Merge pull request #1126 from Infisical/stv3-update
Multipart Update to Authentication (ST V3, Modularization of Auth Validation Methods, SSO logic)pull/1157/head
commit
32882848ba
@ -1,435 +0,0 @@
|
||||
import express from "express";
|
||||
import passport from "passport";
|
||||
import { Types } from "mongoose";
|
||||
import { AuthData } from "../interfaces/middleware";
|
||||
import {
|
||||
AuthMethod,
|
||||
MembershipOrg,
|
||||
Organization,
|
||||
ServiceAccount,
|
||||
ServiceTokenData,
|
||||
ServiceTokenDataV3,
|
||||
User
|
||||
} from "../models";
|
||||
import { createToken } from "../helpers/auth";
|
||||
import {
|
||||
getAuthSecret,
|
||||
getClientIdGitHubLogin,
|
||||
getClientIdGitLabLogin,
|
||||
getClientIdGoogleLogin,
|
||||
getClientSecretGitHubLogin,
|
||||
getClientSecretGitLabLogin,
|
||||
getClientSecretGoogleLogin,
|
||||
getJwtProviderAuthLifetime,
|
||||
getSiteURL,
|
||||
getUrlGitLabLogin
|
||||
} from "../config";
|
||||
import { getSSOConfigHelper } from "../ee/helpers/organizations";
|
||||
import { InternalServerError, OrganizationNotFoundError } from "./errors";
|
||||
import { ACCEPTED, AuthTokenType, INTEGRATION_GITHUB_API_URL, INVITED, MEMBER } from "../variables";
|
||||
import { standardRequest } from "../config/request";
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const GoogleStrategy = require("passport-google-oauth20").Strategy;
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const GitHubStrategy = require("passport-github").Strategy;
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const GitLabStrategy = require("passport-gitlab2").Strategy;
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const { MultiSamlStrategy } = require("@node-saml/passport-saml");
|
||||
|
||||
/**
|
||||
* Returns an object containing the id of the authentication data payload
|
||||
* @param {AuthData} authData - authentication data object
|
||||
* @returns
|
||||
*/
|
||||
const getAuthDataPayloadIdObj = (authData: AuthData) => {
|
||||
if (authData.authPayload instanceof User) {
|
||||
return { userId: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceAccount) {
|
||||
return { serviceAccountId: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenData) {
|
||||
return { serviceTokenDataId: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenDataV3) {
|
||||
return { serviceTokenDataId: authData.authPayload._id };
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
* Returns an object containing the user associated with the authentication data payload
|
||||
* @param {AuthData} authData - authentication data object
|
||||
* @returns
|
||||
*/
|
||||
const getAuthDataPayloadUserObj = (authData: AuthData) => {
|
||||
if (authData.authPayload instanceof User) {
|
||||
return { user: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceAccount) {
|
||||
return { user: authData.authPayload.user };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenData) {
|
||||
return { user: authData.authPayload.user };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenDataV3) {
|
||||
return { user: authData.authPayload.user };
|
||||
}
|
||||
}
|
||||
|
||||
const initializePassport = async () => {
|
||||
const clientIdGoogleLogin = await getClientIdGoogleLogin();
|
||||
const clientSecretGoogleLogin = await getClientSecretGoogleLogin();
|
||||
const clientIdGitHubLogin = await getClientIdGitHubLogin();
