activeadmin-oidc 1.0.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5aaac0eb113550e4278c0ebd3dcae2898c148d2f439a87da8c119ed9a5129811
-  data.tar.gz: ee952618ae8ad48518d4f6a125b20a5e4ccaf3840233391e98964f11a708f222
+  metadata.gz: 013ffd8d314b6537d497b578633169a575ef8a09930c6363c07a29c6c4f9e05a
+  data.tar.gz: 39650f667cb6a69c427510b2f51eb48e11164040d8904b51bc7af4b072e09dc3
 SHA512:
-  metadata.gz: dbf926e94596cadb0d98a934ccd75dfa82f5ca3f2c97f9db665bfb0e3ef2bada39256620bc9078127e3cd36fc6dbf750dc0cbfc3de3f8d5cfc38ba2f40bb6cee
-  data.tar.gz: 45f36af5f4986bb57a539e93b9efbedd8e27e2402d5848b770891e1cac8e32d9013b57da143b9f30802b440a724e36e7839a4a395b14c46d2a0d150a3cc0646c
+  metadata.gz: 326a81f750548c6078850705cebc07d94577154f88201c4bf7b190207b53600bacbf742b14353d799ff0efcf4dec32b6d49a36d0779ff6f10b78ff0667971a6e
+  data.tar.gz: edc04731d82c7a98be8469a32ff2b119589723fc5df05cc4b6cf5c92e73aa5732dbcbe54765a5d890619f4c8ad98772f955522b8e7b4bcdebc21b2d803507603

data/README.md

@@ -38,14 +38,29 @@ Without these, `/admin` is public to anyone and the utility navigation (includin
 
 ```ruby
 class AdminUser < ApplicationRecord
-  devise :database_authenticatable,
-         :rememberable,
-         :omniauthable, omniauth_providers: [:oidc]
+  devise :omniauthable, omniauth_providers: [:oidc]
 
-  serialize :oidc_raw_info, coder: JSON
+  serialize :oidc_raw_info, coder: JSON # Postgres jsonb: drop this line
 end
 ```
 
+OIDC is the only authentication mechanism — `:database_authenticatable`, `encrypted_password`, and password reset / lockable / confirmable flows are not used. The IdP owns identity, recovery, MFA, and lockout. The engine auto-mounts `GET /admin/login` (SSO landing page) and `DELETE /admin/logout` so ActiveAdmin's login link still resolves without Devise's session routes.
+
+### Engine-mounted Devise
+
+If `devise_for :admin_users` lives inside a Rails engine (not the main app routes), set `Devise.router_name = :<engine_name>` in `config/initializers/devise.rb` and pass the same option to `devise_for`. The gem reads `Devise.available_router_name` and mounts its session routes inside that engine's route set, so `<Engine>.routes.url_helpers.new_<scope>_session_path` resolves correctly.
+
+For **isolated** engines (`isolate_namespace ...`) mounted at a prefix (e.g. `mount AdminPanel::Engine => '/admin'`), the engine prepends its mount path to every internal route. The gem's default `login_path = '/admin/login'` would then become `/admin/admin/login`. Configure engine-relative paths in `config/initializers/activeadmin_oidc.rb`:
+
+```ruby
+ActiveAdmin::Oidc.configure do |c|
+  c.login_path  = '/login'
+  c.logout_path = '/logout'
+end
+```
+
+Non-isolated engines don't need this override.
+
 ### 3. `config/initializers/activeadmin_oidc.rb` (generated)
 
 Fill in at minimum `issuer`, `client_id`, and an `on_login` hook. Full reference below.
@@ -57,6 +72,7 @@ The gem's Rails engine handles several things so host apps don't have to:
 * **OmniAuth strategy registration** — the engine registers the `:openid_connect` strategy with Devise automatically based on your `ActiveAdmin::Oidc` configuration. You do **not** need to add `config.omniauth` or `config.omniauth_path_prefix` to `devise.rb`.
 * **Callback controller** — the engine patches `ActiveAdmin::Devise.controllers` to route OmniAuth callbacks to the gem's controller. No manual `controllers: { omniauth_callbacks: ... }` needed in `routes.rb`.
 * **Login view override** — the engine prepends an SSO-only login page (no email/password fields) to the sessions controller's view path. If your host app ships its own `app/views/active_admin/devise/sessions/new.html.erb`, the gem detects it and backs off — your view wins.
+* **Session routes** — the engine mounts `GET /admin/login` (renders the SSO landing page) and `DELETE /admin/logout` under `devise_scope`, with the scope name derived from `config.admin_user_class`. Devise normally generates session routes as a side effect of `:database_authenticatable`; without that module the route helpers would not exist and ActiveAdmin's login redirect would 404.
 * **Path prefix** — the engine sets `Devise.omniauth_path_prefix` and `OmniAuth.config.path_prefix` to `/admin/auth` so the middleware intercepts requests under ActiveAdmin's mount point. Compatible with Rails 7.2+ and Rails 8's lazy route loading.
 * **Parameter filtering** — `code`, `id_token`, `access_token`, `refresh_token`, `state`, and `nonce` are added to `Rails.application.config.filter_parameters`.
 
