add working sso + working Caddy + 2 scripts for hosts

2025-05-13 21:21:07 +02:00
parent 248b608aba
commit cd4678c883
5 changed files with 64 additions and 30 deletions
--- a/web/app.py
+++ b/web/app.py
@@ -1,3 +1,4 @@
+import os
 from flask import Flask, redirect, url_for, session, render_template
 from flask_sqlalchemy import SQLAlchemy
 from authlib.integrations.flask_client import OAuth
@@ -5,7 +6,7 @@ from authlib.integrations.flask_client import OAuth
 app = Flask(__name__)
 app.config['SQLALCHEMY_DATABASE_URI'] = 'mysql+pymysql://flaskuser:flaskpass@mariadb/flaskdb'
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
-app.secret_key = 'ninolabat'
+app.secret_key = os.environ.get("SECRET_KEY", "dev-key")

 db = SQLAlchemy(app)

@@ -15,8 +16,8 @@ oauth = OAuth(app)
 keycloak = oauth.register(
    name='keycloak',
    client_id='flask-app',
-    client_secret='jp4T3FnlpzHyc4Ch4zNoO8cAakXzHi50',
-    server_metadata_url='http://keycloak:8080/realms/GestHub/.well-known/openid-configuration',
+    client_secret='6R70kt1x9KjYpccZCMnPvJAGiJFzRHjE',
+    server_metadata_url='http://keycloak.localhost/realms/gesthub/.well-known/openid-configuration',
    client_kwargs={
        'scope': 'openid profile email',
    }
@@ -31,12 +32,15 @@ def index():

@app.route('/login')
 def login():
+    nonce = uuid.uuid4().hex
+    session['nonce'] = nonce
    redirect_uri = url_for('auth', _external=True)
    return keycloak.authorize_redirect(redirect_uri)

@app.route('/auth')
 def auth():
    token = keycloak.authorize_access_token()
+    nonce = session.pop('nonce', None)
    userinfo = keycloak.parse_id_token(token)
    session['user'] = userinfo
    return redirect('/')