Simplify Lokksmith integration
This commit is contained in:
@@ -1,18 +1,14 @@
|
||||
import org.jetbrains.kotlin.gradle.plugin.mpp.KotlinNativeTarget
|
||||
|
||||
plugins {
|
||||
// AGP must apply before recipe.kotlin.multiplatform — the latter calls androidTarget(),
|
||||
// which requires the Android Gradle Plugin to already be on the project.
|
||||
alias(libs.plugins.androidApplication)
|
||||
id("recipe.kotlin.multiplatform")
|
||||
alias(libs.plugins.composeMultiplatform)
|
||||
alias(libs.plugins.composeCompiler)
|
||||
alias(libs.plugins.composeHotReload)
|
||||
alias(libs.plugins.kotlinSerialization)
|
||||
id("recipe.quality")
|
||||
}
|
||||
|
||||
// `group` is referenced by Compose Resources package naming — the
|
||||
// `compose.resources { packageOfResClass }` block below pins the historical package
|
||||
// regardless, but keep `group` set explicitly. Gradle artifact metadata only.
|
||||
group = "dev.ulfrx.recipe"
|
||||
version = "1.0.0"
|
||||
|
||||
@@ -57,8 +53,21 @@ android {
|
||||
}
|
||||
|
||||
kotlin {
|
||||
androidTarget()
|
||||
iosArm64()
|
||||
iosSimulatorArm64()
|
||||
|
||||
listOf(targets.getByName("iosArm64"), targets.getByName("iosSimulatorArm64")).forEach { target ->
|
||||
(target as KotlinNativeTarget).binaries.framework {
|
||||
baseName = "ComposeApp"
|
||||
isStatic = true
|
||||
}
|
||||
}
|
||||
|
||||
sourceSets {
|
||||
commonMain.dependencies {
|
||||
implementation(projects.shared)
|
||||
|
||||
implementation(project.dependencies.platform(libs.koin.bom))
|
||||
implementation(libs.koin.core)
|
||||
implementation(libs.koin.compose)
|
||||
@@ -72,13 +81,7 @@ kotlin {
|
||||
implementation(libs.compose.uiToolingPreview)
|
||||
implementation(libs.androidx.lifecycle.viewmodelCompose)
|
||||
implementation(libs.androidx.lifecycle.runtimeCompose)
|
||||
// `api` so `:shared` types flow through to the exported ObjC
|
||||
// framework headers when the iOS shell needs them.
|
||||
api(projects.shared)
|
||||
|
||||
// Phase 2: Ktor client + serialization + secure settings (D-13, D-16, D-17).
|
||||
// The MPP variant of `ktor-serialization-kotlinx-json` is required here; the
|
||||
// server module keeps the `-jvm` variant via `libs.ktor.serializationKotlinxJson`.
|
||||
implementation(libs.ktor.clientCore)
|
||||
implementation(libs.ktor.clientAuth)
|
||||
implementation(libs.ktor.clientContentNegotiation)
|
||||
@@ -86,42 +89,23 @@ kotlin {
|
||||
implementation(libs.ktor.serializationKotlinxJsonMpp)
|
||||
implementation(libs.kotlinx.serializationJson)
|
||||
implementation(libs.multiplatform.settings)
|
||||
implementation(libs.multiplatform.settings.coroutines)
|
||||
implementation(libs.lokksmith.compose)
|
||||
}
|
||||
commonTest.dependencies {
|
||||
// 02-07: kotlinx.coroutines.test.runTest is the multiplatform-safe
|
||||
// alternative to runBlocking (which is JVM/Native-only and breaks the
|
||||
// wasmJs test target). All commonTest coroutine tests use it.
|
||||
implementation(libs.kotlin.test)
|
||||
implementation(libs.kotlinx.coroutinesTest)
|
||||
}
|
||||
androidMain.dependencies {
|
||||
implementation(libs.compose.uiToolingPreview)
|
||||
implementation(libs.androidx.activity.compose)
|
||||
implementation(libs.koin.android)
|
||||
|
||||
// Phase 2 Android: AndroidX Security Crypto for the SecureAuthStateStore
|
||||
// actual (D-13). EncryptedSharedPreferences is accepted technical debt per
|
||||
// Open Question #1; the Keystore-backed implementation can replace it
|
||||
// without touching AuthSession.
|
||||
implementation(libs.androidx.security.crypto)
|
||||
implementation(libs.lokksmith.core)
|
||||
implementation(libs.ktor.clientOkhttp)
|
||||
}
|
||||
iosMain.dependencies {
|
||||
// Phase 2 iOS: Darwin engine for Ktor. Lokksmith handles the native
|
||||
// Darwin engine for Ktor. Lokksmith handles the native
|
||||
// ASWebAuthenticationSession integration directly from Kotlin.
|
||||
implementation(libs.lokksmith.core)
|
||||
implementation(libs.ktor.clientDarwin)
|
||||
}
|
||||
jvmMain.dependencies {
|
||||
implementation(compose.desktop.currentOs)
|
||||
implementation(libs.kotlinx.coroutinesSwing)
|
||||
|
||||
// Phase 2 Desktop: CIO is the JVM Ktor engine for the dev-mode auth stub
|
||||
// (D-02). The full stub lives in Plan 02-04; this just makes the engine
|
||||
// available so `composeApp:run` still compiles in Phase 2.
|
||||
implementation(libs.ktor.clientCio)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -129,10 +113,6 @@ dependencies {
|
||||
debugImplementation(libs.compose.uiTooling)
|
||||
}
|
||||
|
||||
// `group = "dev.ulfrx.recipe"` shifts the Compose Resources `Res` class package from
|
||||
// `recipe.composeapp.generated.resources` to `dev.ulfrx.recipe.composeapp.generated.resources`,
|
||||
// breaking the Phase 1 `App.kt` import. Lock the historical package so module-naming
|
||||
// changes don't cascade into UI code.