@@ -231,7 +247,7 @@ AdminUser.last.oidc_raw_info
 
 ## Custom login view
 
-The gem ships a minimal SSO-only login page (a single button, no email/password fields). If you need a different layout — for instance, a combined SSO + password form for a break-glass mode — drop your own template at:
+The gem ships a minimal SSO-only login page (a single button, no email/password fields). If you need a different layout — for instance, different branding, an explanatory paragraph, or multiple OmniAuth strategies — drop your own template at:
 
 ```
 app/views/active_admin/devise/sessions/new.html.erb
@@ -267,6 +283,38 @@ The gem logs internal diagnostics (on_login exceptions, omniauth failures) via `
 ActiveAdmin::Oidc.logger = MyStructuredLogger.new
 ```
 
+## Testing
+
+`require "activeadmin/oidc/test_helpers"` exposes `ActiveAdmin::Oidc::TestHelpers` with three methods for stubbing OmniAuth in specs:
+
+```ruby
+stub_oidc_sign_in(sub: "alice-sub", claims: { "email" => "alice@example.com", "roles" => ["admin"] })
+stub_oidc_failure(:invalid_credentials)
+reset_oidc_stubs # call in an after hook
+```
+
+Wire them up in `rails_helper.rb`. The `oidc_mode: true` tag scopes the helpers and the cleanup hook to specs that actually need OIDC stubs:
+
+```ruby
+require "activeadmin/oidc/test_helpers"
+
+RSpec.configure do |config|
+  config.include ActiveAdmin::Oidc::TestHelpers, oidc_mode: true
+  config.after(:each, :oidc_mode) { reset_oidc_stubs }
+end
+```
+
+Then in your specs:
+
+```ruby
+RSpec.describe "OIDC sign-in", :oidc_mode do
+  it "signs in" do
+    stub_oidc_sign_in(claims: { "email" => "a@b.example" })
+    # ...
+  end
+end
+```
+
 ## License
 
 MIT — see [`LICENSE.txt`](LICENSE.txt).

data/app/controllers/active_admin/oidc/devise/omniauth_callbacks_controller.rb

@@ -73,6 +73,16 @@ module ActiveAdmin
         def after_sign_in_path_for(resource)
           stored_location_for(resource) || '/admin'
         end
+
+        # Devise's default `after_omniauth_failure_path_for` calls
+        # `new_session_path(scope)`, a URL helper Devise only generates
+        # when :database_authenticatable mounts session routes. The
+        # engine mounts `new_<scope>_session_path` itself (see
+        # `mount_oidc_sessions_routes` initializer) regardless of which
+        # modules are loaded, so we always route through that helper.
+        def after_omniauth_failure_path_for(scope)
+          public_send(:"new_#{scope}_session_path")
+        end
       end
     end
   end

data/app/views/active_admin/devise/sessions/new.html.erb

@@ -1,7 +1,24 @@
-<div id="login">
-  <h2><%= active_admin_application.site_title(self) %></h2>
+<% if ActiveAdmin::Oidc.aa_v4? %>
+  <div class="p-6 sm:p-8 space-y-4 md:space-y-6 w-full sm:max-w-md bg-white sm:rounded-md shadow dark:border dark:bg-gray-800/50 dark:border-gray-800">
+    <h2 class="text-xl font-bold text-gray-900 md:text-2xl dark:text-white flex gap-2 items-center">
+      <%= site_title %> <%= set_page_title t('active_admin.devise.login.title') %>
+    </h2>
 
