From d588469bb579285ba70d793451651aeeccdbd207 Mon Sep 17 00:00:00 2001 From: Helmut Merz Date: Sat, 25 Oct 2025 17:31:25 +0200 Subject: [PATCH] authentication methods: allow selection on personal info page, set cookie, check on login page --- loops/organize/browser/member.py | 8 +++++++ loops/organize/browser/view_macros.pt | 14 +++++++++++ loops/server/auth.py | 34 ++++++++++++++++++++++++++- loops/server/loginform.pt | 3 ++- loops/server/loginform.zcml | 6 ++--- 5 files changed, 60 insertions(+), 5 deletions(-) diff --git a/loops/organize/browser/member.py b/loops/organize/browser/member.py index fb6997a..c2b6362 100644 --- a/loops/organize/browser/member.py +++ b/loops/organize/browser/member.py @@ -39,6 +39,7 @@ from loops.organize.util import getPrincipalFolder import loops.browser.util from loops.util import _ +import config organize_macros = ViewPageTemplateFile('view_macros.pt') @@ -60,6 +61,13 @@ class PersonalInfo(ConceptView): def view(self): return self + @Lazy + def selectAuthMethod(self): + return getattr(config, 'authentication_method', 'legacy') == 'cookie' + + def getAuthMethod(self): + return self.request.cookies.get('loops_auth_method') or 'legacy' + @Lazy def extUserLink(self): from scopes.web.auth.oidc import IExternalPrincipal diff --git a/loops/organize/browser/view_macros.pt b/loops/organize/browser/view_macros.pt index efb50f4..0fc6f5c 100644 --- a/loops/organize/browser/view_macros.pt +++ b/loops/organize/browser/view_macros.pt @@ -60,6 +60,20 @@
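Review bot: `getAuthMethod` in the second member.py hunk returns whatever the client sent in the `loops_auth_method` cookie, with no check against the values the application understands. The same read is repeated in `getAuthMethodCookieValue` in loops/server/auth.py, so the cookie name and the `'legacy'` default now live in two places that can drift apart. Because the cookie is client-controlled, I would normalise it once in a shared helper and call that from both views, e.g. `value = request.cookies.get('loops_auth_method')` followed by `return value if value in ('legacy', 'oidc', 'select') else 'legacy'` (the value set is inferred from the checks in auth.py, so please confirm it). The template markup that renders this value and sets the cookie is not readable on this page, so its escaping and cookie attributes could not be checked. The body of `PersonalInfo` continues outside the hunk.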
  • Edit Filters
  • +
  • + Authentication Method: + +
  • diff --git a/loops/server/auth.py b/loops/server/auth.py index 0373bc1..039d720 100644 --- a/loops/server/auth.py +++ b/loops/server/auth.py @@ -5,24 +5,56 @@ from scopes.web.auth import oidc from zope.authentication.interfaces import IAuthentication +from zope.browserpage import ViewPageTemplateFile from zope.component import provideAdapter, getUtility, provideUtility from zope.interface import implementer, Interface from zope.publisher.interfaces.browser import IBrowserRequest, IBrowserPage from zope.publisher.browser import BrowserPage from zope.security.proxy import removeSecurityProxy +import config + def registerAuthUtility(config): baseAuth = getUtility(IAuthentication) print('*** registerAuthUtility, baseAuth:', baseAuth) provideUtility(oidc.OidcAuthentication(baseAuth)) -class LoginView: +class LoginPage: + + index = ViewPageTemplateFile('loginform.pt') + + def __init__(self, context, request): + self.context = context + self.request = request + self.authMethod = getattr(config, 'authentication_method', 'legacy') + if self.authMethod == 'cookie': + self.authMethod = getAuthMethodCookieValue(request) + self.oidc_allowed = self.authMethod in ('oidc', 'select') def __call__(self): + print('***', self.request.principal.id) + print('***', self.authMethod) + if self.authMethod == 'oidc': + return self.authOidc() + return self.index() + + def authOidc(self): oidc.Authenticator(self.request).login() return '' +def getAuthMethodCookieValue(request): + print('***', dict(request.cookies)) + return request.cookies.get('loops_auth_method') or 'legacy' + + +# OIDC authentication + +class LoginView(LoginPage): + + def __call__(self): + return self.authOidc() + class CallbackView: diff --git a/loops/server/loginform.pt b/loops/server/loginform.pt index 7bbfc3f..2f80420 100644 --- a/loops/server/loginform.pt +++ b/loops/server/loginform.pt @@ -25,7 +25,8 @@
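Review bot: `getAuthMethodCookieValue` prints `dict(request.cookies)`, which writes every cookie on the login request, including any session or authentication cookie, to the server's stdout and to whatever collects it. `LoginPage.__call__` likewise prints the principal id and the chosen method on every hit. These look like debugging leftovers: drop the three `print('***', ...)` lines so the helper body is just `return request.cookies.get('loops_auth_method') or 'legacy'`, and if a trace is still wanted, log only the selected method name. Separately, the new module-level `import config` is shadowed by the `config` parameter of `registerAuthUtility`; that is harmless as written but easy to trip over, so renaming one of them would help.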

    You are not authorized to perform this action. However, you may login as a different user who is authorized.

    -

    +

    Login with OpenID Connect (Zitadel)

    diff --git a/loops/server/loginform.zcml b/loops/server/loginform.zcml index 7ef04e4..ccf6dd5 100644 --- a/loops/server/loginform.zcml +++ b/loops/server/loginform.zcml @@ -2,9 +2,9 @@ xmlns="http://namespaces.zope.org/zope" xmlns:browser="http://namespaces.zope.org/browser"> -