(core) Adding GristConnect login system

Summary: New login system to allow simple SSO flow that is based on Discourse description that is available at: https://meta.discourse.org/t/discourseconnect-official-single-sign-on-for-discourse-sso/13045 Test Plan: New core test. Reviewers: paulfitz Reviewed By: paulfitz Differential Revision: https://phab.getgrist.com/D3418
2026-03-02 04:09:24 +00:00 · 2022-05-18 12:25:14 +02:00
parent cf23a2d1ee
commit 0ab9e4a6a0
16 changed files with 245 additions and 31 deletions
--- a/app/server/lib/FlexServer.ts
+++ b/app/server/lib/FlexServer.ts
@@ -89,6 +89,8 @@ export interface FlexServerOptions {
  pluginUrl?: string;
 }

+const noop: express.RequestHandler = (req, res, next) => next();
+
 export class FlexServer implements GristServer {
  public readonly create = create;
  public tagChecker: TagChecker;
@@ -508,17 +510,14 @@ export class FlexServer implements GristServer {
                                                                            this._getSignUpRedirectUrl);
      this._redirectToOrgMiddleware = tbind(this._redirectToOrg, this);
    } else {
-      const noop: express.RequestHandler = (req, res, next) => next();
      this._userIdMiddleware = noop;
      this._trustOriginsMiddleware = noop;
-      this._docPermissionsMiddleware = (req, res, next) => {
-        // For standalone single-user Grist, documents are stored on-disk
-        // with their filename equal to the document title, no document
-        // aliases are possible, and there is no access control.
-        // The _docPermissionsMiddleware is a no-op.
-        // TODO We might no longer have any tests for isSingleUserMode, or modes of operation.
-        next();
-      };
+      // For standalone single-user Grist, documents are stored on-disk
+      // with their filename equal to the document title, no document
+      // aliases are possible, and there is no access control.
+      // The _docPermissionsMiddleware is a no-op.
+      // TODO We might no longer have any tests for isSingleUserMode, or modes of operation.
+      this._docPermissionsMiddleware = noop;
      this._redirectToLoginWithExceptionsMiddleware = noop;
      this._redirectToLoginWithoutExceptionsMiddleware = noop;
      this._redirectToLoginUnconditionally = null;  // there is no way to log in.
@@ -722,6 +721,9 @@ export class FlexServer implements GristServer {
      baseDomain: this._defaultBaseDomain,
    });

+    const forcedLoginMiddleware = process.env.GRIST_FORCE_LOGIN === 'true' ?
+      this._redirectToLoginWithoutExceptionsMiddleware : noop;
+
    const welcomeNewUser: express.RequestHandler = isSingleUserMode() ?
      (req, res, next) => next() :
      expressWrap(async (req, res, next) => {
@@ -781,6 +783,7 @@ export class FlexServer implements GristServer {
      middleware: [
        this._redirectToHostMiddleware,
        this._userIdMiddleware,
+        forcedLoginMiddleware,
        this._redirectToLoginWithExceptionsMiddleware,
        this._redirectToOrgMiddleware,
        welcomeNewUser
@@ -789,6 +792,7 @@ export class FlexServer implements GristServer {
        // Same as middleware, except without login redirect middleware.
        this._redirectToHostMiddleware,
        this._userIdMiddleware,
+        forcedLoginMiddleware,
        this._redirectToOrgMiddleware,
        welcomeNewUser
      ],