From 7d63e987b2f88bb25f70d51b7400a8af2481b5cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Germ=C3=A1n=20Mart=C3=ADn?=
Date: Mon, 1 Dec 2025 00:27:52 +0100
Subject: [PATCH] Implement OIDC configuration validation

---
 apps/api/src/app/auth/auth.module.ts | 93 +++++++++++++++++++
 .../login-with-access-token-dialog.html | 11 ---
 2 files changed, 93 insertions(+), 11 deletions(-)

diff --git a/apps/api/src/app/auth/auth.module.ts b/apps/api/src/app/auth/auth.module.ts
index 4404205ce..996cf397f 100644
--- a/apps/api/src/app/auth/auth.module.ts
+++ b/apps/api/src/app/auth/auth.module.ts
@@ -19,6 +19,89 @@ import { GoogleStrategy } from './google.strategy';
 import { JwtStrategy } from './jwt.strategy';
 import { OidcStrategy } from './oidc.strategy';
+// ANSI color codes
+const colors = {
+ blue: '\x1b[34m',
+ reset: '\x1b[0m',
+ white: '\x1b[37m',
+ yellow: '\x1b[33m'
+};
+
+function validateOidcConfiguration(
+ configurationService: ConfigurationService
+): void {
+ const missingVariables: string[] = [];
+
+ // Common required variables for both configurations
+ const clientId = configurationService.get('OIDC_CLIENT_ID');
+ const clientSecret = configurationService.get('OIDC_CLIENT_SECRET');
+ const rootUrl = configurationService.get('ROOT_URL');
+
+ if (!clientId) {
+ missingVariables.push('OIDC_CLIENT_ID');
+ }
+
+ if (!clientSecret) {
+ missingVariables.push('OIDC_CLIENT_SECRET');
+ }
+
+ if (!rootUrl) {
+ missingVariables.push('ROOT_URL');
+ }
+
+ // Check for automatic or manual configuration
+ const authorizationUrl = configurationService.get('OIDC_AUTHORIZATION_URL');
+ const issuer = configurationService.get('OIDC_ISSUER');
+ const tokenUrl = configurationService.get('OIDC_TOKEN_URL');
+ const userInfoUrl = configurationService.get('OIDC_USER_INFO_URL');
+
+ const hasAutomaticConfig = !!issuer;
+ const hasManualConfig = authorizationUrl || tokenUrl || userInfoUrl;
+
+ if (!hasAutomaticConfig && !hasManualConfig) {
+ missingVariables.push(
+ 'OIDC_ISSUER (for automatic configuration) or OIDC_AUTHORIZATION_URL, OIDC_TOKEN_URL, OIDC_USER_INFO_URL (for manual configuration)'
+ );
+ } else if (!hasAutomaticConfig && hasManualConfig) {
+ // Manual configuration: all three URLs are required
+ if (!authorizationUrl) {
+ missingVariables.push('OIDC_AUTHORIZATION_URL');
+ }
+
+ if (!tokenUrl) {
+ missingVariables.push('OIDC_TOKEN_URL');
+ }
+
+ if (!userInfoUrl) {
+ missingVariables.push('OIDC_USER_INFO_URL');
+ }
+ }
+
+ if (missingVariables.length > 0) {
+ const formattedVariables = missingVariables
+ .map(
+ (variable) =>
+ ` 
${colors.blue}${variable}:${colors.white} undefined${colors.reset}`
+ )
+ .join('\n');
+
+ const errorMessage = `
+================================
+ ${colors.yellow}Missing${colors.white} OIDC environment variables:${colors.reset}
+${formattedVariables}
+
+ ${colors.white}Configuration options:${colors.reset}
+ 1. Automatic: Set ${colors.blue}OIDC_ISSUER${colors.reset} (endpoints discovered automatically)
+ 2. Manual: Set ${colors.blue}OIDC_AUTHORIZATION_URL${colors.reset}, ${colors.blue}OIDC_TOKEN_URL${colors.reset}, ${colors.blue}OIDC_USER_INFO_URL${colors.reset}
+
+ Both options require: ${colors.blue}ROOT_URL${colors.reset}, ${colors.blue}OIDC_CLIENT_ID${colors.reset}, ${colors.blue}OIDC_CLIENT_SECRET${colors.reset}
+================================
+`;
+ Logger.error(errorMessage, 'OidcStrategy');
+ process.exit(1);
+ }
+}
+
 @Module({
 controllers: [AuthController],
 imports: [
@@ -46,6 +129,16 @@ import { OidcStrategy } from './oidc.strategy';
 authService: AuthService,
 configurationService: ConfigurationService
 ) => {
+ const isOidcEnabled = configurationService.get(
+ 'ENABLE_FEATURE_AUTH_OIDC'
+ );
+
+ if (!isOidcEnabled) {
+ return null;
+ }
+
+ validateOidcConfiguration(configurationService);
+
 const issuer = configurationService.get('OIDC_ISSUER');
 const scope = configurationService.get('OIDC_SCOPE');
diff --git a/apps/client/src/app/components/login-with-access-token-dialog/login-with-access-token-dialog.html b/apps/client/src/app/components/login-with-access-token-dialog/login-with-access-token-dialog.html
index 055699d7f..d345c4df5 100644
--- a/apps/client/src/app/components/login-with-access-token-dialog/login-with-access-token-dialog.html
+++ b/apps/client/src/app/components/login-with-access-token-dialog/login-with-access-token-dialog.html
@@ -56,17 +56,6 @@ > } - - @if (data.hasPermissionToUseAuthOidc) {
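Review bot: `hasManualConfig` on the line `const hasManualConfig = authorizationUrl || tokenUrl || userInfoUrl;` holds whichever URL string is truthy rather than a boolean, unlike `const hasAutomaticConfig = !!issuer;` directly above it; `const hasManualConfig = !!(authorizationUrl || tokenUrl || userInfoUrl);` keeps the two flags consistent and makes the `else if` condition read as a boolean test. The checks are presence-only, so a variable that is set but does not hold a usable endpoint passes here and presumably fails later inside OidcStrategy — a header comment such as `/** Exits the process when variables required by OidcStrategy are absent; values are checked for presence only, not for validity. */` would make that scope explicit. The escape codes in `colors` are written into the log message unconditionally, so log sinks that are not a terminal receive raw ANSI sequences; gating them on `process.stdout.isTTY` or relying on Nest's Logger formatting avoids that. When `OIDC_ISSUER` is set together with an incomplete manual set of URLs, the manual values are silently ignored, which may be intended but is not documented anywhere in the function.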
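Review bot: The guard `if (!isOidcEnabled) { return null; }` relies on `configurationService.get('ENABLE_FEATURE_AUTH_OIDC')` yielding a real boolean; if the service hands back the raw environment string, `'false'` is truthy and validation plus `process.exit(1)` would still run on a deployment that merely sets the variable — confirm the service coerces it before trusting the check. Returning `null` leaves the strategy provider unset, so whatever injects it must tolerate `null`; a one-line comment at `return null;` such as `// OIDC disabled: no strategy is registered, consumers must handle null` would state that contract where the value is produced. The factory this hunk edits begins and ends outside the hunk.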
- Sign in with OIDC -
- }