feat : franceconnect v2

.github/workflows/ci_cd.yml

@@ -5,7 +5,7 @@ env:
   CI: "true"
   SIMPLECOV: "true"
   RSPEC_FORMAT: "documentation"
-  RUBY_VERSION: 3.0.2
+  RUBY_VERSION: 3.0.6
   RAILS_ENV: test
   NODE_VERSION: 16.9.1
   RUBYOPT: '-W:no-deprecated'

.ruby-version

@@ -1 +1 @@
-3.0.2
+3.0.6

Dockerfile

@@ -6,7 +6,7 @@ ENV RAILS_ENV=production \
 WORKDIR /app
 
 RUN apt-get update && \
-    apt-get -y install libpq-dev curl git libicu-dev build-essential && \
+    apt-get install -y libpq-dev curl git libicu-dev build-essential && \
     curl https://deb.nodesource.com/setup_16.x | bash && \
     apt-get install -y nodejs  && \
     npm install --global yarn && \
@@ -43,6 +43,9 @@ RUN apt update && \
     apt install -y postgresql-client imagemagick libproj-dev proj-bin libjemalloc2 && \
     gem install bundler:2.4.9
 
+ADD https://letsencrypt.org/certs/isrg-root-x2.pem  /etc/ssl/certs/ISRG_ROOT_X2.pem
+RUN chmod 644 /etc/ssl/certs/ISRG_ROOT_X2.pem && update-ca-certificates && c_rehash
+
 WORKDIR /app
 
 COPY --from=builder /usr/local/bundle /usr/local/bundle

Gemfile

@@ -16,14 +16,14 @@ gem "decidim-initiatives", "~> #{DECIDIM_VERSION}.0"
 
 # External Decidim gems
 gem "decidim-blog_author_petition", git: "https://github.com/OpenSourcePolitics/decidim-module-blog_author_petition.git", branch: "main"
-gem "decidim-decidim_awesome", git: "https://github.com/decidim-ice/decidim-module-decidim_awesome.git", branch: "main"
+gem "decidim-decidim_awesome", git: "https://github.com/decidim-ice/decidim-module-decidim_awesome.git", tag: "v0.9.2"
 gem "decidim-initiative_status", git: "https://github.com/OpenSourcePolitics/decidim-module-initiative_status.git", branch: "main"
 gem "decidim-spam_detection"
-gem "decidim-term_customizer", git: "https://github.com/armandfardeau/decidim-module-term_customizer.git", branch: "fix/precompile-on-docker-0.27"
+gem "decidim-term_customizer", git: "https://github.com/OpenSourcePolitics/decidim-module-term_customizer.git", branch: "fix/email_with_precompile"
 gem "decidim-transparent_trash", git: "https://github.com/OpenSourcePolitics/decidim-module-transparent_trash.git", branch: "master"
 
 # Omniauth gems
-gem "omniauth-france_connect", git: "https://github.com/OpenSourcePolitics/omniauth-france_connect"
+gem "omniauth_openid_connect"
 
 # Default
 gem "activejob-uniqueness", require: "active_job/uniqueness/sidekiq_patch"
@@ -34,8 +34,10 @@ gem "deface"
 gem "faker", "~> 2.14"
 gem "fog-aws"
 gem "foundation_rails_helper", git: "https://github.com/sgruhier/foundation_rails_helper.git"
+gem "html_tokenizer", "~> 0.0.8"
 gem "letter_opener_web", "~> 2.0"
 gem "omniauth-rails_csrf_protection", "~> 1.0"
+gem "openssl", "~> 3.2.0"
 gem "puma", ">= 5.6.2"
 gem "rack-attack"
 gem "sys-filesystem"

Gemfile.lock

@@ -14,33 +14,26 @@ GIT
     decidim-initiative_status (0.1)
       decidim-core (~> 0.27)
 
