feat(plugin-auth): port OIDC plugins + host LoginByExternal / authpro…#54
Open
osindex wants to merge 11 commits into
…vider / PluginSettings
Brings the Google and Discord OIDC plugin suite from linglink into the
linapro main tree. Includes the full host-side seams the plugins need
(LoginByExternal, OAuthHandoffURL, authprovider capability, PluginSettings
capability, workspace RouterMode, /auth/providers endpoint) plus the
frontend oauth-handoff page and the plugin i18n resources.
Host (apps/lina-core):
- internal/service/auth: LoginByExternal + ListProviders interface,
auth_external.go impl, auth_provider.go impl, two new bizerr codes
(AUTH_EXTERNAL_IDENTITY_INVALID, AUTH_EXTERNAL_USER_NOT_PROVISIONED)
- internal/service/config: WorkspaceConfig.RouterMode + helpers +
config.template.yaml documentation + cmd panic allowlist entry
- internal/service/pluginsettings: new package writing namespaced
<pluginID>.<key> rows into sys_config so plugins drop private tables
- internal/service/pluginhostservices: extended auth adapter (LoginByExternal,
OAuthHandoffURL) + new pluginsettingsAdapter + directory/scope updates
- pkg/plugin/capability/authprovider: new package (Provider registry,
LoginEntry, kinds, ListViews)
- pkg/plugin/capability/contract: extended auth.go + new pluginsettings.go
- pkg/plugin/capability/capability.go: Services interface gains PluginSettings
- api/auth/v1/auth_provider.go + internal/controller/auth/auth_v1_provider.go
+ cmd_http_routes binding: /auth/providers endpoint
- testutil + runtime params test: stub PluginSettings accessor
Frontend (apps/lina-vben):
- src/api/core/auth.ts: listAuthProvidersApi + ProviderEntity DTO
- src/store/auth.ts: completeOAuthHandoff (single-tenant + multi-tenant)
- src/router/routes/core.ts: /oauth-handoff route under AuthPageLayout
- src/views/_core/authentication/oauth-handoff.vue: consumes host login
outcome via vue-router query, dispatches to SPA landing or tenant picker
- src/views/_core/authentication/login.vue: dynamic provider buttons from
/auth/providers, append ?state=<id> when backendRedirectEnabled
- src/locales/langs/{zh-CN,en-US}/plugins.json: shared instruction strings
for OIDC settings pages
Plugins (apps/lina-plugins):
- linapro-oidc-google: full plugin (DTO, controller, OAuth client + state
signing, settings service via PluginSettings, settings vue page,
manifest/i18n with apidoc translations)
- linapro-oidc-discord: same shape
- lina-plugins.go + go.mod: register both plugins under blank import
Docs (docs/):
- auth-provider-integration.md + zh-CN mirror (full integration guide)
- README.md + zh-CN mirror
Behaviour summary:
- OAuth callback path: /api/v1/auth/<provider>/callback (rides existing
/api/* proxy without extra reverse proxy config)
- Two independent post-login paths:
  - SSO token delivery when enableBackendRedirect + state matches rule:
    302 to rule URL with accessToken/refreshToken in query
  - SPA handoff otherwise: /oauth-handoff stores tokens then routes to
    defaultBackendRedirect (default /dashboard)
- Client Secret semantics: empty input keeps stored secret, masked in GET
- Redirect URI shown read-only with copy button (auto-derived from origin)
Verified locally in linapro:
- google plugin: rtk go build ./... -> Success
- discord plugin: rtk go build ./... -> Success
- workspace: rtk go build ./... -> Success
- linactl build needs pnpm install for web-antd which is a separate env
setup step; the Go side is green
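Added example, not code from this PR: the two post-login paths from the behaviour summary above, written in Go so that the `state` value is only a lookup key into server-configured rules and never supplies any part of the redirect target. `HandoffConfig`, `PostLoginTarget`, the rule map, the https check and the token query parameters on the handoff path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// HandoffConfig is a hypothetical holder for the settings named in the summary.
type HandoffConfig struct {
	EnableBackendRedirect bool
	Rules                 map[string]string // state id -> operator-configured SSO URL
	HandoffPath           string            // SPA page, e.g. /oauth-handoff
}

// PostLoginTarget returns the 302 location after a successful external login
// and whether the SSO path was taken. The state value only selects a rule by
// exact match; it never contributes any part of the destination URL.
func PostLoginTarget(cfg HandoffConfig, state, access, refresh string) (string, bool, error) {
	base, sso := cfg.HandoffPath, false
	if cfg.EnableBackendRedirect {
		if target, ok := cfg.Rules[state]; ok {
			base, sso = target, true
		}
	}
	u, err := url.Parse(base)
	if err != nil {
		return "", false, fmt.Errorf("invalid configured target %q: %w", base, err)
	}
	// Added check, not stated on the page: tokens in a query string should
	// only leave the host over an absolute https URL.
	if sso && (u.Scheme != "https" || u.Host == "") {
		return "", false, fmt.Errorf("rule %q: target must be an absolute https URL", state)
	}
	q := u.Query()
	q.Set("accessToken", access)
	q.Set("refreshToken", refresh)
	u.RawQuery = q.Encode()
	return u.String(), sso, nil
}

func main() {
	cfg := HandoffConfig{EnableBackendRedirect: true, HandoffPath: "/oauth-handoff",
		Rules: map[string]string{"portal": "https://portal.example.test/sso"}} // constructed
	fmt.Println(PostLoginTarget(cfg, "portal", "AT", "RT"))
	fmt.Println(PostLoginTarget(cfg, "unknown", "AT", "RT"))
}
```

Both paths put tokens in the query string, which is recorded in browser history and in proxy and server access logs, so the receiving page should store the tokens and strip them from the URL immediately.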
Introduces a stable host-level directory menu 'auth-provider' that
groups every third-party authentication provider plugin under a single
navigation entry. Localised as 授权管理 (zh-CN) and Authentication
Providers (en-US, source language).
Host changes:
- manifest/sql/013-auth-provider-management.sql: idempotent INSERT of
the directory menu (parent_id=0, type='D', sort=11) so the entry is
always present in role authorization and menu tree views even when
no OIDC plugin is installed.
- manifest/i18n/{zh-CN,en-US}/menu.json: localized 'auth-provider'
title for the workbench menu renderer.
Submodule bump (apps/lina-plugins):
- Brings in the matching parent_key change on Google and Discord OIDC
plugins so their settings pages attach under auth-provider.
Plugins referencing parent_key=auth-provider failed at startup with 'plugin menu parent_key does not exist' because that parent was only created by SQL seed 013, which did not run at plugin menu-sync time. The host now owns auth-provider as an on-demand managed catalog (menu_metadata.go registry). Menu sync materializes it from the host-owned definition when a plugin first mounts under it, and removes it once the last child plugin is uninstalled. Stable host catalogs and user menus are never auto-removed. Orphan parents without a host definition are still rejected. Removes the 013 seed; plugins only reference parent_key. Bumps official-plugins submodule.
GET /plugins ignored pagination: the request DTO had no pageNum/pageSize and the service returned the full filtered list every time, so pageNum=2 had no effect on /admin#/system/plugin. Add pageNum/pageSize to ListReq and ListInput, window the filtered result via paginatePluginItems, and keep total as the full filtered count. A non-positive page size disables paging so internal callers keep the full projection.
Contributor
This PR still needs a few changes before it can be merged:
I have not added the |
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
Contributor
This PR is closer, but a few issues still need to be fixed before it can be merged:
I have not added the |
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
… on clear Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
…dback Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>