src/backend/core/authentication/backends.py

"""Authentication Backends for the Meet core app."""

from django.conf import settings
from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation
from django.utils.translation import gettext_lazy as _

import requests
from mozilla_django_oidc.auth import (
    OIDCAuthenticationBackend as MozillaOIDCAuthenticationBackend,
)

from core.models import User
from core.services.marketing import (
    ContactCreationError,
    ContactData,
    get_marketing_service,
)


class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):
    """Custom OpenID Connect (OIDC) Authentication Backend.

    This class overrides the default OIDC Authentication Backend to accommodate differences
    in the User and Identity models, and handles signed and/or encrypted UserInfo response.
    """

    def get_userinfo(self, access_token, id_token, payload):
        """Return user details dictionary.

        Parameters:
        - access_token (str): The access token.
        - id_token (str): The id token (unused).
        - payload (dict): The token payload (unused).

        Note: The id_token and payload parameters are unused in this implementation,
        but were kept to preserve base method signature.

        Note: It handles signed and/or encrypted UserInfo Response. It is required by
        Agent Connect, which follows the OIDC standard. It forces us to override the
        base method, which deal with 'application/json' response.

        Returns:
        - dict: User details dictionary obtained from the OpenID Connect user endpoint.
        """

        user_response = requests.get(
            self.OIDC_OP_USER_ENDPOINT,
            headers={"Authorization": f"Bearer {access_token}"},
            verify=self.get_settings("OIDC_VERIFY_SSL", True),
            timeout=self.get_settings("OIDC_TIMEOUT", None),
            proxies=self.get_settings("OIDC_PROXY", None),
        )
        user_response.raise_for_status()
        userinfo = self.verify_token(user_response.text)
        return userinfo

    def get_or_create_user(self, access_token, id_token, payload):
        """Return a User based on userinfo. Get or create a new user if no user matches the Sub.

        Parameters:
        - access_token (str): The access token.
        - id_token (str): The ID token.
        - payload (dict): The user payload.

        Returns:
        - User: An existing or newly created User instance.

        Raises:
        - Exception: Raised when user creation is not allowed and no existing user is found.
        """

        user_info = self.get_userinfo(access_token, id_token, payload)
        sub = user_info.get("sub")

        if not sub:
            raise SuspiciousOperation(
                _("User info contained no recognizable user identification")
            )

        email = user_info.get("email")
        user = self.get_existing_user(sub, email)

        claims = {
            "email": email,
            "full_name": self.compute_full_name(user_info),
            "short_name": user_info.get(settings.OIDC_USERINFO_SHORTNAME_FIELD),
        }
        if not user and self.get_settings("OIDC_CREATE_USER", True):
            user = User.objects.create(
                sub=sub,
                password="!",  # noqa: S106
                **claims,
            )

            if settings.SIGNUP_NEW_USER_TO_MARKETING_EMAIL:
                self.signup_to_marketing_email(email)

        elif not user:
            return None

        if not user.is_active:
            raise SuspiciousOperation(_("User account is disabled"))

        self.update_user_if_needed(user, claims)

        return user

    @staticmethod
    def signup_to_marketing_email(email):
        """Pragmatic approach to newsletter signup during authentication flow.

        Details:
        1. Uses a very short timeout (1s) to prevent blocking the auth process
        2. Silently fails if the marketing service is down/slow to prioritize user experience
        3. Trade-off: May miss some signups but ensures auth flow remains fast

        Note: For a more robust solution, consider using Async task processing (Celery/Django-Q)
        """
        try:
            marketing_service = get_marketing_service()
            contact_data = ContactData(
                email=email, attributes={"VISIO_SOURCE": ["SIGNIN"]}
            )
            marketing_service.create_contact(contact_data, timeout=1)
        except (ContactCreationError, ImproperlyConfigured, ImportError):
            pass

    def get_existing_user(self, sub, email):
        """Fetch existing user by sub or email."""
        try:
            return User.objects.get(sub=sub)
        except User.DoesNotExist:
            if email and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION:
                try:
                    return User.objects.get(email__iexact=email)
                except User.DoesNotExist:
                    pass
                except User.MultipleObjectsReturned as e:
                    raise SuspiciousOperation(
                        _("Multiple user accounts share a common email.")
                    ) from e
        return None

    @staticmethod
    def compute_full_name(user_info):
        """Compute user's full name based on OIDC fields in settings."""
        full_name = " ".join(
            filter(
                None,
                (
                    user_info.get(field)
                    for field in settings.OIDC_USERINFO_FULLNAME_FIELDS
                ),
            )
        )
        return full_name or None

