Merge branch 'mealie-next' into feat/migrate-from-my-recipe-box

2025-12-15 14:55:21 -05:00 · 2024-03-22 20:33:37 +11:00
parent d770009e0d a6d31638e2
commit 2aaef9ae54
9 changed files with 105 additions and 87 deletions
--- a/mealie/core/security/providers/openid_provider.py
+++ b/mealie/core/security/providers/openid_provider.py
@@ -3,13 +3,14 @@ from functools import lru_cache

 import requests
 from authlib.jose import JsonWebKey, JsonWebToken, JWTClaims, KeySet
-from authlib.jose.errors import ExpiredTokenError
+from authlib.jose.errors import ExpiredTokenError, UnsupportedAlgorithmError
 from authlib.oidc.core import CodeIDToken
 from sqlalchemy.orm.session import Session

 from mealie.core import root_logger
 from mealie.core.config import get_app_settings
 from mealie.core.security.providers.auth_provider import AuthProvider
+from mealie.core.settings.settings import AppSettings
 from mealie.db.models.users.users import AuthMethod
 from mealie.repos.all_repositories import get_repositories
 from mealie.schema.user.auth import OIDCRequest
@@ -26,11 +27,11 @@ class OpenIDProvider(AuthProvider[OIDCRequest]):
    async def authenticate(self) -> tuple[str, timedelta] | None:
        """Attempt to authenticate a user given a username and password"""

-        claims = self.get_claims()
+        settings = get_app_settings()
+        claims = self.get_claims(settings)
        if not claims:
            return None

-        settings = get_app_settings()
        repos = get_repositories(self.session)

        user = self.try_get_user(claims.get("email"))
@@ -76,13 +77,20 @@ class OpenIDProvider(AuthProvider[OIDCRequest]):
        self._logger.info("[OIDC] Found user but their AuthMethod does not match OIDC")
        return None

-    def get_claims(self) -> JWTClaims | None:
+    def get_claims(self, settings: AppSettings) -> JWTClaims | None:
        """Get the claims from the ID token and check if the required claims are present"""
        required_claims = {"preferred_username", "name", "email"}
        jwks = OpenIDProvider.get_jwks()
        if not jwks:
            return None
-        claims = JsonWebToken(["RS256"]).decode(s=self.data.id_token, key=jwks, claims_cls=CodeIDToken)
+
+        algorithm = settings.OIDC_SIGNING_ALGORITHM
+        try:
+            claims = JsonWebToken([algorithm]).decode(s=self.data.id_token, key=jwks, claims_cls=CodeIDToken)
+        except UnsupportedAlgorithmError:
+            self._logger.error(
+                f"[OIDC] Unsupported algorithm '{algorithm}'. Unable to decode id token due to mismatched algorithm."
+            )

        try:
            claims.validate()
--- a/mealie/core/settings/settings.py
+++ b/mealie/core/settings/settings.py
@@ -182,6 +182,7 @@ class AppSettings(BaseSettings):
    OIDC_AUTO_REDIRECT: bool = False
    OIDC_PROVIDER_NAME: str = "OAuth"
    OIDC_REMEMBER_ME: bool = False
+    OIDC_SIGNING_ALGORITHM: str = "RS256"

    @property
    def OIDC_READY(self) -> bool:
--- a/mealie/lang/messages/no-NO.json
+++ b/mealie/lang/messages/no-NO.json
@@ -33,12 +33,12 @@
        "generic-deleted": "{name} har blitt slettet"
    },
    "datetime": {
-        "year": "year|years",
-        "day": "day|days",
-        "hour": "hour|hours",
-        "minute": "minute|minutes",
-        "second": "second|seconds",
-        "millisecond": "millisecond|milliseconds",
-        "microsecond": "microsecond|microseconds"
+        "year": "år|år",
+        "day": "dag|dager",
+        "hour": "time|timer",
+        "minute": "minutt|minutter",
+        "second": "sekund|sekunder",
+        "millisecond": "millisekund|millisekunder",
+        "microsecond": "mikrosekund|mikrosekunder"
    }
 }