From 3dd88c487aceb95be87fee6b9a93bf57043d350a Mon Sep 17 00:00:00 2001
From: Youri Westerman <y.westerman@amsterdam.nl>
Date: Tue, 11 Mar 2025 10:36:16 +0100
Subject: [PATCH 1/6] Only add model backend when local admin login is enabled

---
 app/signals/settings.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/signals/settings.py b/app/signals/settings.py
index 1a5d245d2..a6c489832 100644
--- a/app/signals/settings.py
+++ b/app/signals/settings.py
@@ -173,9 +173,12 @@ def is_super_user(user) -> bool:
 
 AUTHENTICATION_BACKENDS: list[str] = [
     'signals.admin.oidc.backends.AuthenticationBackend',
-    'django.contrib.auth.backends.ModelBackend',
 ]
 
+ADMIN_ENABLE_LOCAL_LOGIN: bool = os.getenv('ADMIN_ENABLE_LOCAL_LOGIN', False) in TRUE_VALUES
+if ADMIN_ENABLE_LOCAL_LOGIN:
+    AUTHENTICATION_BACKENDS.append("django.contrib.auth.backends.ModelBackend")
+
 LOGIN_REDIRECT_URL: str = '/signals/admin/'
 LOGIN_REDIRECT_URL_FAILURE: str = '/signals/oidc/login_failure/'
 LOGOUT_REDIRECT_URL: str = '/signals/admin/'

From cc5a376d92747e89f77d706a4a83809100ca0434 Mon Sep 17 00:00:00 2001
From: Youri Westerman <y.westerman@amsterdam.nl>
Date: Tue, 11 Mar 2025 10:37:04 +0100
Subject: [PATCH 2/6] Move password reset link outside of form

---
 app/signals/templates/admin/login.html | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/signals/templates/admin/login.html b/app/signals/templates/admin/login.html
index 70dd1cb45..b9d59cd4c 100644
--- a/app/signals/templates/admin/login.html
+++ b/app/signals/templates/admin/login.html
@@ -66,16 +66,16 @@
     {{ form.password.label_tag }} {{ form.password }}
     <input type="hidden" name="next" value="{{ next }}">
 </div>
+<div class="submit-row">
+    <label>&nbsp;</label><input type="submit" value="{% trans 'Log in' %}">
+</div>
+</form>
 {% url 'admin_password_reset' as password_reset_url %}
 {% if password_reset_url %}
 <div class="password-reset-link">
     <a href="{{ password_reset_url }}">{% trans 'Forgotten your password or username?' %}</a>
 </div>
 {% endif %}
-<div class="submit-row">
-    <label>&nbsp;</label><input type="submit" value="{% trans 'Log in' %}">
-</div>
-</form>
 
 {% if OIDC_RP_CLIENT_ID %}
 <div class="sso">

From 5d1ba1371a37aa0f1c94bdacefed3aa043e29b5c Mon Sep 17 00:00:00 2001
From: Youri Westerman <y.westerman@amsterdam.nl>
Date: Tue, 11 Mar 2025 10:51:48 +0100
Subject: [PATCH 3/6] Do not display login form if local login for admin is
 disabled

---
 app/signals/templates/admin/login.html | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/signals/templates/admin/login.html b/app/signals/templates/admin/login.html
index b9d59cd4c..4c2dd6e3b 100644
--- a/app/signals/templates/admin/login.html
+++ b/app/signals/templates/admin/login.html
@@ -56,6 +56,7 @@
 </p>
 {% endif %}
 
+{% if ADMIN_ENABLE_LOCAL_LOGIN %}
 <form action="{{ app_path }}" method="post" id="login-form">{% csrf_token %}
 <div class="form-row">
     {{ form.username.errors }}
@@ -70,6 +71,7 @@
     <label>&nbsp;</label><input type="submit" value="{% trans 'Log in' %}">
 </div>
 </form>
+{% endif %}
 {% url 'admin_password_reset' as password_reset_url %}
 {% if password_reset_url %}
 <div class="password-reset-link">

From 4c811b0f335ee50d14645f35e116d8258a5b9184 Mon Sep 17 00:00:00 2001
From: Youri Westerman <y.westerman@amsterdam.nl>
Date: Tue, 11 Mar 2025 10:57:10 +0100
Subject: [PATCH 4/6] Disable nonce checking, as the nonce claim will only be
 present in id tokens, which we don't use in the backend

---
 docker-compose/environments/.api | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker-compose/environments/.api b/docker-compose/environments/.api
index 713877ff2..8788e2963 100644
--- a/docker-compose/environments/.api
+++ b/docker-compose/environments/.api
@@ -29,6 +29,7 @@ OIDC_OP_USER_ENDPOINT=http://keycloak:8002/realms/signals/protocol/openid-connec
 OIDC_OP_JWKS_ENDPOINT=http://keycloak:8002/realms/signals/protocol/openid-connect/certs
 OIDC_OP_ISSUER=http://localhost:8002/realms/signals
 OIDC_VERIFY_AUDIENCE=False
+OIDC_USE_NONCE=False
 SILK_ENABLED=False
 SILK_PROFILING_ENABLED=False
 SILK_AUTHENTICATION_ENABLED=False

From f2c7d3ee2944b17b5ce8843ca16c6b0b72b1f260 Mon Sep 17 00:00:00 2001
From: Youri Westerman <y.westerman@amsterdam.nl>
Date: Tue, 11 Mar 2025 11:16:21 +0100
Subject: [PATCH 5/6] Correct typo

---
 app/signals/apps/signals/tests/test_span_creation.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/signals/apps/signals/tests/test_span_creation.py b/app/signals/apps/signals/tests/test_span_creation.py
index 2fc8fd312..8828d4b45 100644
--- a/app/signals/apps/signals/tests/test_span_creation.py
+++ b/app/signals/apps/signals/tests/test_span_creation.py
@@ -42,7 +42,7 @@ def setUp(self):
 
     def test_span_creation(self):
         """
-        Test if the app succesfully creates spans by creating a
+        Test if the app successfully creates spans by creating a
         custom trace and performing a query inside it.
         """
 

From 7ca37e7d5123ef94259788251c394d3790b1b826 Mon Sep 17 00:00:00 2001
From: Youri Westerman <y.westerman@amsterdam.nl>
Date: Tue, 11 Mar 2025 11:16:41 +0100
Subject: [PATCH 6/6] Keep local admin login enabled in test suite

---
 docker-compose/environments/.test | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker-compose/environments/.test b/docker-compose/environments/.test
index 8d338d5dd..cab6974ca 100644
--- a/docker-compose/environments/.test
+++ b/docker-compose/environments/.test
@@ -31,6 +31,7 @@ OIDC_OP_AUTHORIZATION_ENDPOINT=http://127.0.0.1:5556/auth
 OIDC_OP_TOKEN_ENDPOINT=http://dex:5556/token
 OIDC_OP_USER_ENDPOINT=http://dex:5556/userinfo
 OIDC_OP_JWKS_ENDPOINT=http://dex:5556/keys
+ADMIN_ENABLE_LOCAL_LOGIN=True
 SILK_ENABLED=False
 SILK_PROFILING_ENABLED=False
 SILK_AUTHENTICATION_ENABLED=False