Add Hanko SSO authentication

Author: hg1g

.env.example

@@ -40,11 +40,20 @@ S3_BUCKET_NAME=${S3_BUCKET_NAME:-dtm-bucket}
 S3_ACCESS_KEY=${S3_ACCESS_KEY:-admin}
 S3_SECRET_KEY=${S3_SECRET_KEY:-somelongpassword}
 
-# ---- Auth (frontend login) ----
+# ---- Authentication ----
+# Options: "legacy" (Google OAuth) or "hanko" (Hanko SSO)
+AUTH_PROVIDER=${AUTH_PROVIDER:-legacy}
+
+# Legacy Google OAuth (when AUTH_PROVIDER="legacy")
 GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID:-}
 GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET:-}
 GOOGLE_LOGIN_REDIRECT_URI=${GOOGLE_LOGIN_REDIRECT_URI:-http://localhost:$FRONTEND_WEB_APP_PORT/auth}
 
+# Hanko SSO (when AUTH_PROVIDER="hanko")
+HANKO_API_URL=${HANKO_API_URL:-https://dev.login.hotosm.org}
+COOKIE_SECRET=${COOKIE_SECRET:-your-secret-key-min-32-bytes-long}
+COOKIE_DOMAIN=${COOKIE_DOMAIN:-}
+
 # ---- External APIs ----
 # ODM endpoint (NodeODM typically) for processing
 ODM_ENDPOINT=${ODM_ENDPOINT:-http://nodeodm:9900}
@@ -60,3 +69,7 @@ SMTP_USER=${SMTP_USER:-}
 SMTP_PASSWORD=${SMTP_PASSWORD:-}
 EMAILS_FROM_EMAIL=${EMAILS_FROM_EMAIL:-}
 EMAILS_FROM_NAME=${EMAILS_FROM_NAME:-"Drone Tasking Manager"}
+
+# ---- CORS ----
+# Required for Hanko SSO cookies to work cross-origin
+EXTRA_CORS_ORIGINS=${EXTRA_CORS_ORIGINS:-["http://localhost:3040"]}

.github/workflows/deploy-login-hanko.yml

@@ -0,0 +1,118 @@
+name: Deploy login-hanko to testlogin.dronetm.hotosm.org
+
+on:
+  push:
+    branches:
+      - feature/hanko-auth-v2
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_PREFIX: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push backend
+        run: |
+          docker build -t ghcr.io/${{ env.IMAGE_PREFIX }}/backend:login-hanko \
+            --target service ./src/backend
+          docker push ghcr.io/${{ env.IMAGE_PREFIX }}/backend:login-hanko
+
+      - name: Build and push frontend
+        run: |
+          docker build -t ghcr.io/${{ env.IMAGE_PREFIX }}/frontend:login-hanko \
+            --target prod \
+            --build-arg VITE_AUTH_PROVIDER=${{ vars.AUTH_PROVIDER || 'hanko' }} \
+            --build-arg VITE_HANKO_URL=https://dev.login.hotosm.org \
+            --build-arg VITE_FRONTEND_URL=https://testlogin.dronetm.hotosm.org \
+            --build-arg VITE_API_URL=https://testlogin.dronetm.hotosm.org/api \
+            --build-arg API_URL=https://testlogin.dronetm.hotosm.org/api \
+            --build-arg BASE_URL=https://testlogin.dronetm.hotosm.org/api \
+            --build-arg SITE_NAME="Drone TM Test" \
+            ./src/frontend
+          docker push ghcr.io/${{ env.IMAGE_PREFIX }}/frontend:login-hanko
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: testlogin
+    steps:
+      - uses: actions/checkout@v4
+      - uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: ${{ secrets.EC2_SSH_KEY }}
+
+      - name: Add host to known_hosts
+        run: ssh-keyscan -H ${{ secrets.EC2_HOST }} >> ~/.ssh/known_hosts
+
+      - name: Deploy
+        env:
+          EC2_HOST: ${{ secrets.EC2_HOST }}
+          EC2_USER: ${{ secrets.EC2_USER }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_ACTOR: ${{ github.actor }}
+          AUTH_PROVIDER: ${{ vars.AUTH_PROVIDER || 'hanko' }}
+        run: |
+          ssh $EC2_USER@$EC2_HOST << ENDSSH
+            set -e
+
+            # Ensure Traefik is running
+            if ! docker ps | grep -q traefik; then
+              echo "ERROR: Traefik not running. Run setup-test-server.sh first."
+              exit 1
+            fi
+
+            APP_DIR="/opt/dronetm-test"
+
+            # Setup inicial si no existe
+            if [ ! -d "\$APP_DIR" ]; then
+              sudo mkdir -p \$APP_DIR
+              sudo chown \$USER:\$USER \$APP_DIR
+              git clone -b login-hanko https://github.com/hotosm/drone-tm.git \$APP_DIR
+              echo "✓ Cloned repository"
+            fi
+
+            cd \$APP_DIR
+
+            # Pull latest changes
+            git fetch origin login-hanko
+            git reset --hard origin/login-hanko
+            echo "✓ Updated to latest login-hanko"
+
+            # Create .env with defaults (ok for testing)
+            cat > .env << EOF
+          POSTGRES_USER=dtm
+          POSTGRES_PASSWORD=dtm
+          POSTGRES_DB=dtm_db
+          SECRET_KEY=test-secret-key-for-testing-only-min-32-chars
+          S3_ACCESS_KEY=minioadmin
+          S3_SECRET_KEY=minioadmin
+          AUTH_PROVIDER=${AUTH_PROVIDER}
+          EOF
+            echo "✓ Created .env"
+
+            # Login to GHCR
+            echo "${GH_TOKEN}" | docker login ghcr.io -u ${GH_ACTOR} --password-stdin
+
+            # Pull and deploy
+            docker compose -f compose.login-hanko.yaml pull
+            docker compose -f compose.login-hanko.yaml up -d --force-recreate
+
+            # Cleanup
+            docker image prune -af
+
+            echo "✓ Deployment complete"
+          ENDSSH

