2025-04-12 15:39:15 -04:00
|
|
|
import { Request, Response, NextFunction } from "express";
|
|
|
|
|
import { z } from "zod";
|
|
|
|
|
import { db } from "@server/db";
|
|
|
|
|
import response from "@server/lib/response";
|
|
|
|
|
import HttpCode from "@server/types/HttpCode";
|
|
|
|
|
import createHttpError from "http-errors";
|
|
|
|
|
import logger from "@server/logger";
|
|
|
|
|
import { fromError } from "zod-validation-error";
|
|
|
|
|
import {
|
|
|
|
|
idp,
|
|
|
|
|
idpOidcConfig,
|
|
|
|
|
idpOrg,
|
|
|
|
|
Role,
|
2025-04-13 17:57:27 -04:00
|
|
|
roles,
|
|
|
|
|
userOrgs,
|
|
|
|
|
users
|
2025-04-12 15:39:15 -04:00
|
|
|
} from "@server/db/schemas";
|
2025-04-13 17:57:27 -04:00
|
|
|
import { and, eq, inArray } from "drizzle-orm";
|
2025-04-12 15:39:15 -04:00
|
|
|
import * as arctic from "arctic";
|
|
|
|
|
import { generateOidcRedirectUrl } from "@server/lib/idp/generateRedirectUrl";
|
|
|
|
|
import jmespath from "jmespath";
|
2025-04-13 17:57:27 -04:00
|
|
|
import jsonwebtoken from "jsonwebtoken";
|
|
|
|
|
import config from "@server/lib/config";
|
|
|
|
|
import { UserType } from "@server/types/UserTypes";
|
2025-04-12 15:39:15 -04:00
|
|
|
import {
|
2025-04-13 17:57:27 -04:00
|
|
|
createSession,
|
|
|
|
|
generateId,
|
|
|
|
|
generateSessionToken,
|
|
|
|
|
serializeSessionCookie
|
|
|
|
|
} from "@server/auth/sessions/app";
|
2025-04-14 20:56:45 -04:00
|
|
|
import { decrypt } from "@server/lib/crypto";
|
2025-04-12 15:39:15 -04:00
|
|
|
|
|
|
|
|
const paramsSchema = z
|
|
|
|
|
.object({
|
|
|
|
|
idpId: z.coerce.number()
|
|
|
|
|
})
|
|
|
|
|
.strict();
|
|
|
|
|
|
|
|
|
|
const bodySchema = z.object({
|
|
|
|
|
code: z.string().nonempty(),
|
2025-04-13 17:57:27 -04:00
|
|
|
state: z.string().nonempty(),
|
|
|
|
|
storedState: z.string().nonempty()
|
2025-04-12 15:39:15 -04:00
|
|
|
});
|
|
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
export type ValidateOidcUrlCallbackResponse = {
|
|
|
|
|
redirectUrl: string;
|
|
|
|
|
};
|
2025-04-12 15:39:15 -04:00
|
|
|
|
|
|
|
|
export async function validateOidcCallback(
|
|
|
|
|
req: Request,
|
|
|
|
|
res: Response,
|
|
|
|
|
next: NextFunction
|
|
|
|
|
): Promise<any> {
|
|
|
|
|
try {
|
|
|
|
|
const parsedParams = paramsSchema.safeParse(req.params);
|
|
|
|
|
if (!parsedParams.success) {
|
|
|
|
|
return next(
|
|
|
|
|
createHttpError(
|
|
|
|
|
HttpCode.BAD_REQUEST,
|
|
|
|
|
fromError(parsedParams.error).toString()
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
const { idpId } = parsedParams.data;
|
2025-04-12 15:39:15 -04:00
|
|
|
|
|
|
|
|
const parsedBody = bodySchema.safeParse(req.body);
|
|
|
|
|
if (!parsedBody.success) {
|
|
|
|
|
return next(
|
|
|
|
|
createHttpError(
|
|
|
|
|
HttpCode.BAD_REQUEST,
|
|
|
|
|
fromError(parsedBody.error).toString()
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
const { storedState, code, state: expectedState } = parsedBody.data;
|
2025-04-12 15:39:15 -04:00
|
|
|
|
|
|
|
|
const [existingIdp] = await db
|
|
|
|
|
.select()
|
|
|
|
|
.from(idp)
|
|
|
|
|
.innerJoin(idpOidcConfig, eq(idpOidcConfig.idpId, idp.idpId))
|
2025-04-13 17:57:27 -04:00
|
|
|
.where(and(eq(idp.type, "oidc"), eq(idp.idpId, idpId)));
|
2025-04-12 15:39:15 -04:00
|
|
|
|
|
|
|
|
if (!existingIdp) {
|
|
|
|
|
return next(
|
|
|
|
|
createHttpError(
|
|
|
|
|
HttpCode.BAD_REQUEST,
|
|
|
|
|