|
||||
compose.resources {
|
||||
packageOfResClass = "recipe.composeapp.generated.resources"
|
||||
}
|
||||
|
||||
@@ -1,9 +1,23 @@
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import android.content.Context
|
||||
import com.russhwolf.settings.Settings
|
||||
import com.russhwolf.settings.SharedPreferencesSettings
|
||||
import dev.lokksmith.Lokksmith
|
||||
import dev.lokksmith.SingletonLokksmithProvider
|
||||
import dev.lokksmith.createLokksmith
|
||||
import org.koin.android.ext.koin.androidContext
|
||||
import org.koin.dsl.module
|
||||
|
||||
val androidAuthModule =
|
||||
module {
|
||||
single { createAndroidLokksmith(androidContext().applicationContext) }
|
||||
single<Lokksmith> {
|
||||
createLokksmith(androidContext().applicationContext).also { lokksmith ->
|
||||
SingletonLokksmithProvider.set(lokksmith)
|
||||
}
|
||||
}
|
||||
single<Settings> {
|
||||
val prefs = androidContext().applicationContext.getSharedPreferences("recipe_auth_state", Context.MODE_PRIVATE)
|
||||
SharedPreferencesSettings(prefs)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,76 +0,0 @@
|
||||
@file:Suppress("EXPECT_ACTUAL_CLASSIFIERS_ARE_IN_BETA_WARNING")
|
||||
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import android.content.Context
|
||||
import android.content.Intent
|
||||
import dev.lokksmith.Lokksmith
|
||||
import dev.lokksmith.SingletonLokksmithProvider
|
||||
import dev.lokksmith.android.LokksmithAuthFlowActivity
|
||||
import dev.lokksmith.createLokksmith
|
||||
import org.koin.core.context.GlobalContext
|
||||
|
||||
actual class OidcClient {
|
||||
private val context: Context
|
||||
get() = GlobalContext.get().get<Context>().applicationContext
|
||||
|
||||
private val lokksmith: Lokksmith
|
||||
get() = GlobalContext.get().get()
|
||||
|
||||
actual suspend fun login(): OidcResult {
|
||||
val client = lokksmith.recipeClient()
|
||||
val flow = client.recipeAuthorizationCodeFlow()
|
||||
val initiation = flow.prepare()
|
||||
|
||||
context.startActivity(
|
||||
LokksmithAuthFlowActivity
|
||||
.createCustomTabsIntent(context = context, initiation = initiation)
|
||||
.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK),
|
||||
)
|
||||
|
||||
return when (val failure = lokksmith.completeAuthFlow(client).toOidcFailureOrNull()) {
|
||||
null -> {
|
||||
runCatching { client.toOidcSuccess() }.getOrElse { error ->
|
||||
OidcResult.AuthError(error.message ?: "OIDC login failed", error)
|
||||
}
|
||||
}
|
||||
|
||||
else -> {
|
||||
failure
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
actual suspend fun refresh(authStateJson: String): OidcResult {
|
||||
if (authStateJson != LOKKSMITH_AUTH_STATE_JSON) {
|
||||
return OidcResult.AuthError("Stored Android auth state is not a Lokksmith session")
|
||||
}
|
||||
val client = lokksmith.recipeClient()
|
||||
return runCatching { client.toOidcSuccess() }
|
||||
.getOrElse { OidcResult.AuthError(it.message ?: "OIDC refresh failed", it) }
|
||||
}
|
||||
|
||||
actual suspend fun logout(authStateJson: String) {
|
||||
val client = lokksmith.recipeClient()
|
||||
val flow = client.recipeEndSessionFlow()
|
||||
|
||||
if (flow != null) {
|
||||
runCatching {
|
||||
val initiation = flow.prepare()
|
||||
context.startActivity(
|
||||
LokksmithAuthFlowActivity
|
||||
.createCustomTabsIntent(context = context, initiation = initiation)
|
||||
.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK),
|
||||
)
|
||||
lokksmith.completeAuthFlow(client)
|
||||
}
|
||||
}
|
||||
|
||||
client.resetTokens()
|
||||
}
|
||||
}
|
||||
|
||||
fun createAndroidLokksmith(context: Context): Lokksmith =
|
||||
createLokksmith(context).also { lokksmith ->
|
||||
SingletonLokksmithProvider.set(lokksmith)
|
||||
}
|
||||
@@ -1,50 +0,0 @@
|
||||
@file:Suppress("DEPRECATION", "EXPECT_ACTUAL_CLASSIFIERS_ARE_IN_BETA_WARNING")
|
||||
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import android.content.Context
|
||||
import androidx.security.crypto.EncryptedSharedPreferences
|
||||
import androidx.security.crypto.MasterKey
|
||||
import org.koin.core.context.GlobalContext
|
||||
|
||||
actual class SecureAuthStateStore {
|
||||
private val preferences by lazy {
|
||||
val appContext = GlobalContext.get().get<Context>().applicationContext
|
||||
val masterKey =
|
||||
MasterKey
|
||||
.Builder(appContext)
|
||||
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
|
||||
.build()
|
||||
|
||||
// AndroidX Security Crypto is deprecated, but AUTH-02 explicitly requires
|
||||
// EncryptedSharedPreferences in v1; this abstraction contains that debt.
|
||||
EncryptedSharedPreferences.create(
|
||||
appContext,
|
||||
FILE_NAME,
|
||||
masterKey,
|
||||
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
|
||||
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM,
|
||||
)
|
||||
}
|
||||
|
||||
actual fun read(): String? = preferences.getString(KEY_AUTH_STATE_JSON, null)
|
||||
|
||||
actual fun write(authStateJson: String) {
|
||||
preferences
|
||||
.edit()
|
||||
.putString(KEY_AUTH_STATE_JSON, authStateJson)
|
||||
.apply()
|
||||
}
|
||||
|
||||
actual fun clear() {
|
||||
preferences
|
||||
.edit()
|
||||
.remove(KEY_AUTH_STATE_JSON)
|
||||
.apply()
|
||||
}
|
||||
|
||||
private companion object {
|
||||
const val FILE_NAME = "recipe_auth_state"
|
||||
const val KEY_AUTH_STATE_JSON = "auth_state_json"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,20 @@
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import dev.lokksmith.client.request.flow.AuthFlow
|
||||
import dev.lokksmith.client.request.flow.AuthFlowResultProvider
|
||||
|
||||
/**
|
||||
* Bridges suspending OIDC orchestration ([OidcClient]) to Lokksmith's
|
||||
* Compose-native launcher.
|
||||
*
|
||||
* Lokksmith owns the platform user-agent step (Custom Tabs / `ASWebAuthenticationSession`)
|
||||
* via `rememberAuthFlowLauncher()`, which exposes its state as Compose `State`. To keep
|
||||
* [AuthSession] / [LoginViewModel] callable as plain `suspend` functions, the screen
|
||||
* wraps the Compose launcher in an [AuthBrowser] (see [ComposeAuthBrowser]) and hands
|
||||
* it to the ViewModel. Result polling happens via `snapshotFlow`.
|
||||
*
|
||||
* Tests can fake this seam without touching Compose or Lokksmith.
|
||||
*/
|
||||
interface AuthBrowser {
|
||||
suspend fun launchAndAwait(initiation: AuthFlow.Initiation): AuthFlowResultProvider.Result
|
||||
}
|
||||
@@ -3,25 +3,20 @@ package dev.ulfrx.recipe.auth
|
||||
import dev.ulfrx.recipe.ui.screens.auth.LoginViewModel
|
||||
import dev.ulfrx.recipe.ui.screens.auth.PostLoginViewModel
|
||||
import io.ktor.client.HttpClient
|
||||
import org.koin.core.module.dsl.viewModel
|
||||
import org.koin.dsl.module
|
||||
import org.koin.plugin.module.dsl.single
|
||||
import org.koin.plugin.module.dsl.viewModel
|
||||
|
||||
val authModule =
|
||||
module {
|
||||
single<SecureAuthStateStore> { SecureAuthStateStore() }
|
||||
single<OidcClient> { OidcClient() }
|
||||
single<MeClient> { MeClient() }
|
||||
single<AuthSession> {
|
||||
AuthSession(
|
||||
oidcClient = get<OidcClient>(),
|
||||
store = get<SecureAuthStateStore>(),
|
||||
meClient = get<MeClient>(),
|
||||
)
|
||||
}
|
||||
single<SecureAuthStateStore>()
|
||||
single<OidcClient>()
|
||||
single<MeClient>()
|
||||
single<AuthSession>()
|
||||
single<HttpClient> { AuthHttpClient.create(get()) }
|
||||
|
||||
// Phase 2 auth-gate ViewModels (02-07). Registered here so the same module that
|
||||
// owns AuthSession also owns its UI consumers; Koin scopes them per Composable.
|
||||
viewModel { LoginViewModel(authSession = get()) }
|
||||
viewModel { PostLoginViewModel(authSession = get()) }
|
||||
viewModel<LoginViewModel>()
|
||||
viewModel<PostLoginViewModel>()
|
||||
}
|
||||
|
||||
@@ -6,11 +6,11 @@ import kotlinx.coroutines.flow.StateFlow
|
||||
import kotlinx.coroutines.flow.asStateFlow
|
||||
|
||||
interface OidcClientGateway {
|
||||
suspend fun login(): OidcResult
|
||||
suspend fun login(browser: AuthBrowser): OidcResult
|
||||
|
||||
suspend fun refresh(authStateJson: String): OidcResult
|
||||
|
||||
suspend fun logout(authStateJson: String)
|
||||
suspend fun logout(authStateJson: String, browser: AuthBrowser)
|
||||
}
|
||||
|
||||
interface AuthStateStore {
|
||||
@@ -45,12 +45,12 @@ class AuthSession(
|
||||
) : this(
|
||||
oidcClient =
|
||||
object : OidcClientGateway {
|
||||
override suspend fun login(): OidcResult = oidcClient.login()
|
||||
override suspend fun login(browser: AuthBrowser): OidcResult = oidcClient.login(browser)
|
||||
|
||||
override suspend fun refresh(authStateJson: String): OidcResult = oidcClient.refresh(authStateJson)
|
||||
|
||||
override suspend fun logout(authStateJson: String) {
|
||||
oidcClient.logout(authStateJson)
|
||||
override suspend fun logout(authStateJson: String, browser: AuthBrowser) {
|
||||
oidcClient.logout(authStateJson, browser)
|
||||
}
|
||||
},
|
||||
store =
|
||||
@@ -92,8 +92,8 @@ class AuthSession(
|
||||
}
|
||||
}
|
||||
|
||||
suspend fun login(): AuthLoginResult =
|
||||
when (val loginResult = oidcClient.login()) {
|
||||
suspend fun login(browser: AuthBrowser): AuthLoginResult =
|
||||
when (val loginResult = oidcClient.login(browser)) {
|
||||
is OidcResult.Success -> {
|
||||
authenticate(loginResult)
|
||||
AuthLoginResult.Success
|
||||
@@ -115,11 +115,11 @@ class AuthSession(
|
||||
}
|
||||
}
|
||||
|
||||
suspend fun logout() {
|
||||
suspend fun logout(browser: AuthBrowser) {
|
||||
val storedJson = store.read()
|
||||
if (!storedJson.isNullOrBlank()) {
|
||||
runCatching {
|
||||
oidcClient.logout(storedJson)
|
||||
oidcClient.logout(storedJson, browser)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,27 @@
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import androidx.compose.runtime.snapshotFlow
|
||||
import dev.lokksmith.client.request.flow.AuthFlow
|
||||
import dev.lokksmith.client.request.flow.AuthFlowResultProvider
|
||||
import dev.lokksmith.compose.AuthFlowLauncher
|
||||
import kotlinx.coroutines.flow.first
|
||||
|
||||
/**
|
||||
* Adapter that converts Lokksmith's Compose-native [AuthFlowLauncher] (state-based)
|
||||
* into a suspending [AuthBrowser] (one-shot await). The screen creates this once via
|
||||
* `remember(launcher)` and passes it to the ViewModel, so call sites stay plain
|
||||
* `suspend`-friendly.