-  <%= form_tag omniauth_authorize_path(resource_name, :oidc), method: :post, data: { turbo: false } do %>
-    <%= submit_tag ActiveAdmin::Oidc.config.login_button_label %>
-  <% end %>
-</div>
+    <%= button_to ActiveAdmin::Oidc.config.login_button_label,
+                  "/admin/auth/oidc",
+                  method: :post,
+                  class: "activeadmin-oidc-login-button w-full",
+                  form_class: 'formtastic',
+                  data: { turbo: false } %>
+  </div>
+<% else %>
+  <div id="login">
+    <h2><%= active_admin_application.site_title(self) %></h2>
+
+    <%= button_to ActiveAdmin::Oidc.config.login_button_label,
+                  "/admin/auth/oidc",
+                  method: :post,
+                  class: "activeadmin-oidc-login-button",
+                  data: { turbo: false } %>
+  </div>
+<% end %>

data/lib/activeadmin/oidc/configuration.rb

@@ -11,12 +11,15 @@ module ActiveAdmin
       DEFAULT_ADMIN_USER_CLASS    = 'AdminUser'
       DEFAULT_ACCESS_DENIED_MESSAGE =
         'Your account has no permission to access this admin panel.'
+      DEFAULT_LOGIN_PATH  = '/admin/login'
+      DEFAULT_LOGOUT_PATH = '/admin/logout'
 
       attr_accessor :issuer, :client_id, :client_secret, :scope,
                     :redirect_uri,
                     :login_button_label, :timeout,
                     :identity_attribute, :identity_claim,
-                    :access_denied_message, :on_login, :admin_user_class
+                    :access_denied_message, :on_login, :admin_user_class,
+                    :login_path, :logout_path
 
       def initialize
         reset!
@@ -34,6 +37,8 @@ module ActiveAdmin
         @identity_claim        = DEFAULT_IDENTITY_CLAIM
         @access_denied_message = DEFAULT_ACCESS_DENIED_MESSAGE
         @admin_user_class      = DEFAULT_ADMIN_USER_CLASS
+        @login_path            = DEFAULT_LOGIN_PATH
+        @logout_path           = DEFAULT_LOGOUT_PATH
         @on_login              = nil
         @pkce_override         = nil
         self

data/lib/activeadmin/oidc/engine.rb

@@ -11,11 +11,30 @@ module ActiveAdmin
       # Used to gate controller registration and view overrides so the
       # gem is a no-op when OIDC is not enabled on the model.
       def self.oidc_enabled?
-        admin_class = ActiveAdmin::Oidc.config.admin_user_class
-        klass = admin_class.is_a?(String) ? admin_class.safe_constantize : admin_class
+        klass = admin_user_class
         klass.respond_to?(:devise_modules) && klass.devise_modules.include?(:omniauthable)
       end
 