"IdP not found for the organization"
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2025-04-14 20:56:45 -04:00
|
|
|
const key = config.getRawConfig().server.secret;
|
|
|
|
|
|
|
|
|
|
const decryptedClientId = decrypt(
|
2025-04-12 15:39:15 -04:00
|
|
|
existingIdp.idpOidcConfig.clientId,
|
2025-04-14 20:56:45 -04:00
|
|
|
key
|
|
|
|
|
);
|
|
|
|
|
const decryptedClientSecret = decrypt(
|
2025-04-12 15:39:15 -04:00
|
|
|
existingIdp.idpOidcConfig.clientSecret,
|
2025-04-14 20:56:45 -04:00
|
|
|
key
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
const redirectUrl = generateOidcRedirectUrl(existingIdp.idp.idpId);
|
|
|
|
|
const client = new arctic.OAuth2Client(
|
|
|
|
|
decryptedClientId,
|
|
|
|
|
decryptedClientSecret,
|
2025-04-12 15:39:15 -04:00
|
|
|
redirectUrl
|
|
|
|
|
);
|
|
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
const statePayload = jsonwebtoken.verify(
|
|
|
|
|
storedState,
|
|
|
|
|
config.getRawConfig().server.secret,
|
|
|
|
|
function (err, decoded) {
|
|
|
|
|
if (err) {
|
|
|
|
|
logger.error("Error verifying state JWT", { err });
|
|
|
|
|
return next(
|
|
|
|
|
createHttpError(
|
|
|
|
|
HttpCode.BAD_REQUEST,
|
|
|
|
|
"Invalid state JWT"
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
return decoded;
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
const stateObj = z
|
|
|
|
|
.object({
|
|
|
|
|
redirectUrl: z.string(),
|
|
|
|
|
state: z.string(),
|
|
|
|
|
codeVerifier: z.string()
|
|
|
|
|
})
|
|
|
|
|
.safeParse(statePayload);
|
|
|
|
|
|
|
|
|
|
if (!stateObj.success) {
|
|
|
|
|
logger.error("Error parsing state JWT");
|
|
|
|
|
return next(
|
|
|
|
|
createHttpError(
|
|
|
|
|
HttpCode.BAD_REQUEST,
|
|
|
|
|
fromError(stateObj.error).toString()
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const {
|
|
|
|
|
codeVerifier,
|
|
|
|
|
state,
|
|
|
|
|
redirectUrl: postAuthRedirectUrl
|
|
|
|
|
} = stateObj.data;
|
|
|
|
|
|
|
|
|
|
if (state !== expectedState) {
|
|
|
|
|
logger.error("State mismatch", { expectedState, state });
|
|
|
|
|
return next(
|
|
|
|
|
createHttpError(HttpCode.BAD_REQUEST, "State mismatch")
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2025-04-12 15:39:15 -04:00
|
|
|
const tokens = await client.validateAuthorizationCode(
|
|
|
|
|
existingIdp.idpOidcConfig.tokenUrl,
|
|
|
|
|
code,
|
|
|
|
|
codeVerifier
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
const idToken = tokens.idToken();
|
|
|
|
|
const claims = arctic.decodeIdToken(idToken);
|
|
|
|
|
|
|
|
|
|
const userIdentifier = jmespath.search(
|
|
|
|
|
claims,
|
|
|
|
|
existingIdp.idpOidcConfig.identifierPath
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (!userIdentifier) {
|
|
|
|
|
return next(
|
|
|
|
|
createHttpError(
|
|
|
|
|
HttpCode.BAD_REQUEST,
|
|
|
|
|
"User identifier not found in the ID token"
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
logger.debug("User identifier", { userIdentifier });
|
|
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
let email = null;
|
|
|
|
|
let name = null;
|
|
|
|
|
try {
|
|
|
|
|
if (existingIdp.idpOidcConfig.emailPath) {
|
|
|
|
|
email = jmespath.search(
|
|
|
|
|
claims,
|
|
|
|
|
existingIdp.idpOidcConfig.emailPath
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (existingIdp.idpOidcConfig.namePath) {
|
|
|
|
|
name = jmespath.search(
|
|
|
|
|
claims,
|
|
|
|
|
existingIdp.idpOidcConfig.namePath || ""