|
||||
const clientSecretGitHubLogin = await getClientSecretGitHubLogin();
|
||||
const urlGitLab = await getUrlGitLabLogin();
|
||||
const clientIdGitLabLogin = await getClientIdGitLabLogin();
|
||||
const clientSecretGitLabLogin = await getClientSecretGitLabLogin();
|
||||
|
||||
if (clientIdGoogleLogin && clientSecretGoogleLogin) {
|
||||
passport.use(new GoogleStrategy({
|
||||
passReqToCallback: true,
|
||||
clientID: clientIdGoogleLogin,
|
||||
clientSecret: clientSecretGoogleLogin,
|
||||
callbackURL: "/api/v1/sso/google",
|
||||
scope: ["profile", " email"],
|
||||
}, async (
|
||||
req: express.Request,
|
||||
accessToken: string,
|
||||
refreshToken: string,
|
||||
profile: any,
|
||||
done: any
|
||||
) => {
|
||||
try {
|
||||
const email = profile.emails[0].value;
|
||||
|
||||
let user = await User.findOne({
|
||||
email
|
||||
}).select("+publicKey");
|
||||
|
||||
if (!user) {
|
||||
user = await new User({
|
||||
email,
|
||||
authMethods: [AuthMethod.GOOGLE],
|
||||
firstName: profile.name.givenName,
|
||||
lastName: profile.name.familyName
|
||||
}).save();
|
||||
}
|
||||
|
||||
let isLinkingRequired = false;
|
||||
if (!user.authMethods.includes(AuthMethod.GOOGLE)) {
|
||||
isLinkingRequired = true;
|
||||
}
|
||||
|
||||
const isUserCompleted = !!user.publicKey;
|
||||
const providerAuthToken = createToken({
|
||||
payload: {
|
||||
authTokenType: AuthTokenType.PROVIDER_TOKEN,
|
||||
userId: user._id.toString(),
|
||||
email: user.email,
|
||||
firstName: user.firstName,
|
||||
lastName: user.lastName,
|
||||
authMethod: AuthMethod.GOOGLE,
|
||||
isUserCompleted,
|
||||
isLinkingRequired,
|
||||
...(req.query.state ? {
|
||||
callbackPort: req.query.state as string
|
||||
} : {})
|
||||
},
|
||||
expiresIn: await getJwtProviderAuthLifetime(),
|
||||
secret: await getAuthSecret(),
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
done(null, profile);
|
||||
} catch (err) {
|
||||
done(null, false);
|
||||
}
|
||||
}));
|
||||
}
|
||||
|
||||
if (clientIdGitHubLogin && clientSecretGitHubLogin) {
|
||||
passport.use(new GitHubStrategy({
|
||||
passReqToCallback: true,
|
||||
clientID: clientIdGitHubLogin,
|
||||
clientSecret: clientSecretGitHubLogin,
|
||||
callbackURL: "/api/v1/sso/github",
|
||||
scope: ["user:email"]
|
||||
},
|
||||
async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
|
||||
interface GitHubEmail {
|
||||
email: string;
|
||||
primary: boolean;
|
||||
verified: boolean;
|
||||
visibility: null | string;
|
||||
}
|
||||
|
||||
const { data }: { data: GitHubEmail[] } = await standardRequest.get(
|
||||
`${INTEGRATION_GITHUB_API_URL}/user/emails`,
|
||||
{
|
||||
headers: {
|
||||
Authorization: `Bearer ${accessToken}`
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
const primaryEmail = data.filter((gitHubEmail: GitHubEmail) => gitHubEmail.primary)[0];
|
||||
const email = primaryEmail.email;
|
||||
|
||||
let user = await User.findOne({
|
||||
email
|
||||
}).select("+publicKey");
|
||||
|
||||
if (!user) {
|
||||
user = await new User({
|
||||
email: email,
|
||||
authMethods: [AuthMethod.GITHUB],
|
||||
firstName: profile.displayName,
|
||||
lastName: ""
|
||||
}).save();
|
||||
}
|
||||
|
||||
let isLinkingRequired = false;
|
||||
if (!user.authMethods.includes(AuthMethod.GITHUB)) {
|
||||
isLinkingRequired = true;
|
||||
}
|
||||
|
||||
