frontend: Login, logout, and account creation (#179)

* add login page components

* Add Register page and hooks for auth

* Add the register page and connect all the frontend elements

* Redirect to /login if the token expires and clean up some console errors

* Add error messages for failed logins

* frontend: Add Single Sign-on to Toolkit (#227)

* Add Google SSO login plus OpenID components

* Dynamically set SSO login buttons and show or hide username and password based on auth_strategies

---------

Co-authored-by: Tianjing Li <[email protected]>

* fix startup event

* Fix build errors and update the API client

* Fix tests by adding missing env vars

Add test OIDC_WELL_KNOWN_ENDPOINT var to fixtures

* Add a walkthrough guide of the toolkit  (#251)

* GUide

* Chang

* Change

* Change

* Update docs/walkthrough/walkthrough.md

Co-authored-by: Luísa Moura <[email protected]>

* Update walkthrough.md

---------

Co-authored-by: Luísa Moura <[email protected]>

* coral-web: fix agent info panel opening by default (#253)

cast isEditAgentPanelOpen to boolean

* [backend] enforce agent update with user-id (#246)

* updates

* remove client changes

* remove logs

* use better header user id check

* fix validators

* typo

* Metrics: add middleware (#185)

* Metrics: add middleware

* add chat calls

* merge

* lint

* make it async

* add user id

* add more fields

* add retry and duration

* add meta

* comments

* fix tests

* improve error handling

* rename fields

* match spec

* comments

* clean code

* only create loop when theres endpoint

* add assistant id to chat

* feat(toolkit): show assistant welcome message (#255)

* feat(toolkit): show assistant welcome message

* feat(toolkit): show assistant welcome message

---------

Co-authored-by: misspia-cohere <[email protected]>
Co-authored-by: Tianjing Li <[email protected]>
Co-authored-by: Beatrix De Wilde <[email protected]>
Co-authored-by: Luísa Moura <[email protected]>
Co-authored-by: misspia-cohere <[email protected]>
Co-authored-by: Scott <[email protected]>
Co-authored-by: Khalil Najjar <[email protected]>

Author: 7 people

.env-template

@@ -42,7 +42,9 @@ USE_AGENTS_VIEW=False
 USE_COMMUNITY_FEATURES='True'
 
 # For setting up authentication, see: docs/auth_guide.md
-JWT_SECRET_KEY=<See auth.guide.md on how to generate a secure one>
+AUTH_SECRET_KEY=<See auth.guide.md on how to generate a secure one>
+# Required for specifying Redirect URI
+FRONTEND_HOSTNAME=http://localhost:4000
 
 # Google OAuth 
 GOOGLE_CLIENT_ID=<GOOGLE_CLIENT_ID>
@@ -51,4 +53,4 @@ GOOGLE_CLIENT_SECRET=<GOOGLE_CLIENT_SECRET>
 # OpenID Connect
 OIDC_CLIENT_ID=<OIDC_CLIENT_ID>
 OIDC_CLIENT_SECRET=<OIDC_CLIENT_SECRET>
-OIDC_CONFIG_ENDPOINT=<OIDC_CONFIG_ENDPOINT>
+OIDC_WELL_KNOWN_ENDPOINT=<OIDC_WELL_KNOWN_ENDPOINT>

src/backend/config/auth.py

@@ -21,3 +21,12 @@ def is_authentication_enabled() -> bool:
         return True
 
     return False
+
+
+async def get_auth_strategy_endpoints() -> None:
+    """
+    Fetches the endpoints for each enabled strategy.
+    """
+    for strategy in ENABLED_AUTH_STRATEGY_MAPPING.values():
+        if hasattr(strategy, "get_endpoints"):
+            await strategy.get_endpoints()

src/backend/config/routers.py

@@ -94,7 +94,8 @@ class RouterName(StrEnum):
         ],
         "auth": [
             Depends(get_session),
-            Depends(validate_authorization),
+            # TODO: Add if the router's have to have authorization
+            # Depends(validate_authorization),
         ],
     },
 }

src/backend/main.py

@@ -1,12 +1,15 @@
+import asyncio
+import os
 from contextlib import asynccontextmanager
 
 from alembic.command import upgrade
 from alembic.config import Config
 from dotenv import load_dotenv
 from fastapi import FastAPI, HTTPException
 from fastapi.middleware.cors import CORSMiddleware
+from starlette.middleware.sessions import SessionMiddleware
 
-from backend.config.auth import is_authentication_enabled
+from backend.config.auth import get_auth_strategy_endpoints, is_authentication_enabled
 from backend.config.routers import ROUTER_DEPENDENCIES
 from backend.routers.agent import router as agent_router
 from backend.routers.auth import router as auth_router
@@ -23,17 +26,10 @@
 