+GIT
+  remote: https://github.com/OpenSourcePolitics/decidim-module-term_customizer.git
+  revision: 27f4f3f805b59571451f4d911620edbac762bb66
+  branch: fix/email_with_precompile
+  specs:
+    decidim-term_customizer (0.27.0)
+      decidim-admin (~> 0.27.0)
+      decidim-core (~> 0.27.0)
+
 GIT
   remote: https://github.com/OpenSourcePolitics/decidim-module-transparent_trash.git
   revision: 6e443678a0aecdc9d852dfa48dc103983c930a5c
   branch: master
   specs:
     decidim-transparent_trash (0.0.2)
 
-GIT
-  remote: https://github.com/OpenSourcePolitics/omniauth-france_connect
-  revision: 14a53ad31928c8a83742360cfbdb90938d0a057e
-  specs:
-    omniauth-france_connect (0.1.0)
-      omniauth_openid_connect (~> 0.4.0)
-
-GIT
-  remote: https://github.com/armandfardeau/decidim-module-term_customizer.git
-  revision: 41f6c0fa95cc26c7f0dbe317d48e83723cb08b1b
-  branch: fix/precompile-on-docker-0.27
-  specs:
-    decidim-term_customizer (0.27.0)
-      decidim-admin (~> 0.27.0)
-      decidim-core (~> 0.27.0)
-
 GIT
   remote: https://github.com/decidim-ice/decidim-module-decidim_awesome.git
   revision: aa01fdab225ae7a5e7de6fc5d529f7c236376c0c
-  branch: main
+  tag: v0.9.2
   specs:
     decidim-decidim_awesome (0.9.2)
       decidim-admin (>= 0.26.0, < 0.28)
@@ -137,7 +130,7 @@ GEM
       public_suffix (>= 2.0.2, < 6.0)
     aes_key_wrap (1.1.0)
     ast (2.4.2)
-    attr_required (1.0.1)
+    attr_required (1.0.2)
     aws-eventstream (1.2.0)
     aws-partitions (1.772.0)
     aws-sdk-core (3.174.0)
@@ -165,6 +158,7 @@ GEM
       descendants_tracker (~> 0.0.4)
       ice_nine (~> 0.11.0)
       thread_safe (~> 0.3, >= 0.3.1)
+    base64 (0.3.0)
     batch-loader (1.5.0)
     bcrypt (3.1.19)
     better_html (1.0.16)
@@ -175,7 +169,7 @@ GEM
       html_tokenizer (~> 0.0.6)
       parser (>= 2.4)
       smart_properties
-    bindata (2.4.15)
+    bindata (2.5.1)
     bindex (0.8.1)
     bootsnap (1.16.0)
       msgpack (~> 1.2)
@@ -457,6 +451,8 @@ GEM
       dotenv (= 2.8.1)
       railties (>= 3.2)
     dumb_delegator (1.0.0)
+    email_validator (2.2.4)
+      activemodel
     erb_lint (0.0.37)
       activesupport
       better_html (~> 1.0.7)
@@ -485,7 +481,7 @@ GEM
     faraday (2.7.10)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
-    faraday-follow_redirects (0.3.0)
+    faraday-follow_redirects (0.4.0)
       faraday (>= 1, < 3)
     faraday-net_http (3.0.2)
     ffi (1.15.5)
@@ -535,9 +531,8 @@ GEM
     html-pipeline (2.14.3)
       activesupport (>= 2)
       nokogiri (>= 1.4)
-    html_tokenizer (0.0.7)
+    html_tokenizer (0.0.8)
