feat(SSO): JWTやSAMLでのSingle Sign-Onの実装 (MisskeyIO#519)

packages/frontend/package.json

@@ -40,10 +40,10 @@
 		"chartjs-chart-matrix": "2.0.1",
 		"chartjs-plugin-gradient": "0.6.1",
 		"chartjs-plugin-zoom": "2.0.1",
-		"chromatic": "11.0.4",
+		"chromatic": "11.0.8",
 		"compare-versions": "6.1.0",
 		"cropperjs": "2.0.0-beta.4",
-		"date-fns": "3.3.1",
+		"date-fns": "3.4.0",
 		"escape-regexp": "0.0.1",
 		"estree-walker": "3.0.3",
 		"eventemitter3": "5.0.1",
@@ -58,9 +58,9 @@
 		"misskey-reversi": "workspace:*",
 		"photoswipe": "5.4.3",
 		"punycode": "2.3.1",
-		"rollup": "4.12.1",
+		"rollup": "4.13.0",
 		"sanitize-html": "2.12.1",
-		"sass": "1.71.1",
+		"sass": "1.72.0",
 		"shiki": "1.1.7",
 		"strict-event-emitter-types": "2.0.0",
 		"textarea-caret": "3.1.0",
@@ -71,72 +71,72 @@
 		"tsconfig-paths": "4.2.0",
 		"typescript": "5.4.2",
 		"uuid": "9.0.1",
-		"v-code-diff": "1.9.0",
-		"vite": "5.1.5",
+		"v-code-diff": "1.10.0",
+		"vite": "5.1.6",
 		"vue": "3.4.15",
 		"vuedraggable": "next"
 	},
 	"devDependencies": {
 		"@misskey-dev/eslint-plugin": "1.0.0",
 		"@misskey-dev/summaly": "5.0.3",
-		"@storybook/addon-actions": "8.0.0-beta.6",
-		"@storybook/addon-essentials": "8.0.0-beta.6",
-		"@storybook/addon-interactions": "8.0.0-beta.6",
-		"@storybook/addon-links": "8.0.0-beta.6",
-		"@storybook/addon-mdx-gfm": "8.0.0-beta.6",
-		"@storybook/addon-storysource": "8.0.0-beta.6",
-		"@storybook/blocks": "8.0.0-beta.6",
-		"@storybook/components": "8.0.0-beta.6",
-		"@storybook/core-events": "8.0.0-beta.6",
-		"@storybook/manager-api": "8.0.0-beta.6",
-		"@storybook/preview-api": "8.0.0-beta.6",
-		"@storybook/react": "8.0.0-beta.6",
-		"@storybook/react-vite": "8.0.0-beta.6",
-		"@storybook/test": "8.0.0-beta.6",
-		"@storybook/theming": "8.0.0-beta.6",
-		"@storybook/types": "8.0.0-beta.6",
-		"@storybook/vue3": "8.0.0-beta.6",
-		"@storybook/vue3-vite": "8.0.0-beta.6",
+		"@storybook/addon-actions": "8.0.0",
+		"@storybook/addon-essentials": "8.0.0",
+		"@storybook/addon-interactions": "8.0.0",
+		"@storybook/addon-links": "8.0.0",
+		"@storybook/addon-mdx-gfm": "8.0.0",
+		"@storybook/addon-storysource": "8.0.0",
+		"@storybook/blocks": "8.0.0",
+		"@storybook/components": "8.0.0",
+		"@storybook/core-events": "8.0.0",
+		"@storybook/manager-api": "8.0.0",
+		"@storybook/preview-api": "8.0.0",
+		"@storybook/react": "8.0.0",
+		"@storybook/react-vite": "8.0.0",
+		"@storybook/test": "8.0.0",
+		"@storybook/theming": "8.0.0",
+		"@storybook/types": "8.0.0",
+		"@storybook/vue3": "8.0.0",
+		"@storybook/vue3-vite": "8.0.0",
 		"@testing-library/vue": "8.0.2",
 		"@types/escape-regexp": "0.0.3",
 		"@types/estree": "1.0.5",
 		"@types/matter-js": "0.19.6",
 		"@types/micromatch": "4.0.6",
-		"@types/node": "20.11.25",
+		"@types/node": "20.11.27",
 		"@types/punycode": "2.1.4",
 		"@types/sanitize-html": "2.11.0",
 		"@types/throttle-debounce": "5.0.2",
 		"@types/tinycolor2": "1.4.6",
 		"@types/uuid": "9.0.8",
 		"@types/ws": "8.5.10",
-		"@typescript-eslint/eslint-plugin": "7.1.1",
-		"@typescript-eslint/parser": "7.1.1",
+		"@typescript-eslint/eslint-plugin": "7.2.0",
+		"@typescript-eslint/parser": "7.2.0",
 		"@vitest/coverage-v8": "0.34.6",
 		"@vue/runtime-core": "3.4.15",
 		"acorn": "8.11.3",
 		"cross-env": "7.0.3",
-		"cypress": "13.6.6",
+		"cypress": "13.7.0",
 		"eslint": "8.57.0",
 		"eslint-plugin-import": "2.29.1",
-		"eslint-plugin-vue": "9.22.0",
+		"eslint-plugin-vue": "9.23.0",
 		"fast-glob": "3.3.2",
 		"happy-dom": "13.6.2",
 		"intersection-observer": "0.12.2",
 		"micromatch": "4.0.5",
-		"msw": "2.2.2",
+		"msw": "2.2.3",
 		"msw-storybook-addon": "2.0.0-beta.1",
 		"nodemon": "3.1.0",
 		"prettier": "3.2.5",
 		"react": "18.2.0",
 		"react-dom": "18.2.0",
 		"start-server-and-test": "2.0.3",
-		"storybook": "8.0.0-beta.6",
+		"storybook": "8.0.0",
 		"storybook-addon-misskey-theme": "github:misskey-dev/storybook-addon-misskey-theme",
 		"vite-plugin-turbosnap": "1.0.3",
 		"vitest": "0.34.6",
 		"vitest-fetch-mock": "0.2.2",
-		"vue-component-type-helpers": "1.8.27",
+		"vue-component-type-helpers": "2.0.6",
 		"vue-eslint-parser": "9.4.2",
-		"vue-tsc": "1.8.27"
+		"vue-tsc": "2.0.6"
 	}
 }