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
} catch (error) {}
|
2025-04-12 15:39:15 -04:00
|
|
|
|
|
|
|
|
logger.debug("User email", { email });
|
|
|
|
|
logger.debug("User name", { name });
|
|
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
const [existingUser] = await db
|
2025-04-12 15:39:15 -04:00
|
|
|
.select()
|
2025-04-13 17:57:27 -04:00
|
|
|
.from(users)
|
2025-04-12 15:39:15 -04:00
|
|
|
.where(
|
|
|
|
|
and(
|
2025-04-13 17:57:27 -04:00
|
|
|
eq(users.username, userIdentifier),
|
|
|
|
|
eq(users.idpId, existingIdp.idp.idpId)
|
2025-04-12 15:39:15 -04:00
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
const idpOrgs = await db
|
|
|
|
|
.select()
|
|
|
|
|
.from(idpOrg)
|
|
|
|
|
.where(eq(idpOrg.idpId, existingIdp.idp.idpId));
|
|
|
|
|
|
|
|
|
|
let userOrgInfo: { orgId: string; roleId: number }[] = [];
|
|
|
|
|
for (const idpOrg of idpOrgs) {
|
|
|
|
|
let roleId: number | undefined = undefined;
|
|
|
|
|
|
|
|
|
|
if (idpOrg.orgMapping) {
|
|
|
|
|
const orgId = jmespath.search(claims, idpOrg.orgMapping);
|
|
|
|
|
if (!orgId) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2025-04-12 15:39:15 -04:00
|
|
|
}
|
|
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
if (idpOrg.roleMapping) {
|
|
|
|
|
const roleName = jmespath.search(claims, idpOrg.roleMapping);
|
2025-04-12 15:39:15 -04:00
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
if (!roleName) {
|
|
|
|
|
logger.error("Role name not found in the ID token", {
|
|
|
|
|
roleName
|
|
|
|
|
});
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const [roleRes] = await db
|
|
|
|
|
.select()
|
|
|
|
|
.from(roles)
|
|
|
|
|
.where(
|
|
|
|
|
and(
|
|
|
|
|
eq(roles.orgId, idpOrg.orgId),
|
|
|
|
|
eq(roles.name, roleName)
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (!roleRes) {
|
|
|
|
|
logger.error("Role not found", {
|
|
|
|
|
orgId: idpOrg.orgId,
|
|
|
|
|
roleName
|
|
|
|
|
});
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2025-04-12 15:39:15 -04:00
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
roleId = roleRes.roleId;
|
2025-04-12 15:39:15 -04:00
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
userOrgInfo.push({
|
|
|
|
|
orgId: idpOrg.orgId,
|
|
|
|
|
roleId
|
|
|
|
|
});
|
|
|
|
|
}
|
2025-04-12 15:39:15 -04:00
|
|
|
}
|
|
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
logger.debug("User org info", { userOrgInfo });
|
2025-04-12 15:39:15 -04:00
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
let existingUserId = existingUser?.userId;
|
|
|
|
|
|
|
|
|
|
// sync the user with the orgs and roles
|
|
|
|
|
await db.transaction(async (trx) => {
|
|
|
|
|
let userId = existingUser?.userId;
|
|
|
|
|
|
|
|
|
|
// create user if not exists
|
|
|
|
|
if (!existingUser) {
|
|
|
|
|
userId = generateId(15);
|
|
|
|
|
|
|
|
|
|
await trx.insert(users).values({
|
|
|
|
|
userId,
|
|
|
|
|
username: userIdentifier,
|
|
|
|
|
email: email || null,
|
|
|
|
|
name: name || null,
|
|
|
|
|
type: UserType.OIDC,
|
|
|
|
|
idpId: existingIdp.idp.idpId,
|
|
|
|
|
emailVerified: true, // OIDC users are always verified
|
|
|
|
|
dateCreated: new Date().toISOString()
|
2025-04-12 15:39:15 -04:00
|
|
|
});
|
|
|
|
|
} else {
|
2025-04-13 17:57:27 -04:00
|
|
|
// set the name and email
|
|
|
|
|
await trx
|
|
|
|
|
.update(users)
|
|
|
|
|
.set({
|
|
|
|
|
username: userIdentifier,
|
|
|
|
