Release 0.30.7

.github/workflows/ci.yml

@@ -81,7 +81,7 @@ jobs:
           MITOL_COOKIE_NAME: cookie_monster
 
       - name: Upload coverage to CodeCov
-        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
+        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
         with:
           file: ./coverage.xml
 
@@ -138,7 +138,7 @@ jobs:
           NODE_ENV: test
 
       - name: Upload coverage to CodeCov
-        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
+        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
         with:
           file: coverage/lcov.info
 
@@ -151,7 +151,7 @@ jobs:
 
       - name: Build the Docker image
         env:
-          ORIGIN: https://next.rc.learn.mit.edu
+          ORIGIN: https://rc.learn.mit.edu
           MITOL_API_BASE_URL: https://api.rc.learn.mit.edu
           SITE_NAME: MIT Learn
           SUPPORT_EMAIL: [email protected]

.github/workflows/production.yml

@@ -28,7 +28,7 @@ jobs:
         run: heroku container:login
 
       - name: Release Backend on Heroku
-        uses: akhileshns/heroku-deploy@c3187cbbeceea824a6f5d9e0e14e2995a611059c
+        uses: akhileshns/heroku-deploy@e3eb99d45a8e2ec5dca08735e089607befa4bf28
         with:
           heroku_api_key: ${{ secrets.HEROKU_API_KEY }}
           heroku_app_name: mitopen-production
@@ -61,7 +61,8 @@ jobs:
           LEARN_AI_RECOMMENDATION_ENDPOINT: ${{ secrets.LEARN_AI_RECOMMENDATION_ENDPOINT_PROD }}
           LEARN_AI_SYLLABUS_ENDPOINT: ${{ secrets.LEARN_AI_SYLLABUS_ENDPOINT_PROD }}
           VERSION: ${{ github.sha }}
-        run: |
+          MITOL_API_LOGOUT_SUFFIX: ${{ secrets.MITOL_API_LOGOUT_SUFFIX_PROD }}
+        run: | # NOTE: The --args must be comma separated and NOT have spaces
           heroku container:push web \
           --app $HEROKU_APP_NAME \
           --recursive \
@@ -83,7 +84,8 @@ jobs:
           NEXT_PUBLIC_APPZI_URL=$APPZI_URL,\
           NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT=$LEARN_AI_RECOMMENDATION_ENDPOINT,\
           NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT=$LEARN_AI_SYLLABUS_ENDPOINT,\
-          NEXT_PUBLIC_VERSION=$VERSION \
+          NEXT_PUBLIC_VERSION=$VERSION,\
+          NEXT_PUBLIC_MITOL_API_LOGOUT_SUFFIX=$MITOL_API_LOGOUT_SUFFIX \
           --context-path .
 
       - name: Release Frontend on Heroku

.github/workflows/release-candidate.yml

@@ -28,7 +28,7 @@ jobs:
         run: heroku container:login
 
       - name: Release Backend on Heroku
-        uses: akhileshns/heroku-deploy@c3187cbbeceea824a6f5d9e0e14e2995a611059c
+        uses: akhileshns/heroku-deploy@e3eb99d45a8e2ec5dca08735e089607befa4bf28
         with:
           heroku_api_key: ${{ secrets.HEROKU_API_KEY }}
           heroku_app_name: mitopen-rc
@@ -42,7 +42,7 @@ jobs:
         env:
           HEROKU_APP_NAME: mitopen-rc-nextjs
           HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }}
-          ORIGIN: https://next.rc.learn.mit.edu
+          ORIGIN: https://rc.learn.mit.edu
           MITOL_API_BASE_URL: https://api.rc.learn.mit.edu
           SITE_NAME: MIT Learn
           SUPPORT_EMAIL: [email protected]
@@ -61,7 +61,8 @@ jobs:
           LEARN_AI_RECOMMENDATION_ENDPOINT: ${{ secrets.LEARN_AI_RECOMMENDATION_ENDPOINT_RC }}
           LEARN_AI_SYLLABUS_ENDPOINT: ${{ secrets.LEARN_AI_SYLLABUS_ENDPOINT_RC }}
           VERSION: ${{ github.sha }}
-        run: |
+          MITOL_API_LOGOUT_SUFFIX: ${{ secrets.MITOL_API_LOGOUT_SUFFIX_RC }}
+        run: | # NOTE: The --args must be comma separated and NOT have spaces
           heroku container:push web \
           --app $HEROKU_APP_NAME \
           --recursive \
@@ -83,7 +84,8 @@ jobs:
           NEXT_PUBLIC_APPZI_URL=$APPZI_URL,\
           NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT=$LEARN_AI_RECOMMENDATION_ENDPOINT,\
           NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT=$LEARN_AI_SYLLABUS_ENDPOINT,\
-          NEXT_PUBLIC_VERSION=$VERSION \
+          NEXT_PUBLIC_VERSION=$VERSION,\
+          NEXT_PUBLIC_MITOL_API_LOGOUT_SUFFIX=$MITOL_API_LOGOUT_SUFFIX \
           --context-path .
 