packages/frontend/src/pages/admin/security.vue

@@ -137,7 +137,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 
 					<div class="_gaps">
 						<MkButton primary full @click="indieAuthAddNew"><i class="ti ti-plus"></i> New</MkButton>
-						<MkFolder v-for="(client, index) in indieAuthClients" :key="`${index}-${client.createdAt}`" :defaultOpen="!client.createdAt">
+						<MkFolder v-for="(client, index) in indieAuthClients" :key="`${indieAuthTimestamp}-${index}-${client.createdAt ? client.id : 'new'}`" :defaultOpen="!client.createdAt">
 							<template #label>{{ client.name || client.id }}</template>
 							<template #icon>
 								<i v-if="client.id" class="ti ti-key"></i>
@@ -166,6 +166,72 @@ SPDX-License-Identifier: AGPL-3.0-only
 						</MkButton>
 					</div>
 				</MkFolder>
+
+				<MkFolder>
+					<template #label>Single Sign-On Service Providers</template>
+
+					<div class="_gaps">
+						<MkButton primary full @click="ssoServiceAddNew"><i class="ti ti-plus"></i> New</MkButton>
+						<MkFolder v-for="(service, index) in ssoServices" :key="`${ssoServiceTimestamp}-${index}-${service.createdAt ? service.id : 'new'}`" :defaultOpen="!service.createdAt">
+							<template #label>{{ service.name || service.id }}</template>
+							<template #icon>
+								<i v-if="service.id" class="ti ti-key"></i>
+								<i v-else class="ti ti-plus"></i>
+							</template>
+							<template v-if="service.name && service.id" #caption>{{ service.id }}</template>
+
+							<div class="_gaps_m">
+								<MkInput v-model="service.id" disabled>
+									<template #label>Service ID</template>
+								</MkInput>
+								<MkInput v-model="service.name">
+									<template #label>Name</template>
+								</MkInput>
+								<MkRadios v-model="service.type">
+									<option value="jwt">JWT</option>
+									<option value="saml">SAML</option>
+								</MkRadios>
+								<MkInput v-model="service.issuer">
+									<template #label>Issuer</template>
+								</MkInput>
+								<MkTextarea v-model="service.audience">
+									<template #label>Audience</template>
+								</MkTextarea>
+								<MkInput v-model="service.acsUrl">
+									<template #label>Assertion Consumer Service URL</template>
+								</MkInput>
+								<MkInput v-model="service.publicKey">
+									<template #label>{{ service['useCertificate'] ? 'Public Key' : 'Secret' }}</template>
+								</MkInput>
+								<MkInput v-model="service.signatureAlgorithm">
+									<template #label>Signature Algorithm</template>
+								</MkInput>
+								<MkInput v-model="service.cipherAlgorithm">
+									<template #label>Cipher Algorithm</template>
+								</MkInput>
+								<MkSwitch v-model="service.wantAuthnRequestsSigned">
+									<template #label>Want Authn Requests Signed</template>
+								</MkSwitch>
+								<MkSwitch v-model="service.wantAssertionsSigned">
+									<template #label>Want Assertions Signed</template>
+								</MkSwitch>
+								<MkSwitch v-model="service.useCertificate" :disabled="!!service.createdAt">
+									<template #label>Use Certificate</template>
+								</MkSwitch>
+								<MkSwitch v-if="service.useCertificate" v-model="service.regenerateCertificate">
+									<template #label>Regenerate Certificate</template>
+								</MkSwitch>
+								<div class="buttons _buttons">
+									<MkButton primary @click="ssoServiceSave(service)"><i class="ti ti-device-floppy"></i> Save</MkButton>
+									<MkButton v-if="service.createdAt" warn @click="ssoServiceDelete(service)"><i class="ti ti-trash"></i> Delete</MkButton>
+								</div>
+							</div>
+						</MkFolder>
+						<MkButton v-if="ssoServiceHasMore" :class="$style.more" :disabled="!ssoServiceHasMore" primary rounded @click="ssoServiceFetch()">
+							<i class="ti ti-reload"></i>{{ i18n.ts.more }}
+						</MkButton>
+					</div>
+				</MkFolder>
 			</div>
 		</FormSuspense>
 	</MkSpacer>
@@ -208,8 +274,13 @@ const truemailInstance = ref<string | null>(null);
 const truemailAuthKey = ref<string | null>(null);
 const bannedEmailDomains = ref<string>('');
 const indieAuthClients = ref<any[]>([]);
+const indieAuthTimestamp = ref(0);
 const indieAuthOffset = ref(0);
 const indieAuthHasMore = ref(false);
+const ssoServices = ref<any[]>([]);
+const ssoServiceTimestamp = ref(0);
+const ssoServiceOffset = ref(0);
+const ssoServiceHasMore = ref(false);
 