|
||||
*/
|
||||
class ComposeAuthBrowser(
|
||||
private val launcher: AuthFlowLauncher,
|
||||
) : AuthBrowser {
|
||||
override suspend fun launchAndAwait(initiation: AuthFlow.Initiation): AuthFlowResultProvider.Result {
|
||||
launcher.launch(initiation)
|
||||
return snapshotFlow { launcher.result }
|
||||
.first { result ->
|
||||
result is AuthFlowResultProvider.Result.Success ||
|
||||
result is AuthFlowResultProvider.Result.Cancelled ||
|
||||
result is AuthFlowResultProvider.Result.Error
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -2,24 +2,17 @@ package dev.ulfrx.recipe.auth
|
||||
|
||||
import dev.lokksmith.Lokksmith
|
||||
import dev.lokksmith.client.Client
|
||||
import dev.lokksmith.client.InternalClient
|
||||
import dev.lokksmith.client.request.flow.AuthFlow
|
||||
import dev.lokksmith.client.request.flow.AuthFlowResultProvider
|
||||
import dev.lokksmith.client.request.flow.AuthFlowStateResponseHandler
|
||||
import dev.lokksmith.client.request.flow.authorizationCode.AuthorizationCodeFlow
|
||||
import dev.lokksmith.client.request.flow.endSession.EndSessionFlow
|
||||
import dev.lokksmith.client.request.parameter.Scope
|
||||
import dev.lokksmith.discoveryUrl
|
||||
import dev.lokksmith.id
|
||||
import dev.ulfrx.recipe.shared.Constants
|
||||
import kotlinx.coroutines.async
|
||||
import kotlinx.coroutines.coroutineScope
|
||||
import kotlinx.coroutines.flow.distinctUntilChanged
|
||||
import kotlinx.coroutines.flow.first
|
||||
import kotlinx.coroutines.flow.map
|
||||
import kotlinx.coroutines.selects.select
|
||||
|
||||
internal const val LOKKSMITH_CLIENT_KEY = "recipe-app"
|
||||
internal const val LOKKSMITH_AUTH_STATE_JSON = "lokksmith:$LOKKSMITH_CLIENT_KEY"
|
||||
internal const val LOKKSMITH_AUTH_STATE_MARKER = "lokksmith:$LOKKSMITH_CLIENT_KEY"
|
||||
|
||||
internal suspend fun Lokksmith.recipeClient(): Client =
|
||||
getOrCreate(LOKKSMITH_CLIENT_KEY) {
|
||||
@@ -27,7 +20,7 @@ internal suspend fun Lokksmith.recipeClient(): Client =
|
||||
discoveryUrl = Constants.OIDC_ISSUER + ".well-known/openid-configuration"
|
||||
}
|
||||
|
||||
internal fun Client.recipeAuthorizationCodeFlow(): dev.lokksmith.client.request.flow.AuthFlow =
|
||||
internal fun Client.recipeAuthorizationCodeFlow(): AuthFlow =
|
||||
authorizationCodeFlow(
|
||||
AuthorizationCodeFlow.Request(
|
||||
redirectUri = Constants.OIDC_REDIRECT_URI,
|
||||
@@ -35,49 +28,15 @@ internal fun Client.recipeAuthorizationCodeFlow(): dev.lokksmith.client.request.
|
||||
),
|
||||
)
|
||||
|
||||
internal fun Client.recipeEndSessionFlow(): dev.lokksmith.client.request.flow.AuthFlow? =
|
||||
internal fun Client.recipeEndSessionFlow(): AuthFlow? =
|
||||
endSessionFlow(EndSessionFlow.Request(redirectUri = Constants.OIDC_REDIRECT_URI))
|
||||
|
||||
internal suspend fun Client.awaitTerminalAuthFlowResult(): AuthFlowResultProvider.Result =
|
||||
AuthFlowResultProvider
|
||||
.forClient(this)
|
||||
.first { result ->
|
||||
result is AuthFlowResultProvider.Result.Success ||
|
||||
result is AuthFlowResultProvider.Result.Cancelled ||
|
||||
result is AuthFlowResultProvider.Result.Error
|
||||
}
|
||||
|
||||
internal suspend fun Lokksmith.completeAuthFlow(client: Client): AuthFlowResultProvider.Result =
|
||||
coroutineScope {
|
||||
val terminal = async { client.awaitTerminalAuthFlowResult() }
|
||||
val responseUri =
|
||||
async {
|
||||
(client as InternalClient)
|
||||
.snapshots
|
||||
.map { snapshot -> snapshot.ephemeralFlowState?.responseUri }
|
||||
.distinctUntilChanged()
|
||||
.first { responseUri -> responseUri != null }
|
||||
}
|
||||
|
||||
select<AuthFlowResultProvider.Result> {
|
||||
terminal.onAwait { result ->
|
||||
responseUri.cancel()
|
||||
result
|
||||
}
|
||||
responseUri.onAwait { uri ->
|
||||
terminal.cancel()
|
||||
AuthFlowStateResponseHandler(this@completeAuthFlow).onResponse(checkNotNull(uri))
|
||||
client.awaitTerminalAuthFlowResult()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
internal suspend fun Client.toOidcSuccess(): OidcResult.Success {
|
||||
var freshTokens: Client.Tokens? = null
|
||||
runWithTokens { tokens -> freshTokens = tokens }
|
||||
val tokens = checkNotNull(freshTokens) { "Lokksmith returned no tokens" }
|
||||
return OidcResult.Success(
|
||||
authStateJson = LOKKSMITH_AUTH_STATE_JSON,
|
||||
authStateJson = LOKKSMITH_AUTH_STATE_MARKER,
|
||||
accessToken = tokens.accessToken.token,
|
||||
idToken = tokens.idToken.raw,
|
||||
expiresAtEpochMillis = tokens.accessToken.expiresAt?.let { it * 1_000L } ?: 0L,
|
||||
@@ -1,24 +1,52 @@
|
||||
@file:Suppress("EXPECT_ACTUAL_CLASSIFIERS_ARE_IN_BETA_WARNING")
|
||||
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import dev.lokksmith.Lokksmith
|
||||
|
||||
/**
|
||||
* Common seam for Authentik OIDC.
|
||||
* Common Authentik OIDC client built on Lokksmith.
|
||||
*
|
||||
* Native Android/iOS actuals use Lokksmith for browser-based Authorization Code
|
||||
* + PKCE. Login requests must be public PKCE-compatible OIDC requests with
|
||||
* exactly these scopes: `openid profile email offline_access` (D-06).
|
||||
* Lokksmith owns state and nonce verification.