const isUserCompleted = !!user.publicKey;
|
||||
const providerAuthToken = createToken({
|
||||
payload: {
|
||||
authTokenType: AuthTokenType.PROVIDER_TOKEN,
|
||||
userId: user._id.toString(),
|
||||
email: user.email,
|
||||
firstName: user.firstName,
|
||||
lastName: user.lastName,
|
||||
authMethod: AuthMethod.GITHUB,
|
||||
isUserCompleted,
|
||||
isLinkingRequired,
|
||||
...(req.query.state ? {
|
||||
callbackPort: req.query.state as string
|
||||
} : {})
|
||||
},
|
||||
expiresIn: await getJwtProviderAuthLifetime(),
|
||||
secret: await getAuthSecret(),
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
return done(null, profile);
|
||||
}
|
||||
));
|
||||
}
|
||||
|
||||
if (urlGitLab && clientIdGitLabLogin && clientSecretGitLabLogin) {
|
||||
passport.use(new GitLabStrategy({
|
||||
passReqToCallback: true,
|
||||
clientID: clientIdGitLabLogin,
|
||||
clientSecret: clientSecretGitLabLogin,
|
||||
callbackURL: "/api/v1/sso/gitlab",
|
||||
baseURL: urlGitLab
|
||||
},
|
||||
async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
|
||||
const email = profile.emails[0].value;
|
||||
|
||||
let user = await User.findOne({
|
||||
email
|
||||
}).select("+publicKey");
|
||||
|
||||
if (!user) {
|
||||
user = await new User({
|
||||
email: email,
|
||||
authMethods: [AuthMethod.GITLAB],
|
||||
firstName: profile.displayName,
|
||||
lastName: ""
|
||||
}).save();
|
||||
}
|
||||
|
||||
let isLinkingRequired = false;
|
||||
if (!user.authMethods.includes(AuthMethod.GITLAB)) {
|
||||
isLinkingRequired = true;
|
||||
}
|
||||
|
||||
const isUserCompleted = !!user.publicKey;
|
||||
const providerAuthToken = createToken({
|
||||
payload: {
|
||||
authTokenType: AuthTokenType.PROVIDER_TOKEN,
|
||||
userId: user._id.toString(),
|
||||
email: user.email,
|
||||
firstName: user.firstName,
|
||||
lastName: user.lastName,
|
||||
authMethod: AuthMethod.GITLAB,
|
||||
isUserCompleted,
|
||||
isLinkingRequired,
|
||||
...(req.query.state ? {
|
||||
callbackPort: req.query.state as string
|
||||
} : {})
|
||||
},
|
||||
expiresIn: await getJwtProviderAuthLifetime(),
|
||||
secret: await getAuthSecret(),
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
return done(null, profile);
|
||||
}
|
||||
));
|
||||
}
|
||||
|
||||
passport.use("saml", new MultiSamlStrategy(
|
||||
{
|
||||
passReqToCallback: true,
|
||||
getSamlOptions: async (req: any, done: any) => {
|
||||
const { ssoIdentifier } = req.params;
|
||||
|
||||
const ssoConfig = await getSSOConfigHelper({
|
||||
ssoConfigId: new Types.ObjectId(ssoIdentifier)
|
||||
});
|
||||
|
||||
interface ISAMLConfig {
|
||||
callbackUrl: string;
|
||||
entryPoint: string;
|
||||
issuer: string;
|
||||
cert: string;
|
||||
audience: string;
|
||||
wantAuthnResponseSigned?: boolean;
|
||||
}
|
||||
|
||||
const samlConfig: ISAMLConfig = ({
|
||||
callbackUrl: `${await getSiteURL()}/api/v1/sso/saml2/${ssoIdentifier}`,
|
||||
entryPoint: ssoConfig.entryPoint,
|
||||
issuer: ssoConfig.issuer,
|
||||
cert: ssoConfig.cert,
|
||||
audience: await getSiteURL()
|
||||
});
|
||||
|
||||
if (ssoConfig.authProvider.toString() === AuthMethod.JUMPCLOUD_SAML.toString()) {
|
||||
samlConfig.wantAuthnResponseSigned = false;
|
||||
}
|
||||
|
||||
if (ssoConfig.authProvider.toString() === AuthMethod.AZURE_SAML.toString()) {
|
||||
if (req.body.RelayState && JSON.parse(req.body.RelayState).spInitiated) {
|
||||
