Add Google and Angeleno Account SSO login (hackforla#1502)

Enable OIDC sign-in for City staff (Google) and external users (Angeleno Account), with demo mode for local development and DB support for external identity mapping.

Author: jasonzhang1231

client/src/components/Authorization/Login.jsx

@@ -1,4 +1,4 @@
-import React, { useState, useRef, useContext } from "react";
+import React, { useEffect, useState, useRef, useContext } from "react";
 import UserContext from "../../contexts/UserContext";
 import { Link, useParams, useNavigate, useLocation } from "react-router-dom";
 import { createUseStyles, useTheme } from "react-jss";
@@ -19,6 +19,25 @@ const useStyles = createUseStyles(theme => ({
     justifyContent: "flex-end",
     margin: "16px auto"
   },
+  ssoButtonContainer: {
+    display: "flex",
+    flexDirection: "column",
+    gap: "12px",
+    justifyContent: "center",
+    margin: "16px auto"
+  },
+  divider: {
+    alignItems: "center",
+    display: "flex",
+    gap: "12px",
+    margin: "24px 0",
+    "&::before, &::after": {
+      background: "#d8d8d8",
+      content: "''",
+      flex: 1,
+      height: "1px"
+    }
+  },
   warning: {
     color: "red",
     textAlign: "center",
@@ -45,6 +64,35 @@ const Login = () => {
     password: ""
   };
 
+  const getPostLoginPath = () => {
+    if (projectId) return `/calculation/5/${projectId}`;
+    if (redirectUrl) return `/${redirectUrl}`;
+    return "/calculation/1/0";
+  };
+
+  useEffect(() => {
+    const completeSsoLogin = async () => {
+      if (
+        searchParams.get("angeleno") !== "success" &&
+        searchParams.get("google") !== "success"
+      ) {
+        return;
+      }
+
+      const sessionResponse = await accountService.getSession();
+      if (sessionResponse?.isSuccess) {
+        userContext.updateAccount(sessionResponse.user);
+        navigate(searchParams.get("next") || getPostLoginPath());
+      } else {
+        setErrorMsg(
+          "SSO sign-in succeeded, but the TDM session could not be loaded."
+        );
+      }
+    };
+
+    completeSsoLogin();
+  }, []);
+
   const loginSchema = Yup.object().shape({
     email: Yup.string()
       .email("Invalid email address format")
@@ -107,6 +155,14 @@ const Login = () => {
     }
   };
 
+  const handleAngelenoLogin = () => {
+    accountService.startAngelenoLogin(getPostLoginPath());
+  };
+
+  const handleGoogleLogin = () => {
+    accountService.startGoogleLogin(getPostLoginPath());
+  };
+
   return (
     <ContentContainer>
       <div style={theme.typography.heading1}>
@@ -117,6 +173,25 @@ const Login = () => {
       </div>
       <br />
       <div className="auth-form">
+        <div className={classes.ssoButtonContainer}>
+          <Button
+            id="cy-login-google"
+            type="button"
+            variant="primary"
+            onClick={handleGoogleLogin}
+          >
+            Sign in with Google SSO (City staff)
+          </Button>
+          <Button
+            id="cy-login-angeleno"
+            type="button"
+            variant="primary"
+            onClick={handleAngelenoLogin}
+          >
+            Sign in with Angeleno Account (external users)
+          </Button>
+        </div>
+        <div className={classes.divider}>or sign in with TDM credentials</div>
         <Formik
           initialValues={initialValues}
           validationSchema={loginSchema}

client/src/services/account.service.js

@@ -64,6 +64,29 @@ export const login = async (email, password) => {
   }
 };
 
+export const getSession = async () => {
+  try {
+    const response = await axios.get(baseUrl + "/session");
+    return response.data;
+  } catch (err) {
+    console.error(err);
+  }
+};
+
+export const startAngelenoLogin = redirectPath => {
+  const redirect = redirectPath || "/calculation/1/0";
+  window.location.assign(
+    `${baseUrl}/angeleno/login?redirect=${encodeURIComponent(redirect)}`
+  );
+};
+
+export const startGoogleLogin = redirectPath => {
+  const redirect = redirectPath || "/calculation/1/0";
+  window.location.assign(
+    `${baseUrl}/google/login?redirect=${encodeURIComponent(redirect)}`
+  );
+};
+
 export const logout = async () => {
   const response = await axios.get(`${baseUrl}/logout`);
   return response;

server/.env.example

@@ -1,7 +1,7 @@
-# Instructions: Create a .env file in the server directory. Copy and paste values from Google Docs.
+# Instructions: Copy to server/.env and fill in secrets from your team vault or Google Docs.
 
 # Node server settings
-PORT=
+PORT=5001
 NODE_OPTIONS=
 
 JWT_SECRET_KEY=
@@ -11,12 +11,15 @@ SENDGRID_API_KEY=
 EMAIL_PUBLIC_COMMENT_LA_CITY=
 EMAIL_PUBLIC_COMMENT_WEB_TEAM=
 
-# These env settings are specific to running the web api server and app on localhost.
-CLIENT_URL=
-SERVER_URL=
+#########################################
+## Local development (default)         ##
+#########################################
+
+CLIENT_URL=http://localhost:3001
+SERVER_URL=http://localhost:5001
 
