From d5ce6b680cbf50ddfa5ede2c680f8546498052ac Mon Sep 17 00:00:00 2001
From: Robert Meredith <rob@rjm.id.au>
Date: Mon, 2 May 2022 20:35:11 +1000
Subject: [PATCH] Skip intermediate login page with single provider

---
 app/Config/auth.php                           |  5 ++++
 app/Http/Controllers/Auth/LoginController.php | 27 ++++++++++++++++---
 resources/views/auth/login-redirect.blade.php | 16 +++++++++++
 tests/Auth/OidcTest.php                       | 14 ++++++++++
 4 files changed, 59 insertions(+), 3 deletions(-)
 create mode 100644 resources/views/auth/login-redirect.blade.php

diff --git a/app/Config/auth.php b/app/Config/auth.php
index 1e1a9d350..ec4389a6c 100644
--- a/app/Config/auth.php
+++ b/app/Config/auth.php
@@ -13,6 +13,11 @@ return [
     // Options: standard, ldap, saml2, oidc
     'method' => env('AUTH_METHOD', 'standard'),
 
+    // Automatically redirect to external login provider if only one provider is being used
+    // instead of displaying a single-button login page and requiring users to click through
+    // Supported methods: saml2, oidc
+    'auto_redirect' => env('AUTH_AUTO_REDIRECT', false),
+
     // Authentication Defaults
     // This option controls the default authentication "guard" and password
     // reset options for your application.
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index 742e10472..695bfa28d 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -25,14 +25,14 @@ class LoginController extends Controller
     |
     */
 
-    use AuthenticatesUsers;
+    use AuthenticatesUsers { logout as traitLogout; }
 
     /**
      * Redirection paths.
      */
     protected $redirectTo = '/';
     protected $redirectPath = '/';
-    protected $redirectAfterLogout = '/login';
+    protected $redirectAfterLogout = '/';
 
     protected $socialAuthService;
     protected $loginService;
@@ -50,7 +50,7 @@ class LoginController extends Controller
         $this->loginService = $loginService;
 
         $this->redirectPath = url('/');
-        $this->redirectAfterLogout = url('/login');
+        $this->redirectAfterLogout = url(config('auth.auto_redirect') ? '/login?logout=1' : '/');
     }
 
     public function username()
@@ -73,6 +73,7 @@ class LoginController extends Controller
     {
         $socialDrivers = $this->socialAuthService->getActiveDrivers();
         $authMethod = config('auth.method');
+        $autoRedirect = config('auth.auto_redirect');
 
         if ($request->has('email')) {
             session()->flashInput([
@@ -84,6 +85,12 @@ class LoginController extends Controller
         // Store the previous location for redirect after login
         $this->updateIntendedFromPrevious();
 
+        if ($autoRedirect && !($request->has('logout') && $request->get('logout') == '1') && count($socialDrivers) == 0 && in_array($authMethod, ['oidc', 'saml2'])) {
+            return view('auth.login-redirect', [
+                'authMethod'    => $authMethod,
+            ]);
+        }
+
         return view('auth.login', [
             'socialDrivers' => $socialDrivers,
             'authMethod'    => $authMethod,
@@ -251,4 +258,18 @@ class LoginController extends Controller
 
         redirect()->setIntendedUrl($previous);
     }
+
+    /**
+     * Logout user and perform subsequent redirect.
+     *
+     * @param \Illuminate\Http\Request $request
+     *
+     * @return mixed
+     */
+    public function logout(Request $request)
+    {
+        $this->traitLogout($request);
+
+        return redirect($this->redirectAfterLogout);
+    }
 }
diff --git a/resources/views/auth/login-redirect.blade.php b/resources/views/auth/login-redirect.blade.php
new file mode 100644
index 000000000..08501c6b3
--- /dev/null
+++ b/resources/views/auth/login-redirect.blade.php
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="{{ config('app.lang') }}"
+      dir="{{ config('app.rtl') ? 'rtl' : 'ltr' }}">
+<head>
+    <meta charset="utf-8">
+</head>
+<body>
+    <div id="loginredirect-wrapper" style="display:none">
+        @include('auth.parts.login-form-' . $authMethod)
+    </div>
+
+    <script nonce="{{ $cspNonce }}">
+        window.onload = function(){document.forms['login-form'].submit()};
+    </script>
+</body>
+</html>
diff --git a/tests/Auth/OidcTest.php b/tests/Auth/OidcTest.php
index 9aebb4d04..34fd70115 100644
--- a/tests/Auth/OidcTest.php
+++ b/tests/Auth/OidcTest.php
@@ -26,6 +26,7 @@ class OidcTest extends TestCase
 
         config()->set([
             'auth.method'                 => 'oidc',
+            'auth.auto_redirect'          => false,
             'auth.defaults.guard'         => 'oidc',
             'oidc.name'                   => 'SingleSignOn-Testing',
             'oidc.display_name_claims'    => ['name'],
@@ -111,6 +112,19 @@ class OidcTest extends TestCase
         $this->assertPermissionError($resp);
     }
 
+    public function test_automatic_redirect_on_login()
+    {
+        config()->set([
+            'auth.auto_redirect'        => true,
+            'services.google.client_id' => false,
+            'services.github.client_id' => false,
+        ]);
+        $req = $this->get('/login');
+        $req->assertSeeText('SingleSignOn-Testing');
+        $req->assertElementExists('form[action$="/oidc/login"][method=POST] button');
+        $req->assertElementExists('div#loginredirect-wrapper');
+    }
+
     public function test_login()
     {
         $req = $this->post('/oidc/login');