Support external users #162
Conversation
…ers for /external-users endpoints
…n of openid-connect bundle
DISPLAY-1039: Release 1.4.0
no message
Code authorization flow
… in the database as a fullname
| App\Entity\Tenant\UserActivationCode: | ||
| itemOperations: | ||
| get: | ||
| security: 'is_granted("ROLE_ADMIN") or is_granted("ROLE_EXTERNAL_USER_ADMIN")' |
There was a problem hiding this comment.
Would it be better to only have is_granted("ROLE_EXTERNAL_USER_ADMIN") here and the use the role hierarchy to let ROLE_ADMIN have the ROLE_EXTERNAL_USER_ADMIN. I think that would make it easier to change this later if we decide that **_USER_ADMIN should be a dedicated role.
| get: | ||
| security: 'is_granted("ROLE_ADMIN") or is_granted("ROLE_EXTERNAL_USER_ADMIN")' | ||
| delete: | ||
| security: 'is_granted("ROLE_ADMIN") or is_granted("ROLE_EXTERNAL_USER_ADMIN")' |
There was a problem hiding this comment.
Consider using role hierarchy as above
| delete: | ||
| security: 'is_granted("ROLE_ADMIN") or is_granted("ROLE_EXTERNAL_USER_ADMIN")' | ||
| refresh_code: | ||
| security: 'is_granted("ROLE_ADMIN") or is_granted("ROLE_EXTERNAL_USER_ADMIN")' |
There was a problem hiding this comment.
Consider using role hierarchy as above
| refresh_code: | ||
| security: 'is_granted("ROLE_ADMIN") or is_granted("ROLE_EXTERNAL_USER_ADMIN")' | ||
| method: 'POST' | ||
| path: '/user-activation-codes/{id}/refresh-code' |
There was a problem hiding this comment.
We have other auth related endpoint under /v1/authentication should this be there as well?
There was a problem hiding this comment.
I think I will leave it as a separate endpoint since it relates to an entity
| $user = $passport->getUser(); | ||
|
|
||
| if (!$user instanceof User) { | ||
| throw new AuthenticationException('UserInterface not of User type'); |
There was a problem hiding this comment.
I have no idea what that exception message means
src/Service/ExternalUserService.php
Outdated
| { | ||
| $slugged = $this->slugifyDisplayName($displayName); | ||
|
|
||
| return "$slugged@ext"; |
There was a problem hiding this comment.
I prefer $slugged.'@ext' or a sprintf() for readbility
| $type = UserTypeEnum::OIDC_EXTERNAL; | ||
| $name = ExternalUserService::EXTERNAL_USER_DEFAULT_NAME; | ||
| $providerId = $this->externalUserService->generatePersonalIdentifierHash($signInName); | ||
| $email = null; |
There was a problem hiding this comment.
Not sure what the best solution is if the email is not nullable. Either do $signInName.'@ext' as a temporary value or make email nullable, but unique. (MySQL allows multiple NULLs in a column with a unique constraint.)
There was a problem hiding this comment.
Will create a temporary email from providerId when the user has not activated. The mail will be updated after activation.
src/Service/ExternalUserService.php
Outdated
| public function refreshCode(UserActivationCode $code): UserActivationCode | ||
| { | ||
| $code->setCode($this->generateExternalUserCode()); | ||
| $code->setCodeExpire((new \DateTime())->add(new \DateInterval('P2D'))); |
There was a problem hiding this comment.
We should not have this hardcoded two different places (Also found in ExternalUserActivationCodeInputDataTransformer). Promote it to a public class constant here, and then reference it.
(Or better, make it and .env value)
src/Service/ExternalUserService.php
Outdated
| private function generateRandomCode(): string | ||
| { | ||
| $length = 12; | ||
| $chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'; |
There was a problem hiding this comment.
Promote to class constant
Co-authored-by: Ture Gjørup <[email protected]>
…2display/display-api-service into feature/external-login-entity-and-api
…system at migration time
…k_jwt_authentication
Link to ticket
https://jira.itkdev.dk/browse/DISPLAY-993
Description
NB! Uses the changes from #163 since support for multiple providers is necessary.
Screenshots
Checklist