.gitignore

@@ -4,6 +4,9 @@ env/
 ./build/
 develop-eggs/
 dist/
+# Allow auth-libs dist (distributed from auth-libs repo)
+!src/frontend/auth-libs/**/dist/
+!src/backend/auth-libs/dist/
 downloads/
 eggs/
 .eggs/

compose.login-hanko.yaml

@@ -0,0 +1,149 @@
+# compose.test.yaml - Test environment for login-hanko branch
+# Deploy to: testlogin.dronetm.hotosm.org
+# Requires: Traefik running in /opt/traefik with hotosm-test network
+
+services:
+  # Frontend syncs built files to a shared volume
+  frontend:
+    image: ghcr.io/hotosm/drone-tm/frontend:login-hanko
+    restart: unless-stopped
+    volumes:
+      - frontend-html:/frontend_html
+    networks:
+      - internal
+
+  # Nginx serves the static files
+  nginx:
+    image: nginx:alpine
+    restart: unless-stopped
+    depends_on:
+      - frontend
+    volumes:
+      - frontend-html:/usr/share/nginx/html:ro
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+    networks:
+      - hotosm-test
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dronetm-frontend.rule=Host(`testlogin.dronetm.hotosm.org`) && !PathPrefix(`/api`)"
+      - "traefik.http.routers.dronetm-frontend.entrypoints=websecure"
+      - "traefik.http.routers.dronetm-frontend.tls.certresolver=letsencrypt"
+      - "traefik.http.services.dronetm-frontend.loadbalancer.server.port=80"
+
+  backend:
+    image: ghcr.io/hotosm/drone-tm/backend:login-hanko
+    restart: unless-stopped
+    deploy:
+      replicas: 4
+    depends_on:
+      - db
+      - redis
+    environment:
+      - DATABASE_URL=postgresql+asyncpg://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
+      - AUTH_PROVIDER=${AUTH_PROVIDER:-hanko}
+      - HANKO_API_URL=https://dev.login.hotosm.org
+      - JWT_ISSUER=https://dev.login.hotosm.org
+      - SECRET_KEY=${SECRET_KEY}
+      - COOKIE_SECRET=${SECRET_KEY}
+      - S3_ENDPOINT=http://minio:9000
+      - S3_ACCESS_KEY=${S3_ACCESS_KEY}
+      - S3_SECRET_KEY=${S3_SECRET_KEY}
+      - S3_BUCKET_NAME=dronetm
+      - S3_DOWNLOAD_ROOT=https://s3.testlogin.dronetm.hotosm.org
+      - DRAGONFLY_DSN=redis://redis:6379/0
+      - FRONTEND_URL=https://testlogin.dronetm.hotosm.org
+      - BACKEND_URL=https://testlogin.dronetm.hotosm.org/api
+      - EXTRA_CORS_ORIGINS=["https://testlogin.dronetm.hotosm.org","https://portal.hotosm.org","https://dev.login.hotosm.org"]
+      - ADMIN_EMAILS=hernangigena@gmail.com,justina@animus.com.ar,andreatchirillano@hotmail.com,emilio.mariscal@hotosm.org
+    networks:
+      - hotosm-test
+      - internal
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dronetm-backend.rule=Host(`testlogin.dronetm.hotosm.org`) && PathPrefix(`/api`)"
+      - "traefik.http.routers.dronetm-backend.entrypoints=websecure"
+      - "traefik.http.routers.dronetm-backend.tls.certresolver=letsencrypt"
+      - "traefik.http.services.dronetm-backend.loadbalancer.server.port=8000"
+
+  db:
+    image: postgis/postgis:14-3.4
+    restart: unless-stopped
+    environment:
+      - POSTGRES_USER=${POSTGRES_USER}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+      - POSTGRES_DB=${POSTGRES_DB}
