fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth
Ember's auth route bounces between ?with=netkingdom/ and ?with=token when OIDC mounts are hidden from the unauthenticated listing. Bypass Ember on the bare auth path with a static login page that calls auth_url directly; OIDC callbacks still proxy to the OpenBao UI.
86
helm/openbao-ui-overlay/login.js
Normal file
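--- a/helm/openbao-ui-overlay/login.js
+++ b/helm/openbao-ui-overlay/login.js
@@ -0,0 +1,86 @@
+(function () {
+"use strict";
+
+const PRESETS_URL = "/ui/platform-overlay/presets.json";
+const DEFAULT_PRESETS = {
+mount: "netkingdom",
+role: "platform-admin",
+title: "Sign in with KeyCape",
+signInLabel: "Sign in with KeyCape",
+banner:
+"Platform operators authenticate through KeyCape at kc.coulomb.social.",
+};
+
+async function loadPresets() {
+try {
+const response = await fetch(PRESETS_URL, { cache: "no-store" });
+if (!response.ok) return { ...DEFAULT_PRESETS };
+return { ...DEFAULT_PRESETS, ...(await response.json()) };
+} catch (_error) {
+return { ...DEFAULT_PRESETS };
+}
+}
+
+async function redirectToKeyCape(presets) {
+const mount = presets.mount || "netkingdom";
+const role = presets.role || "platform-admin";
+const redirectUri = `${window.location.origin}/ui/vault/auth/${mount}/oidc/callback`;
+
+const response = await fetch(`/v1/auth/${mount}/oidc/auth_url`, {
+method: "POST",
+headers: { "Content-Type": "application/json" },
+body: JSON.stringify({
+role,
+redirect_uri: redirectUri,
+}),
+});
+
+if (!response.ok) {
+throw new Error(`OIDC auth_url request failed (${response.status})`);
+}
+
+const payload = await response.json();
+const authUrl = payload?.data?.auth_url;
+if (!authUrl) {
+throw new Error("OIDC auth_url missing from OpenBao response");
+}
+
+window.location.assign(authUrl);
+}
+
+function showError(message) {
+const error = document.getElementById("login-error");
+if (!error) return;
+error.textContent = message;
+error.classList.add("is-visible");
+}
+
+async function init() {
+const presets = await loadPresets();
+const title = document.getElementById("login-title");
+const banner = document.getElementById("login-banner");
+const button = document.getElementById("login-submit");
+
+if (title) title.textContent = presets.title;
+if (banner) banner.textContent = presets.banner;
+if (button) button.textContent = presets.signInLabel;
+
+if (!button) return;
+
+button.addEventListener("click", async () => {
+button.disabled = true;
+try {
+await redirectToKeyCape(presets);
+} catch (error) {
+button.disabled = false;
+showError(
+error instanceof Error
+? error.message
+: "Sign-in failed. Contact your administrator."
+);
+}
+});
+}
+
+init();
+})();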
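Review bot: In `redirectToKeyCape`, `window.location.assign(authUrl)` navigates to whatever string the `auth_url` response carries, with only a truthiness check in front of it. Parsing the value and rejecting unexpected schemes keeps a malformed or tampered response from turning into a `javascript:` navigation or a redirect to an unintended target: `const target = new URL(authUrl);` then `if (target.protocol !== "https:") throw new Error("OIDC auth_url has unexpected scheme");` (allow `http:` explicitly if a development IdP needs it). The same function interpolates `presets.mount`, which `loadPresets` takes from `presets.json` unvalidated, into both `/v1/auth/${mount}/oidc/auth_url` and the callback URI. Using `encodeURIComponent(mount)` there, or checking the value against a fixed pattern such as `/^[A-Za-z0-9_-]+$/`, stops a value containing `/` or `..` from changing which endpoint receives the POST. The `showError` path writes through `textContent`, so the error text itself needs no extra escaping.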