    @staticmethod
    def update_user_if_needed(user, claims):
        """Update user claims if they have changed."""
        user_fields = vars(user.__class__)  # Get available model fields
        updated_claims = {
            key: value
            for key, value in claims.items()
            if value and key in user_fields and value != getattr(user, key)
        }

        if not updated_claims:
            return

        User.objects.filter(sub=user.sub).update(**updated_claims)
🚚(backend) rename Impress to Meet I have updated all references of "Impress" to "Meet". Migrations were manually updated and not regenerated. Never-mind, they all will be squashed before the first release. I have also searched for reference to "Magnify", and replaced them by "Meet". While updating the backend sources, I have also fixed other parts of the project, namely: - Compose file - Github documentation and CI - Makefile commands 2024-07-01 18:10:40 +02:00			`"""Authentication Backends for the Meet core app."""`
✨(project) Django boilerplate This commit introduces a boilerplate inspired by https://github.com/numerique-gouv/impress. The code has been cleaned to remove unnecessary Impress logic and dependencies. Changes made: - Removed Minio, WebRTC, and create bucket from the stack. - Removed the Next.js frontend (it will be replaced by Vite). - Cleaned up impress-specific backend logics. The whole stack remains functional: - All tests pass. - Linter checks pass. - Agent Connexion sources are already set-up. Why clear out the code? To adhere to the KISS principle, we aim to maintain a minimalist codebase. Cloning Impress allowed us to quickly inherit its code quality tools and deployment configurations for staging, pre-production, and production environments. What’s broken? - The tsclient is not functional anymore. - Some make commands need to be fixed. - Helm sources are outdated. - Naming across the project sources are inconsistent (impress, visio, etc.) - CI is not configured properly. This list might be incomplete. Let's grind it. 2024-01-09 15:30:36 +01:00
🛂(backend) fallback to email matching when OIDC sub is not found When OIDC providers return random values in the "sub" field instead of stable identifiers, implement email-based user matching as fallback. Note: Current implementation needs improvement. Tests forthcoming. Original: @sampaccoud (ff7914f) on Impress 2024-11-04 13:40:09 +01:00			`from django.conf import settings`
✨(backend) post email to marketing tools while signing up new users Submitting new users to the marketing service is currently handled during signup and is performed only once. This is a pragmatic first implementation, yet imperfect. In the future, this should be improved by delegating the call to a Celery worker or an async task. 2024-12-20 15:40:34 +01:00			`from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation`
✨(project) Django boilerplate This commit introduces a boilerplate inspired by https://github.com/numerique-gouv/impress. The code has been cleaned to remove unnecessary Impress logic and dependencies. Changes made: - Removed Minio, WebRTC, and create bucket from the stack. - Removed the Next.js frontend (it will be replaced by Vite). - Cleaned up impress-specific backend logics. The whole stack remains functional: - All tests pass. - Linter checks pass. - Agent Connexion sources are already set-up. Why clear out the code? To adhere to the KISS principle, we aim to maintain a minimalist codebase. Cloning Impress allowed us to quickly inherit its code quality tools and deployment configurations for staging, pre-production, and production environments. What’s broken? - The tsclient is not functional anymore. - Some make commands need to be fixed. - Helm sources are outdated. - Naming across the project sources are inconsistent (impress, visio, etc.) - CI is not configured properly. This list might be incomplete. Let's grind it. 2024-01-09 15:30:36 +01:00			`from django.utils.translation import gettext_lazy as _`

			`import requests`
			`from mozilla_django_oidc.auth import (`
			`OIDCAuthenticationBackend as MozillaOIDCAuthenticationBackend,`
			`)`

			`from core.models import User`
♻️(backend) avoid repeating 'service' in python modules These modules are already stored under the 'service' folder, it was redundant. Renamed these files based on @lunika feedbacks. 2025-03-07 18:25:09 +01:00			`from core.services.marketing import (`
✨(backend) post email to marketing tools while signing up new users Submitting new users to the marketing service is currently handled during signup and is performed only once. This is a pragmatic first implementation, yet imperfect. In the future, this should be improved by delegating the call to a Celery worker or an async task. 2024-12-20 15:40:34 +01:00			`ContactCreationError,`
			`ContactData,`
			`get_marketing_service,`
			`)`
✨(project) Django boilerplate This commit introduces a boilerplate inspired by https://github.com/numerique-gouv/impress. The code has been cleaned to remove unnecessary Impress logic and dependencies. Changes made: - Removed Minio, WebRTC, and create bucket from the stack. - Removed the Next.js frontend (it will be replaced by Vite). - Cleaned up impress-specific backend logics. The whole stack remains functional: - All tests pass. - Linter checks pass. - Agent Connexion sources are already set-up. Why clear out the code? To adhere to the KISS principle, we aim to maintain a minimalist codebase. Cloning Impress allowed us to quickly inherit its code quality tools and deployment configurations for staging, pre-production, and production environments. What’s broken? - The tsclient is not functional anymore. - Some make commands need to be fixed. - Helm sources are outdated. - Naming across the project sources are inconsistent (impress, visio, etc.) - CI is not configured properly. This list might be incomplete. Let's grind it. 2024-01-09 15:30:36 +01:00

