",
       "no-food": "No Food"
-    }
+    },
+    "reset-servings-count": "Reset Servings Count"
   },
   "search": {
     "advanced-search": "Advanced Search",

diff --git a/frontend/lang/messages/es-ES.json b/frontend/lang/messages/es-ES.json
@@ -652,7 +652,8 @@
       "missing-unit": "Crear unidad faltante: {unit}",
       "missing-food": "Crear comida faltante: {food}",
       "no-food": "Sin Comida"
-    }
+    },
+    "reset-servings-count": "Reset Servings Count"
   },
   "search": {
     "advanced-search": "Búsqueda avanzada",

diff --git a/frontend/lang/messages/fi-FI.json b/frontend/lang/messages/fi-FI.json
@@ -652,7 +652,8 @@
       "missing-unit": "Luo puuttuva yksikkö: {unit}",
       "missing-food": "Luo puuttuva ruoka: {food}",
       "no-food": "Ei ruokaa"
-    }
+    },
+    "reset-servings-count": "Reset Servings Count"
   },
   "search": {
     "advanced-search": "Tarkennettu haku",

diff --git a/frontend/lang/messages/fr-BE.json b/frontend/lang/messages/fr-BE.json
@@ -652,7 +652,8 @@
       "missing-unit": "Créer une unité manquante : {unit}",
       "missing-food": "Créer un aliment manquant : {food}",
       "no-food": "Aucun aliment"
-    }
+    },
+    "reset-servings-count": "Réinitialiser le nombre de portions"
   },
   "search": {
     "advanced-search": "Recherche avancée",

diff --git a/frontend/lang/messages/fr-CA.json b/frontend/lang/messages/fr-CA.json
@@ -652,7 +652,8 @@
       "missing-unit": "Créer une unité manquante : {unit}",
       "missing-food": "Créer un aliment manquant : {food}",
       "no-food": "Aucun aliment"
-    }
+    },
+    "reset-servings-count": "Réinitialiser le nombre de portions"
   },
   "search": {
     "advanced-search": "Recherche avancée",

diff --git a/frontend/lang/messages/fr-FR.json b/frontend/lang/messages/fr-FR.json
@@ -652,7 +652,8 @@
       "missing-unit": "Créer une unité manquante : {unit}",
       "missing-food": "Créer un aliment manquant : {food}",
       "no-food": "Aucun aliment"
-    }
+    },
+    "reset-servings-count": "Réinitialiser le nombre de portions"
   },
   "search": {
     "advanced-search": "Recherche avancée",

diff --git a/frontend/lang/messages/gl-ES.json b/frontend/lang/messages/gl-ES.json
@@ -652,7 +652,8 @@
       "missing-unit": "Create missing unit: {unit}",
       "missing-food": "Create missing food: {food}",
       "no-food": "No Food"
-    }
+    },
+    "reset-servings-count": "Reset Servings Count"
   },
   "search": {
     "advanced-search": "Advanced Search",