 # CORS Origins
 ORIGINS = ["*"]
-# Session expiration time in seconds, set to None to last only browser session
-SESSION_EXPIRY = 60 * 60 * 24 * 7  # A week
-
-
-@asynccontextmanager
-async def lifespan(app: FastAPI):
-    yield
 
 
 def create_app():
-    app = FastAPI(lifespan=lifespan)
+    app = FastAPI()
 
     routers = [
         auth_router,
@@ -50,6 +46,10 @@ def create_app():
     # These values must be set in config/routers.py
     dependencies_type = "default"
     if is_authentication_enabled():
+        # Required to save temporary OAuth state in session
+        app.add_middleware(
+            SessionMiddleware, secret_key=os.environ.get("AUTH_SECRET_KEY")
+        )
         dependencies_type = "auth"
     for router in routers:
         if getattr(router, "name", "") in ROUTER_DEPENDENCIES.keys():
@@ -76,6 +76,15 @@ def create_app():
 app = create_app()
 
 
+@app.on_event("startup")
+async def startup_event():
+    """
+    Retrieves all the Auth provider endpoints if authentication is enabled.
+    """
+    if is_authentication_enabled():
+        await get_auth_strategy_endpoints()
+
+
 @app.get("/health")
 async def health():
     """

src/backend/routers/auth.py

@@ -32,28 +32,39 @@ def get_strategies() -> list[ListAuthStrategy]:
         List[dict]: List of dictionaries containing the enabled auth strategy names.
     """
     strategies = []
-    for key in ENABLED_AUTH_STRATEGY_MAPPING.keys():
-        strategies.append({"strategy": key})
+    for strategy_name, strategy_instance in ENABLED_AUTH_STRATEGY_MAPPING.items():
+        strategies.append(
+            {
+                "strategy": strategy_name,
+                "client_id": (
+                    strategy_instance.get_client_id()
+                    if hasattr(strategy_instance, "get_client_id")
+                    else None
+                ),
+                "authorization_endpoint": (
+                    strategy_instance.get_authorization_endpoint()
+                    if hasattr(strategy_instance, "get_authorization_endpoint")
+                    else None
+                ),
+            }
+        )
 
     return strategies
 
 
 @router.post("/login", response_model=Union[JWTResponse, None])
 async def login(request: Request, login: Login, session: DBSessionDep):
     """
-    Logs user in and either:
-    - (Basic email/password authentication) Verifies their credentials, retrieves the user and returns a JWT token.
-    - (OAuth) Redirects to the /auth endpoint.
+    Logs user in, performing basic email/password auth.
+    Verifies their credentials, retrieves the user and returns a JWT token.
 
     Args:
         request (Request): current Request object.
         login (Login): Login payload.
         session (DBSessionDep): Database session.
 
     Returns:
-        dict: JWT token on basic auth success
-        or
-        Redirect: to /auth endpoint
+        dict: JWT token on Basic auth success
 
     Raises:
         HTTPException: If the strategy or payload are invalid, or if the login fails.
@@ -76,27 +87,20 @@ async def login(request: Request, login: Login, session: DBSessionDep):
             detail=f"Missing the following keys in the payload: {missing_keys}.",
         )
 
-    # Login with redirect to /auth
-    if strategy.SHOULD_AUTH_REDIRECT:
-        # Fetch endpoint with method name
-        redirect_uri = request.url_for(strategy.REDIRECT_METHOD_NAME)
-        return await strategy.login(request, redirect_uri)
-    # Login with email/password and set session directly
-    else:
-        user = strategy.login(session, payload)
-        if not user:
-            raise HTTPException(
-                status_code=401,
-                detail=f"Error performing {strategy_name} authentication with payload: {payload}.",
-            )
+    user = strategy.login(session, payload)
+    if not user:
+        raise HTTPException(
+            status_code=401,
+            detail=f"Error performing {strategy_name} authentication with payload: {payload}.",
+        )
 
-        token = JWTService().create_and_encode_jwt(user)
+    token = JWTService().create_and_encode_jwt(user)
 
-        return {"token": token}
+    return {"token": token}
 
 
 @router.get("/google/auth", response_model=JWTResponse)
-async def google_authenticate(request: Request, session: DBSessionDep):
+async def google_authorize(request: Request, session: DBSessionDep):
     """
     Callback authentication endpoint used for Google OAuth after redirecting to
     the service's login screen.
@@ -112,11 +116,11 @@ async def google_authenticate(request: Request, session: DBSessionDep):
     """
     strategy_name = GoogleOAuth.NAME
 
-    return await authenticate(request, session, strategy_name)
+    return await authorize(request, session, strategy_name)
 
 
 @router.get("/oidc/auth", response_model=JWTResponse)
-async def oidc_authenticate(request: Request, session: DBSessionDep):
+async def oidc_authorize(request: Request, session: DBSessionDep):
     """
     Callback authentication endpoint used for OIDC after redirecting to
     the service's login screen.
@@ -132,7 +136,8 @@ async def oidc_authenticate(request: Request, session: DBSessionDep):
     """
     strategy_name = OpenIDConnect.NAME
 
