Switched GH auth to use app + automatically accept org invite (#25)

BigSpaceships · web-flow · commit af54893ea685 · 2025-10-21T20:48:39.000-04:00
* add redirect uri env support

* github app auth as well as automatically adding people to org

* logging for key error to debug

* remove github from ldap before deleting to fix desync error

* fixed env var name

* linting

* moved when ldap github user role is removed
diff --git a/config.env.py b/config.env.py
@@ -11,6 +11,9 @@
 # OpenID Connect SSO config
 OIDC_ISSUER = os.environ.get('OIDC_ISSUER',
                              'https://sso.csh.rit.edu/auth/realms/csh')
+
+OIDC_REDIRECT_URI = os.environ.get('OIDC_REDIRECT_URI',
+                                   'https://eac.csh.rit.edu/redirect_uri')
 OIDC_CLIENT_CONFIG = {
     'client_id': os.environ.get('OIDC_CLIENT_ID', ''),
     'client_secret': os.environ.get('OIDC_CLIENT_SECRET', ''),
@@ -28,9 +31,10 @@
 SLACK_SECRET = os.environ.get('SLACK_SECRET', '')
 
 # GitHub secrets
-GITHUB_OAUTH_CLIENT_ID = os.environ.get('GITHUB_OAUTH_CLIENT_ID', '')
-GITHUB_OAUTH_CLIENT_SECRET = os.environ.get('GITHUB_OAUTH_CLIENT_SECRET', '')
+GITHUB_REDIRECT_URI = os.environ.get('GITHUB_REDIRECT_URI',
+                                     'https://eac.csh.rit.edu/github/return')
 GITHUB_APP_CLIENT_ID = os.environ.get('GITHUB_APP_CLIENT_ID', '')
+GITHUB_APP_CLIENT_SECRET = os.environ.get('GITHUB_APP_CLIENT_SECRET', '')
 GITHUB_APP_PRIVATE_KEY = os.environ.get('GITHUB_APP_PRIVATE_KEY', '')
 
 # Twitch secrets
diff --git a/eac/__init__.py b/eac/__init__.py
@@ -55,7 +55,9 @@
 
 _GITHUB_AUTH_URI = 'https://github.com/login/oauth/authorize' \
         + '?client_id=%s' \
-        + '&state=%s'
+        + '&state=%s' \
+        + '&redirect_uri=%s'
+
 _GITHUB_TOKEN_URI = 'https://github.com/login/oauth/access_token' \
         + '?client_id=%s' \
         + '&client_secret=%s' \
@@ -151,7 +153,8 @@ def _auth_github() -> werkzeug.Response:
     # Redirect to github for authorisation
     return redirect(
         _GITHUB_AUTH_URI %
-        (APP.config['GITHUB_OAUTH_CLIENT_ID'], APP.config['STATE']))
+        (APP.config['GITHUB_APP_CLIENT_ID'], APP.config['STATE'],
+         urllib.parse.quote(APP.config['GITHUB_REDIRECT_URI'], safe='')))
 
 
 @APP.route('/github/return', methods=['GET'])
@@ -165,8 +168,8 @@ def _github_landing() -> tuple[str, int]:
     # Get token from github
     resp = requests.post(
         _GITHUB_TOKEN_URI %
-        (APP.config['GITHUB_OAUTH_CLIENT_ID'],
-         APP.config['GITHUB_OAUTH_CLIENT_SECRET'], request.args.get('code')),
+        (APP.config['GITHUB_APP_CLIENT_ID'],
+         APP.config['GITHUB_APP_CLIENT_SECRET'], request.args.get('code')),
         headers={'Accept': 'application/json'},
         timeout=APP.config['REQUEST_TIMEOUT'])
     try:
@@ -176,9 +179,14 @@ def _github_landing() -> tuple[str, int]:
         raise e
 
     resp_json = resp.json()
-    token = resp_json['access_token']
+    try:
+        user_token = resp_json['access_token']
+    except KeyError as e:
+        print('error: ', e, resp_json)
+        raise e
+
     header = {
-        'Authorization': 'token ' + token,
+        'Authorization': 'Bearer ' + user_token,
         'Accept': 'application/vnd.github.v3+json'
     }
 
@@ -200,7 +208,7 @@ def _github_landing() -> tuple[str, int]:
     uid = str(session['userinfo'].get('preferred_username', ''))
     member = _LDAP.get_member(uid, uid=True)
 
-    _link_github(github_username, github_id, member)
+    _link_github(github_username, github_id, member, user_token)
     return render_template('callback.html'), 200
 
 
@@ -255,7 +263,8 @@ def _auth_github_org() -> str:
     return org_token
 
 
-def _link_github(github_username: str, github_id: str, member: Any) -> None:
+def _link_github(github_username: str, github_id: str, member: Any,
+                 user_token: str) -> None:
     """
     Puts a member's github into LDAP and adds them to the org.
     :param github_username: the user's github username
@@ -286,6 +295,17 @@ def _link_github(github_username: str, github_id: str, member: Any) -> None:
         print('response:', resp.json())
         raise e
 
+    github_user_headers = {
+        'Accept': 'application/vnd.github.v3+json',
+        'Authorization': f'Token {user_token}',
+    }
+
+    requests.patch(
+        'https://api.github.com/user/memberships/orgs/ComputerScienceHouse',
+        headers=github_user_headers,
+        json={'state': 'active'},
+        timeout=APP.config['REQUEST_TIMEOUT'])
+
     member.github = github_username
 
 