|
||||
* Lokksmith owns PKCE, state, nonce, token storage, refresh, and end-session
|
||||
* (D-06, D-16, D-19, D-20). This class only orchestrates: build the flow request
|
||||
* and hand its [dev.lokksmith.client.request.flow.AuthFlow.Initiation] to the
|
||||
* caller-supplied [AuthBrowser] (Lokksmith's `rememberAuthFlowLauncher` on
|
||||
* mobile; a fake in tests), then map the terminal result.
|
||||
*
|
||||
* Refresh must go through Lokksmith fresh-token handling, then return an opaque
|
||||
* auth-state marker for persistence (D-16). Logout must use RP-initiated
|
||||
* end-session before local state is cleared; callers still clear local state if
|
||||
* remote logout fails so users are never trapped in a stale session (D-19, D-20).
|
||||
* Logout still clears local state if remote end-session fails so users are never
|
||||
* trapped in a stale session.
|
||||
*/
|
||||
expect class OidcClient() {
|
||||
suspend fun login(): OidcResult
|
||||
class OidcClient(
|
||||
private val lokksmith: Lokksmith,
|
||||
) {
|
||||
suspend fun login(browser: AuthBrowser): OidcResult {
|
||||
val client = lokksmith.recipeClient()
|
||||
val flow = client.recipeAuthorizationCodeFlow()
|
||||
|
||||
suspend fun refresh(authStateJson: String): OidcResult
|
||||
return when (val failure = browser.launchAndAwait(flow.prepare()).toOidcFailureOrNull()) {
|
||||
null ->
|
||||
runCatching { client.toOidcSuccess() }
|
||||
.getOrElse { OidcResult.AuthError(it.message ?: "OIDC login failed", it) }
|
||||
|
||||
suspend fun logout(authStateJson: String)
|
||||
else -> failure
|
||||
}
|
||||
}
|
||||
|
||||
suspend fun refresh(authStateJson: String): OidcResult {
|
||||
if (authStateJson != LOKKSMITH_AUTH_STATE_MARKER) {
|
||||
return OidcResult.AuthError("Stored auth state is not a Lokksmith session")
|
||||
}
|
||||
val client = lokksmith.recipeClient()
|
||||
return runCatching { client.toOidcSuccess() }
|
||||
.getOrElse { OidcResult.AuthError(it.message ?: "OIDC refresh failed", it) }
|
||||
}
|
||||
|
||||
suspend fun logout(authStateJson: String, browser: AuthBrowser) {
|
||||
val client = lokksmith.recipeClient()
|
||||
val flow = client.recipeEndSessionFlow()
|
||||
|
||||
if (flow != null) {
|
||||
runCatching { browser.launchAndAwait(flow.prepare()) }
|
||||
}
|
||||
|
||||
client.resetTokens()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,19 +1,34 @@
|
||||
@file:Suppress("EXPECT_ACTUAL_CLASSIFIERS_ARE_IN_BETA_WARNING")
|
||||
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import com.russhwolf.settings.Settings
|
||||
|
||||
/**
|
||||
* Persists the opaque platform auth state marker for the current app install.
|
||||
* Persists the opaque auth-state marker that signals "this install has logged in".
|
||||
*
|
||||
* Mobile actuals must use explicit secure platform storage for token material
|
||||
* (D-13): iOS Keychain and Android encrypted/Keystore-backed storage. Do not use
|
||||
* no-arg or default insecure settings implementations for auth state. The stored
|
||||
* value is global to the install and must be deleted on logout (D-15).
|
||||
* The actual OIDC tokens (access, refresh, id) live in Lokksmith's own platform
|
||||
* storage (Keychain on iOS, encrypted store on Android). This class only persists
|
||||
* the literal marker constant ([LOKKSMITH_AUTH_STATE_MARKER]) so [AuthSession]
|
||||
* can decide whether to attempt a silent refresh on cold start. Because the value
|
||||
* is non-secret, plain key/value storage is sufficient.
|
||||
*
|
||||
* Platform [Settings] are wired in the platform Koin module:
|
||||
* - Android: [com.russhwolf.settings.SharedPreferencesSettings]
|
||||
* - iOS: [com.russhwolf.settings.KeychainSettings]
|
||||
*/
|
||||
expect class SecureAuthStateStore() {
|
||||
fun read(): String?
|
||||
class SecureAuthStateStore(
|
||||
private val settings: Settings,
|
||||
) {
|
||||
fun read(): String? = settings.getStringOrNull(KEY)
|
||||
|
||||
fun write(authStateJson: String)
|
||||
fun write(authStateJson: String) {
|
||||
settings.putString(KEY, authStateJson)
|
||||
}
|
||||
|
||||
fun clear()
|
||||
fun clear() {
|
||||
settings.remove(KEY)
|
||||
}
|
||||
|
||||
private companion object {
|
||||
const val KEY = "auth_state_marker"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -17,7 +17,10 @@ import androidx.compose.material3.Surface
|
||||
import androidx.compose.material3.Text
|
||||
import androidx.compose.runtime.Composable
|
||||
import androidx.compose.runtime.getValue
|
||||
import androidx.compose.runtime.remember
|
||||
import androidx.compose.ui.Alignment
|
||||
import dev.lokksmith.compose.rememberAuthFlowLauncher
|
||||
import dev.ulfrx.recipe.auth.ComposeAuthBrowser
|
||||
import androidx.compose.ui.Modifier
|
||||
import androidx.compose.ui.text.style.TextAlign
|
||||
import androidx.compose.ui.unit.dp
|
||||
@@ -35,6 +38,8 @@ import recipe.composeapp.generated.resources.auth_sign_in_button
|
||||
@Composable
|
||||
fun LoginScreen(viewModel: LoginViewModel) {
|
||||
val state by viewModel.state.collectAsStateWithLifecycle()
|
||||
val launcher = rememberAuthFlowLauncher()
|
||||
val browser = remember(launcher) { ComposeAuthBrowser(launcher) }
|
||||
|
||||
Surface(
|
||||
modifier = Modifier.fillMaxSize(),
|
||||
@@ -55,7 +60,7 @@ fun LoginScreen(viewModel: LoginViewModel) {
|
||||
)
|
||||
Spacer(Modifier.height(24.dp))
|
||||
Button(
|
||||
onClick = { viewModel.onSignInClick() },
|
||||
onClick = { viewModel.onSignInClick(browser) },
|
||||
enabled = !state.isLoading,
|
||||
) {
|
||||
if (state.isLoading) {
|
||||
|
||||
@@ -2,6 +2,7 @@ package dev.ulfrx.recipe.ui.screens.auth
|
||||
|
||||
import androidx.lifecycle.ViewModel
|
||||
import androidx.lifecycle.viewModelScope
|
||||
import dev.ulfrx.recipe.auth.AuthBrowser
|
||||
import dev.ulfrx.recipe.auth.AuthLoginResult
|
||||
import dev.ulfrx.recipe.auth.AuthSession
|
||||
import kotlinx.coroutines.Job
|
||||
@@ -26,9 +27,9 @@ data class LoginScreenState(
|
||||
)
|
||||
|
||||
/**
|
||||
* Wraps [AuthSession] to drive the LoginScreen. Method-per-action: [onSignInClick] is the
|
||||
* single entry point. Cancellation/network/unknown failures map to user-facing string
|
||||
* resources per `02-UI-SPEC.md` § Copywriting Contract.
|
||||
* Wraps [AuthSession] to drive the LoginScreen. The screen owns the
|
||||
* Lokksmith [AuthBrowser] (via `rememberAuthFlowLauncher` + [dev.ulfrx.recipe.auth.ComposeAuthBrowser])
|
||||
* and hands it in on click — the ViewModel never touches Compose or Lokksmith directly.
|
||||
*
|
||||
* Returns the launched [Job] from [onSignInClick] so tests can deterministically await
|
||||
* completion without dragging a TestDispatcher into commonTest.
|
||||
@@ -39,12 +40,12 @@ class LoginViewModel(
|
||||
private val _state = MutableStateFlow(LoginScreenState())
|
||||
val state: StateFlow<LoginScreenState> = _state.asStateFlow()
|
||||
|
||||
fun onSignInClick(): Job {
|
||||
fun onSignInClick(browser: AuthBrowser): Job {
|
||||
// Clear any previous inline error and enter the loading state before suspending —
|
||||
// contract from UI-SPEC: tapping the button again clears stale error text.
