From c03aa03ac260dca84dd982ddf17d6cfd20d6e1a4 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Mon, 8 Jul 2024 15:38:23 -0700
Subject: [PATCH] Feature: automatic sso redirect (#7168)

---
 docs/advanced_usage.md                        |  3 +-
 docs/configuration.md                         |  8 ++++++
 src/documents/context_processors.py           |  1 +
 src/documents/templates/account/login.html    | 28 +++++++++++++------
 .../templates/paperless-ngx/base.html         |  2 +-
 .../templates/socialaccount/login.html        |  9 ++++++
 src/paperless/settings.py                     |  6 +++-
 src/paperless/tests/test_settings.py          | 10 +++++--
 8 files changed, 54 insertions(+), 13 deletions(-)

diff --git a/docs/advanced_usage.md b/docs/advanced_usage.md
index 14f2e49ab..d2c47209e 100644
--- a/docs/advanced_usage.md
+++ b/docs/advanced_usage.md
@@ -687,4 +687,5 @@ More details about configuration option for various providers can be found in th
 
 ### Disabling Regular Login
 
-Once external auth is set up, 'regular' login can be disabled with the [PAPERLESS_DISABLE_REGULAR_LOGIN](configuration.md#PAPERLESS_DISABLE_REGULAR_LOGIN) setting.
+Once external auth is set up, 'regular' login can be disabled with the [PAPERLESS_DISABLE_REGULAR_LOGIN](configuration.md#PAPERLESS_DISABLE_REGULAR_LOGIN) setting and / or users can be automatically
+redirected with the [PAPERLESS_REDIRECT_LOGIN_TO_SSO](configuration.md#PAPERLESS_REDIRECT_LOGIN_TO_SSO) setting.
diff --git a/docs/configuration.md b/docs/configuration.md
index d16943c37..63c2c7610 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -596,6 +596,14 @@ system. See the corresponding
 
 : Disables the regular frontend username / password login, i.e. once you have setup SSO. Note that this setting does not disable the Django admin login. To prevent logins directly to Django, consider blocking `/admin/` in your [web server or reverse proxy configuration](https://github.com/paperless-ngx/paperless-ngx/wiki/Using-a-Reverse-Proxy-with-Paperless-ngx).
 
+You can optionally also automatically redirect users to the SSO login with [PAPERLESS_REDIRECT_LOGIN_TO_SSO](#PAPERLESS_REDIRECT_LOGIN_TO_SSO)
+
+    Defaults to False
+
+#### ['PAPERLESS_REDIRECT_LOGIN_TO_SSO=<bool>`](#PAPERLESS_REDIRECT_LOGIN_TO_SSO) {#PAPERLESS_REDIRECT_LOGIN_TO_SSO}
+
+: When this setting is enabled users will automatically be redirected (using javascript) to the first SSO provider login. You may still want to disable the frontend login form for clarity.
+
     Defaults to False
 
 #### [`PAPERLESS_ACCOUNT_SESSION_REMEMBER=<bool>`](#PAPERLESS_ACCOUNT_SESSION_REMEMBER) {#PAPERLESS_ACCOUNT_SESSION_REMEMBER}
diff --git a/src/documents/context_processors.py b/src/documents/context_processors.py
index 91a7ce391..a9200ac11 100644
--- a/src/documents/context_processors.py
+++ b/src/documents/context_processors.py
@@ -21,6 +21,7 @@ def settings(request):
         "EMAIL_ENABLED": django_settings.EMAIL_HOST != "localhost"
         or django_settings.EMAIL_HOST_USER != "",
         "DISABLE_REGULAR_LOGIN": django_settings.DISABLE_REGULAR_LOGIN,
+        "REDIRECT_LOGIN_TO_SSO": django_settings.REDIRECT_LOGIN_TO_SSO,
         "ACCOUNT_ALLOW_SIGNUPS": django_settings.ACCOUNT_ALLOW_SIGNUPS,
         "domain": getattr(django_settings, "PAPERLESS_URL", request.get_host()),
         "APP_TITLE": app_title,
diff --git a/src/documents/templates/account/login.html b/src/documents/templates/account/login.html
index 5613b9845..e3e9ec40a 100644
--- a/src/documents/templates/account/login.html
+++ b/src/documents/templates/account/login.html
@@ -49,16 +49,28 @@
                 {% if provider.id == "openid" %}
                     {% for brand in provider.get_brands %}
                         {% provider_login_url provider openid=brand.openid_url process=process as href %}
-                    <li class="d-grid mt-3"><a class="btn btn-secondary" href="{{ href }}">{{ brand.name }}</a></li>
+                    <li class="d-grid mt-3"><a class="btn btn-secondary oidc-url" href="{{ href }}">{{ brand.name }}</a></li>
                     {% endfor %}
                 {% else %}
-                {% provider_login_url provider process=process scope=scope auth_params=auth_params as href %}
-                <li class="d-grid mt-3">
-                  <form class="d-grid" method="POST" action="{{ href }}">
-                    {% csrf_token %}
-                    <button type="submit" class="btn btn-secondary">{{ provider.name }}</button>
-                  </form>
-                </li>
+                    {% provider_login_url provider process=process scope=scope auth_params=auth_params as href %}
+                        <li class="d-grid mt-3">
+                            <form id="social-login" class="d-grid" method="POST" action="{{ href }}">
+                                {% csrf_token %}
+                                <button type="submit" class="btn btn-secondary">{{ provider.name }}</button>
+                            </form>
+                        </li>
+                    {% if REDIRECT_LOGIN_TO_SSO and forloop.counter0 == 0 and request.GET.loggedout != '1' %}
+                        <script type="text/javascript">
+                            const form = document.getElementById('social-login');
+                            if (form) {
+                                form.submit();
+                            } else {
+                                if (document.getElementsByClassName('oidc-url').length > 0) {
+                                    document.getElementsByClassName('oidc-url')[0].click();
+                                }
+                            }
+                        </script>
+                    {% endif %}
                 {% endif %}
             {% endfor %}
         </ul>
diff --git a/src/documents/templates/paperless-ngx/base.html b/src/documents/templates/paperless-ngx/base.html
index 49fc0edf4..4b9a91120 100644
--- a/src/documents/templates/paperless-ngx/base.html
+++ b/src/documents/templates/paperless-ngx/base.html
@@ -18,7 +18,7 @@
 
