From 0c51aff748f8c9cf95366afb47614520bf28d5a1 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Tue, 22 Mar 2022 16:40:09 +0100
Subject: [PATCH] (feat) OAuth2 scopes are now configurable from the interface
Previously, scopes were supported through OAUTH2_SCOPE since v5.3.1.
BREAKING CHANGE: update your oauth2 provider configuration if you need scopes support
--- CHANGELOG.md | 2 ++ app/controllers/api/auth_providers_controller.rb | 2 +- .../templates/admin/authentications/_oauth2.html | 11 +++++++++++ app/views/api/auth_providers/show.json.jbuilder | 4 ++-- config/locales/app.shared.en.yml | 1 + .../20220322135836_add_scopes_to_o_auth2_provider.rb | 9 +++++++++ db/schema.rb | 3 ++- doc/environment.md | 5 ----- lib/omni_auth/strategies/sso_oauth2_provider.rb | 2 +- 9 files changed, 29 insertions(+), 10 deletions(-) create mode 100644 db/migrate/20220322135836_add_scopes_to_o_auth2_provider.rb
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ef5e1ccb2..759b9d2e0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@ # Changelog Fab-manager - Support for Google Analytics V4 +- OAuth2 scopes are now configurable from the interface - Updated environment documentation - Updated react-i18next to 11.15.6 - Updated i18next to 21.6.13
@@ -30,6 +31,7 @@ - [TODO DEPLOY] `\curl -sSL https://raw.githubusercontent.com/sleede/fab-manager/master/scripts/cve-2021-44228.sh | bash` - [TODO DEPLOY] migrate your Google Analytics property to GA4, see [this guide](https://support.google.com/analytics/answer/9744165) - [TODO DEPLOY] update your tracking ID in Customization > Privacy > Statistics > Google Analytics +- [TODO DEPLOY] update your oAuth2 provider configuration with the scopes previously defined in the OAUTH2_SCOPE environment variable ## v5.3.5 2022 March 02
diff --git a/app/controllers/api/auth_providers_controller.rb b/app/controllers/api/auth_providers_controller.rb
index 071b6a927..f83915e9f 100644
--- a/app/controllers/api/auth_providers_controller.rb
+++ b/app/controllers/api/auth_providers_controller.rb
@@ -83,7 +83,7 @@ class API::AuthProvidersController < API::ApiController params.require(:auth_provider) .permit(:name, :providable_type, providable_attributes: [:id, :base_url, :token_endpoint, :authorization_endpoint, :logout_endpoint,
- :profile_url, :client_id, :client_secret,
+ :profile_url, :client_id, :client_secret, :scopes,
 o_auth2_mappings_attributes: [:id, :local_model, :local_field, :api_field, :api_endpoint, :api_data_type, :_destroy, transformation: [:type, :format, :true_value,
diff --git a/app/frontend/templates/admin/authentications/_oauth2.html b/app/frontend/templates/admin/authentications/_oauth2.html
index b86470397..4f1fc8c82 100644
--- a/app/frontend/templates/admin/authentications/_oauth2.html
+++ b/app/frontend/templates/admin/authentications/_oauth2.html
@@ -90,4 +90,15 @@ +
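Review bot: `:scopes` is permitted here as free-form text and nothing in the diff validates or normalizes it before it is stored and later sent verbatim as the OAuth2 `scope` request parameter (see the sso_oauth2_provider.rb hunk). RFC 6749 §3.3 defines `scope` as a space-delimited list of tokens, whereas the removed doc/environment.md text described OAUTH2_SCOPE as a comma-separated list, so an administrator who copies the old value as the deploy note instructs may store a string the provider rejects or misreads. A model-level check on OAuth2Provider along the lines of `validates :scopes, format: { with: /\A[^\s"\\]+( [^\s"\\]+)*\z/, allow_blank: true }` would catch that at save time, or commas could be normalized to spaces before assignment. The permitted-parameters method this hunk belongs to starts and ends outside the hunk.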
+ +
+ +
+
diff --git a/app/views/api/auth_providers/show.json.jbuilder b/app/views/api/auth_providers/show.json.jbuilder
index 7bb61df29..78e7397b1 100644
--- a/app/views/api/auth_providers/show.json.jbuilder
+++ b/app/views/api/auth_providers/show.json.jbuilder
@@ -4,9 +4,9 @@ json.partial! 'api/auth_providers/auth_provider', auth_provider: @provider if @provider.providable_type == OAuth2Provider.name json.providable_attributes do
- json.extract! @provider.providable, :id, :base_url, :token_endpoint, :authorization_endpoint, :profile_url, :client_id, :client_secret
+ json.extract! @provider.providable, :id, :base_url, :token_endpoint, :authorization_endpoint, :profile_url, :client_id, :client_secret, :scopes
 json.o_auth2_mappings_attributes @provider.providable.o_auth2_mappings do |m| json.extract! m, :id, :local_model, :local_field, :api_field, :api_endpoint, :api_data_type, :transformation end end
-end
\ No newline at end of file
+end
diff --git a/config/locales/app.shared.en.yml b/config/locales/app.shared.en.yml
index 8d3837da8..6f647d6fc 100644
--- a/config/locales/app.shared.en.yml
+++ b/config/locales/app.shared.en.yml
@@ -267,6 +267,7 @@ en:
 obtain_it_when_registering_with_your_provider: "Obtain it when registering with your provider."
 client_secret: "Client secret"
 oauth2_client_secret_is_required: "OAuth 2.0 client secret is required."
+ scopes: "Scopes"
 define_the_fields_mapping: "Define the fields mapping"
 add_a_match: "Add a match"
 model: "Model"
diff --git a/db/migrate/20220322135836_add_scopes_to_o_auth2_provider.rb b/db/migrate/20220322135836_add_scopes_to_o_auth2_provider.rb
new file mode 100644
index 000000000..59c6c88dd
--- /dev/null
+++ b/db/migrate/20220322135836_add_scopes_to_o_auth2_provider.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+# This migration saves the scopes of the OAuth2 provider to the database.
+# Previously, the scopes were defined in the OAUTH2_SCOPE environment variable.
+class AddScopesToOAuth2Provider < ActiveRecord::Migration[5.2]
+ def change
+ add_column :o_auth2_providers, :scopes, :string
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index eebcc5570..8da79429e 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@ # # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 2022_03_16_133304) do
+ActiveRecord::Schema.define(version: 2022_03_22_135836) do
 # These are extensions that must be enabled in order to support this database enable_extension "fuzzystrmatch"
@@ -391,6 +391,7 @@ ActiveRecord::Schema.define(version: 2022_03_16_133304) do
 t.datetime "created_at", null: false
 t.datetime "updated_at", null: false
 t.string "profile_url"
+ t.string "scopes"
 end
 create_table "offer_days", id: :serial, force: :cascade do |t|
diff --git a/doc/environment.md b/doc/environment.md
index d1dc87088..8f73d88ca 100644
--- a/doc/environment.md
+++ b/doc/environment.md
@@ -138,11 +138,6 @@ Please, ensure you know what you're doing, as this can lead to serious security A comma separated list of settings that cannot be changed from the UI. Please refer to https://github.com/sleede/fab-manager/blob/master/app/models/setting.rb for a list of possible values. Only the system administrator can change them, with the command: `ENV=value rails fablab:setup:env_to_db` - - - OAUTH2_SCOPE - -A comma separated list of scopes that will be requested when authenticating with OAuth2. SSO_DEBUG
diff --git a/lib/omni_auth/strategies/sso_oauth2_provider.rb b/lib/omni_auth/strategies/sso_oauth2_provider.rb
index 7c6d60f31..af59688ad 100644
--- a/lib/omni_auth/strategies/sso_oauth2_provider.rb
+++ b/lib/omni_auth/strategies/sso_oauth2_provider.rb
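Review bot: The migration adds the `scopes` column but never carries over the value an existing deployment has in OAUTH2_SCOPE, so after migrating every OAuth2 provider row has `scopes` NULL and the next login requests no scope until an administrator re-enters it by hand, which the CHANGELOG's [TODO DEPLOY] line relies on but nothing enforces. A one-time backfill from the environment variable inside the migration would keep authentication working across the upgrade, and replacing `change` with `up`/`down` keeps it reversible. Doing the backfill in SQL rather than through the OAuth2Provider model avoids coupling the migration to future model code.
```ruby
  def up
    add_column :o_auth2_providers, :scopes, :string
    return if ENV['OAUTH2_SCOPE'].blank?

    # one-time carry-over of the value previously read from the environment
    execute "UPDATE o_auth2_providers SET scopes = #{connection.quote(ENV['OAUTH2_SCOPE'])}"
  end

  def down
    remove_column :o_auth2_providers, :scopes
  end
```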
@@ -28,7 +28,7 @@ module OmniAuth::Strategies
 def authorize_params
 super.tap do |params|
- params[:scope] = ENV['OAUTH2_SCOPE']
+ params[:scope] = active_provider.providable.scopes
 end
 end
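Review bot: `params[:scope] = active_provider.providable.scopes` assigns the key even when the new column is NULL or an administrator saved the form with an empty field, so the authorization redirect may carry an empty `scope` parameter, which some providers ignore and others answer with `invalid_scope`; the old ENV-based line had the same gap, so this is not a regression, but the form now makes an empty value far easier to produce. Guarding the assignment keeps the request clean in that case: `scopes = active_provider.providable.scopes` followed by `params[:scope] = scopes if scopes.present?`. Note also that `authorize_params` runs on every authorization redirect and `active_provider` is defined outside this hunk, so if it performs a database lookup rather than returning a memoized record this change adds a query per login attempt — worth confirming.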