       - name: Release Frontend on Heroku

.pre-commit-config.yaml

@@ -72,6 +72,10 @@ repos:
           - yarn.lock
           - --exclude-files
           - ".*/generated/"
+          - --exclude-files
+          - "config/keycloak/tls/*"
+          - --exclude-files
+          - "config/keycloak/realms/default-realm.json"
         additional_dependencies: ["gibberish-detector"]
   - repo: https://github.com/astral-sh/ruff-pre-commit
     rev: "v0.9.4"

.secrets.baseline

@@ -100,7 +100,8 @@
         "test_.*.py",
         "poetry.lock",
         "yarn.lock",
-        ".*/generated/"
+        ".*/generated/",
+        "config/keycloak/tls/*"
       ]
     }
   ],

Dockerfile

@@ -54,7 +54,7 @@ RUN poetry install
 USER root
 COPY . /src
 WORKDIR /src
-RUN mkdir /src/staticfiles
+RUN mkdir -p /src/staticfiles
 
 RUN apt-get clean && apt-get purge
 

README-keycloak.md

@@ -0,0 +1,35 @@
+# Keycloak and APISIX Integration
+
+The "docker-compose.services.yml" file includes Keycloak and APISIX containers that you can use for authentication instead of spinning up separate ones or using the deployed instances. It's not enabled by default, but you can run it if you prefer not to run your own Keycloak/APISIX instances.
+
+## Default Settings
+
+There are some defaults that are part of this.
+
+_SSL Certificate_: There's a self-signed cert that's in `config/keycloak/tls` - if you'd rather set up your own (or you have a real cert or something to use), you can drop the PEM files in there. See the README there for info.
+
+_Realm_: There's a `default-realm.json` in `config/keycloak` that will get loaded by Keycloak when it starts up, and will set up a realm for you with some users and a client so you don't have to set it up yourself. The realm it creates is called `ol-local`.
+
+The users it sets up are:
+
+| User                | Password  |
+| ------------------- | --------- |
+| `[email protected]` | `student` |
+| `[email protected]`    | `prof`    |
+| `[email protected]`   | `admin`   |
+
+The client it sets up is called `apisix`. You can change the passwords and get the secret in the admin.
+
+## Making it Work
+
+The Keycloak instance is part of the `keycloak` profile in the Composer file, so if you want to interact with it, you'll need to run `COMPOSE_PROFILES=backend,frontend,keycloak,apisix docker compose up`. (If you start the app without the profile, you can still start Keycloak later by specifying the profile.)
+
+If you want to use the Keycloak and APISIX instances, follow these steps:
+
+1. Change the value of `MITOL_API_BASE_URL` to `http://api.open.odl.local:8065` and `MITOL_API_LOGOUT_SUFFIX` to `logout/oidc` in your `shared.local.env` file.
+2. Add `MITOL_NEW_USER_LOGIN_URL=http://open.odl.local:8062/onboarding` to your `shared.local.env` file
+3. Copy all the env values under the "# APISIX/Keycloak " section of `backend.local.example.env` to your `backend.local.env` file. You can leave all the values as is.
+4. Keycloak needs to create its own database, which will only happen if you first destroy your current mit-learn database container: `docker compose down db`. If you prefer not to do this, you can manually create it by running the SQL in `config/postgres/init-keycloak.sql` in a postgres shell.
+5. Start containers with the command `COMPOSE_PROFILES=backend,frontend,keycloak,apisix docker compose up`
+
+The Keycloak and APISIX containers should start up and stay running. APISIX is on port 8065, Keycloak on port 8066. Now you should be able to log in at `https://open.odl.local:8065/login` with one of the users mentioned above, or just click "Log in" from the home page at http://open.odl.local:8062. Try logging out and back in a couple times to make sure it works.