samlConfig.audience = `spn:${ssoConfig.issuer}`;
|
||||
}
|
||||
}
|
||||
|
||||
req.ssoConfig = ssoConfig;
|
||||
|
||||
done(null, samlConfig);
|
||||
},
|
||||
},
|
||||
async (req: any, profile: any, done: any) => {
|
||||
if (!req.ssoConfig.isActive) return done(InternalServerError());
|
||||
|
||||
const organization = await Organization.findById(req.ssoConfig.organization);
|
||||
|
||||
if (!organization) return done(OrganizationNotFoundError());
|
||||
|
||||
const email = profile.email;
|
||||
const firstName = profile.firstName;
|
||||
const lastName = profile.lastName;
|
||||
|
||||
let user = await User.findOne({
|
||||
email
|
||||
}).select("+publicKey");
|
||||
|
||||
if (user) {
|
||||
// if user does not have SAML enabled then update
|
||||
const hasSamlEnabled = user.authMethods
|
||||
.some(
|
||||
(authMethod: AuthMethod) => [
|
||||
AuthMethod.OKTA_SAML,
|
||||
AuthMethod.AZURE_SAML,
|
||||
AuthMethod.JUMPCLOUD_SAML
|
||||
].includes(authMethod)
|
||||
);
|
||||
|
||||
if (!hasSamlEnabled) {
|
||||
await User.findByIdAndUpdate(
|
||||
user._id,
|
||||
{
|
||||
authMethods: [req.ssoConfig.authProvider]
|
||||
},
|
||||
{
|
||||
new: true
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
let membershipOrg = await MembershipOrg.findOne(
|
||||
{
|
||||
user: user._id,
|
||||
organization: organization._id
|
||||
}
|
||||
);
|
||||
|
||||
if (!membershipOrg) {
|
||||
membershipOrg = await new MembershipOrg({
|
||||
inviteEmail: email,
|
||||
user: user._id,
|
||||
organization: organization._id,
|
||||
role: MEMBER,
|
||||
status: ACCEPTED
|
||||
}).save();
|
||||
}
|
||||
|
||||
if (membershipOrg.status === INVITED) {
|
||||
membershipOrg.status = ACCEPTED;
|
||||
await membershipOrg.save();
|
||||
}
|
||||
} else {
|
||||
user = await new User({
|
||||
email,
|
||||
authMethods: [req.ssoConfig.authProvider],
|
||||
firstName,
|
||||
lastName
|
||||
}).save();
|
||||
|
||||
await new MembershipOrg({
|
||||
inviteEmail: email,
|
||||
user: user._id,
|
||||
organization: organization._id,
|
||||
role: MEMBER,
|
||||
status: INVITED
|
||||
}).save();
|
||||
}
|
||||
|
||||
const isUserCompleted = !!user.publicKey;
|
||||
const providerAuthToken = createToken({
|
||||
payload: {
|
||||
authTokenType: AuthTokenType.PROVIDER_TOKEN,
|
||||
userId: user._id.toString(),
|
||||
email: user.email,
|
||||
firstName,
|
||||
lastName,
|
||||
organizationName: organization?.name,
|
||||
authMethod: req.ssoConfig.authProvider,
|
||||
isUserCompleted,
|
||||
...(req.body.RelayState ? {
|
||||
callbackPort: JSON.parse(req.body.RelayState).callbackPort as string
|
||||
} : {})
|
||||
},
|
||||
expiresIn: await getJwtProviderAuthLifetime(),
|
||||
secret: await getAuthSecret(),
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
|
||||
done(null, profile);
|
||||
}
|
||||
));
|
||||
}
|
||||
|
||||
export {
|
||||
getAuthDataPayloadIdObj,
|
||||
getAuthDataPayloadUserObj,
|
||||
initializePassport,
|
||||
}
|
@ -0,0 +1,50 @@
|
||||
import { Types } from "mongoose";
|
||||
import {
|
||||
APIKeyData,
|
||||
IUser,
|
||||
User
|
||||
} from "../../../models";
|
||||
import { AccountNotFoundError, UnauthorizedRequestError } from "../../errors";
|
||||
import bcrypt from "bcrypt";
|
||||
|
||||
interface ValidateAPIKeyParams {
|
||||
authTokenValue: string;
|
||||
}
|
||||
|
||||
export const validateAPIKey = async ({
|
||||