+      def self.admin_user_class
+        admin_class = ActiveAdmin::Oidc.config.admin_user_class
+        admin_class.is_a?(String) ? admin_class.safe_constantize : admin_class
+      end
+
+      # Returns the route set our session routes should be appended to.
+      # Follows `Devise.available_router_name` (set by the host via
+      # `Devise.router_name = :foo`) so that engine-mounted Devise
+      # setups see the helpers on the right engine's url_helpers.
+      def self.session_routes_target(app)
+        router_name = ::Devise.available_router_name
+        return app.routes if router_name.blank? || router_name.to_sym == :main_app
+
+        engine_class = ::Rails::Engine.subclasses.find do |klass|
+          klass.engine_name.to_sym == router_name.to_sym
+        end
+
+        engine_class ? engine_class.routes : app.routes
+      end
+
       ControllersPatch = Module.new do
         def controllers
           result = super
@@ -101,6 +120,48 @@ module ActiveAdmin
       initializer 'activeadmin_oidc.filter_parameters' do |app|
         app.config.filter_parameters |= %i[code id_token access_token refresh_token state nonce]
       end
+
+      # The gem is OIDC-first: mount our SSO landing page at /admin/login
+      # and a warden-based /admin/logout under the existing devise scope.
+      # Without these, hosts that omit :database_authenticatable have no
+      # session routes from Devise at all, so ActiveAdmin's redirect to
+      # `new_admin_user_session_path` 404s. Hosts that DO keep
+      # :database_authenticatable get our SSO landing on GET; Devise's
+      # POST /admin/login (password sign-in) is unaffected because it
+      # lives on the same path with a different verb.
+      #
+      # Mount target follows `Devise.available_router_name`: hosts that
+      # mount Devise inside an engine set `Devise.router_name = :admin_panel`,
+      # which pins Devise URL helpers to `AdminPanel::Engine.routes`. We
+      # mount in the same route set so
+      # `<Engine>.routes.url_helpers.new_admin_user_session_path` resolves.
+      # Defaults to `Rails.application.routes` when unset.
+      initializer 'activeadmin_oidc.mount_oidc_sessions_routes' do |app|
+        # after_initialize fires once at boot. `RouteSet#clear!` deliberately
+        # preserves the append/prepend queues across reloads, so re-running
+        # this hook (as `to_prepare` would in dev) accumulates duplicate
+        # append callbacks and crashes the second draw with
+        # "Invalid route name, already in use: 'new_admin_user_session'".
+        app.config.after_initialize do
+          next unless Engine.oidc_enabled?
+
+          cfg         = ActiveAdmin::Oidc.config
+          login_path  = cfg.login_path
+          logout_path = cfg.logout_path
+          scope_name  = Engine.admin_user_class.model_name.singular.to_sym
+
+          Engine.session_routes_target(app).append do
+            devise_scope scope_name do
+              # Use the controller class directly via `.action(...)` so
+              # isolated engines don't try to resolve the controller as
+              # `<Engine>::ActiveAdmin::Devise::SessionsController` from
+              # the relative string form.
+              get    login_path,  to: ::ActiveAdmin::Devise::SessionsController.action(:new),     as: :"new_#{scope_name}_session"
+              delete logout_path, to: ::ActiveAdmin::Devise::SessionsController.action(:destroy), as: :"destroy_#{scope_name}_session"
+            end
+          end
+        end
+      end
     end
   end
 end

data/lib/activeadmin/oidc/test_helpers.rb

@@ -63,41 +63,5 @@ module ActiveAdmin
         OmniAuth.config.request_validation_phase = @_oidc_saved_request_validation_phase if defined?(@_oidc_saved_request_validation_phase)
       end
     end
-
-    # RSpec support for oidc_mode tag filtering.
-    # Require this file in spec_helper or rails_helper to auto-configure:
-    #
-    #   require "activeadmin/oidc/test_helpers"
-    #
-    # Specs tagged `oidc_mode: true` will be skipped unless the AdminUser
-    # model has :omniauthable loaded. Set CI_RUN_OIDC=true in your CI job
-    # to run only OIDC-tagged specs.
-    module RSpecSupport
-      def self.install!
-        return unless defined?(RSpec)
-
-        RSpec.configure do |config|
-          config.include TestHelpers, oidc_mode: true
-          config.after(:each, :oidc_mode) { reset_oidc_stubs }
-
-          config.before(:each, :oidc_mode) do
-            admin_class = ActiveAdmin::Oidc.config.admin_user_class
-            klass = admin_class.is_a?(String) ? admin_class.safe_constantize : admin_class
-            unless klass.respond_to?(:devise_modules) && klass.devise_modules.include?(:omniauthable)
-              skip 'requires OIDC mode (run with config/oidc.yml in place and CI_RUN_OIDC=true)'
-            end
-          end
-
-          if ENV['CI_RUN_OIDC'].present?
-            config.filter_run_including oidc_mode: true
-          else
-            config.filter_run_excluding oidc_mode: true
-          end
-        end
-      end
-    end
   end
 end
-
-# Auto-install RSpec support when required during a test run.
-ActiveAdmin::Oidc::RSpecSupport.install!

data/lib/activeadmin/oidc/version.rb

@@ -2,6 +2,6 @@
 
 module ActiveAdmin
   module Oidc
-    VERSION = "1.0.0"
+    VERSION = "2.0.0"
   end
 end

data/lib/activeadmin-oidc.rb

@@ -3,6 +3,7 @@
 require "logger"
 require "active_support/core_ext/object/blank"
 require "activeadmin/oidc/version"
+require "active_admin/version"
 
 # `omniauth-rails_csrf_protection` registers a Railtie that replaces
 # OmniAuth 2.x's Rack-level authenticity check with Rails' own forgery
@@ -53,6 +54,15 @@ module ActiveAdmin
         @logger = nil
       end
 