 async function init() {
 	const meta = await misskeyApi('admin/meta');
@@ -274,12 +345,11 @@ function indieAuthFetch(resetOffset = false) {
 		offset: indieAuthOffset.value,
 		limit: 10,
 	}).then(clients => {
-		indieAuthClients.value = indieAuthClients.value.concat(clients.map((client: any) => ({
-			id: client.id,
-			name: client.name,
+		indieAuthClients.value = indieAuthClients.value.concat(clients.map(client => ({
+			...client,
 			redirectUris: client.redirectUris.join('\n'),
-			createdAt: client.createdAt,
 		})));
+		indieAuthTimestamp.value = Date.now();
 		indieAuthHasMore.value = clients.length === 10;
 		indieAuthOffset.value += clients.length;
 	});
@@ -302,7 +372,9 @@ function indieAuthDelete(client) {
 	}).then(({ canceled }) => {
 		if (canceled) return;
 		indieAuthClients.value = indieAuthClients.value.filter(x => x !== client);
-		misskeyApi('admin/indie-auth/delete', client);
+		os.apiWithDialog('admin/indie-auth/delete', client).then(() => {
+			indieAuthFetch(true);
+		});
 	});
 }
 
@@ -314,11 +386,100 @@ async function indieAuthSave(client) {
 	};
 
 	if (client.createdAt !== undefined) {
-		await misskeyApi('admin/indie-auth/update', params);
+		await os.apiWithDialog('admin/indie-auth/update', params).then(() => {
+			indieAuthFetch(true);
+		});
 	} else {
-		await misskeyApi('admin/indie-auth/create', params);
+		await os.apiWithDialog('admin/indie-auth/create', params).then(() => {
+			indieAuthFetch(true);
+		});
+	}
+}
+
+function ssoServiceFetch(resetOffset = false) {
+	if (resetOffset) {
+		ssoServices.value = [];
+		ssoServiceOffset.value = 0;
+	}
+
+	misskeyApi('admin/sso/list', {
+		offsetMode: true,
+		offset: ssoServiceOffset.value,
+		limit: 10,
+	}).then(services => {
+		ssoServices.value = ssoServices.value.concat(services.map(service => ({
+			...service,
+			audience: service.audience.join('\n'),
+		})));
+		ssoServiceTimestamp.value = Date.now();
+		ssoServiceHasMore.value = services.length === 10;
+		ssoServiceOffset.value += services.length;
+	});
+}
+
+ssoServiceFetch(true);
+
+function ssoServiceAddNew() {
+	ssoServices.value.unshift({
+		id: '',
+		name: '',
+		type: 'jwt',
+		issuer: '',
+		audience: '',
+		acsUrl: '',
+		publicKey: '',
+		signatureAlgorithm: 'HS256',
+		cipherAlgorithm: '',
+		wantAuthnRequestsSigned: false,
+		wantAssertionsSigned: true,
+		useCertificate: false,
+		regenerateCertificate: false,
+	});
+}
+
+function ssoServiceDelete(service) {
+	os.confirm({
+		type: 'warning',
+		text: i18n.tsx.deleteAreYouSure({ x: service.id }),
+	}).then(({ canceled }) => {
+		if (canceled) return;
+		ssoServices.value = ssoServices.value.filter(x => x !== service);
+		os.apiWithDialog('admin/sso/delete', service).then(() => {
+			ssoServiceFetch(true);
+		});
+	});
+}
+
+async function ssoServiceSave(service) {
+	const params = {
+		id: service.id,
+		name: service.name,
+		type: service.type,
+		issuer: service.issuer,
+		audience: service.audience.split('\n'),
+		acsUrl: service.acsUrl,
+		secret: service.publicKey,
+		signatureAlgorithm: service.signatureAlgorithm,
+		cipherAlgorithm: service.cipherAlgorithm,
+		wantAuthnRequestsSigned: service.wantAuthnRequestsSigned,
+		wantAssertionsSigned: service.wantAssertionsSigned,
+	};
+
+	if (service.createdAt !== undefined) {
+		await os.apiWithDialog('admin/sso/update', {
+			...params,
+			regenerateCertificate: service.regenerateCertificate,
+		}).then(() => {
+			ssoServiceFetch(true);
+		});
+	} else {
+		await os.apiWithDialog('admin/sso/create', {
+			...params,
+			useCertificate: service.useCertificate,
+		}).then(() => {
+			ssoServiceFetch(true);
+		});
 	}
-	indieAuthFetch(true);
 }
 