README.md

@@ -211,26 +211,10 @@ This repo includes a config for running a [Jupyter notebook](https://jupyter.org
 
 From there, you should be able to run code snippets with a live Django app just like you would in a Django shell.
 
-### Connecting with an OpenID Connect provider for authentication
+### Connecting with Keycloak for authentication
 
-The MIT Learn application relies on an OpenID Connect client provided by Keycloak for authentication.
-
-The following environment variables must be defined using values from a Keycloak instance:
-
-- SOCIAL_AUTH_OL_OIDC_OIDC_ENDPOINT - The base URI for OpenID Connect discovery, https://<OIDC_ENDPOINT>/ without .well-known/openid-configuration.
-- OIDC_ENDPOINT - The base URI for OpenID Connect discovery, https://<OIDC_ENDPOINT>/ without .well-known/openid-configuration.
-
-- SOCIAL_AUTH_OL_OIDC_KEY - The client ID provided by the OpenID Connect provider.
-- SOCIAL_AUTH_OL_OIDC_SECRET - The client secret provided by the OpenID Connect provider.
-- AUTHORIZATION_URL - Provider endpoint where the user is asked to authenticate.
-- ACCESS_TOKEN_URL - Provider endpoint where client exchanges the authorization code for tokens.
-- USERINFO_URL - Provder endpoint where client sends requests for identity claims.
-- KEYCLOAK_BASE_URL - The base URL of the Keycloak instance. Used for generating the
-- KEYCLOAK_REALM_NAME - The Keycloak realm that the OpenID Connect client exists in.
-
-To login via the Keycloak client, open http://od.odl.local:8063/login/ol-oidc in your browser.
-
-Additional details can be found at https://docs.google.com/document/d/17tJ-C2EwWoSpJWZKjuhMVgsqGtyPH0IN9KakXvSKU0M/edit
+Please read [the Keycloak README](README-keycloak.md) for instructions on authenticating via
+local Keycloak and APISIX containers.
 
 ### Configuring PostHog Support
 

RELEASE.rst

@@ -1,6 +1,41 @@
 Release Notes
 =============
 
+Version 0.30.7
+--------------
+
+- Increase nginx header size limit to 12k (#2107)
+- Handle "next" query string param in CustomLogoutView (#2064)
+- Fix SCIM startIndex parsing (#2105)
+- Update README to point to separate keycloak readme (#2103)
+- add a comment in release actions about spaces (#2093)
+- chore(deps): update codecov/codecov-action action to v5.4.0 (#2098)
+- fix(deps): update dependency ruff to v0.9.9 (#2097)
+- chore(deps): update opensearchproject/opensearch docker tag to v2.19.1 (#2094)
+- fix(deps): update dependency litellm to v1.61.20 (#2096)
+- Fix the casing of the sort field for SCIM search (#2089)
+- remove an erroneous space (#2090)
+- remove next prefix from app origin (#2087)
+- fix: env based _JAVA_OPTIONS for opensearch container (#2082)
+- Add comma between build args (#2083)
+- Fix the user search URL (#2084)
+- Tie chatbots to URL parameters (#2076)
+- Add all Contentfile metadata to chunk responses (#2075)
+- Make embedding generation task use correct run (#2074)
+- add MITOL_LOGOUT_SUFFIX to github actions (#2079)
+- Fix user migrations for SCIM (#2078)
+- Fix SCIM view tests (#2073)
+- Accessibility improvements (#2071)
+- APISIX integration (#2061)
+- Added SCIM fields to User and populate (#2062)
+- Fix SCIM search API sort and pagination (#2066)
+- fix: Opensearch container on ARM64 based architecture (#2069)
+- Update dependency @dnd-kit/sortable to v10 (#1974)
+- Update akhileshns/heroku-deploy digest to e3eb99d (#2068)
+- Update dependency @sentry/nextjs to v9 (#2034)
+- Update dependency @mui/lab to v6.0.0-beta.28 (#2051)
+- Update dependency tldextract to v5 (#2031)
+
 Version 0.30.6 (Released February 26, 2025)
 --------------
 

authentication/views.py

@@ -5,6 +5,7 @@
 from django.conf import settings
 from django.contrib.auth import views
 from django.shortcuts import redirect
+from social_core.utils import sanitize_redirect
 from social_django.utils import load_strategy
 