-# User Test Accounts for Shared AWS Development Environment
-#(Used by ThunderClient for API Endpoint testing)
+# User Test Accounts for Shared Dev Environment
+# (Used by ThunderClient for API endpoint testing)
 USERTEST_EMAIL=
 USERTEST_PASSWORD=
 ROLESTEST_EMAIL=
@@ -30,36 +33,80 @@ SQL_SERVER_PORT=
 SQL_DATABASE_NAME=
 SQL_USER_NAME=
 SQL_PASSWORD=
-SQL_ENCRYPT=
+SQL_ENCRYPT=true
 SQL_TRUST_SERVER_CERTIFICATE=
 EMAIL_SENDER=
 APPLICATIONINSIGHTS_CONNECTION_STRING=
 
+# Angeleno Account / OIDC (sandbox)
+# Set ANGELENO_DEMO_MODE=true for local demos without OIDC credentials.
+ANGELENO_DEMO_MODE=true
+ANGELENO_DEMO_EMAIL=
+ANGELENO_DEMO_FIRST_NAME=
+ANGELENO_DEMO_LAST_NAME=
+ANGELENO_DEMO_SUBJECT=
+ANGELENO_DEMO_PASSWORD=
+ANGELENO_ISSUER=https://login.sandbox.account.lacity.gov
+ANGELENO_CLIENT_ID=
+ANGELENO_CLIENT_SECRET=
+ANGELENO_REDIRECT_URI=http://localhost:5001/api/accounts/angeleno/callback
+ANGELENO_AUTHORIZATION_URL=https://login.sandbox.account.lacity.gov/authorize
+ANGELENO_TOKEN_URL=https://login.sandbox.account.lacity.gov/oauth/token
+ANGELENO_JWKS_URL=https://login.sandbox.account.lacity.gov/.well-known/jwks.json
+ANGELENO_SCOPE=openid profile email
+
+# Google SSO / OIDC for internal City users
+# Set GOOGLE_SSO_DEMO_MODE=true for local demos without OAuth credentials.
+GOOGLE_SSO_DEMO_MODE=true
+GOOGLE_SSO_DEMO_EMAIL=
+GOOGLE_SSO_DEMO_FIRST_NAME=
+GOOGLE_SSO_DEMO_LAST_NAME=
+GOOGLE_SSO_DEMO_SUBJECT=
+GOOGLE_SSO_ISSUER=https://accounts.google.com
+GOOGLE_SSO_CLIENT_ID=
+GOOGLE_SSO_CLIENT_SECRET=
+GOOGLE_SSO_REDIRECT_URI=http://localhost:5001/api/accounts/google/callback
+GOOGLE_SSO_HOSTED_DOMAIN=lacity.org
+GOOGLE_SSO_AUTHORIZATION_URL=
+GOOGLE_SSO_TOKEN_URL=
+GOOGLE_SSO_JWKS_URL=
+GOOGLE_SSO_SCOPE=openid profile email
+
 #########################################
-## Local Development Database Settings ##
+## Shared Dev Environment (Azure)      ##
+## https://tdm-dev.azurewebsites.net   ##
 #########################################
-
-## Local Development Database - Windows Native
-# SQL_SERVER_NAME=
-# SQL_SERVER_INSTANCE=
-# SQL_SERVER_PORT=
-# SQL_DATABASE_NAME=
-# SQL_USER_NAME=
-# SQL_PASSWORD=
-# SQL_ENCRYPT=
-# SQL_TRUST_SERVER_CERTIFICATE=
-# EMAIL_SENDER=
-# APPLICATIONINSIGHTS_CONNECTION_STRING=
+# Use these values in Azure App Service env vars (not for local .env):
+#
+# CLIENT_URL=https://tdm-dev.azurewebsites.net
+# SERVER_URL=https://tdm-dev.azurewebsites.net
+# ANGELENO_DEMO_MODE=false
+# ANGELENO_REDIRECT_URI=https://tdm-dev.azurewebsites.net/api/accounts/angeleno/callback
+# GOOGLE_SSO_DEMO_MODE=false
+# GOOGLE_SSO_REDIRECT_URI=https://tdm-dev.azurewebsites.net/api/accounts/google/callback
+#
+# Register with Angeleno (sandbox):
+#   Callback URL:       https://tdm-dev.azurewebsites.net/api/accounts/angeleno/callback
+#   Allowed logout URL: https://tdm-dev.azurewebsites.net/login
+#   Allowed origins:    https://tdm-dev.azurewebsites.net
+#   Web origins:        https://tdm-dev.azurewebsites.net
 
 ## Local Development Database - Docker Container
-## Example for SQL Server Express on Docker
-# SQL_SERVER_NAME=
+# SQL_SERVER_NAME=localhost
 # SQL_SERVER_INSTANCE=
+# SQL_SERVER_PORT=1434
+# SQL_DATABASE_NAME=tdmdev
+# SQL_USER_NAME=sa
+# SQL_PASSWORD=Dogfood1!
+# SQL_ENCRYPT=false
+# SQL_TRUST_SERVER_CERTIFICATE=true
+
+## Local Development Database - Windows Native
+# SQL_SERVER_NAME=localhost
+# SQL_SERVER_INSTANCE=SQLEXPRESS
 # SQL_SERVER_PORT=
-# SQL_DATABASE_NAME=
-# SQL_USER_NAME=
-# SQL_PASSWORD=
-# SQL_ENCRYPT=
-# SQL_TRUST_SERVER_CERTIFICATE=
-# EMAIL_SENDER=
-# APPLICATIONINSIGHTS_CONNECTION_STRING=
+# SQL_DATABASE_NAME=tdmdev
+# SQL_USER_NAME=sa
+# SQL_PASSWORD=Dogfood1!
+# SQL_ENCRYPT=false
+# SQL_TRUST_SERVER_CERTIFICATE=true