+      # True when the installed ActiveAdmin is the 4.x line (including the
+      # 4.0.0 prereleases). AA 4 ships a Tailwind-based admin layout, so
+      # the login view override must emit Tailwind markup instead of the
+      # legacy `#login` structure AA 3.x expects. Mirrors the version probe
+      # ActiveAdmin plugins use (e.g. activeadmin_table_footer's styles.rb).
+      def aa_v4?
+        ::Gem::Version.new(::ActiveAdmin::VERSION) >= ::Gem::Version.new("4.0.0.beta1")
+      end
+
       private
 
       def default_logger

data/lib/generators/active_admin/oidc/install/install_generator.rb

@@ -2,6 +2,7 @@
 
 require "rails/generators/base"
 require "rails/generators/active_record"
+require "active_admin/version"
 
 module ActiveAdmin
   module Oidc
@@ -74,8 +75,13 @@ module ActiveAdmin
         end
 
         def create_view_override
-          copy_file "sessions_new.html.erb",
-                    "app/views/active_admin/devise/sessions/new.html.erb"
+          if aa_v4?
+            copy_file "sessions_new_v4.html.erb",
+                      "app/views/active_admin/devise/sessions/new.html.erb"
+          else
+            copy_file "sessions_new.html.erb",
+                      "app/views/active_admin/devise/sessions/new.html.erb"
+          end
         end
 
         # Non-blocking: the generator completed successfully, but the
@@ -142,6 +148,15 @@ module ActiveAdmin
           adapter = (ActiveRecord::Base.connection_db_config.adapter rescue "sqlite3").to_s
           adapter.start_with?("postgres") ? ":jsonb" : ":text"
         end
+
+        # True when the installed ActiveAdmin is the 4.x line (including the
+        # 4.0.0 prereleases). AA 4 ships a Tailwind-based admin layout, so
+        # the login view override must emit Tailwind markup instead of the
+        # legacy `#login` structure AA 3.x expects. Mirrors the version probe
+        # ActiveAdmin plugins use (e.g. activeadmin_table_footer's styles.rb).
+        def aa_v4?
+          ::Gem::Version.new(::ActiveAdmin::VERSION) >= ::Gem::Version.new("4.0.0.beta1")
+        end
       end
     end
   end

data/lib/generators/active_admin/oidc/install/templates/sessions_new_v4.html.erb

@@ -0,0 +1,12 @@
+<div class="p-6 sm:p-8 space-y-4 md:space-y-6 w-full sm:max-w-md bg-white sm:rounded-md shadow dark:border dark:bg-gray-800/50 dark:border-gray-800">
+  <h2 class="text-xl font-bold text-gray-900 md:text-2xl dark:text-white flex gap-2 items-center">
+    <%%= site_title %> <%%= set_page_title t('active_admin.devise.login.title') %>
+  </h2>
+
+  <%%= button_to ActiveAdmin::Oidc.config.login_button_label,
+       "/admin/auth/oidc",
+       method: :post,
+       class: "activeadmin-oidc-login-button w-full",
+       form_class: 'formtastic',
+       data: { turbo: false } %>
+</div>

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: activeadmin-oidc
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Igor Fedoronchuk
@@ -18,7 +18,7 @@ dependencies:
         version: '3.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -28,21 +28,21 @@ dependencies:
         version: '3.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '5'
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.9'
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.9'
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
@@ -77,14 +77,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.7'
+        version: '0.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.7'
+        version: '0.6'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -114,75 +114,61 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '6.0'
 - !ruby/object:Gem::Dependency
-  name: webmock
+  name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.19'
+        version: '3.40'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.19'
+        version: '3.40'
 - !ruby/object:Gem::Dependency
-  name: jwt
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '2.7'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '2.7'
-- !ruby/object:Gem::Dependency
-  name: sqlite3
+  name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '3.19'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '3.19'
 - !ruby/object:Gem::Dependency
-  name: sprockets-rails
+  name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '2.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '2.7'
 - !ruby/object:Gem::Dependency
-  name: sassc-rails
+  name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '1.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '1.7'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -262,6 +248,7 @@ files:
 - lib/generators/active_admin/oidc/install/templates/initializer.rb.tt
 - lib/generators/active_admin/oidc/install/templates/migration.rb.tt
 - lib/generators/active_admin/oidc/install/templates/sessions_new.html.erb
+- lib/generators/active_admin/oidc/install/templates/sessions_new_v4.html.erb
 homepage: https://github.com/activeadmin-plugins/activeadmin-oidc
 licenses:
 - MIT