 from authentication.backends.ol_open_id_connect import OlOpenIdConnectAuth
@@ -33,12 +34,16 @@
             user, provider=OlOpenIdConnectAuth.name
         ).first()
         id_token = user_social_auth_record.extra_data.get("id_token")
+        qs_next = self.request.GET.get("next")
+        if qs_next:
+            allowed_hosts = settings.SOCIAL_AUTH_ALLOWED_REDIRECT_HOSTS or []
+            qs_next = sanitize_redirect(allowed_hosts, qs_next)
         qs = urlencode(
             {
                 "id_token_hint": id_token,
-                "post_logout_redirect_uri": self.request.build_absolute_uri(
-                    settings.LOGOUT_REDIRECT_URL
-                ),
+                "post_logout_redirect_uri": qs_next
+                if qs_next
+                else self.request.build_absolute_uri(settings.LOGOUT_REDIRECT_URL),
             }
         )
 
@@ -55,7 +60,7 @@
         **kwargs,  # noqa: ARG002
     ):
         """
-        GET endpoint for loggin a user out.
+        GET endpoint for logging a user out.
 
         The logout redirect path the user follows is:
 
@@ -68,6 +73,6 @@
         user = getattr(request, "user", None)
         if user and user.is_authenticated:
             super().get(request)
             return redirect(self._keycloak_logout_url(user))
         else:
             return redirect("/app")

config/apisix/apisix.yaml

@@ -0,0 +1,79 @@
+upstreams:
+  - id: 1
+    nodes:
+      "nginx:${{NGINX_PORT}}": 1
+    type: roundrobin
+
+routes:
+  - id: 1
+    name: "passauth"
+    desc: "Wildcard route that can use auth but doesn't require it."
+    priority: 0
+    upstream_id: 1
+    plugins:
+      openid-connect:
+        client_id: ${{KEYCLOAK_CLIENT_ID}}
+        client_secret: ${{KEYCLOAK_CLIENT_SECRET}}
+        discovery: ${{KEYCLOAK_DISCOVERY_URL}}
+        realm: ${{KEYCLOAK_REALM_NAME}}
+        scope: ${{KEYCLOAK_SCOPES}}
+        bearer_only: false
+        introspection_endpoint_auth_method: "client_secret_post"
+        ssl_verify: false
+        session:
+          secret: ${{APISIX_SESSION_SECRET_KEY}}
+        logout_path: "/logout/oidc"
+        post_logout_redirect_uri: ${{APISIX_LOGOUT_URL}}
+        unauth_action: "pass"
+      cors:
+        allow_origins: "**"
+        allow_methods: "**"
+        allow_headers: "**"
+        allow_credential: true
+      response-rewrite:
+        headers:
+          set:
+            Referrer-Policy: "origin"
+    uri: "*"
+  - id: 2
+    name: "logout-redirect"
+    desc: "Strip trailing slash from logout redirect."
+    priority: 10
+    upstream_id: 1
+    uri: "/logout/oidc/*"
+    plugins:
+      redirect:
+        uri: "/logout/oidc"
+  - id: 3
+    name: "reqauth"
+    desc: "Routes that require authentication."
+    priority: 10
+    upstream_id: 1
+    plugins:
+      openid-connect:
+        client_id: ${{KEYCLOAK_CLIENT_ID}}
+        client_secret: ${{KEYCLOAK_CLIENT_SECRET}}
+        discovery: ${{KEYCLOAK_DISCOVERY_URL}}
+        realm: ${{KEYCLOAK_REALM_NAME}}
+        scope: ${{KEYCLOAK_SCOPES}}
+        bearer_only: false
+        introspection_endpoint_auth_method: "client_secret_post"
+        ssl_verify: false
+        session:
+          secret: ${{APISIX_SESSION_SECRET_KEY}}
+        logout_path: "/logout/oidc"
+        post_logout_redirect_uri: ${{APISIX_LOGOUT_URL}}
+        unauth_action: "auth"
+      cors:
+        allow_origins: "**"
+        allow_methods: "**"
+        allow_headers: "**"
+        allow_credential: true
+      response-rewrite:
+        headers:
+          set:
+            Referrer-Policy: "origin"
+    uris:
+      - "/admin/login/*"
+      - "/login/*"
+#END

config/apisix/config.yaml

@@ -0,0 +1,11 @@
+apisix:
+  enable_admin: false
+  enable_dev_mode: false
+  node_listen:
+    - port: ${{APISIX_PORT}}
+
+deployment:
+  role: data_plane
+  role_data_plane:
+    config_provider: yaml
+#END