|
email: email || null,
|
|
|
|
|
name: name || null
|
|
|
|
|
})
|
|
|
|
|
.where(eq(users.userId, userId));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
existingUserId = userId;
|
|
|
|
|
|
|
|
|
|
// get all current user orgs
|
|
|
|
|
const currentUserOrgs = await trx
|
|
|
|
|
.select()
|
|
|
|
|
.from(userOrgs)
|
|
|
|
|
.where(eq(userOrgs.userId, userId));
|
|
|
|
|
|
|
|
|
|
// Delete orgs that are no longer valid
|
|
|
|
|
const orgsToDelete = currentUserOrgs.filter(
|
|
|
|
|
(currentOrg) =>
|
|
|
|
|
!userOrgInfo.some(
|
|
|
|
|
(newOrg) => newOrg.orgId === currentOrg.orgId
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (orgsToDelete.length > 0) {
|
|
|
|
|
await trx.delete(userOrgs).where(
|
|
|
|
|
and(
|
|
|
|
|
eq(userOrgs.userId, userId),
|
|
|
|
|
inArray(
|
|
|
|
|
userOrgs.orgId,
|
|
|
|
|
orgsToDelete.map((org) => org.orgId)
|
|
|
|
|
)
|
2025-04-12 15:39:15 -04:00
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
}
|
2025-04-13 17:57:27 -04:00
|
|
|
|
|
|
|
|
// Update roles for existing orgs where the role has changed
|
|
|
|
|
const orgsToUpdate = currentUserOrgs.filter((currentOrg) => {
|
|
|
|
|
const newOrg = userOrgInfo.find(
|
|
|
|
|
(newOrg) => newOrg.orgId === currentOrg.orgId
|
|
|
|
|
);
|
|
|
|
|
return newOrg && newOrg.roleId !== currentOrg.roleId;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (orgsToUpdate.length > 0) {
|
|
|
|
|
for (const org of orgsToUpdate) {
|
|
|
|
|
const newRole = userOrgInfo.find(
|
|
|
|
|
(newOrg) => newOrg.orgId === org.orgId
|
|
|
|
|
);
|
|
|
|
|
if (newRole) {
|
|
|
|
|
await trx
|
|
|
|
|
.update(userOrgs)
|
|
|
|
|
.set({ roleId: newRole.roleId })
|
|
|
|
|
.where(
|
|
|
|
|
and(
|
|
|
|
|
eq(userOrgs.userId, userId),
|
|
|
|
|
eq(userOrgs.orgId, org.orgId)
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add new orgs that don't exist yet
|
|
|
|
|
const orgsToAdd = userOrgInfo.filter(
|
|
|
|
|
(newOrg) =>
|
|
|
|
|
!currentUserOrgs.some(
|
|
|
|
|
(currentOrg) => currentOrg.orgId === newOrg.orgId
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (orgsToAdd.length > 0) {
|
|
|
|
|
await trx.insert(userOrgs).values(
|
|
|
|
|
orgsToAdd.map((org) => ({
|
|
|
|
|
userId,
|
|
|
|
|
orgId: org.orgId,
|
|
|
|
|
roleId: org.roleId,
|
|
|
|
|
dateCreated: new Date().toISOString()
|
|
|
|
|
}))
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
});
|
2025-04-12 15:39:15 -04:00
|
|
|
|
|
|
|
|
const token = generateSessionToken();
|
2025-04-13 17:57:27 -04:00
|
|
|
const sess = await createSession(token, existingUserId);
|
|
|
|
|
const isSecure = req.protocol === "https";
|
|
|
|
|
const cookie = serializeSessionCookie(
|
|
|
|
|
token,
|
|
|
|
|
isSecure,
|
2025-04-12 15:39:15 -04:00
|
|
|
new Date(sess.expiresAt)
|
|
|
|
|
);
|
|
|
|
|
|
2025-04-13 17:57:27 -04:00
|
|
|
res.appendHeader("Set-Cookie", cookie);
|
2025-04-12 15:39:15 -04:00
|
|
|
|
|
|
|
|
return response<ValidateOidcUrlCallbackResponse>(res, {
|
2025-04-13 17:57:27 -04:00
|
|
|
data: {
|
|
|
|
|
redirectUrl: postAuthRedirectUrl
|
|
|
|
|
},
|
2025-04-12 15:39:15 -04:00
|
|
|
success: true,
|
|
|
|
|
error: false,
|
|
|
|
|
message: "OIDC callback validated successfully",
|
|
|
|
|
status: HttpCode.CREATED
|
|
|
|
|
});
|
|
|
|
|
} catch (error) {
|
|
|
|
|
logger.error(error);
|
|
|
|
|
return next(
|
|
|
|
|
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