			`class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):`
			`"""Custom OpenID Connect (OIDC) Authentication Backend.`

			`This class overrides the default OIDC Authentication Backend to accommodate differences`
			`in the User and Identity models, and handles signed and/or encrypted UserInfo response.`
			`"""`

			`def get_userinfo(self, access_token, id_token, payload):`
			`"""Return user details dictionary.`

			`Parameters:`
			`- access_token (str): The access token.`
			`- id_token (str): The id token (unused).`
			`- payload (dict): The token payload (unused).`

			`Note: The id_token and payload parameters are unused in this implementation,`
			`but were kept to preserve base method signature.`

			`Note: It handles signed and/or encrypted UserInfo Response. It is required by`
			`Agent Connect, which follows the OIDC standard. It forces us to override the`
			`base method, which deal with 'application/json' response.`

			`Returns:`
			`- dict: User details dictionary obtained from the OpenID Connect user endpoint.`
			`"""`

			`user_response = requests.get(`
			`self.OIDC_OP_USER_ENDPOINT,`
			`headers={"Authorization": f"Bearer {access_token}"},`
			`verify=self.get_settings("OIDC_VERIFY_SSL", True),`
			`timeout=self.get_settings("OIDC_TIMEOUT", None),`
			`proxies=self.get_settings("OIDC_PROXY", None),`
			`)`
			`user_response.raise_for_status()`
			`userinfo = self.verify_token(user_response.text)`
			`return userinfo`

			`def get_or_create_user(self, access_token, id_token, payload):`
			`"""Return a User based on userinfo. Get or create a new user if no user matches the Sub.`

			`Parameters:`
			`- access_token (str): The access token.`
			`- id_token (str): The ID token.`
			`- payload (dict): The user payload.`

			`Returns:`
			`- User: An existing or newly created User instance.`

			`Raises:`
			`- Exception: Raised when user creation is not allowed and no existing user is found.`
			`"""`

			`user_info = self.get_userinfo(access_token, id_token, payload)`
			`sub = user_info.get("sub")`

✅(backend) handle empty subscription string Handle case where sub value is an empty string instead of None. Previously this edge case would cause unexpected behavior. Related to previous commit that added the test coverage. 2024-11-04 09:31:48 +01:00			`if not sub:`
✨(project) Django boilerplate This commit introduces a boilerplate inspired by https://github.com/numerique-gouv/impress. The code has been cleaned to remove unnecessary Impress logic and dependencies. Changes made: - Removed Minio, WebRTC, and create bucket from the stack. - Removed the Next.js frontend (it will be replaced by Vite). - Cleaned up impress-specific backend logics. The whole stack remains functional: - All tests pass. - Linter checks pass. - Agent Connexion sources are already set-up. Why clear out the code? To adhere to the KISS principle, we aim to maintain a minimalist codebase. Cloning Impress allowed us to quickly inherit its code quality tools and deployment configurations for staging, pre-production, and production environments. What’s broken? - The tsclient is not functional anymore. - Some make commands need to be fixed. - Helm sources are outdated. - Naming across the project sources are inconsistent (impress, visio, etc.) - CI is not configured properly. This list might be incomplete. Let's grind it. 2024-01-09 15:30:36 +01:00			`raise SuspiciousOperation(`
			`_("User info contained no recognizable user identification")`
			`)`

🛂(backend) fallback to email matching when OIDC sub is not found When OIDC providers return random values in the "sub" field instead of stable identifiers, implement email-based user matching as fallback. Note: Current implementation needs improvement. Tests forthcoming. Original: @sampaccoud (ff7914f) on Impress 2024-11-04 13:40:09 +01:00			`email = user_info.get("email")`
			`user = self.get_existing_user(sub, email)`

