[4777][ADD] auth_oauth_enforced

Author: nobuQuartile

auth_oauth_enforced/README.rst

@@ -0,0 +1,56 @@
+======================
+Auth OAuth Enforced
+======================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:6e65a7f2af3e5fed27a05a5fbe038b72e403595474a8b896c2d2bb836faf654f
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-qrtl%2Faxls--custom-lightgray.png?logo=github
+    :target: https://github.com/qrtl/thc-oca/tree/16.0/auth_oauth_enforced
+    :alt: qrtl/thc-oca
+
+|badge1| |badge2| |badge3|
+
+This module controls login methods by email domain, requiring OAuth for
+specified domains, as defined in company settings.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/qrtl/thc-oca/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/qrtl/thc-oca/issues/new?body=module:%20auth_oauth_enforced%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Quartile Limited
+
+Maintainers
+-----------
+
+This module is part of the `qrtl/thc-oca <https://github.com/qrtl/thc-oca/tree/16.0/auth_oauth_enforced>`_ project on GitHub.
+
+You are welcome to contribute.

auth_oauth_enforced/__init__.py

@@ -0,0 +1,2 @@
+from . import controllers
+from . import models

auth_oauth_enforced/__manifest__.py

@@ -0,0 +1,15 @@
+# Copyright 2024 Quartile Limited (https://www.quartile.co)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+{
+    "name": "Auth OAuth Enforced",
+    "version": "16.0.1.0.0",
+    "author": "Quartile Limited, Odoo Community Association (OCA)",
+    "website": "https://www.quartile.co",
+    "category": "Tools",
+    "license": "AGPL-3",
+    "depends": ["auth_oauth", "auth_signup"],
+    "data": [
+        "views/res_company_views.xml",
+    ],
+    "installable": True,
+}

auth_oauth_enforced/controllers/__init__.py

@@ -0,0 +1 @@
+from . import main

auth_oauth_enforced/controllers/main.py

@@ -0,0 +1,50 @@
+# Copyright 2024 Quartile Limited (https://www.quartile.co)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+
+from odoo import _, http
+from odoo.http import request
+
+from odoo.addons.auth_signup.controllers import main
+from odoo.addons.web.controllers import home
+
+
+class Home(home.Home):
+    @http.route("/web/login", type="http", auth="none")
+    def web_login(self, redirect=None, **kw):
+        # Only proceed if it's a POST request and 'login' is provided
+        if request.httprequest.method != "POST" or "login" not in kw:
+            return super().web_login(redirect=redirect, **kw)
+        login = kw["login"]
+        user = request.env["res.users"].sudo().search([("login", "=", login)], limit=1)
+        # Only proceed if 'force_oauth_domains' is set for the company
+        if user._is_allowed_password_login():
+            return super().web_login(redirect=redirect, **kw)
+        # User is not allowed to login with a password, prompt for OAuth login
+        providers = self.list_providers()
+        values = request.params
+        values["error"] = _(
+            "You are not allowed to login with password. Please use OAuth login."
+        )
+        values["providers"] = providers
+        return request.render("web.login", values)
+
+
+class CustomAuthSignup(main.AuthSignupHome):
+    @http.route(
+        "/web/reset_password", type="http", auth="public", website=True, sitemap=False
+    )
+    def web_auth_reset_password(self, *args, **kw):
+        qcontext = self.get_auth_signup_qcontext()
+        login = qcontext.get("login", request.params.get("login"))
+        password = qcontext.get("password")
+        confirm_password = qcontext.get("confirm_password")
+        if not login or not password or not confirm_password:
+            return super().web_auth_reset_password(*args, **kw)
+        user = request.env["res.users"].sudo().search([("login", "=", login)], limit=1)
+        if user._is_allowed_password_login():
+            return super().web_auth_reset_password(*args, **kw)
+        qcontext["error"] = _(
+            "You are not allowed to login with password. Please use OAuth login."
+        )
+        return request.render("auth_signup.reset_password", qcontext)

auth_oauth_enforced/i18n/ja.po

@@ -0,0 +1,44 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_oauth_force_oauth
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 16.0\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2024-03-01 09:10+0000\n"
+"PO-Revision-Date: 2024-03-01 09:10+0000\n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: auth_oauth_force_oauth
+#: model:ir.model,name:auth_oauth_force_oauth.model_res_company
+msgid "Companies"
+msgstr "会社"
+
+#. module: auth_oauth_force_oauth
+#: model:ir.model.fields,help:auth_oauth_force_oauth.field_res_company__force_oauth_domains
+msgid "Fill in the domains, separated by commas."
+msgstr "カンマで区切ってドメインを入力"
+
+#. module: auth_oauth_force_oauth
+#: model:ir.model.fields,field_description:auth_oauth_force_oauth.field_res_company__force_oauth_domains
+msgid "Force OAuth Domains"
+msgstr "OAuth強制ドメイン"
+
+#. module: auth_oauth_force_oauth
+#: model:ir.model,name:auth_oauth_force_oauth.model_res_users
+msgid "User"
+msgstr "ユーザ"
+
+#. module: auth_oauth_force_oauth
+#. odoo-python
+#: code:addons/auth_oauth_force_oauth/controllers/main.py:0
+#: code:addons/auth_oauth_force_oauth/controllers/main.py:0
+#, python-format
+msgid "You are not allowed to login with password. Please use OAuth login."
+msgstr "あなたはパスワードログインを許可されていません。OAuthログインを使用してください。"

auth_oauth_enforced/models/__init__.py

@@ -0,0 +1,2 @@
+from . import res_company
+from . import res_users

auth_oauth_enforced/models/res_company.py

@@ -0,0 +1,12 @@
+# Copyright 2024 Quartile Limited (https://www.quartile.co)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+from odoo import fields, models
+
+
+class ResCompany(models.Model):
+    _inherit = "res.company"
+
+    force_oauth_domains = fields.Char(
+        "Force OAuth Domains", help="Fill in the domains, separated by commas."
+    )

auth_oauth_enforced/models/res_users.py

@@ -0,0 +1,16 @@
+# Copyright 2024 Quartile Limited (https://www.quartile.co)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+from odoo import api, models
+
+
+class ResUsers(models.Model):
+    _inherit = "res.users"
+
+    @api.model
+    def _is_allowed_password_login(self):
+        force_domains = self.company_id.force_oauth_domains
+        if not force_domains:
+            return True
+        force_domains_list = [domain.strip() for domain in force_domains.split(",")]
+        return not any(self.login.endswith(domain) for domain in force_domains_list)

auth_oauth_enforced/readme/DESCRIPTION.md

@@ -0,0 +1,3 @@
+This module controls login methods by email domain, requiring OAuth for
+specified domains, as defined in company
+settings.