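defmodule SsoBsnWeb.Router do
  @moduledoc """
  HTTP router for the SSO application.

  Wires up the browser pages and session/login flows, a Tailscale-identity
  auto-login plug (`ts_auth/2`), and the OAuth 2.0 / OpenID Connect endpoints
  (token, introspection, revocation, userinfo, JWKS, discovery).
  """

  use SsoBsnWeb, :router
  use SsoBsnWeb, :verified_routes

  import SsoBsnWeb.UserAuth

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, html: {SsoBsnWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug :fetch_current_user
  end

  pipeline :api do
    plug :accepts, ["json"]
    # Wildcard CORS for the token/userinfo/discovery endpoints. NOTE(review):
    # Corsica does not pair "*" with credentials unless explicitly configured,
    # so cookie-authenticated cross-origin calls (e.g. to /whoami) are presumably
    # not expected here — confirm that is intended.
    plug Corsica, origins: "*"
  end

  scope "/", SsoBsnWeb do
    pipe_through :browser

    get "/", PageController, :home
    get "/redirect", UserSessionController, :redirect_next
  end

  # Other scopes may use custom stacks.
  # scope "/api", SsoBsnWeb do
  #   pipe_through :api
  # end

  # Enable LiveDashboard in development
  if Application.compile_env(:sso_bsn, :dev_routes) do
    # If you want to use the LiveDashboard in production, you should put
    # it behind authentication and allow only admins to access it.
    # If your application does not have an admins-only section yet,
    # you can use Plug.BasicAuth to set up some basic authentication
    # as long as you are also using SSL (which you should anyway).
    import Phoenix.LiveDashboard.Router

    scope "/dev" do
      pipe_through :browser

      live_dashboard "/dashboard", metrics: SsoBsnWeb.Telemetry
    end
  end

  ## Authentication routes

  # Function plug: if the peer address belongs to a Tailscale node, look up
  # the matching local account and redirect straight to the token login URL.
  # Any failure along the way (non-zero `tailscale whois` exit, unparseable
  # output, no matching account) leaves `conn` untouched so the normal login
  # page is served instead of crashing the request.
  #
  # The identity comes entirely from `conn.remote_ip`, so this is only sound
  # when that field is the real tailnet peer address — NOTE(review): confirm
  # no proxy/remote-ip plug rewrites it from client-supplied headers.
  #
  # NOTE(review): the account is keyed on `UserProfile.DisplayName`, which is a
  # human-readable label rather than a stable identifier; verify this is the
  # intended mapping (the profile's login name is the usual stable key).
  #
  # NOTE(review): `next` is forwarded unvalidated; the token login action must
  # restrict it to local paths — confirm in UserSessionController.
  defp ts_auth(conn, _opts) do
    # :inet.ntoa/1 handles both IPv4 and IPv6 tuples; the previous 4-tuple
    # match raised on IPv6 peers.
    peer_ip = conn.remote_ip |> :inet.ntoa() |> to_string()

    with {json, 0} <-
           System.cmd("tailscale", ["whois", "--json", peer_ip], stderr_to_stdout: true),
         {:ok, %{"UserProfile" => %{"DisplayName" => username}}} <- Jason.decode(json),
         user when not is_nil(user) <- SsoBsn.Accounts.get_user_by_username(username) do
      login_token = SsoBsn.Accounts.generate_user_login_token(user)

      conn
      |> redirect(to: login_path(login_token, conn.query_params["next"]))
      |> halt()
    else
      # Not a tailnet peer, whois unavailable, or no local account: fall through.
      _ -> conn
    end
  end

  # Builds the token login URL, carrying the optional `next` query parameter
  # through so the session controller can continue to the requested page.
  defp login_path(login_token, nil), do: ~p"/users/log_in/#{login_token}"
  defp login_path(login_token, next), do: ~p"/users/log_in/#{login_token}?next=#{next}"

  scope "/", SsoBsnWeb do
    pipe_through [:browser, :redirect_if_user_is_authenticated, :ts_auth]

    live_session :redirect_if_user_is_authenticated,
      on_mount: [{SsoBsnWeb.UserAuth, :redirect_if_user_is_authenticated}] do
      live "/users/register", UserRegistrationLive, :new
      live "/users/log_in", UserLoginLive, :new
    end

    get "/users/log_in/:token", UserSessionController, :login
  end

  scope "/", SsoBsnWeb do
    pipe_through [:browser, :require_authenticated_user]

    live_session :require_authenticated_user,
      on_mount: [{SsoBsnWeb.UserAuth, :ensure_authenticated}] do
      live "/users/settings", UserSettingsLive, :edit
    end
  end

  scope "/", SsoBsnWeb do
    pipe_through [:browser]

    delete "/users/log_out", UserSessionController, :delete
  end

  scope "/", SsoBsnWeb do
    pipe_through [:api, :fetch_session, :fetch_current_user]

    get "/whoami", UserSessionController, :check_auth
  end

  # OIDC
  scope "/oauth", SsoBsnWeb.Oauth do
    pipe_through :api

    post "/revoke", RevokeController, :revoke
    post "/token", TokenController, :token
    post "/introspect", IntrospectController, :introspect
  end

  scope "/openid", SsoBsnWeb.Openid do
    pipe_through :api

    get "/userinfo", UserinfoController, :userinfo
    post "/userinfo", UserinfoController, :userinfo
    get "/jwks", JwksController, :jwks_index
  end

  scope "/oauth", SsoBsnWeb.Oauth do
    pipe_through [:browser, :fetch_current_user]

    get "/authorize", AuthorizeController, :authorize
  end

  scope "/openid", SsoBsnWeb.Openid do
    pipe_through [:browser, :fetch_current_user]

    get "/authorize", AuthorizeController, :authorize
  end

  scope "/.well-known", SsoBsnWeb do
    pipe_through :api

    get "/openid-configuration", Openid.ConfigurationController, :config
    get "/webfinger", Webfinger, :webfinger
  end
end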