✨(backend) persist OIDC first name and last name while authenticating Inspired by @sampaccoud's eee2003 commit on impress, adapt the code to be more Pythonic. Add basic test coverage for user name synchronization on login. User name fields now update automatically at each login when new data is available. Note: current logic doesn't handle the case where a user with existing names logs in with missing first/last names - should we clear the names then? Removing a field that was present in the initial form is not a valid update operation. 2024-11-13 12:18:41 +01:00			`claims = {`
			`"email": email,`
			`"full_name": self.compute_full_name(user_info),`
			`"short_name": user_info.get(settings.OIDC_USERINFO_SHORTNAME_FIELD),`
			`}`
🛂(backend) fallback to email matching when OIDC sub is not found When OIDC providers return random values in the "sub" field instead of stable identifiers, implement email-based user matching as fallback. Note: Current implementation needs improvement. Tests forthcoming. Original: @sampaccoud (ff7914f) on Impress 2024-11-04 13:40:09 +01:00			`if not user and self.get_settings("OIDC_CREATE_USER", True):`
			`user = User.objects.create(`
			`sub=sub,`
			`password="!", # noqa: S106`
✨(backend) persist OIDC first name and last name while authenticating Inspired by @sampaccoud's eee2003 commit on impress, adapt the code to be more Pythonic. Add basic test coverage for user name synchronization on login. User name fields now update automatically at each login when new data is available. Note: current logic doesn't handle the case where a user with existing names logs in with missing first/last names - should we clear the names then? Removing a field that was present in the initial form is not a valid update operation. 2024-11-13 12:18:41 +01:00			`**claims,`
🛂(backend) fallback to email matching when OIDC sub is not found When OIDC providers return random values in the "sub" field instead of stable identifiers, implement email-based user matching as fallback. Note: Current implementation needs improvement. Tests forthcoming. Original: @sampaccoud (ff7914f) on Impress 2024-11-04 13:40:09 +01:00			`)`
✨(backend) post email to marketing tools while signing up new users Submitting new users to the marketing service is currently handled during signup and is performed only once. This is a pragmatic first implementation, yet imperfect. In the future, this should be improved by delegating the call to a Celery worker or an async task. 2024-12-20 15:40:34 +01:00
			`if settings.SIGNUP_NEW_USER_TO_MARKETING_EMAIL:`
			`self.signup_to_marketing_email(email)`

🛂(backend) fallback to email matching when OIDC sub is not found When OIDC providers return random values in the "sub" field instead of stable identifiers, implement email-based user matching as fallback. Note: Current implementation needs improvement. Tests forthcoming. Original: @sampaccoud (ff7914f) on Impress 2024-11-04 13:40:09 +01:00			`elif not user:`
✅(backend) handle inactive user Handle case where user is inactive. Previously this edge case would cause unexpected behavior. Related to previous commit that added the test coverage. 2024-11-04 10:52:38 +01:00			`return None`

			`if not user.is_active:`
			`raise SuspiciousOperation(_("User account is disabled"))`

✨(backend) persist OIDC first name and last name while authenticating Inspired by @sampaccoud's eee2003 commit on impress, adapt the code to be more Pythonic. Add basic test coverage for user name synchronization on login. User name fields now update automatically at each login when new data is available. Note: current logic doesn't handle the case where a user with existing names logs in with missing first/last names - should we clear the names then? Removing a field that was present in the initial form is not a valid update operation. 2024-11-13 12:18:41 +01:00			`self.update_user_if_needed(user, claims)`

✨(project) Django boilerplate This commit introduces a boilerplate inspired by https://github.com/numerique-gouv/impress. The code has been cleaned to remove unnecessary Impress logic and dependencies. Changes made: - Removed Minio, WebRTC, and create bucket from the stack. - Removed the Next.js frontend (it will be replaced by Vite). - Cleaned up impress-specific backend logics. The whole stack remains functional: - All tests pass. - Linter checks pass. - Agent Connexion sources are already set-up. Why clear out the code? To adhere to the KISS principle, we aim to maintain a minimalist codebase. Cloning Impress allowed us to quickly inherit its code quality tools and deployment configurations for staging, pre-production, and production environments. What’s broken? - The tsclient is not functional anymore. - Some make commands need to be fixed. - Helm sources are outdated. - Naming across the project sources are inconsistent (impress, visio, etc.) - CI is not configured properly. This list might be incomplete. Let's grind it. 2024-01-09 15:30:36 +01:00			`return user`
🛂(backend) fallback to email matching when OIDC sub is not found When OIDC providers return random values in the "sub" field instead of stable identifiers, implement email-based user matching as fallback. Note: Current implementation needs improvement. Tests forthcoming. Original: @sampaccoud (ff7914f) on Impress 2024-11-04 13:40:09 +01:00
✨(backend) post email to marketing tools while signing up new users Submitting new users to the marketing service is currently handled during signup and is performed only once. This is a pragmatic first implementation, yet imperfect. In the future, this should be improved by delegating the call to a Celery worker or an async task. 2024-12-20 15:40:34 +01:00			`@staticmethod`
			`def signup_to_marketing_email(email):`
			`"""Pragmatic approach to newsletter signup during authentication flow.`

