Build with filtered source

Further nixos module fixes
Add tailwind and esbuild to assets build
Handle domain on session cookies correctly

.gitignore

@@ -43,3 +43,4 @@ npm-debug.log
 /.nix-mix
 /.nix-hex
 /.elixir_ls
+/result

config/runtime.exs

@@ -46,7 +46,7 @@ if config_env() == :prod do
 
   host = System.get_env("SSO_BSN_HOST") || raise "SSO_BSN_HOST must be set to the external host of the service"
 
-  config :wax_, origin: "https://#{host}/"
+  config :wax_, origin: "https://#{host}"
   config :boruta, Boruta.Oauth, issuer: "https://#{host}/"
 
   config :sso_bsn, :dns_cluster_query, System.get_env("DNS_CLUSTER_QUERY")

default.nix

@@ -4,18 +4,31 @@
   mixRelease,
   fetchMixDeps,
   elixir,
+  tailwindcss,
+  esbuild
 }:
 mixRelease rec {
   pname = "sso_bsn";
   version = "0.0.1";
 
   inherit elixir;
-  src = self;
+  src = builtins.path {
+    path = ./.;
+    name = "${pname}-source";
+    filter = (path: _type: baseNameOf path != "flake.nix" && baseNameOf path != "flake.lock");
+  };
   mixFodDeps = fetchMixDeps {
     pname = "mix-deps-${pname}";
     inherit version src;
     sha256 = "sha256-p74p7Dpi1xzddD+dygKF5cSLDATNKRXziKPNQgIhRPc=";
   };
+  postBuild = ''
+    ln -sfv ${tailwindcss}/bin/tailwindcss _build/tailwind-linux-x64
+    ln -sfv ${esbuild}/bin/esbuild _build/esbuild-linux-x64
+
+    mix assets.deploy
+    mix phx.digest
+  '';
 
   ELIXIR_MAKE_CACHE_DIR = "/tmp/.elixir-make-cache";
   meta.mainProgram = "sso_bsn";

flake.nix

@@ -47,11 +47,13 @@
         };
         options.services.nginx.virtualHosts = lib.mkOption {
           type = lib.types.attrsOf (lib.types.submodule ({ config, ...}: {
-            options.locations = lib.types.attrsOf (lib.types.submodule {
-              extraConfig = lib.mkIf config.sso.enable ''
-                proxy_set_header X-Auth-Username $auth_resp_username
-              '';
-            })
+            options.locations = lib.mkOption {
+              type = lib.types.attrsOf (lib.types.submodule {
+                extraConfig = lib.mkIf config.sso.enable ''
+                  proxy_set_header X-Auth-Username $auth_resp_username
+                '';
+              });
+            };
             options.sso.enable = lib.mkEnableOption "SSO BSN";
             config.extraConfig = lib.mkIf config.sso.enable ''
               auth_request /__auth_sso_validate;
@@ -72,14 +74,20 @@
               error_page 401 = @error401;
 
               location @error401 {
-                return 302 url=https://${cfg.host}/user/log_in?next=$http_host$request_uri;
+                return 302 https://${cfg.host}/users/log_in?next=$scheme://$http_host$request_uri;
               }
             '';
           }));
         };
         config.environment.systemPackages = lib.mkIf cfg.enable [ script ];
-        users.users.nginx.extraGroups = ["sso-bsn"];
-        users.groups.sso-bsn = {};
+        config.users = lib.mkIf cfg.enable {
+          groups.sso-bsn = {};
+          users.nginx.extraGroups = ["sso-bsn"];
+          users.sso-bsn = {
+            group = "sso-bsn";
+            isSystemUser = true;
+          };
+        };
         config.systemd.services.sso-bsn = lib.mkIf cfg.enable {
           description = "sso-bsn";
           environment = {
@@ -95,12 +103,17 @@
           '';
           wantedBy = [ "multi-user.target" ];
           serviceConfig = {
-            DynamicUser = true;
             ProtectHome = true;
             PrivateUsers = true;
             StateDirectory = "sso-bsn";
             RuntimeDirectory = "sso-bsn";
             UMask = "007";
+            User = "sso-bsn";
+            Group = "sso-bsn";
+            PrivateTmp = true;
+            RemoveIPC = true;
+            NoNewPrivileges = true;
+            RestrictSUIDSGID = true;
           };
         };
         config.services.nginx.virtualHosts = lib.mkIf cfg.enable {

lib/sso_bsn/accounts/user_token.ex

@@ -41,7 +41,7 @@ defmodule SsoBsn.Accounts.UserToken do
   end
 
   def build_login_token(user) do
-    token = Base.encode64(:crypto.strong_rand_bytes(@rand_size))
+    token = Base.url_encode64(:crypto.strong_rand_bytes(@rand_size))
     {token, %UserToken{token: token, context: "login", user_id: user.id}}
   end
 

lib/sso_bsn_web/endpoint.ex

@@ -8,11 +8,23 @@ defmodule SsoBsnWeb.Endpoint do
     store: :cookie,
     key: "_sso_bsn_key",
     signing_salt: "2YoB6zeO",
-    same_site: "Lax",
-    # domain: Application.get_env(:sso_bsn, :session_domain)
+    same_site: "Lax"
   ]
 
-  socket "/live", Phoenix.LiveView.Socket, websocket: [connect_info: [session: @session_options]]
+  def domain(), do: Application.get_env(:sso_bsn, :session_domain)
+  def session_options(opts),
+    do: Keyword.put(opts, :domain, domain())
+
+  defmodule RuntimeDomainSession do
+    def init(opts), do: Plug.Session.init(opts)
+
+    def call(conn, opts) do
+      Plug.Session.call(conn, opts |> Map.update(:cookie_opts, [], &(Keyword.put(&1, :domain, SsoBsnWeb.Endpoint.domain()))))
+    end
+  end
+
+  socket "/live", Phoenix.LiveView.Socket,
+    websocket: [connect_info: [session: {__MODULE__, :session_options, [@session_options]}]]
 
   # Serve at "/" the static files from "priv/static" directory.
   #
@@ -21,7 +33,7 @@ defmodule SsoBsnWeb.Endpoint do
   plug Plug.Static,
     at: "/",
     from: :sso_bsn,
-    gzip: false,
+    gzip: true,
     only: SsoBsnWeb.static_paths()
 
   # Code reloading can be explicitly enabled under the
@@ -47,6 +59,6 @@ defmodule SsoBsnWeb.Endpoint do
 
   plug Plug.MethodOverride
   plug Plug.Head
-  plug Plug.Session, @session_options
+  plug RuntimeDomainSession, @session_options
   plug SsoBsnWeb.Router
 end

lib/sso_bsn_web/live/user_registration_live.ex

@@ -88,8 +88,7 @@ defmodule SsoBsnWeb.UserRegistrationLive do
         {:noreply, socket |> redirect(to: ~p"/users/log_in/#{login_token}")}
 
       {:error, error} ->
-        dbg(error)
-        {:noreply, socket |> put_flash(:error, "An error occured")}
+        {:noreply, socket |> put_flash(:error, "An error occured: #{inspect(error)}")}
     end
   end