     htmlentities (4.3.4)
-    httpclient (2.8.3)
     i18n (1.14.1)
       concurrent-ruby (~> 1.0)
     i18n-tasks (0.9.37)
@@ -561,9 +556,10 @@ GEM
       rails (>= 3.2.0)
     jmespath (1.6.2)
     json (2.6.3)
-    json-jwt (1.16.3)
+    json-jwt (1.17.0)
       activesupport (>= 4.2)
       aes_key_wrap
+      base64
       bindata
       faraday (~> 2.0)
       faraday-follow_redirects
@@ -687,21 +683,23 @@ GEM
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
-    omniauth_openid_connect (0.4.0)
-      addressable (~> 2.5)
+    omniauth_openid_connect (0.8.0)
       omniauth (>= 1.9, < 3)
-      openid_connect (~> 1.1)
-    openid_connect (1.4.2)
+      openid_connect (~> 2.2)
+    openid_connect (2.3.1)
       activemodel
       attr_required (>= 1.0.0)
-      json-jwt (>= 1.15.0)
-      net-smtp
-      rack-oauth2 (~> 1.21)
-      swd (~> 1.3)
+      email_validator
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
+      mail
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
       tzinfo
-      validate_email
       validate_url
-      webfinger (~> 1.2)
+      webfinger (~> 2.0)
+    openssl (3.2.3)
     origami (2.1.0)
       colorize (~> 0.7)
     orm_adapter (0.5.0)
@@ -736,10 +734,11 @@ GEM
       rack (>= 1.0, < 3)
     rack-cors (1.1.1)
       rack (>= 2.0.0)
-    rack-oauth2 (1.21.3)
+    rack-oauth2 (2.2.1)
       activesupport
       attr_required
-      httpclient
+      faraday (~> 2.0)
+      faraday-follow_redirects
       json-jwt (>= 1.11.0)
       rack (>= 2.1.0)
     rack-protection (3.0.6)
@@ -926,10 +925,11 @@ GEM
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
     ssrf_filter (1.1.1)
-    swd (1.3.0)
+    swd (2.0.3)
       activesupport (>= 3)
       attr_required (>= 0.0.5)
-      httpclient (>= 2.4)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     sys-filesystem (1.4.3)
       ffi (~> 1.1)
     temple (0.10.2)
@@ -947,9 +947,6 @@ GEM
     valid_email2 (2.3.1)
       activemodel (>= 3.2)
       mail (~> 2.5)
-    validate_email (0.1.6)
-      activemodel (>= 3.0)
-      mail (>= 2.2.5)
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
       public_suffix
@@ -973,9 +970,10 @@ GEM
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
-    webfinger (1.2.0)
+    webfinger (2.1.3)
       activesupport
-      httpclient (>= 2.4)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     webmock (3.18.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -1009,6 +1007,7 @@ PLATFORMS
   arm64-darwin-22
   x86_64-darwin-20
   x86_64-darwin-21
+  x86_64-darwin-22
   x86_64-linux
 
