sso to thirdpart website (#5401)

frontend/src/components/common/account.js

@@ -3,7 +3,7 @@ import PropTypes from 'prop-types';
 import ReactDOM from 'react-dom';
 import { Utils } from '../../utils/utils';
 import { seafileAPI } from '../../utils/seafile-api';
-import { siteRoot, gettext, appAvatarURL } from '../../utils/constants';
+import { siteRoot, gettext, appAvatarURL, enableSSOToThirdpartWebsite } from '../../utils/constants';
 import toaster from '../toast';
 
 const propTypes = {
@@ -122,7 +122,7 @@ class Account extends Component {
         };
       } else if (isOrgStaff) {
         data = {
-          url: `${siteRoot}org/info/`,
+          url: enableSSOToThirdpartWebsite ? `${siteRoot}sso-to-thirdpart/` : `${siteRoot}org/info/`,
           text: gettext('Organization Admin')
         };
       } else if (isInstAdmin) {

frontend/src/utils/constants.js

@@ -76,6 +76,7 @@ export const maxNumberOfFilesForFileupload = window.app.pageOptions.maxNumberOfF
 export const enableOCM = window.app.pageOptions.enableOCM;
 export const ocmRemoteServers = window.app.pageOptions.ocmRemoteServers;
 export const enableOCMViaWebdav = window.app.pageOptions.enableOCMViaWebdav;
+export const enableSSOToThirdpartWebsite = window.app.pageOptions.enableSSOToThirdpartWebsite;
 
 export const curNoteMsg = window.app.pageOptions.curNoteMsg;
 export const curNoteID = window.app.pageOptions.curNoteID;

seahub/settings.py

@@ -728,6 +728,11 @@ WEBDAV_SECRET_STRENGTH_LEVEL = 1
 
 ENABLE_USER_SET_CONTACT_EMAIL = False
 
+# SSO to thirdparty website
+ENABLE_SSO_TO_THIRDPART_WEBSITE = False
+THIRDPART_WEBSITE_SECRET_KEY = ''
+THIRDPART_WEBSITE_URL = ''
+
 #####################
 # Global AddressBook #
 #####################

seahub/templates/base_for_react.html

@@ -135,6 +135,7 @@
             curNoteID: '{{ request.cur_note.id }}',
             {% endif %}
             enableTC: {% if enable_terms_and_conditions %} true {% else %} false {% endif %},
+            enableSSOToThirdpartWebsite: {% if enable_sso_to_thirdpart_website %} true {% else %} false {% endif %},
             enableVideoThumbnail: {% if enable_video_thumbnail %} true {% else %} false {% endif %},
             showLogoutIcon: {% if show_logout_icon %} true {% else %} false {% endif %},
             additionalShareDialogNote: {% if additional_share_dialog_note %} {{ additional_share_dialog_note|safe }} {% else %} null {% endif %},

seahub/urls.py

@@ -6,6 +6,7 @@ from seahub.views import *
 from seahub.views.sysadmin import *
 from seahub.views.ajax import *
 from seahub.views.sso import *
+from seahub.views.sso_to_thirdpart import sso_to_thirdpart
 
 from seahub.views.file import view_history_file, view_trash_file,\
     view_snapshot_file, view_shared_file, view_file_via_shared_dir,\
@@ -203,6 +204,8 @@ urlpatterns = [
     url(r'^ocm-via-webdav/', include('seahub.ocm_via_webdav.urls')),
     url(r'^cad/', include('seahub.cad.urls')),
 
+    url(r'^sso-to-thirdpart/$', sso_to_thirdpart, name='sso-to-thirdpart'),
+
     url(r'^$', react_fake_view, name='libraries'),
     url(r'^robots\.txt$', TemplateView.as_view(template_name='robots.txt', content_type='text/plain')),
 

seahub/views/__init__.py

@@ -1209,4 +1209,5 @@ def react_fake_view(request, **kwargs):
         'enable_video_thumbnail': settings.ENABLE_VIDEO_THUMBNAIL,
         'group_import_members_extra_msg': GROUP_IMPORT_MEMBERS_EXTRA_MSG,
         'request_from_onlyoffice_desktop_editor': ONLYOFFICE_DESKTOP_EDITOR_HTTP_USER_AGENT in request.META.get('HTTP_USER_AGENT', ''),
+        'enable_sso_to_thirdpart_website': settings.ENABLE_SSO_TO_THIRDPART_WEBSITE,
     })

seahub/views/sso_to_thirdpart.py

@@ -0,0 +1,46 @@
+# -*- coding: utf-8 -*-
+import time
+import logging
+
+import jwt
+from django.http import HttpResponseRedirect
+
+from seahub.auth.decorators import login_required
+from seahub.utils import render_error
+from seahub.api2.models import Token
+try:
+    from seahub.settings import ENABLE_SSO_TO_THIRDPART_WEBSITE, THIRDPART_WEBSITE_SECRET_KEY, THIRDPART_WEBSITE_URL
+except ImportError:
+    ENABLE_SSO_TO_THIRDPART_WEBSITE = False
+    THIRDPART_WEBSITE_SECRET_KEY = ''
+    THIRDPART_WEBSITE_URL = ''
+
+logger = logging.getLogger(__name__)
+
+
+@login_required
+def sso_to_thirdpart(request):
+    if not ENABLE_SSO_TO_THIRDPART_WEBSITE or not THIRDPART_WEBSITE_SECRET_KEY or not THIRDPART_WEBSITE_URL:
+        return render_error(request, 'Feature is not enabled.')
+
+    username = request.user.username
+    try:
+        api_token, _ = Token.objects.get_or_create(user=username)
+    except Exception as e:
+        logger.error(e)
+        return render_error(request, 'Internal Server Error')
+
+    payload = {
+        'exp': int(time.time()) + 100,
+        'user_id': username,
+        'api_token': api_token.key,
+    }
+
+    try:
+        access_token = jwt.encode(payload, THIRDPART_WEBSITE_SECRET_KEY, algorithm='HS256')
+    except Exception as e:
+        logger.error(e)
+        return render_error(request, 'Internal Server Error')
+
+    redirect_to = THIRDPART_WEBSITE_URL.strip('/') + '/?token=%s' % access_token
+    return HttpResponseRedirect(redirect_to)