-    return await authenticate(request, session, strategy_name)
+    # TODO: Merge authorize endpoints into single one
+    return await authorize(request, session, strategy_name)
 
 
 @router.get("/logout", response_model=Logout)
@@ -157,7 +162,7 @@ async def logout(
     return {}
 
 
-async def authenticate(
+async def authorize(
     request: Request, session: DBSessionDep, strategy_name: str
 ) -> JWTResponse:
     if not is_enabled_authentication_strategy(strategy_name):
@@ -168,22 +173,20 @@ async def authenticate(
     strategy = ENABLED_AUTH_STRATEGY_MAPPING[strategy_name]
 
     try:
-        token = await strategy.authenticate(request)
+        userinfo = await strategy.authorize(request)
     except OAuthError as e:
         raise HTTPException(
-            status_code=401,
-            detail=f"Could not authenticate, failed with error: {str(e)}",
+            status_code=400,
+            detail=f"Could not fetch access token from provider, failed with error: {str(e)}",
         )
 
-    token_user = token.get("userinfo")
-
-    if not token_user:
+    if not userinfo:
         raise HTTPException(
             status_code=401, detail=f"Could not get user from auth token: {token}."
         )
 
     # Get or create user, then set session user
-    user = get_or_create_user(session, token_user)
+    user = get_or_create_user(session, userinfo)
 
     token = JWTService().create_and_encode_jwt(user)
 

src/backend/schemas/auth.py

@@ -17,6 +17,8 @@ class Logout(BaseModel):
 
 class ListAuthStrategy(BaseModel):
     strategy: str
+    client_id: str | None
+    authorization_endpoint: str | None
 
 
 class JWTResponse(BaseModel):

src/backend/services/auth/jwt.py

@@ -16,11 +16,11 @@ class JWTService:
     ALGORITHM = "HS256"
 
     def __init__(self):
-        secret_key = os.environ.get("JWT_SECRET_KEY")
+        secret_key = os.environ.get("AUTH_SECRET_KEY")
 
         if not secret_key:
             raise ValueError(
-                "JWT_SECRET_KEY environment variable is missing, and is required to enable authentication."
+                "AUTH_SECRET_KEY environment variable is missing, and is required to enable authentication."
             )
 
         self.secret_key = secret_key

src/backend/services/auth/strategies/base.py

@@ -8,11 +8,9 @@ class BaseAuthenticationStrategy:
 
     Attributes:
         NAME (str): The name of the strategy.
-        SHOULD_AUTH_REDIRECT (str): Whether the strategy requires a redirect to the /auth endpoint after login.
     """
 
     NAME = "Base"
-    SHOULD_AUTH_REDIRECT = False
 
     @staticmethod
     def get_required_payload(self) -> List[str]:
@@ -24,35 +22,56 @@ def get_required_payload(self) -> List[str]:
     @abstractmethod
     def login(self, **kwargs: Any):
         """
-        Login logic: dealing with checking credentials, returning user object
-        to store into session if finished. For OAuth strategies, the next step
-        will be to authenticate.
+        Check email/password credentials and return JWT token.
         """
         ...
 
 
-class BaseOAuthStrategy(BaseAuthenticationStrategy):
+class BaseOAuthStrategy:
     """
     Base strategy for OAuth, abstract class that should be inherited from.
 
     Attributes:
         NAME (str): The name of the strategy.
-        SHOULD_AUTH_REDIRECT (str): Whether the strategy requires a redirect to the /auth endpoint after login.
-        REDIRECT_METHOD_NAME (str | None): The router method name that should be used for redirect callback.
     """
 
-    SHOULD_AUTH_REDIRECT = True
-    REDIRECT_METHOD_NAME = None
+    NAME = None
 
-    def __init__subclass(cls, **kwargs):
-        super().__init__subclass__(**kwargs)
-        if cls.REDIRECT_METHOD_NAME is None:
-            raise ValueError(
-                f"{cls.__name__} must have a REDIRECT_METHOD_NAME defined, and a corresponding router definition."
-            )
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._post_init_check()
+
+    def _post_init_check(self):
+        if any(
+            [
+                self.NAME is None,
+            ]
+        ):
+            raise ValueError(f"{self.__name__} must have NAME parameter(s) defined.")
+
+    @abstractmethod
+    def get_client_id(self, **kwargs: Any):
+        """
+        Retrieves the OAuth app's client ID
+        """
+        ...
+
+    @abstractmethod
+    def get_authorization_endpoint(self, **kwargs: Any):
+        """
+        Retrieves the OAuth app's authorization endpoint.
+        """
+        ...
+
+    @abstractmethod
+    async def get_endpoints(self, **kwargs: Any):
+        """
+        Retrieves the /token and /userinfo endpoints.
+        """
+        ...
 
     @abstractmethod
-    def authenticate(self, **kwargs: Any):
+    async def authorize(self, **kwargs: Any):
         """
         Authentication logic: dealing with user data and returning it
         to set the current user session for OAuth strategies.