feat: Add the option for header authentication to create users (#4841)

* feat: allow SSO to create new users automatically

* feat: apply default user settings to SSO users

* feat: add warnings to header auth toggles

src/Ombi.Settings/Settings/Models/AuthenticationSettings.cs

@@ -15,5 +15,6 @@ namespace Ombi.Settings.Settings.Models
         public bool EnableOAuth { get; set; } // Plex OAuth
         public bool EnableHeaderAuth { get; set; } // Header SSO
         public string HeaderAuthVariable { get; set; } // Header SSO
+        public bool HeaderAuthCreateUser { get; set; } // Header SSO
     }
 }

src/Ombi/ClientApp/src/app/interfaces/ISettings.ts

@@ -247,6 +247,7 @@ export interface IAuthenticationSettings extends ISettings {
   enableOAuth: boolean;
   enableHeaderAuth: boolean;
   headerAuthVariable: string;
+  headerAuthCreateUser: boolean;
 }
 
 export interface ICustomPage extends ISettings {

src/Ombi/ClientApp/src/app/settings/authentication/authentication.component.html

@@ -23,6 +23,9 @@
         <div class="checkbox">
           <mat-slide-toggle id="enableHeaderAuth" name="enableHeaderAuth" formControlName="enableHeaderAuth">Enable Authentication with Header Variable</mat-slide-toggle>
         </div>
+        <div class="alert warning-box">
+          Enabling Header Authentication will allow anyone to bypass authentication unless you are using a properly configured reverse proxy. Use with caution!
+        </div>
       </div>
 
       <div class="form-group" *ngIf="form.controls.enableHeaderAuth.value">
@@ -32,6 +35,15 @@
         </div>
       </div>
 
+      <div class="form-group" *ngIf="form.controls.enableHeaderAuth.value">
+        <div class="checkbox">
+          <mat-slide-toggle id="headerAuthCreateUser" name="headerAuthCreateUser" formControlName="headerAuthCreateUser">SSO creates new users automatically</mat-slide-toggle>
+        </div>
+        <div class="alert warning-box" *ngIf="form.controls.headerAuthCreateUser.value">
+          If the user in the Header Authentication variable does not exist, a new user will be created. You can configure the default permissions for new users in the <a target="_blank" href="/Settings/UserManagement">User Management settings</a>.
+        </div>
+      </div>
+
 
       <div class="form-group">
         <div>

src/Ombi/ClientApp/src/app/settings/authentication/authentication.component.scss

@@ -13,3 +13,10 @@
     box-shadow: 0 5px 11px 0 rgba(255, 255, 255, 0.18), 0 4px 15px 0 rgba(255, 255, 255, 0.15);
     color: inherit;
 }
+
+.warning-box {
+    margin: 16px 0;
+    color: white;
+    background-color: $ombi-background-accent;
+    border-color: $warn;
+}

src/Ombi/ClientApp/src/app/settings/authentication/authentication.component.ts

@@ -28,6 +28,7 @@ export class AuthenticationComponent implements OnInit {
                 enableOAuth: [x.enableOAuth],
                 enableHeaderAuth: [x.enableHeaderAuth],
                 headerAuthVariable: [x.headerAuthVariable],
+                headerAuthCreateUser: [x.headerAuthCreateUser],
             });
             this.form.controls.enableHeaderAuth.valueChanges.subscribe(x => {
                 if (x) {

src/Ombi/Controllers/V1/TokenController.cs

@@ -36,13 +36,15 @@ namespace Ombi.Controllers.V1
     public class TokenController : ControllerBase
     {
         public TokenController(OmbiUserManager um, ITokenRepository token,
-            IPlexOAuthManager oAuthManager, ILogger<TokenController> logger, ISettingsService<AuthenticationSettings> auth)
+            IPlexOAuthManager oAuthManager, ILogger<TokenController> logger, ISettingsService<AuthenticationSettings> auth,
+            ISettingsService<UserManagementSettings> userManagement)
         {
             _userManager = um;
             _token = token;
             _plexOAuthManager = oAuthManager;
             _log = logger;
             _authSettings = auth;
+            _userManagementSettings = userManagement;
         }
 
         private readonly ITokenRepository _token;
@@ -50,6 +52,7 @@ namespace Ombi.Controllers.V1
         private readonly IPlexOAuthManager _plexOAuthManager;
         private readonly ILogger<TokenController> _log;
         private readonly ISettingsService<AuthenticationSettings> _authSettings;
+        private readonly ISettingsService<UserManagementSettings> _userManagementSettings;
 
         /// <summary>
         /// Gets the token.
@@ -304,9 +307,30 @@ namespace Ombi.Controllers.V1
                     // Check if user exists
                     var user = await _userManager.FindByNameAsync(username);
                     if (user == null)
+                    {
+                        if (authSettings.HeaderAuthCreateUser)
+                        {
+                            var defaultSettings = await _userManagementSettings.GetSettingsAsync();
+                            user = new OmbiUser {
+                                UserName = username,
+                                UserType = UserType.LocalUser,
+                                StreamingCountry = defaultSettings.DefaultStreamingCountry ?? "US",
+                                MovieRequestLimit = defaultSettings.MovieRequestLimit,
+                                MovieRequestLimitType = defaultSettings.MovieRequestLimitType,
+                                EpisodeRequestLimit = defaultSettings.EpisodeRequestLimit,
+                                EpisodeRequestLimitType = defaultSettings.EpisodeRequestLimitType,
+                                MusicRequestLimit = defaultSettings.MusicRequestLimit,
+                                MusicRequestLimitType = defaultSettings.MusicRequestLimitType,
+                            };
+
+                            await _userManager.CreateAsync(user);
+                            await _userManager.AddToRolesAsync(user, defaultSettings.DefaultRoles);
+                        }
+                        else
                         {
                             return new UnauthorizedResult();
                         }
+                    }
 
                     return await CreateToken(true, user);
                 }