|
||||
_state.value = LoginScreenState(isLoading = true, errorKey = null)
|
||||
return viewModelScope.launch {
|
||||
val result = authSession.login()
|
||||
val result = authSession.login(browser)
|
||||
_state.value =
|
||||
LoginScreenState(
|
||||
isLoading = false,
|
||||
|
||||
@@ -12,7 +12,10 @@ import androidx.compose.material3.OutlinedButton
|
||||
import androidx.compose.material3.Surface
|
||||
import androidx.compose.material3.Text
|
||||
import androidx.compose.runtime.Composable
|
||||
import androidx.compose.runtime.remember
|
||||
import androidx.compose.ui.Alignment
|
||||
import dev.lokksmith.compose.rememberAuthFlowLauncher
|
||||
import dev.ulfrx.recipe.auth.ComposeAuthBrowser
|
||||
import androidx.compose.ui.Modifier
|
||||
import androidx.compose.ui.text.style.TextAlign
|
||||
import androidx.compose.ui.unit.dp
|
||||
@@ -30,6 +33,8 @@ fun PostLoginPlaceholderScreen(
|
||||
user: User,
|
||||
viewModel: PostLoginViewModel,
|
||||
) {
|
||||
val launcher = rememberAuthFlowLauncher()
|
||||
val browser = remember(launcher) { ComposeAuthBrowser(launcher) }
|
||||
Surface(
|
||||
modifier = Modifier.fillMaxSize(),
|
||||
color = MaterialTheme.colorScheme.surface,
|
||||
@@ -49,7 +54,7 @@ fun PostLoginPlaceholderScreen(
|
||||
textAlign = TextAlign.Center,
|
||||
)
|
||||
Spacer(Modifier.height(24.dp))
|
||||
OutlinedButton(onClick = { viewModel.onSignOutClick() }) {
|
||||
OutlinedButton(onClick = { viewModel.onSignOutClick(browser) }) {
|
||||
Text(text = stringResource(Res.string.auth_sign_out_button))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2,20 +2,22 @@ package dev.ulfrx.recipe.ui.screens.auth
|
||||
|
||||
import androidx.lifecycle.ViewModel
|
||||
import androidx.lifecycle.viewModelScope
|
||||
import dev.ulfrx.recipe.auth.AuthBrowser
|
||||
import dev.ulfrx.recipe.auth.AuthSession
|
||||
import kotlinx.coroutines.launch
|
||||
|
||||
/**
|
||||
* Trivial in Phase 2 — exists so Phase 3's `HouseholdGate` follows the same VM pattern.
|
||||
* Logout is silent (CONTEXT D-19): no confirmation modal; tap immediately initiates
|
||||
* RP-initiated end-session via [AuthSession.logout].
|
||||
* RP-initiated end-session via [AuthSession.logout]. The screen supplies the
|
||||
* Lokksmith-backed [AuthBrowser].
|
||||
*/
|
||||
class PostLoginViewModel(
|
||||
private val authSession: AuthSession,
|
||||
) : ViewModel() {
|
||||
fun onSignOutClick() {
|
||||
fun onSignOutClick(browser: AuthBrowser) {
|
||||
viewModelScope.launch {
|
||||
authSession.logout()
|
||||
authSession.logout(browser)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -14,6 +14,7 @@ import androidx.compose.material3.Text
|
||||
import androidx.compose.runtime.Composable
|
||||
import androidx.compose.ui.Alignment
|
||||
import androidx.compose.ui.Modifier
|
||||
import androidx.compose.ui.tooling.preview.Preview
|
||||
import androidx.compose.ui.unit.dp
|
||||
import org.jetbrains.compose.resources.stringResource
|
||||
import recipe.composeapp.generated.resources.Res
|
||||
@@ -25,6 +26,7 @@ import recipe.composeapp.generated.resources.auth_app_name
|
||||
* color flash.
|
||||
*/
|
||||
@Composable
|
||||
@Preview
|
||||
fun SplashScreen() {
|
||||
Surface(
|
||||
modifier = Modifier.fillMaxSize(),
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import dev.lokksmith.client.request.flow.AuthFlow
|
||||
import dev.lokksmith.client.request.flow.AuthFlowResultProvider
|
||||
import dev.ulfrx.recipe.shared.dto.User
|
||||
import kotlinx.coroutines.test.runTest
|
||||
import kotlin.test.Test
|
||||
@@ -38,7 +40,7 @@ class AuthSessionTest {
|
||||
val meClient = FakeMeClient(user = USER)
|
||||
val session = newSession(store = store, oidcClient = oidcClient, meClient = meClient)
|
||||
|
||||
val result = session.login()
|
||||
val result = session.login(NoopBrowser)
|
||||
|
||||
assertEquals(AuthLoginResult.Success, result)
|
||||
assertEquals(AUTH_STATE_JSON, store.value)
|
||||
@@ -119,7 +121,7 @@ class AuthSessionTest {
|
||||
val oidcClient = FakeOidcClient()
|
||||
val session = newSession(store = store, oidcClient = oidcClient)
|
||||
|
||||
session.logout()
|
||||
session.logout(NoopBrowser)
|
||||
|
||||
assertEquals(listOf(AUTH_STATE_JSON), oidcClient.logoutCalls)
|
||||
assertNull(store.value)
|
||||
@@ -134,7 +136,7 @@ class AuthSessionTest {
|
||||
val oidcClient = FakeOidcClient(logoutThrows = true)
|
||||
val session = newSession(store = store, oidcClient = oidcClient)
|
||||
|
||||
session.logout()
|
||||
session.logout(NoopBrowser)
|
||||
|
||||
assertEquals(listOf(AUTH_STATE_JSON), oidcClient.logoutCalls)
|
||||
assertNull(store.value)
|
||||
@@ -152,7 +154,7 @@ class AuthSessionTest {
|
||||
oidcClient = FakeOidcClient(loginResult = OidcResult.Cancelled),
|
||||
)
|
||||
|
||||
val result = session.login()
|
||||
val result = session.login(NoopBrowser)
|
||||
|
||||
assertEquals(AuthLoginResult.Cancelled, result)
|
||||
assertNull(store.value)
|
||||
@@ -171,6 +173,11 @@ class AuthSessionTest {
|
||||
meClient = meClient,
|
||||
)
|
||||
|
||||
private object NoopBrowser : AuthBrowser {
|
||||
override suspend fun launchAndAwait(initiation: AuthFlow.Initiation): AuthFlowResultProvider.Result =
|
||||
AuthFlowResultProvider.Result.Undefined
|
||||
}
|
||||
|
||||
private class FakeAuthStateStore(
|
||||
var value: String? = null,
|
||||
) : AuthStateStore {
|
||||
@@ -194,7 +201,7 @@ class AuthSessionTest {
|
||||
val refreshCalls = mutableListOf<String>()
|
||||
val logoutCalls = mutableListOf<String>()
|
||||
|
||||
override suspend fun login(): OidcResult {
|
||||
override suspend fun login(browser: AuthBrowser): OidcResult {
|
||||
loginCalls += Unit
|
||||
return loginResult
|
||||
}
|
||||
@@ -204,7 +211,7 @@ class AuthSessionTest {
|
||||
return refreshResult
|
||||
}
|
||||
|
||||
override suspend fun logout(authStateJson: String) {
|
||||
override suspend fun logout(authStateJson: String, browser: AuthBrowser) {
|
||||
logoutCalls += authStateJson
|
||||
if (logoutThrows) {
|
||||
error("end-session failed")
|
||||
|
||||
@@ -1,13 +1,49 @@
