Add Entra ID authentication with role-based access control

Implement Microsoft Entra ID (Azure AD) authentication with user and admin roles.

Features:
- OAuth 2.0 authentication flow using MSAL
- User and admin role-based access control
- Tenant ownership and access management
- Server-side session storage
- Protected routes with authentication decorators

Authentication:
- Users authenticate via Microsoft organizational accounts
- Admin role automatically assigned to DEFAULT_ADMIN_EMAIL
- User profiles synced from Microsoft Graph API

Access Control:
- Admins: Full access to all tenants and server settings
- Users: Can create and manage their own tenants only
- Tenant association: Auto-created when user adds products
- API endpoints remain open for AR application access

Database Changes:
- New users table with email, azure_oid, name, and role
- New user_tenants table for many-to-many tenant ownership
- Case-insensitive admin email comparison

Configuration:
- Environment-based config via .env file
- Azure AD credentials (client ID, secret, tenant ID)
- Configurable redirect URI and admin email
- Updated to Flask 2.2.5 for compatibility
This commit is contained in:
2025-10-20 19:36:52 -04:00
parent 32ce69057b
commit 795068c015
17 changed files with 775 additions and 15 deletions

24
.env.example Normal file
View File

@@ -0,0 +1,24 @@
# Flask Configuration
SECRET_KEY=your-secret-key-change-this-in-production
FLASK_DEBUG=1
# Entra ID (Azure AD) Configuration
# Get these values from your Azure Portal > App Registrations
AZURE_CLIENT_ID=your-client-id-here
AZURE_CLIENT_SECRET=your-client-secret-here
AZURE_TENANT_ID=your-tenant-id-here
# Redirect URI - Update this to match your deployment URL
# For local development: http://localhost:5555/auth/callback
# For production: https://yourdomain.com/auth/callback
REDIRECT_URI=http://localhost:5555/auth/callback
# Azure AD Authority URL (usually don't need to change this)
AUTHORITY=https://login.microsoftonline.com/
# Scopes for Microsoft Graph API (to get user info)
SCOPE=User.Read
# Application Settings
# Default admin email (this user will have admin role automatically)
DEFAULT_ADMIN_EMAIL=admin@yourdomain.com