 DEPENDENCIES
@@ -1035,11 +1034,13 @@ DEPENDENCIES
   fog-aws
   foundation_rails_helper!
   health_check (~> 3.1)
+  html_tokenizer (~> 0.0.8)
   letter_opener_web (~> 2.0)
   listen (~> 3.1)
   lograge
-  omniauth-france_connect!
   omniauth-rails_csrf_protection (~> 1.0)
+  omniauth_openid_connect
+  openssl (~> 3.2.0)
   parallel_tests (~> 3.7)
   puma (>= 5.6.2)
   rack-attack
@@ -1057,7 +1058,7 @@ DEPENDENCIES
   web-console (= 4.2)
 
 RUBY VERSION
-   ruby 3.0.2p107
+   ruby 3.0.6p216
 
 BUNDLED WITH
    2.4.9

app/controllers/decidim/omniauth_registrations_controller_override.rb

@@ -7,6 +7,73 @@ module OmniauthRegistrationsControllerOverride
     included do
       include Decidim::AfterSignInActionHelper
 
+      def create
+        form_params = user_params_from_oauth_hash || params[:user]
+
+        @form = form(Decidim::OmniauthRegistrationForm).from_params(form_params)
+        @form.email ||= verified_email
+
+        Decidim::CreateOmniauthRegistration.call(@form, verified_email) do
+          on(:ok) do |user|
+            if user.active_for_authentication?
+              sign_in_and_redirect user, event: :authentication
+              provider_name = current_organization.enabled_omniauth_providers.dig(@form.provider.to_sym, :display_name) || @form.provider.titleize
+              set_flash_message :notice, :success, kind: provider_name
+            else
+              expire_data_after_sign_in!
+              user.resend_confirmation_instructions unless user.confirmed?
+              redirect_to decidim.root_path
+              flash[:notice] = t("devise.registrations.signed_up_but_unconfirmed")
+            end
+          end
+
+          on(:invalid) do
+            set_flash_message :notice, :success, kind: @form.provider.capitalize
+            session["devise.omniauth.verified_email"] = verified_email
+            render :new
+          end
+
+          on(:error) do |user|
+            if user.errors[:email]
+              set_flash_message :alert, :failure, kind: @form.provider.capitalize,
+                                                  reason: t("decidim.devise.omniauth_registrations.create.email_already_exists")
+            end
+            session["devise.omniauth.verified_email"] = verified_email
+            render :new
+          end
+        end
+      end
+
+      def sign_in_and_redirect(resource_or_scope, *args)
+        strategy = request.env["omniauth.strategy"]
+        provider = strategy.present? ? strategy.name : request.params["provider"]
+        session["omniauth.provider"] = provider
+        super
+      end
+
+      # Skip authorization handler by default
+      def skip_first_login_authorization?
+        ActiveRecord::Type::Boolean.new.cast(ENV.fetch("SKIP_FIRST_LOGIN_AUTHORIZATION", "false"))
+      end
+
+      # def failure
+      # https://github.com/heartcombo/devise/blob/main/app/controllers/devise/omniauth_callbacks_controller.rb#L10
+      # end
+
+      protected
+
+      def after_omniauth_failure_path_for(scope)
+        request.params[stored_location_key_for(scope)] || session[stored_location_key_for(scope)] || request.referer || super
+      end
+
+      private
+
+      def verified_email
+        @verified_email ||= oauth_data.dig(:info, :email) || session.delete("devise.omniauth.verified_email")
+      end
+
+      # rubocop: disable Metrics/CyclomaticComplexity
+      # rubocop: disable Metrics/PerceivedComplexity
       def after_sign_in_path_for(user)
         after_sign_in_action_for(user, request.params[:after_action]) if request.params[:after_action].present?
 
@@ -15,14 +82,14 @@ def after_sign_in_path_for(user)
         elsif user.present? && !user.tos_accepted? && request.params[:after_action].present?
           session["tos_after_action"] = request.params[:after_action]
           super
-        elsif !pending_redirect?(user) && first_login_and_not_authorized?(user)
-          decidim_verifications.authorizations_path
+        elsif !skip_first_login_authorization? && (first_login_and_not_authorized?(user) && !user.admin? && !pending_redirect?(user))
+          decidim_verifications.first_login_authorizations_path
         else
           super
         end
       end
-
-      private
+      # rubocop: enable Metrics/CyclomaticComplexity
+      # rubocop: enable Metrics/PerceivedComplexity
 
       def verified_email
         @verified_email ||= find_verified_email

app/helpers/application_helper.rb

@@ -25,4 +25,8 @@ def sso_provider_button(provider, link_to_path)
       html_element
     end
   end
+
+  def disable_profile_editing_on_omniauth_connection?
+    current_organization.enabled_omniauth_providers.any? && session["omniauth.provider"].present?
+  end
 end

app/overrides/decidim/account/show/disabled_omniauth_synced_email_field.html.erb.deface

@@ -0,0 +1,2 @@
+<!-- replace "erb[loud]:contains('email_field :email')" -->
+      <%= f.email_field :email, disabled: disable_profile_editing_on_omniauth_connection? || current_user.unconfirmed_email.present?, autocomplete: "email" %>

app/overrides/decidim/account/show/disabled_omniauth_synced_name_field.html.erb.deface

@@ -0,0 +1,2 @@
+<!-- replace "erb[loud]:contains('text_field :name')" -->
+      <%= f.text_field :name, disabled: disable_profile_editing_on_omniauth_connection?, autocomplete: "name" %>