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import com.russhwolf.settings.Settings
|
||||
import kotlin.test.Test
|
||||
import kotlin.test.assertEquals
|
||||
import kotlin.test.assertNull
|
||||
|
||||
private class InMemorySettings : Settings {
|
||||
private val map = mutableMapOf<String, Any>()
|
||||
|
||||
override val keys: Set<String> get() = map.keys
|
||||
override val size: Int get() = map.size
|
||||
|
||||
override fun clear() = map.clear()
|
||||
override fun remove(key: String) { map.remove(key) }
|
||||
override fun hasKey(key: String): Boolean = map.containsKey(key)
|
||||
|
||||
override fun putInt(key: String, value: Int) { map[key] = value }
|
||||
override fun getInt(key: String, defaultValue: Int): Int = (map[key] as? Int) ?: defaultValue
|
||||
override fun getIntOrNull(key: String): Int? = map[key] as? Int
|
||||
|
||||
override fun putLong(key: String, value: Long) { map[key] = value }
|
||||
override fun getLong(key: String, defaultValue: Long): Long = (map[key] as? Long) ?: defaultValue
|
||||
override fun getLongOrNull(key: String): Long? = map[key] as? Long
|
||||
|
||||
override fun putString(key: String, value: String) { map[key] = value }
|
||||
override fun getString(key: String, defaultValue: String): String = (map[key] as? String) ?: defaultValue
|
||||
override fun getStringOrNull(key: String): String? = map[key] as? String
|
||||
|
||||
override fun putFloat(key: String, value: Float) { map[key] = value }
|
||||
override fun getFloat(key: String, defaultValue: Float): Float = (map[key] as? Float) ?: defaultValue
|
||||
override fun getFloatOrNull(key: String): Float? = map[key] as? Float
|
||||
|
||||
override fun putDouble(key: String, value: Double) { map[key] = value }
|
||||
override fun getDouble(key: String, defaultValue: Double): Double = (map[key] as? Double) ?: defaultValue
|
||||
override fun getDoubleOrNull(key: String): Double? = map[key] as? Double
|
||||
|
||||
override fun putBoolean(key: String, value: Boolean) { map[key] = value }
|
||||
override fun getBoolean(key: String, defaultValue: Boolean): Boolean = (map[key] as? Boolean) ?: defaultValue
|
||||
override fun getBooleanOrNull(key: String): Boolean? = map[key] as? Boolean
|
||||
}
|
||||
|
||||
class SecureAuthStateStoreContractTest {
|
||||
@Test
|
||||
fun writeOverwritesPreviousValueAndReadReturnsLatest() {
|
||||
val store = SecureAuthStateStore()
|
||||
val store = SecureAuthStateStore(InMemorySettings())
|
||||
|
||||
store.write("""{"refresh_token":"first"}""")
|
||||
store.write("""{"refresh_token":"second"}""")
|
||||
@@ -17,7 +53,7 @@ class SecureAuthStateStoreContractTest {
|
||||
|
||||
@Test
|
||||
fun clearRemovesStoredValue() {
|
||||
val store = SecureAuthStateStore()
|
||||
val store = SecureAuthStateStore(InMemorySettings())
|
||||
|
||||
store.write("""{"refresh_token":"stored"}""")
|
||||
store.clear()
|
||||
|
||||
@@ -1,5 +1,8 @@
|
||||
package dev.ulfrx.recipe.ui.screens.auth
|
||||
|
||||
import dev.lokksmith.client.request.flow.AuthFlow
|
||||
import dev.lokksmith.client.request.flow.AuthFlowResultProvider
|
||||
import dev.ulfrx.recipe.auth.AuthBrowser
|
||||
import dev.ulfrx.recipe.auth.AuthSession
|
||||
import dev.ulfrx.recipe.auth.AuthStateStore
|
||||
import dev.ulfrx.recipe.auth.MeGateway
|
||||
@@ -24,7 +27,7 @@ class LoginViewModelTest {
|
||||
val session = newSession(loginResult = OidcResult.Cancelled)
|
||||
val viewModel = LoginViewModel(session)
|
||||
|
||||
viewModel.onSignInClick().join()
|
||||
viewModel.onSignInClick(NoopBrowser).join()
|
||||
|
||||
assertEquals(Res.string.auth_error_cancelled, viewModel.state.value.errorKey)
|
||||
assertEquals(false, viewModel.state.value.isLoading)
|
||||
@@ -36,7 +39,7 @@ class LoginViewModelTest {
|
||||
val session = newSession(loginResult = OidcResult.NetworkError)
|
||||
val viewModel = LoginViewModel(session)
|
||||
|
||||
viewModel.onSignInClick().join()
|
||||
viewModel.onSignInClick(NoopBrowser).join()
|
||||
|
||||
assertEquals(Res.string.auth_error_network, viewModel.state.value.errorKey)
|
||||
assertEquals(false, viewModel.state.value.isLoading)
|
||||
@@ -48,7 +51,7 @@ class LoginViewModelTest {
|
||||
val session = newSession(loginResult = OidcResult.AuthError("token endpoint failed"))
|
||||
val viewModel = LoginViewModel(session)
|
||||
|
||||
viewModel.onSignInClick().join()
|
||||
viewModel.onSignInClick(NoopBrowser).join()
|
||||
|
||||
assertEquals(Res.string.auth_error_unknown, viewModel.state.value.errorKey)
|
||||
assertEquals(false, viewModel.state.value.isLoading)
|
||||
@@ -69,7 +72,7 @@ class LoginViewModelTest {
|
||||
)
|
||||
val viewModel = LoginViewModel(session)
|
||||
|
||||
viewModel.onSignInClick().join()
|
||||
viewModel.onSignInClick(NoopBrowser).join()
|
||||
|
||||
assertNull(viewModel.state.value.errorKey)
|
||||
assertEquals(false, viewModel.state.value.isLoading)
|
||||
@@ -85,23 +88,24 @@ class LoginViewModelTest {
|
||||
val queue = mutableListOf<OidcResult>(OidcResult.Cancelled)
|
||||
val oidc =
|
||||
object : OidcClientGateway {
|
||||
override suspend fun login(): OidcResult = if (queue.isNotEmpty()) queue.removeAt(0) else gate.await()
|
||||
override suspend fun login(browser: AuthBrowser): OidcResult =
|
||||
if (queue.isNotEmpty()) queue.removeAt(0) else gate.await()
|
||||
|
||||
override suspend fun refresh(authStateJson: String): OidcResult = OidcResult.AuthError("not used")
|
||||
|
||||
override suspend fun logout(authStateJson: String) {}
|
||||
override suspend fun logout(authStateJson: String, browser: AuthBrowser) {}
|
||||
}
|
||||
val session = AuthSession(oidc, FakeAuthStateStore(), FakeMeClient(USER))
|
||||
val viewModel = LoginViewModel(session)
|
||||
|
||||
// First attempt: error seeded.
|
||||
viewModel.onSignInClick().join()
|
||||
viewModel.onSignInClick(NoopBrowser).join()
|
||||
assertEquals(Res.string.auth_error_cancelled, viewModel.state.value.errorKey)
|
||||
|
||||
// Second attempt: launching the job sets loading=true + clears error
|
||||
// BEFORE suspending. onSignInClick() does that synchronously before
|
||||
// returning the launched Job, so we can assert immediately.
