Add ORCID OAuth 2.0 authentication integration#123
Implement ORCID-based authentication allowing university researchers to log in via their ORCID accounts. The integration follows the existing per-Uczelnia service configuration pattern (like PBN, Clarivate).

- Add orcid_client_id, orcid_client_secret, orcid_sandbox fields to Uczelnia model with helper properties (orcid_enabled, orcid_base_url)
- Create orcid_integration app with OAuth 2.0 client, Django auth backend, login/callback views, and error template
- Auth backend matches ORCID iD -> Autor.orcid -> Autor.email -> BppUser.email (no auto-creation of accounts)
- Add ORCID fieldset to Uczelnia admin
- Add context processor and template integration (top bar login menu and login form page show ORCID button when enabled)
- Include 20 tests covering client, backend, and views

https://claude.ai/code/session_01QgnftYGg47MECsDibKehDG

- Add orcid_tylko_dla_pracownikow field to Uczelnia: when enabled, only is_staff or is_superuser users can log in via ORCID
- Update OrcidAuthenticationBackend to enforce the restriction
- Add 14 new tests (34 total):
  - Model property tests (orcid_enabled, orcid_base_url, orcid_api_url)
  - Context processor tests
  - Staff restriction tests (blocks regular, allows staff, allows superuser)

https://claude.ai/code/session_01QgnftYGg47MECsDibKehDG
Check is_active before allowing authentication — users with is_active=False are now rejected by OrcidAuthenticationBackend. Add two tests for the is_active check. https://claude.ai/code/session_01QgnftYGg47MECsDibKehDG
Validate next_url with url_has_allowed_host_and_scheme() before storing in session and before redirecting after login. External URLs like https://evil.com are now rejected and fall back to "/". Applied in both orcid_login (input) and orcid_callback (output) to defend in depth. Added 3 tests covering external URL, protocol-relative URL, and callback-side rejection. https://claude.ai/code/session_01QgnftYGg47MECsDibKehDG
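The matching chain and refusal points described in the commits above (ORCID iD -> Autor.orcid -> Autor.email -> BppUser.email, no auto-creation of accounts, the is_active check and the orcid_tylko_dla_pracownikow staff-only restriction), as an added stand-alone example that is not the PR's own backend code. The dataclasses and lists stand in for the Django models and ORM queries, the sample records and iDs are constructed here, and the iD normalisation (accepting the https://orcid.org/... URL form and verifying the ISO 7064 MOD 11-2 check digit before the lookup) is an assumed extra step the PR does not describe; `authenticate_orcid` returns a `(user, reason)` pair so each refusal is visible, where a Django backend would simply return None.

```python
"""Added example: the ORCID -> Autor -> BppUser matching chain with its refusal points.

Not the PR's backend code. Autor/BppUser are in-memory stand-ins for the Django
models; authenticate_orcid returns (user, reason) so each refusal is visible.
"""
import re
from dataclasses import dataclass
from typing import Optional

ORCID_RE = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{3}[\dX]$")


def orcid_checksum_ok(orcid: str) -> bool:
    """ISO 7064 MOD 11-2 check digit used by ORCID (last character, 'X' for 10)."""
    digits = orcid.replace("-", "")
    total = 0
    for ch in digits[:-1]:
        total = (total + int(ch)) * 2
    result = (12 - total % 11) % 11
    return digits[-1] == ("X" if result == 10 else str(result))


def normalize_orcid(raw: Optional[str]) -> Optional[str]:
    """Return the bare XXXX-XXXX-XXXX-XXXX form, or None if it is not a valid iD.

    Assumed extra step: the token response carries a bare iD, while a stored
    Autor.orcid may be the https://orcid.org/... form; compare both normalised.
    """
    if not raw:
        return None
    value = raw.strip()
    for prefix in ("https://orcid.org/", "http://orcid.org/", "orcid.org/"):
        if value.lower().startswith(prefix):
            value = value[len(prefix):]
            break
    value = value.strip("/").upper()
    if not ORCID_RE.match(value) or not orcid_checksum_ok(value):
        return None
    return value


@dataclass
class Autor:
    orcid: Optional[str]
    email: Optional[str]


@dataclass
class BppUser:
    email: str
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False


def authenticate_orcid(orcid_id, autorzy, users, staff_only=False):
    """Return (user, reason); user is None whenever the login must be refused."""
    orcid = normalize_orcid(orcid_id)
    if orcid is None:
        return None, "invalid-orcid"
    autor = next((a for a in autorzy if normalize_orcid(a.orcid) == orcid), None)
    if autor is None:
        return None, "no-autor"
    if not autor.email:
        return None, "autor-without-email"
    matches = [u for u in users if u.email.lower() == autor.email.strip().lower()]
    if not matches:
        return None, "no-user"          # no account -> no auto-creation
    if len(matches) > 1:
        return None, "ambiguous-user"   # two accounts share the e-mail: refuse rather than guess
    user = matches[0]
    if not user.is_active:
        return None, "inactive"
    if staff_only and not (user.is_staff or user.is_superuser):
        return None, "not-staff"
    return user, "ok"


# Constructed sample records; the iDs are syntactically valid sample identifiers.
AUTORZY = [
    Autor(orcid="https://orcid.org/0000-0002-1825-0097", email="carberry@example.edu"),
    Autor(orcid="0000-0001-5109-3700", email=None),
    Autor(orcid="0000-0002-0000-0006", email="inactive@example.edu"),
    Autor(orcid="0000-0001-0000-0009", email="Admin@Example.edu"),
]
USERS = [
    BppUser("carberry@example.edu"),
    BppUser("inactive@example.edu", is_active=False),
    BppUser("admin@example.edu", is_superuser=True),
]

if __name__ == "__main__":
    for raw, staff_only in [("0000-0002-1825-0097", False), ("0000-0002-1825-0097", True),
                            ("0000-0002-1825-0098", False), ("0000-0001-0000-0009", True)]:
        print(raw, staff_only, authenticate_orcid(raw, AUTORZY, USERS, staff_only)[1])
```

Normalising both sides of the comparison matters in practice: an Autor.orcid stored as a URL would otherwise never match the bare iD ORCID returns, and the login would fail silently as "no-autor". The e-mail step is deliberately case-insensitive and refuses when more than one account matches, since the chain grants access to whichever BppUser it lands on.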
@claude can you fix the tests? Perhaps the branch needs to be up to date with "dev"
Claude finished @mpasternak's task in 4m 7s

Fixed: CI "Build assets" failure

Root cause: The "Build assets" CI step was failing before any Python tests ran.

The fix:

```javascript
// shell command string assembled for the "Build assets" step
command: 'VENV_DIR=${UV_PROJECT_ENVIRONMENT:-.venv} && ' +
         'PY_DIR=$(ls -d "$VENV_DIR/lib/python3."* | head -1) && ' +
         'mkdir -p .venv/lib && ' +
         'rm -f .venv/lib/python && ' +
         'ln -sf "$(cd "$PY_DIR" && pwd)" .venv/lib/python'
```

This creates an absolute-path symlink so esbuild can resolve

Pushed as commit

The test-runner Docker image stores the venv at /opt/venv via UV_PROJECT_ENVIRONMENT, so the hardcoded .venv/lib path caused "cd: can't cd to .venv/lib" in CI, blocking the Build assets step. The updated command detects UV_PROJECT_ENVIRONMENT (falling back to .venv for local dev) and creates an absolute-path symlink so esbuild can resolve .venv/lib/python/site-packages/* in both environments.

Co-authored-by: Michał Pasternak <mpasternak@users.noreply.github.com>
Summary

This PR adds ORCID OAuth 2.0 authentication support to the BPP system, allowing users to log in using their ORCID iD. The integration matches ORCID identifiers to existing Autor records and authenticates corresponding BppUser accounts.

Key Changes

- orcid_integration/client.py: implements the OAuth 2.0 flow using requests-oauthlib for authorization and token exchange with ORCID's public API
- orcid_integration/backends.py: custom Django authentication backend that:
  - matches ORCID iD to Autor.orcid → Autor.email → BppUser.email
  - enforces orcid_tylko_dla_pracownikow
- orcid_integration/views.py: implements the OAuth flow endpoints:
  - orcid_login: initiates authorization, stores state and next URL in session
  - orcid_callback: handles the OAuth callback, validates state, exchanges code for token, authenticates user
- bpp/models/uczelnia.py (migrations 0411, 0412):
  - orcid_client_id, orcid_client_secret, orcid_sandbox: OAuth configuration
  - orcid_tylko_dla_pracownikow: when checked, ORCID login is available only to is_staff/is_superuser users
  - helper properties orcid_base_url, orcid_api_url, orcid_enabled
- bpp/admin/uczelnia.py: ORCID section in the Uczelnia admin with 4 fields
- orcid_auth_status context processor: provides ORCID status to templates
- django_bpp/settings/base.py: registered orcid_integration app, auth backend, and context processor
- orcid_integration/tests/:
  - test_client.py (3): authorization URL generation (sandbox, production, scope)
  - test_backends.py (11): user matching, missing autor/email/user, staff-only restriction
  - test_views.py (10): login flow, callback validation, error scenarios, success
  - test_uczelnia_orcid.py (7): model properties (orcid_enabled, orcid_base_url, orcid_api_url)
  - test_context_processor.py (3): enabled/disabled/no uczelnia

Test plan

- With orcid_tylko_dla_pracownikow enabled, verify non-staff users are blocked

https://claude.ai/code/session_01QgnftYGg47MECsDibKehDG
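The view-side protocol the summary describes (orcid_login storing state and next URL in the session, orcid_callback validating the state before the code exchange, and the next_url check on both sides from the later commit), as an added stand-alone example that is not the PR's view code. A plain dict stands in for request.session, the allowed host is assumed, and the host check re-implements the rules of Django's url_has_allowed_host_and_scheme() (relative paths or absolute http(s) URLs on an allowed host only, with backslashes treated as slashes) so the block runs without Django; the single-use, constant-time state comparison is the standard OAuth CSRF defence and is assumed rather than taken from the PR.

```python
"""Added example: state and next-URL handling for the orcid_login / orcid_callback pair.

Not the PR's view code. `session` is a plain dict standing in for request.session,
and url_is_safe re-implements the rules of Django's url_has_allowed_host_and_scheme().
"""
import hmac
import secrets
import unicodedata
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"bpp.example.edu"}   # assumed deployment host


def _spelling_ok(url, allowed_hosts, require_https):
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme and not parts.netloc:          # javascript:, data:, mailto:, ...
        return False
    if unicodedata.category(url[0])[0] == "C":     # leading control character
        return False
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid_schemes = ("https",) if require_https else ("http", "https")
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    return host_ok and (not scheme or scheme in valid_schemes)


def url_is_safe(url, allowed_hosts, require_https=False):
    """Relative paths and absolute http(s) URLs on allowed hosts only."""
    if not url or not url.strip():
        return False
    # Browsers treat "\" as "/", so "/\evil.com" is really "//evil.com": test both spellings.
    return all(_spelling_ok(u, allowed_hosts, require_https)
               for u in (url, url.replace("\\", "/")))


def safe_next(url, allowed_hosts, fallback="/"):
    return url if url_is_safe(url, allowed_hosts) else fallback


def orcid_login(session, requested_next):
    """Input side: mint a single-use state and store it with an already-vetted next URL."""
    state = secrets.token_urlsafe(32)
    session["orcid_state"] = state
    session["orcid_next"] = safe_next(requested_next, ALLOWED_HOSTS)
    return state        # goes into the authorize URL's state= parameter


def orcid_callback(session, returned_state):
    """Output side: consume the state (also on failure), compare it in constant time,
    and vet the next URL again so a stale or foreign session value cannot redirect out."""
    expected = session.pop("orcid_state", None)
    if not expected or not returned_state:
        return None
    if not hmac.compare_digest(expected.encode(), str(returned_state).encode()):
        return None     # the view would render the error template instead of exchanging the code
    return safe_next(session.pop("orcid_next", "/"), ALLOWED_HOSTS)


if __name__ == "__main__":
    session = {}
    state = orcid_login(session, "https://evil.com")
    print("stored next:", session["orcid_next"])            # "/"
    print("wrong state:", orcid_callback(dict(session), "x"))  # None
    print("good state:", orcid_callback(session, state))      # "/"
```

Popping the state before comparing it means a failed callback cannot be retried against the same session value, and re-running `safe_next` in the callback is what makes the input-side check a defence in depth rather than the only line: anything that wrote the session key without vetting it (older code, another view) is still caught at the redirect.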