AidansJCR / aidans-jcr

A new website for Aidan's JCR. Powered by Wagtail CMS with custom apps for other features
https://st-aidans.com

Google Auth login for JCR exec/subexec/societies #13

Open OhmGeek opened 7 years ago

OhmGeek commented 7 years ago

Rather than having to create accounts for EACH and every member of college, we can use Google Auth.

Because of the large number of un-grouped accounts, we need to look into adding groups, so that we have one for exec, one for subexec (which already exist within Google Admin), along with sports and separate societies groups. We can then use these to customise their user experience.

TODO:

OhmGeek commented 7 years ago

Best option is the package 'django-social-auth'. Install the package to the project, then configure settings. From the source: https://www.safaribooksonline.com/blog/2012/11/02/google-apps-auth-for-internal-django-sites/

# Django Social Auth Config

AUTHENTICATION_BACKENDS = ( 
    'social_auth.backends.google.GoogleOAuth2Backend',  # putting this 1st means that most users will auth with their Google identity
    'django.contrib.auth.backends.ModelBackend',        # ...but this one means we can still have local admin accounts as a fallback
)

LOGIN_URL          = '/login/google-oauth2/'       
LOGIN_ERROR_URL    = '/login-error/'

SOCIAL_AUTH_RAISE_EXCEPTIONS = False
SOCIAL_AUTH_PROCESS_EXCEPTIONS = 'social_auth.utils.log_exceptions_to_messages'  # ...assuming you like the messages framework

GOOGLE_OAUTH2_CLIENT_ID      = 'yourCLIENTidHERE'  # this is on the credentials web page from above
GOOGLE_OAUTH2_CLIENT_SECRET  = 'YOURsecretHERE'    # this is also on the credentials web page from above
GOOGLE_WHITE_LISTED_DOMAINS = ['st-aidans.com']  # this is what actually limits access

SOCIAL_AUTH_COMPLETE_URL_NAME  = 'socialauth_complete'
SOCIAL_AUTH_ASSOCIATE_URL_NAME = 'socialauth_associate_complete'

OhmGeek commented 7 years ago

With this, we need to write a unit test for several different possibilities:

  1. Random Gmail account that isn't related to st-aidans.com
  2. Exec st-aidans account (check groups)
  3. Subexec group
  4. Sports group
  5. Societies group
  6. St Aidan's non-group assigned account (i.e. one of the standard user accounts from way back).

This will ensure we can keep our login system running, at least for Google.
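
The domain white-list from the settings above and the group-based roles listed in the test cases, modelled as an added example. This is not code from the aidans-jcr project or from the linked blog post: it is a plain-Python stand-in for the post-login step (what django-social-auth would run in its pipeline) so that the six cases can be exercised without a Django test database. The group addresses, the role names, the `decide`/`email_domain` functions and the optional `hd` argument are all assumptions; the real project would look the groups up in Google Admin and attach the matching `django.contrib.auth` Group to the user.

```python
"""Role assignment for Google-authenticated JCR accounts (added example).

Restricts logins to the white-listed Google Apps domain, as the
GOOGLE_WHITE_LISTED_DOMAINS setting does, and maps Google Admin group
membership to a site role. Group addresses and role names are hypothetical.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

WHITE_LISTED_DOMAINS = frozenset({"st-aidans.com"})

# Hypothetical Google Admin group address -> site role.  exec/subexec are the
# groups the issue says already exist; sports/societies are the ones it asks for.
GROUP_ROLES = {
    "exec@st-aidans.com": "exec",
    "subexec@st-aidans.com": "subexec",
    "sports@st-aidans.com": "sports",
    "societies@st-aidans.com": "societies",
}
# When an account sits in several groups the most privileged role wins;
# a white-listed account in no group is an ordinary member.
ROLE_PRIORITY = ("exec", "subexec", "sports", "societies", "member")


class LoginRejected(Exception):
    """Raised for accounts that must not get a session (e.g. a random Gmail)."""


@dataclass(frozen=True)
class AccountDecision:
    email: str
    role: str
    groups: FrozenSet[str]


def email_domain(email: str) -> str:
    """Return the lower-cased domain of an address, or '' if it is malformed.

    Splits on the *last* '@' so that 'st-aidans.com@gmail.com' is treated as a
    gmail.com address, and the caller compares the whole domain rather than a
    suffix, so 'notst-aidans.com' is not mistaken for 'st-aidans.com'.
    """
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def decide(email: str, google_groups: Iterable[str] = (),
           hd: Optional[str] = None) -> AccountDecision:
    """Accept or reject a Google login and pick the role for it.

    `hd` is the hosted-domain claim Google returns for Google Apps accounts;
    when the caller has it, it must agree with the address, so the decision
    never rests on the e-mail string alone.
    """
    domain = email_domain(email)
    if domain not in WHITE_LISTED_DOMAINS:
        raise LoginRejected(f"{email!r}: domain {domain!r} is not white-listed")
    if hd is not None and hd.lower() != domain:
        raise LoginRejected(f"{email!r}: hd claim {hd!r} does not match the address")
    groups = frozenset(g.strip().lower() for g in google_groups)
    roles = {GROUP_ROLES[g] for g in groups if g in GROUP_ROLES}
    role = next(r for r in ROLE_PRIORITY if r in roles or r == "member")
    return AccountDecision(email=email.strip().lower(), role=role, groups=groups)


if __name__ == "__main__":
    # The six cases from the issue, plus two look-alike addresses (constructed).
    for bad in ("someone@gmail.com", "st-aidans.com@gmail.com", "alice@notst-aidans.com"):
        try:
            decide(bad)
        except LoginRejected as exc:
            print("rejected:", exc)
    for groups in ([], ["exec@st-aidans.com"], ["subexec@st-aidans.com"],
                   ["sports@st-aidans.com"], ["societies@st-aidans.com"]):
        print(decide("member@st-aidans.com", groups, hd="st-aidans.com"))
```

Two points the settings fragment above leaves implicit: the white-list must compare the whole domain, not a suffix, or a throwaway `@notst-aidans.com` address gets in; and `GOOGLE_OAUTH2_CLIENT_SECRET` belongs in an environment variable or an untracked local settings file, not in a settings.py that is committed to this repository.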

OhmGeek commented 7 years ago

For now, we will just use Django login for this, but GAuth might be useful as we go on.