From 0f261e0ba56bcb2299d5be6284990df25105e29d Mon Sep 17 00:00:00 2001
From: Markbeep
Date: Fri, 14 Mar 2025 16:25:26 +0100
Subject: [PATCH] fix typos and adjust hint texts

---
 README.md | 11 +++---
 app/routers/settings.py | 47 ++++++++++++++-------------
 app/util/cache.py | 17 ++++++++--
 templates/invalid_oidc.html | 2 +-
 templates/settings_page/security.html | 14 ++++++--
 5 files changed, 55 insertions(+), 36 deletions(-)

diff --git a/README.md b/README.md
index e01b6d0..1ecd36c 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,8 @@ OIDC allows you to use an external authentication service (Authentik, Keycloak,
 - client id
 - client secret
 
+In your auth server settings, make sure you allow for redirecting to `/auth/oidc`. The oidc-login flow will redirect you there after you log in.
+
 Applying settings does not directly invalidate your current session. To test OIDC-settings, press the "log out" button to invalidate your current session.
 
 #### Getting locked out
@@ -97,9 +99,7 @@ services:
 web:
 image: markbeep/audiobookrequest:1
 ports:
- - "8000:8765"
- environment:
- ABR_APP__PORT: 8765
+ - "8000:8000"
 volumes:
 - ./config:/config
 ```
@@ -130,12 +130,9 @@ spec:
 volumeMounts:
 - mountPath: /config
 name: abr-config
- env:
- - name: ABR_APP__PORT
- value: "8765"
 ports:
 - name: http-request
- containerPort: 8765
+ containerPort: 8000
 volumes:
 - name: abr-config
 hostPath:
diff --git a/app/routers/settings.py b/app/routers/settings.py
index ef8055a..fabfe89 100644
--- a/app/routers/settings.py
+++ b/app/routers/settings.py
@@ -693,20 +693,22 @@ async def update_security(
 headers={"HX-Retarget": "#message"},
 )
 
- if login_type in [LoginTypeEnum.basic, LoginTypeEnum.forms]:
- if access_token_expiry is not None:
- if access_token_expiry < 1:
- return error_response("Access token expiry can't be 0 or negative")
- else:
- auth_config.set_access_token_expiry_minutes(
- session, Minute(access_token_expiry)
- )
+ if (
+ login_type in [LoginTypeEnum.basic, LoginTypeEnum.forms]
+ and min_password_length is not None
+ ):
+ if min_password_length < 1:
+ return error_response("Minimum password length can't be 0 or negative")
+ else:
+ auth_config.set_min_password_length(session, min_password_length)
 
- if min_password_length is not None:
- if min_password_length < 1:
- return error_response("Minimum password length can't be 0 or negative")
- else:
- auth_config.set_min_password_length(session, min_password_length)
+ if access_token_expiry is not None:
+ if access_token_expiry < 1:
+ return error_response("Access token expiry can't be 0 or negative")
+ else:
+ auth_config.set_access_token_expiry_minutes(
+ session, Minute(access_token_expiry)
+ )
 
 if login_type == LoginTypeEnum.oidc:
 if oidc_endpoint:
@@ -722,9 +724,9 @@ async def update_security(
 if oidc_group_claim:
 oidc_config.set(session, "oidc_group_claim", oidc_group_claim)
 
- error = await oidc_config.validate(session, client_session)
- if error:
- return error_response(error)
+ error_message = await oidc_config.validate(session, client_session)
+ if error_message:
+ return error_response(error_message)
 
 old = auth_config.get_login_type(session)
 auth_config.set_login_type(session, login_type)
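Review bot: The re-added check on `access_token_expiry` still only rejects values below 1, so the new branch accepts arbitrarily large expiries and a stray extra digit in the form produces sessions that in practice never expire; `min_password_length` likewise has a floor of 1 and no ceiling. An upper bound next to the existing floor, `if access_token_expiry < 1 or access_token_expiry > MAX_ACCESS_TOKEN_EXPIRY_MINUTES:` (constant name is a placeholder), with the accepted range named in the error text, would close that. The restructuring also means the expiry is now written for every login type, including OIDC, where the old code only did so for basic/forms; if that is intended, a one-line comment such as `# token expiry applies to every login type, not only basic/forms` would stop the next reader from "fixing" it back, though I cannot see from this hunk how OIDC sessions are issued. `update_security` begins and ends outside the hunk.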
@@ -736,13 +738,12 @@ async def update_security(
 "page": "security",
 "login_type": auth_config.get_login_type(session),
 "access_token_expiry": auth_config.get_access_token_expiry_minutes(session),
- "oidc_client_id": oidc_config.get(session, "oidc_client_id") or "",
- "oidc_scope": oidc_config.get(session, "oidc_scope") or "",
- "oidc_username_claim": oidc_config.get(session, "oidc_username_claim")
- or "",
- "oidc_group_claim": oidc_config.get(session, "oidc_group_claim") or "",
- "oidc_client_secret": oidc_config.get(session, "oidc_client_secret") or "",
- "oidc_endpoint": oidc_config.get(session, "oidc_endpoint") or "",
+ "oidc_client_id": oidc_config.get(session, "oidc_client_id", ""),
+ "oidc_scope": oidc_config.get(session, "oidc_scope", ""),
+ "oidc_username_claim": oidc_config.get(session, "oidc_username_claim", ""),
+ "oidc_group_claim": oidc_config.get(session, "oidc_group_claim", ""),
+ "oidc_client_secret": oidc_config.get(session, "oidc_client_secret", ""),
+ "oidc_endpoint": oidc_config.get(session, "oidc_endpoint", ""),
 "success": "Settings updated",
 },
 block_name="form",
diff --git a/app/util/cache.py b/app/util/cache.py
index 257fe55..3705012 100644
--- a/app/util/cache.py
+++ b/app/util/cache.py
@@ -35,10 +35,23 @@ L = TypeVar("L", bound=str)
 class StringConfigCache(Generic[L], ABC):
 _cache: dict[L, str] = {}
 
+ @overload
 def get(self, session: Session, key: L) -> Optional[str]:
+ pass
+
+ @overload
+ def get(self, session: Session, key: L, default: str) -> str:
+ pass
+
+ def get(
+ self, session: Session, key: L, default: Optional[str] = None
+ ) -> Optional[str]:
 if key in self._cache:
 return self._cache[key]
- return session.exec(select(Config.value).where(Config.key == key)).one_or_none()
+ return (
+ session.exec(select(Config.value).where(Config.key == key)).one_or_none()
+ or default
+ )
 
 def set(self, session: Session, key: L, value: str):
 old = session.exec(select(Config).where(Config.key == key)).one_or_none()
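Review bot: The rewritten context dict still hands `oidc_client_secret` to the template next to the other OIDC fields, so the stored client secret appears to be echoed back into the rendered settings form on every successful update, where it lands in page source, browser history and any HTMX swap (the template is outside this hunk, so I cannot confirm how the value is used). Rendering a fixed placeholder instead, e.g. `"oidc_client_secret": "********" if oidc_config.get(session, "oidc_client_secret", "") else "",` and having the update path ignore a submitted value equal to the placeholder, keeps the secret server-side while still showing that one is configured. `update_security` begins and ends outside the hunk.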
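Review bot: The new `or default` on the return value treats a stored empty string as absent, so `get(session, key)` (the no-default overload) now yields `None` for a key whose value is `""` and `get(session, key, "x")` yields `"x"` for it, while the cache branch two lines above still returns the cached `""`; the two paths disagree. Test for absence explicitly: `value = session.exec(select(Config.value).where(Config.key == key)).one_or_none()` followed by `return default if value is None else value`. Whether an empty stored value should count as unset is a policy choice, but cached and uncached lookups should agree either way. The `StringConfigCache` class continues outside the hunk.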
@@ -59,7 +72,7 @@ class StringConfigCache(Generic[L], ABC):
 del self._cache[key]
 
 @overload
- def get_int(self, session: Session, key: L, default: None = None) -> Optional[int]:
+ def get_int(self, session: Session, key: L) -> Optional[int]:
 pass
 
 @overload
diff --git a/templates/invalid_oidc.html b/templates/invalid_oidc.html
index 471d36e..878ce75 100644
--- a/templates/invalid_oidc.html
+++ b/templates/invalid_oidc.html
@@ -7,7 +7,7 @@
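Review bot: Dropping `default: None = None` from the first `get_int` overload means a caller that passes `default=None` explicitly no longer matches any overload under a type checker, even though the implementation (outside this hunk) presumably still accepts it. If the change is deliberate, for symmetry with the new `get` overloads, it is fine; otherwise keep `default: None = None` on this overload so explicit `None` remains typed as `Optional[int]`. The `StringConfigCache` class continues outside the hunk.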

Error: {{ error }}

- Click the button below to log in with an admin account (without oidc):
+ Click the button below to log in with a root admin account as a backup:

Backup Login
diff --git a/templates/settings_page/security.html b/templates/settings_page/security.html
index c2d2c1e..410e93f 100644
--- a/templates/settings_page/security.html
+++ b/templates/settings_page/security.html
@@ -155,9 +155,17 @@ />

- Make sure all the settings are correct. Once you save you'll be - redirected to your auth server. If there is a configuration error the - login type will be reset to the forms login. + Make sure all the settings are correct. In the case of a + miconfiguration, you can log in at + /login?backup=1 + to fix the settings. +
+ Note: To test your OpenID Connect settings you have to log out to + invalidate your current session first.