     <body class="text-center">
         <div class="position-absolute top-50 start-50 translate-middle">
-            <form class="form-accounts" method="post">
+            <form class="form-accounts" id="form-account" method="post">
                 {% csrf_token %}
                 {% if not APP_LOGO and not APP_TITLE %}
                     {% include "paperless-ngx/snippets/svg_logo.html" with extra_attrs="width='300' class='logo mb-4'" %}
diff --git a/src/documents/templates/socialaccount/login.html b/src/documents/templates/socialaccount/login.html
index ce67362d1..70c71ced2 100644
--- a/src/documents/templates/socialaccount/login.html
+++ b/src/documents/templates/socialaccount/login.html
@@ -12,4 +12,13 @@
     <div class="d-grid mt-3">
         <button class="btn btn-lg btn-primary" type="submit">{% translate "Continue" %}</button>
     </div>
+
+    {% if REDIRECT_LOGIN_TO_SSO %}
+        <script type="text/javascript">
+            const form = document.getElementById('form-account');
+            if (form) {
+                form.submit();
+            }
+        </script>
+    {% endif %}
 {% endblock form_content %}
diff --git a/src/paperless/settings.py b/src/paperless/settings.py
index e2aab9dbb..fe7caebb8 100644
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -369,7 +369,10 @@ def _parse_base_paths() -> tuple[str, str, str, str, str]:
     base_url = (script_name or "") + "/"
     login_url = base_url + "accounts/login/"
     login_redirect_url = base_url + "dashboard"
-    logout_redirect_url = os.getenv("PAPERLESS_LOGOUT_REDIRECT_URL", base_url)
+    logout_redirect_url = os.getenv(
+        "PAPERLESS_LOGOUT_REDIRECT_URL",
+        login_url + "?loggedout=1",
+    )
     return script_name, base_url, login_url, login_redirect_url, logout_redirect_url
 
 
@@ -460,6 +463,7 @@ SOCIALACCOUNT_PROVIDERS = json.loads(
 ACCOUNT_EMAIL_SUBJECT_PREFIX = "[Paperless-ngx] "
 
 DISABLE_REGULAR_LOGIN = __get_boolean("PAPERLESS_DISABLE_REGULAR_LOGIN")
+REDIRECT_LOGIN_TO_SSO = __get_boolean("PAPERLESS_REDIRECT_LOGIN_TO_SSO")
 
 AUTO_LOGIN_USERNAME = os.getenv("PAPERLESS_AUTO_LOGIN_USERNAME")
 
diff --git a/src/paperless/tests/test_settings.py b/src/paperless/tests/test_settings.py
index 511148523..5c257a08c 100644
--- a/src/paperless/tests/test_settings.py
+++ b/src/paperless/tests/test_settings.py
@@ -410,7 +410,10 @@ class TestPathSettings(TestCase):
         self.assertEqual("/", base_paths[1])  # BASE_URL
         self.assertEqual("/accounts/login/", base_paths[2])  # LOGIN_URL
         self.assertEqual("/dashboard", base_paths[3])  # LOGIN_REDIRECT_URL
-        self.assertEqual("/", base_paths[4])  # LOGOUT_REDIRECT_URL
+        self.assertEqual(
+            "/accounts/login/?loggedout=1",
+            base_paths[4],
+        )  # LOGOUT_REDIRECT_URL
 
     @mock.patch("os.environ", {"PAPERLESS_FORCE_SCRIPT_NAME": "/paperless"})
     def test_subpath(self):
@@ -427,7 +430,10 @@ class TestPathSettings(TestCase):
         self.assertEqual("/paperless/", base_paths[1])  # BASE_URL
         self.assertEqual("/paperless/accounts/login/", base_paths[2])  # LOGIN_URL
         self.assertEqual("/paperless/dashboard", base_paths[3])  # LOGIN_REDIRECT_URL
-        self.assertEqual("/paperless/", base_paths[4])  # LOGOUT_REDIRECT_URL
+        self.assertEqual(
+            "/paperless/accounts/login/?loggedout=1",
+            base_paths[4],
+        )  # LOGOUT_REDIRECT_URL
 
     @mock.patch(
         "os.environ",