feat(sso): replace local auth with Keycloak OIDC callback flow

backend/app/api/auth.py

@@ -1,43 +1,60 @@
-from fastapi import APIRouter, Depends, HTTPException, Response, status
+from fastapi import APIRouter, Depends, HTTPException, Request, Response, status
+from fastapi.responses import RedirectResponse
 from sqlalchemy.orm import Session
+from authlib.integrations.starlette_client import OAuthError
 from app import models, schemas
-from app.auth import create_access_token, get_current_user, hash_password, verify_password
-from app.database import get_db
+from app.auth import create_access_token, get_current_user, oauth
+from app.database import get_db, settings
 
 router = APIRouter()
 
-
-@router.post("/register", response_model=schemas.UserOut, status_code=201)
-def register(body: schemas.UserCreate, db: Session = Depends(get_db)) -> models.User:
-    if db.query(models.User).filter(models.User.username == body.username).first():
-        raise HTTPException(status_code=400, detail="Username already registered")
-    if db.query(models.User).filter(models.User.email == body.email).first():
-        raise HTTPException(status_code=400, detail="Email already registered")
-    user = models.User(
-        username=body.username,
-        email=body.email,
-        hashed_password=hash_password(body.password),
-    )
-    db.add(user)
-    db.commit()
-    db.refresh(user)
-    return user
+FIREWALL_ADMINS_GROUP = "firewall admins"
 
 
-@router.post("/login")
-def login(body: schemas.LoginRequest, response: Response, db: Session = Depends(get_db)) -> dict:
-    user = db.query(models.User).filter(models.User.username == body.username).first()
-    if not user or not verify_password(body.password, user.hashed_password):
-        raise HTTPException(status_code=401, detail="Invalid credentials")
-    token = create_access_token(user.id)
+@router.get("/oidc/login")
+async def oidc_login(request: Request) -> RedirectResponse:
+    return await oauth.keycloak.authorize_redirect(request, settings.keycloak_redirect_uri)
+
+
+@router.get("/oidc/callback")
+async def oidc_callback(request: Request, db: Session = Depends(get_db)) -> RedirectResponse:
+    try:
+        token = await oauth.keycloak.authorize_access_token(request)
+    except OAuthError as e:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e))
+
+    userinfo = token.get("userinfo") or {}
+    groups = userinfo.get("groups", [])
+    if FIREWALL_ADMINS_GROUP not in groups:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not in firewall admins group")
+
+    sub = userinfo["sub"]
+    email = userinfo.get("email", "")
+    username = userinfo.get("preferred_username", sub)
+
+    user = db.query(models.User).filter(models.User.keycloak_sub == sub).first()
+    if not user:
+        user = models.User(
+            keycloak_sub=sub,
+            email=email,
+            username=username,
+            hashed_password=None,
+            is_active=True,
+        )
+        db.add(user)
+        db.commit()
+        db.refresh(user)
+
+    access_token = create_access_token(user.id)
+    response = RedirectResponse(url="/", status_code=status.HTTP_302_FOUND)
     response.set_cookie(
         key="access_token",
-        value=token,
+        value=access_token,
         httponly=True,
         samesite="lax",
         max_age=3600,
     )
-    return {"message": "Logged in"}
+    return response
 
 
 @router.post("/logout")