			`Details:`
			`1. Uses a very short timeout (1s) to prevent blocking the auth process`
			`2. Silently fails if the marketing service is down/slow to prioritize user experience`
			`3. Trade-off: May miss some signups but ensures auth flow remains fast`

			`Note: For a more robust solution, consider using Async task processing (Celery/Django-Q)`
			`"""`
			`try:`
			`marketing_service = get_marketing_service()`
			`contact_data = ContactData(`
			`email=email, attributes={"VISIO_SOURCE": ["SIGNIN"]}`
			`)`
			`marketing_service.create_contact(contact_data, timeout=1)`
			`except (ContactCreationError, ImproperlyConfigured, ImportError):`
			`pass`

🛂(backend) fallback to email matching when OIDC sub is not found When OIDC providers return random values in the "sub" field instead of stable identifiers, implement email-based user matching as fallback. Note: Current implementation needs improvement. Tests forthcoming. Original: @sampaccoud (ff7914f) on Impress 2024-11-04 13:40:09 +01:00			`def get_existing_user(self, sub, email):`
			`"""Fetch existing user by sub or email."""`
			`try:`
			`return User.objects.get(sub=sub)`
			`except User.DoesNotExist:`
			`if email and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION:`
			`try:`
🐛(backend) harden email matching against ambiguous cases Handle case-sensitivity and whitespace in email lookups. Detect and block multiple matching accounts as security precaution. 2024-11-04 14:01:09 +01:00			`return User.objects.get(email__iexact=email)`
🛂(backend) fallback to email matching when OIDC sub is not found When OIDC providers return random values in the "sub" field instead of stable identifiers, implement email-based user matching as fallback. Note: Current implementation needs improvement. Tests forthcoming. Original: @sampaccoud (ff7914f) on Impress 2024-11-04 13:40:09 +01:00			`except User.DoesNotExist:`
			`pass`
🐛(backend) harden email matching against ambiguous cases Handle case-sensitivity and whitespace in email lookups. Detect and block multiple matching accounts as security precaution. 2024-11-04 14:01:09 +01:00			`except User.MultipleObjectsReturned as e:`
			`raise SuspiciousOperation(`
			`_("Multiple user accounts share a common email.")`
			`) from e`
🛂(backend) fallback to email matching when OIDC sub is not found When OIDC providers return random values in the "sub" field instead of stable identifiers, implement email-based user matching as fallback. Note: Current implementation needs improvement. Tests forthcoming. Original: @sampaccoud (ff7914f) on Impress 2024-11-04 13:40:09 +01:00			`return None`
✨(backend) persist OIDC first name and last name while authenticating Inspired by @sampaccoud's eee2003 commit on impress, adapt the code to be more Pythonic. Add basic test coverage for user name synchronization on login. User name fields now update automatically at each login when new data is available. Note: current logic doesn't handle the case where a user with existing names logs in with missing first/last names - should we clear the names then? Removing a field that was present in the initial form is not a valid update operation. 2024-11-13 12:18:41 +01:00
			`@staticmethod`
			`def compute_full_name(user_info):`
			`"""Compute user's full name based on OIDC fields in settings."""`
			`full_name = " ".join(`
			`filter(`
			`None,`
			`(`
			`user_info.get(field)`
			`for field in settings.OIDC_USERINFO_FULLNAME_FIELDS`
			`),`
			`)`
			`)`
			`return full_name or None`

			`@staticmethod`
			`def update_user_if_needed(user, claims):`
			`"""Update user claims if they have changed."""`
			`user_fields = vars(user.__class__) # Get available model fields`
			`updated_claims = {`
			`key: value`
			`for key, value in claims.items()`
			`if value and key in user_fields and value != getattr(user, key)`
			`}`

			`if not updated_claims:`
			`return`

			`User.objects.filter(sub=user.sub).update(**updated_claims)`