|
||||
val job = viewModel.onSignInClick()
|
||||
val job = viewModel.onSignInClick(NoopBrowser)
|
||||
assertTrue(viewModel.state.value.isLoading)
|
||||
assertNull(viewModel.state.value.errorKey)
|
||||
|
||||
@@ -124,6 +128,11 @@ class LoginViewModelTest {
|
||||
meClient = meClient,
|
||||
)
|
||||
|
||||
private object NoopBrowser : AuthBrowser {
|
||||
override suspend fun launchAndAwait(initiation: AuthFlow.Initiation): AuthFlowResultProvider.Result =
|
||||
AuthFlowResultProvider.Result.Undefined
|
||||
}
|
||||
|
||||
private class FakeAuthStateStore(
|
||||
var value: String? = null,
|
||||
) : AuthStateStore {
|
||||
@@ -142,11 +151,11 @@ class LoginViewModelTest {
|
||||
private val loginResult: OidcResult = OidcResult.AuthError("login not configured"),
|
||||
private val refreshResult: OidcResult = OidcResult.AuthError("refresh not configured"),
|
||||
) : OidcClientGateway {
|
||||
override suspend fun login(): OidcResult = loginResult
|
||||
override suspend fun login(browser: AuthBrowser): OidcResult = loginResult
|
||||
|
||||
override suspend fun refresh(authStateJson: String): OidcResult = refreshResult
|
||||
|
||||
override suspend fun logout(authStateJson: String) {}
|
||||
override suspend fun logout(authStateJson: String, browser: AuthBrowser) {}
|
||||
}
|
||||
|
||||
private class FakeMeClient(
|
||||
|
||||
@@ -1,8 +1,30 @@
|
||||
@file:OptIn(
|
||||
com.russhwolf.settings.ExperimentalSettingsApi::class,
|
||||
com.russhwolf.settings.ExperimentalSettingsImplementation::class,
|
||||
kotlinx.cinterop.ExperimentalForeignApi::class,
|
||||
)
|
||||
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import com.russhwolf.settings.KeychainSettings
|
||||
import com.russhwolf.settings.Settings
|
||||
import dev.lokksmith.Lokksmith
|
||||
import dev.lokksmith.SingletonLokksmithProvider
|
||||
import dev.lokksmith.createLokksmith
|
||||
import org.koin.dsl.module
|
||||
import platform.Security.kSecAttrAccessible
|
||||
import platform.Security.kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
|
||||
|
||||
val iosAuthModule =
|
||||
module {
|
||||
single { createIosLokksmith() }
|
||||
single<Lokksmith> {
|
||||
createLokksmith().also { lokksmith ->
|
||||
SingletonLokksmithProvider.set(lokksmith)
|
||||
}
|
||||
}
|
||||
single<Settings> {
|
||||
KeychainSettings(
|
||||
kSecAttrAccessible to kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,98 +0,0 @@
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import dev.lokksmith.Lokksmith
|
||||
import dev.lokksmith.client.Client
|
||||
import dev.lokksmith.client.InternalClient
|
||||
import dev.lokksmith.client.request.flow.AuthFlowResultProvider
|
||||
import dev.lokksmith.client.request.flow.AuthFlowStateResponseHandler
|
||||
import dev.lokksmith.client.request.flow.authorizationCode.AuthorizationCodeFlow
|
||||
import dev.lokksmith.client.request.flow.endSession.EndSessionFlow
|
||||
import dev.lokksmith.client.request.parameter.Scope
|
||||
import dev.lokksmith.discoveryUrl
|
||||
import dev.lokksmith.id
|
||||
import dev.ulfrx.recipe.shared.Constants
|
||||
import kotlinx.coroutines.async
|
||||
import kotlinx.coroutines.coroutineScope
|
||||
import kotlinx.coroutines.flow.distinctUntilChanged
|
||||
import kotlinx.coroutines.flow.first
|
||||
import kotlinx.coroutines.flow.map
|
||||
import kotlinx.coroutines.selects.select
|
||||
|
||||
internal const val LOKKSMITH_CLIENT_KEY = "recipe-app"
|
||||
internal const val LOKKSMITH_AUTH_STATE_JSON = "lokksmith:$LOKKSMITH_CLIENT_KEY"
|
||||
|
||||
internal suspend fun Lokksmith.recipeClient(): Client =
|
||||
getOrCreate(LOKKSMITH_CLIENT_KEY) {
|
||||
id = Constants.OIDC_CLIENT_ID
|
||||
discoveryUrl = Constants.OIDC_ISSUER + ".well-known/openid-configuration"
|
||||
}
|
||||
|
||||
internal fun Client.recipeAuthorizationCodeFlow(): dev.lokksmith.client.request.flow.AuthFlow =
|
||||
authorizationCodeFlow(
|
||||
AuthorizationCodeFlow.Request(
|
||||
redirectUri = Constants.OIDC_REDIRECT_URI,
|
||||
scope = setOf(Scope.Profile, Scope.Email, Scope.Custom("offline_access")),
|
||||
),
|
||||
)
|
||||
|
||||
internal fun Client.recipeEndSessionFlow(): dev.lokksmith.client.request.flow.AuthFlow? =
|
||||
endSessionFlow(EndSessionFlow.Request(redirectUri = Constants.OIDC_REDIRECT_URI))
|
||||
|
||||
internal suspend fun Client.awaitTerminalAuthFlowResult(): AuthFlowResultProvider.Result =
|
||||
AuthFlowResultProvider
|
||||
.forClient(this)
|
||||
.first { result ->
|
||||
result is AuthFlowResultProvider.Result.Success ||
|
||||
result is AuthFlowResultProvider.Result.Cancelled ||
|
||||
result is AuthFlowResultProvider.Result.Error
|
||||
}
|
||||
|
||||
internal suspend fun Lokksmith.completeAuthFlow(client: Client): AuthFlowResultProvider.Result =
|
||||
coroutineScope {
|
||||
val terminal = async { client.awaitTerminalAuthFlowResult() }
|
||||
val responseUri =
|
||||
async {
|
||||
(client as InternalClient)
|
||||
.snapshots
|
||||
.map { snapshot -> snapshot.ephemeralFlowState?.responseUri }
|
||||
.distinctUntilChanged()
|
||||
.first { responseUri -> responseUri != null }
|
||||
}
|
||||
|
||||
select<AuthFlowResultProvider.Result> {
|
||||
terminal.onAwait { result ->
|
||||
responseUri.cancel()
|
||||
result
|
||||
}
|
||||
responseUri.onAwait { uri ->
|
||||
terminal.cancel()
|
||||
AuthFlowStateResponseHandler(this@completeAuthFlow).onResponse(checkNotNull(uri))
|
||||
client.awaitTerminalAuthFlowResult()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
internal suspend fun Client.toOidcSuccess(): OidcResult.Success {
|
||||
var freshTokens: Client.Tokens? = null
|
||||
runWithTokens { tokens -> freshTokens = tokens }
|
||||
val tokens = checkNotNull(freshTokens) { "Lokksmith returned no tokens" }
|
||||
return OidcResult.Success(
|
||||
authStateJson = LOKKSMITH_AUTH_STATE_JSON,
|
||||
accessToken = tokens.accessToken.token,
|
||||
idToken = tokens.idToken.raw,
|
||||
expiresAtEpochMillis = tokens.accessToken.expiresAt?.let { it * 1_000L } ?: 0L,
|
||||
)
|
||||
}
|
||||
|
||||
internal fun AuthFlowResultProvider.Result.toOidcFailureOrNull(): OidcResult? =
|
||||
when (this) {
|
||||
is AuthFlowResultProvider.Result.Success -> null
|
||||
|
||||
is AuthFlowResultProvider.Result.Cancelled -> OidcResult.Cancelled
|
||||
|
||||
is AuthFlowResultProvider.Result.Error -> OidcResult.AuthError(message ?: "OIDC flow failed")
|
||||
|
||||
AuthFlowResultProvider.Result.Undefined,
|
||||
is AuthFlowResultProvider.Result.Processing,
|
||||
-> OidcResult.AuthError("OIDC flow did not complete")
|
||||
}
|
||||
@@ -1,55 +0,0 @@
|
||||
@file:Suppress("EXPECT_ACTUAL_CLASSIFIERS_ARE_IN_BETA_WARNING")
|
||||
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import dev.lokksmith.Lokksmith
|
||||
import dev.lokksmith.SingletonLokksmithProvider
|
||||
import dev.lokksmith.createLokksmith
|
||||
import dev.lokksmith.ios.launchAuthFlow
|
||||
import org.koin.mp.KoinPlatform
|
||||
|
||||
actual class OidcClient {
|
||||
private val lokksmith: Lokksmith
|
||||
get() = KoinPlatform.getKoin().get()
|
||||
|
||||
actual suspend fun login(): OidcResult {
|
||||
val client = lokksmith.recipeClient()
|
||||
val flow = client.recipeAuthorizationCodeFlow()
|
||||
val initiation = flow.prepare()
