feat(oidc): add Google + Discord OIDC source plugins #4
Open
osindex wants to merge 7 commits into
Adds two new source plugins that publish OAuth2 login entries on the
workbench login page and finish the OAuth flow through the host's
LoginByExternal seam (lina-core capability/contract.AuthService).

linapro-oidc-google + linapro-oidc-discord ship:

- plugin.yaml: i18n.enabled with zh-CN default + en-US locale, source
  language English, menu entry under platform_only scope
- manifest/i18n/{zh-CN,en-US}/{menu,plugin,error}.json plus
  apidoc/settings/settings.json for DTO meta translations
- backend/api/settings/v1/settings.go: Get/Save DTOs; ClientSecret is
  intentionally NOT required because the GET masks the stored secret
  and PUT with empty value preserves it
- backend/internal/service/config: typed Settings struct backed by host
  PluginSettingsService ("<pluginID>.<key>" rows in sys_config); no
  private SQL table
- backend/internal/service/oauth: provider-specific OAuth2 client
  (authorize URL, code exchange, userinfo) with HMAC-signed state
  containing nonce + expires_at for CSRF + replay protection
- backend/internal/controller/settings: GET masks secret, PUT preserves
- backend/internal/controller/oauth: /api/v1/auth/<provider> initiator +
  /callback handler. Callback validates state, exchanges code, fetches
  userinfo, hands off to authSvc.LoginByExternal, then either
    - SSO mode: enableBackendRedirect + state matches a backendRedirects
      rule => 302 to rule URL with tokens in query
    - SPA mode (everything else): 302 to /oauth-handoff with redirect
      target = defaultBackendRedirect (default /dashboard)
  Errors classified via bizerr RuntimeCode so the SPA handoff page
  shows a precise error (AUTH_EXTERNAL_USER_NOT_PROVISIONED, etc).
- backend/internal/service/provider: authprovider.Provider impl reading
  live settings on each LoginEntry call so admin toggles take effect
  without restarting the plugin
- backend/plugin.go: pluginhost.NewSourcePlugin + auth route binding +
  authprovider.RegisterProvider with the typed settings service
- frontend/pages/<provider>-settings.vue: admin settings page using
  () for the instructions card (host locales/langs/plugins.json),
  read-only Redirect URI with copy, per-rule state URL copy
- frontend/pages/google-login.vue: simple inline login button page
- frontend/constants.ts: callback / login entry / console URL constants

go.mod + go.sum: add the two plugin modules + matching replace stanzas
so the parent module resolves the new plugin source.

lina-plugins.go: blank import both plugins so plugin init() runs in the
compiled host binary.

Verified locally:

- google plugin: rtk go build ./... -> Success
- discord plugin: rtk go build ./... -> Success
- google plugin tests: 17 passed in 8 packages (state signing, settings
  config helpers, DTO validation, callback error classification)
- discord plugin tests: 17 passed in 8 packages (same set)

…der parent Adds parent_key: auth-provider to each OIDC plugin's settings menu in plugin.yaml so the host plugin lifecycle menu sync inserts the page under the new host-level 'auth-provider' directory instead of as a loose top-level menu. The 'auth-provider' parent menu is seeded by the host at apps/lina-core/manifest/sql/013-auth-provider-management.sql and localized via the host menu i18n resources, so both plugins coexist under a single 授权管理 (zh-CN) / Authentication Providers (en-US) navigation entry even when only one of them is installed.
auth-provider is now materialized and removed by the host on plugin demand. Plugins only reference parent_key; they no longer define the parent catalog's name/icon/sort. README host-boundary section updated accordingly.
…EADME.zh-CN Keep the bilingual README in sync: the Chinese mirror now matches the English host-boundary section describing the host-owned on-demand auth-provider catalog.
Add linapro-oidc-google and linapro-oidc-discord (source, platform_only, global) to the bilingual plugin inventory tables.
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
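
The HMAC-signed state described in the pull request (nonce + expires_at for CSRF and replay protection), as an added Go example that is not code from this pull request. The `<nonce>.<expires_at>.<hmac>` layout, the `NewState`/`VerifyState` names and the in-memory used-nonce map are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

func sign(key []byte, body string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(body))
	return hex.EncodeToString(h.Sum(nil))
}

// NewState returns "<nonce>.<expires_at>.<hmac>"; this layout is assumed for the example.
func NewState(key []byte, now time.Time, ttl time.Duration) string {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	body := hex.EncodeToString(n) + "." + strconv.FormatInt(now.Add(ttl).Unix(), 10)
	return body + "." + sign(key, body)
}

// VerifyState checks the MAC in constant time, then expiry, then burns the nonce (single use).
func VerifyState(key []byte, state string, now time.Time, used map[string]bool) error {
	i := strings.LastIndex(state, ".")
	if i < 0 || !hmac.Equal([]byte(state[i+1:]), []byte(sign(key, state[:i]))) {
		return fmt.Errorf("state: bad signature")
	}
	nonce, exp, _ := strings.Cut(state[:i], ".")
	if t, err := strconv.ParseInt(exp, 10, 64); err != nil || now.Unix() >= t {
		return fmt.Errorf("state: expired")
	}
	if used[nonce] {
		return fmt.Errorf("state: replayed")
	}
	used[nonce] = true
	return nil
}

func main() {
	key, used, now := []byte("constructed-demo-key"), map[string]bool{}, time.Now()
	fmt.Println(VerifyState(key, NewState(key, now, time.Minute), now, used))
}
```

The MAC is verified before any field is parsed, so a tampered expires_at is rejected as a bad signature rather than trusted; with more than one host instance the used-nonce set would need shared storage whose entries expire at expires_at.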