 const headerActions = computed(() => []);

packages/frontend/src/pages/sso.vue

@@ -0,0 +1,65 @@
+<!--
+SPDX-FileCopyrightText: syuilo and misskey-project
+SPDX-License-Identifier: AGPL-3.0-only
+-->
+
+<template>
+<MkStickyContainer>
+	<template #header><MkPageHeader/></template>
+	<MkSpacer :contentMax="800">
+		<div v-if="$i">
+			<div v-if="name">{{ i18n.tsx._auth.shareAccess({ name }) }}</div>
+			<div v-else>{{ i18n.ts._auth.shareAccessAsk }}</div>
+			<form :class="$style.buttons" :action="`/sso/${kind}/authorize`" accept-charset="utf-8" method="post">
+				<input name="transaction_id" class="mk-input-tr-id-hidden" type="hidden" :value="transactionIdMeta?.content"/>
+				<input name="login_token" class="mk-input-token-hidden" type="hidden" :value="$i.token"/>
+				<MkButton inline name="cancel" value="cancel">{{ i18n.ts.cancel }}</MkButton>
+				<MkButton inline primary>{{ i18n.ts.accept }}</MkButton>
+			</form>
+		</div>
+		<div v-else>
+			<p :class="$style.loginMessage">{{ i18n.ts._auth.pleaseLogin }}</p>
+			<MkSignin @login="onLogin"/>
+		</div>
+	</MkSpacer>
+</MkStickyContainer>
+</template>
+
+<script lang="ts" setup>
+import MkSignin from '@/components/MkSignin.vue';
+import MkButton from '@/components/MkButton.vue';
+import { $i, login } from '@/account.js';
+import { i18n } from '@/i18n.js';
+import { definePageMetadata } from '@/scripts/page-metadata.js';
+
+const transactionIdMeta = document.querySelector<HTMLMetaElement>('meta[name="misskey:sso:transaction-id"]');
+if (transactionIdMeta) {
+	transactionIdMeta.remove();
+}
+
+const name = document.querySelector<HTMLMetaElement>('meta[name="misskey:sso:service-name"]')?.content;
+const kind = document.querySelector<HTMLMetaElement>('meta[name="misskey:sso:kind"]')?.content;
+
+function onLogin(res): void {
+	login(res.i);
+}
+
+definePageMetadata(() => ({
+	title: 'Single Sign-On',
+	icon: 'ti ti-apps',
+}));
+</script>
+
+<style lang="scss" module>
+.buttons {
+	margin-top: 16px;
+	display: flex;
+	gap: 8px;
+	flex-wrap: wrap;
+}
+
+.loginMessage {
+	text-align: center;
+	margin: 8px 0 24px;
+}
+</style>

packages/frontend/src/router/definition.ts

@@ -264,6 +264,9 @@ const routes: RouteDef[] = [{
 }, {
 	path: '/oauth/authorize',
 	component: page(() => import('@/pages/oauth.vue')),
+}, {
+	path: '/sso/:kind/:serviceId',
+	component: page(() => import('@/pages/sso.vue')),
 }, {
 	path: '/tags/:tag',
 	component: page(() => import('@/pages/tag.vue')),