|
||||
|
||||
lokksmith.launchAuthFlow(initiation)
|
||||
|
||||
return when (val failure = lokksmith.completeAuthFlow(client).toOidcFailureOrNull()) {
|
||||
null -> runCatching { client.toOidcSuccess() }.getOrElse { OidcResult.AuthError(it.message ?: "OIDC login failed", it) }
|
||||
else -> failure
|
||||
}
|
||||
}
|
||||
|
||||
actual suspend fun refresh(authStateJson: String): OidcResult {
|
||||
if (authStateJson != LOKKSMITH_AUTH_STATE_JSON) {
|
||||
return OidcResult.AuthError("Stored iOS auth state is not a Lokksmith session")
|
||||
}
|
||||
val client = lokksmith.recipeClient()
|
||||
return runCatching { client.toOidcSuccess() }
|
||||
.getOrElse { OidcResult.AuthError(it.message ?: "OIDC refresh failed", it) }
|
||||
}
|
||||
|
||||
actual suspend fun logout(authStateJson: String) {
|
||||
val client = lokksmith.recipeClient()
|
||||
val flow = client.recipeEndSessionFlow()
|
||||
|
||||
if (flow != null) {
|
||||
runCatching {
|
||||
lokksmith.launchAuthFlow(flow.prepare())
|
||||
lokksmith.completeAuthFlow(client)
|
||||
}
|
||||
}
|
||||
|
||||
client.resetTokens()
|
||||
}
|
||||
}
|
||||
|
||||
fun createIosLokksmith(): Lokksmith =
|
||||
createLokksmith().also { lokksmith ->
|
||||
SingletonLokksmithProvider.set(lokksmith)
|
||||
}
|
||||
@@ -1,32 +0,0 @@
|
||||
@file:Suppress("EXPECT_ACTUAL_CLASSIFIERS_ARE_IN_BETA_WARNING")
|
||||
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
import com.russhwolf.settings.ExperimentalSettingsApi
|
||||
import com.russhwolf.settings.ExperimentalSettingsImplementation
|
||||
import com.russhwolf.settings.KeychainSettings
|
||||
import kotlinx.cinterop.ExperimentalForeignApi
|
||||
import platform.Security.kSecAttrAccessible
|
||||
import platform.Security.kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
|
||||
|
||||
@OptIn(ExperimentalSettingsApi::class, ExperimentalSettingsImplementation::class, ExperimentalForeignApi::class)
|
||||
actual class SecureAuthStateStore {
|
||||
private val settings =
|
||||
KeychainSettings(
|
||||
kSecAttrAccessible to kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
|
||||
)
|
||||
|
||||
actual fun read(): String? = settings.getStringOrNull(AUTH_STATE_KEY)
|
||||
|
||||
actual fun write(authStateJson: String) {
|
||||
settings.putString(AUTH_STATE_KEY, authStateJson)
|
||||
}
|
||||
|
||||
actual fun clear() {
|
||||
settings.remove(AUTH_STATE_KEY)
|
||||
}
|
||||
|
||||
private companion object {
|
||||
const val AUTH_STATE_KEY = "dev.ulfrx.recipe.auth.lokksmith-state"
|
||||
}
|
||||
}
|
||||
@@ -1,38 +0,0 @@
|
||||
@file:Suppress("EXPECT_ACTUAL_CLASSIFIERS_ARE_IN_BETA_WARNING")
|
||||
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
actual class OidcClient {
|
||||
actual suspend fun login(): OidcResult {
|
||||
val token =
|
||||
System.getenv(DEV_AUTH_TOKEN)
|
||||
?: return OidcResult.AuthError("DEV_AUTH_TOKEN is not set")
|
||||
|
||||
return OidcResult.Success(
|
||||
authStateJson = "dev:$token",
|
||||
accessToken = token,
|
||||
idToken = null,
|
||||
expiresAtEpochMillis = Long.MAX_VALUE,
|
||||
)
|
||||
}
|
||||
|
||||
actual suspend fun refresh(authStateJson: String): OidcResult {
|
||||
val token =
|
||||
authStateJson.removePrefix("dev:").takeIf { it.isNotBlank() }
|
||||
?: System.getenv(DEV_AUTH_TOKEN)
|
||||
?: return OidcResult.AuthError("DEV_AUTH_TOKEN is not set")
|
||||
|
||||
return OidcResult.Success(
|
||||
authStateJson = "dev:$token",
|
||||
accessToken = token,
|
||||
idToken = null,
|
||||
expiresAtEpochMillis = Long.MAX_VALUE,
|
||||
)
|
||||
}
|
||||
|
||||
actual suspend fun logout(authStateJson: String) = Unit
|
||||
|
||||
private companion object {
|
||||
const val DEV_AUTH_TOKEN = "DEV_AUTH_TOKEN"
|
||||
}
|
||||
}
|
||||
@@ -1,17 +0,0 @@
|
||||
@file:Suppress("EXPECT_ACTUAL_CLASSIFIERS_ARE_IN_BETA_WARNING")
|
||||
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
actual class SecureAuthStateStore {
|
||||
private var authStateJson: String? = null
|
||||
|
||||
actual fun read(): String? = authStateJson
|
||||
|
||||
actual fun write(authStateJson: String) {
|
||||
this.authStateJson = authStateJson
|
||||
}
|
||||
|
||||
actual fun clear() {
|
||||
authStateJson = null
|
||||
}
|
||||
}
|
||||
@@ -1,19 +0,0 @@
|
||||
package dev.ulfrx.recipe
|
||||
|
||||
import androidx.compose.ui.window.Window
|
||||
import androidx.compose.ui.window.application
|
||||
import dev.ulfrx.recipe.di.initKoin
|
||||
import dev.ulfrx.recipe.logging.configureLogging
|
||||
|
||||
fun main() {
|
||||
configureLogging()
|
||||
initKoin()
|
||||
application {
|
||||
Window(
|
||||
onCloseRequest = ::exitApplication,
|
||||
title = "recipe",
|
||||
) {
|
||||
App()
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
@file:Suppress("EXPECT_ACTUAL_CLASSIFIERS_ARE_IN_BETA_WARNING")
|
||||
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
actual class OidcClient {
|
||||
actual suspend fun login(): OidcResult = throw NotImplementedError("Wasm OIDC: v2")
|
||||
|
||||
actual suspend fun refresh(authStateJson: String): OidcResult = throw NotImplementedError("Wasm OIDC: v2")
|
||||
|
||||
actual suspend fun logout(authStateJson: String): Unit = throw NotImplementedError("Wasm OIDC: v2")
|
||||
}
|
||||
@@ -1,17 +0,0 @@
|
||||
@file:Suppress("EXPECT_ACTUAL_CLASSIFIERS_ARE_IN_BETA_WARNING")
|
||||
|
||||
package dev.ulfrx.recipe.auth
|
||||
|
||||
actual class SecureAuthStateStore {
|
||||
private var authStateJson: String? = null
|
||||
|
||||
actual fun read(): String? = authStateJson
|
||||
|
||||
actual fun write(authStateJson: String) {
|
||||
this.authStateJson = authStateJson
|
||||
}
|
||||
|
||||
actual fun clear() {
|
||||
authStateJson = null
|
||||
}
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
package dev.ulfrx.recipe
|
||||
|
||||
import androidx.compose.ui.ExperimentalComposeUiApi
|
||||
import androidx.compose.ui.window.ComposeViewport
|
||||
import dev.ulfrx.recipe.di.initKoin
|
||||
import dev.ulfrx.recipe.logging.configureLogging
|
||||
|
||||
@OptIn(ExperimentalComposeUiApi::class)
|
||||
fun main() {
|
||||
configureLogging()
|
||||
initKoin()
|
||||
ComposeViewport {
|
||||
App()
|
||||
}
|
||||
}
|
||||
@@ -1,20 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||
<title>recipe</title>
|
||||
<link type="text/css" rel="stylesheet" href="styles.css">
|
||||
</head>
|
||||
<body style="text-align: center; align-content: center">
|
||||
<svg xmlns="http://www.w3.org/2000/svg" width="40" height="40" viewBox="0 0 50 50" role="presentation">
|
||||
<circle cx="25" cy="25" r="20" stroke="#ccc" stroke-width="4" fill="none"/>
|
||||
<circle cx="25" cy="25" r="20" stroke="#333" stroke-width="4" fill="none" stroke-linecap="round"
|
||||
stroke-dasharray="90 125">
|
||||
<animateTransform attributeName="transform" type="rotate" from="0 25 25" to="360 25 25" dur="1s"
|
||||
repeatCount="indefinite"/>
|
||||
</circle>
|
||||
</svg>
|
||||
<script type="application/javascript" src="composeApp.js"></script>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,7 +0,0 @@
|
||||
html, body {
|
||||
width: 100%;
|
||||
height: 100%;
|
||||
margin: 0;
|
||||
padding: 0;
|
||||
overflow: hidden;
|
||||
}
|
||||
Reference in New Issue
Block a user