+    volumes:
+      - dronetm-db:/var/lib/postgresql/data
+    networks:
+      - internal
+
+  redis:
+    image: redis:7-alpine
+    restart: unless-stopped
+    networks:
+      - internal
+
+  minio:
+    image: minio/minio:latest
+    restart: unless-stopped
+    command: server /data --console-address ":9001"
+    environment:
+      - MINIO_ROOT_USER=${S3_ACCESS_KEY}
+      - MINIO_ROOT_PASSWORD=${S3_SECRET_KEY}
+    volumes:
+      - dronetm-minio:/data
+    networks:
+      - internal
+      - hotosm-test
+    labels:
+      - "traefik.enable=true"
+      # MinIO Console (Web UI)
+      - "traefik.http.routers.dronetm-minio-console.rule=Host(`minio.testlogin.dronetm.hotosm.org`)"
+      - "traefik.http.routers.dronetm-minio-console.entrypoints=websecure"
+      - "traefik.http.routers.dronetm-minio-console.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.dronetm-minio-console.service=dronetm-minio-console"
+      - "traefik.http.services.dronetm-minio-console.loadbalancer.server.port=9001"
+      # MinIO S3 API (for presigned URLs)
+      - "traefik.http.routers.dronetm-minio-api.rule=Host(`s3.testlogin.dronetm.hotosm.org`)"
+      - "traefik.http.routers.dronetm-minio-api.entrypoints=websecure"
+      - "traefik.http.routers.dronetm-minio-api.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.dronetm-minio-api.service=dronetm-minio-api"
+      - "traefik.http.services.dronetm-minio-api.loadbalancer.server.port=9000"
+
+  migrations:
+    image: ghcr.io/hotosm/drone-tm/backend:login-hanko
+    command: alembic upgrade head
+    depends_on:
+      - db
+    environment:
+      - DATABASE_URL=postgresql+asyncpg://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
+    networks:
+      - internal
+
+  arq-worker:
+    image: ghcr.io/hotosm/drone-tm/backend:login-hanko
+    command: arq app.arq.tasks.WorkerSettings
+    restart: unless-stopped
+    depends_on:
+      - db
+      - redis
+    environment:
+      - DATABASE_URL=postgresql+asyncpg://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
+      - DRAGONFLY_DSN=redis://redis:6379/0
+      - S3_ENDPOINT=http://minio:9000
+      - S3_ACCESS_KEY=${S3_ACCESS_KEY}
+      - S3_SECRET_KEY=${S3_SECRET_KEY}
+      - S3_BUCKET_NAME=dronetm
+      - S3_DOWNLOAD_ROOT=https://s3.testlogin.dronetm.hotosm.org
+    networks:
+      - internal
+
+networks:
+  hotosm-test:
+    external: true
+  internal:
+
+volumes:
+  dronetm-db:
+  dronetm-minio:
+  frontend-html:

compose.yaml

@@ -46,6 +46,8 @@ services:
       S3_ENDPOINT_DOWNLOAD: ${S3_ENDPOINT_DOWNLOAD:-http://localhost:9000}
     networks:
       - dtm-network
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     restart: unless-stopped
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8000/__lbheartbeat__"]

nginx.conf

@@ -0,0 +1,17 @@
+server {
+    listen 80;
+    server_name _;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # SPA routing - serve index.html for all routes
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    # Cache static assets
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+}