authTokenValue
|
||||
}: ValidateAPIKeyParams) => {
|
||||
|
||||
const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
|
||||
|
||||
let apiKeyData = await APIKeyData
|
||||
.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt")
|
||||
.populate<{ user: IUser }>("user", "+publicKey");
|
||||
|
||||
if (!apiKeyData) {
|
||||
throw UnauthorizedRequestError();
|
||||
} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
|
||||
// case: API key expired
|
||||
await APIKeyData.findByIdAndDelete(apiKeyData._id);
|
||||
throw UnauthorizedRequestError();
|
||||
}
|
||||
|
||||
const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
|
||||
if (!isMatch) throw UnauthorizedRequestError();
|
||||
|
||||
apiKeyData = await APIKeyData.findOneAndUpdate({
|
||||
_id: new Types.ObjectId(TOKEN_IDENTIFIER),
|
||||
}, {
|
||||
lastUsed: new Date(),
|
||||
}, {
|
||||
new: true,
|
||||
});
|
||||
|
||||
if (!apiKeyData) throw UnauthorizedRequestError();
|
||||
|
||||
const user = await User.findById(apiKeyData.user).select("+publicKey");
|
||||
|
||||
if (!user) throw AccountNotFoundError();
|
||||
|
||||
return user;
|
||||
}
|
@ -0,0 +1,39 @@
|
||||
import jwt from "jsonwebtoken";
|
||||
import { APIKeyDataV2, User } from "../../../models";
|
||||
import { getAuthSecret } from "../../../config";
|
||||
import { AuthTokenType } from "../../../variables";
|
||||
import { AccountNotFoundError, UnauthorizedRequestError } from "../../errors";
|
||||
|
||||
interface ValidateAPIKeyV2Params {
|
||||
authTokenValue: string;
|
||||
}
|
||||
|
||||
export const validateAPIKeyV2 = async ({
|
||||
authTokenValue
|
||||
}: ValidateAPIKeyV2Params) => {
|
||||
|
||||
const decodedToken = <jwt.UserIDJwtPayload>(
|
||||
jwt.verify(authTokenValue, await getAuthSecret())
|
||||
);
|
||||
|
||||
if (decodedToken.authTokenType !== AuthTokenType.API_KEY) throw UnauthorizedRequestError();
|
||||
|
||||
const apiKeyData = await APIKeyDataV2.findByIdAndUpdate(
|
||||
decodedToken.apiKeyDataId,
|
||||
{
|
||||
lastUsed: new Date(),
|
||||
$inc: { usageCount: 1 }
|
||||
},
|
||||
{
|
||||
new: true
|
||||
}
|
||||
);
|
||||
|
||||
if (!apiKeyData) throw UnauthorizedRequestError();
|
||||
|
||||
const user = await User.findById(apiKeyData.user).select("+publicKey");
|
||||
|
||||
if (!user) throw AccountNotFoundError();
|
||||
|
||||
return user;
|
||||
}
|
@ -0,0 +1,5 @@
|
||||
export * from "./apiKey";
|
||||
export * from "./apiKeyV2";
|
||||
export * from "./jwt";
|
||||
export * from "./serviceTokenV2";
|
||||
export * from "./serviceTokenV3";
|
@ -0,0 +1,41 @@
|
||||
import jwt from "jsonwebtoken";
|
||||
import { Types } from "mongoose";
|
||||
import { TokenVersion, User } from "../../../models";
|
||||
import { getAuthSecret } from "../../../config";
|
||||
import { AuthTokenType } from "../../../variables";
|
||||
import { AccountNotFoundError, UnauthorizedRequestError } from "../../errors";
|
||||
|
||||
interface ValidateJWTParams {
|
||||
authTokenValue: string;
|
||||
}
|
||||
|
||||
export const validateJWT = async ({
|
||||
authTokenValue
|
||||
}: ValidateJWTParams) => {
|
||||
|
||||
const decodedToken = <jwt.UserIDJwtPayload>(
|
||||
jwt.verify(authTokenValue, await getAuthSecret())
|
||||
);
|
||||
|
||||
if (decodedToken.authTokenType !== AuthTokenType.ACCESS_TOKEN) throw UnauthorizedRequestError();
|
||||
|
||||
const tokenVersion = await TokenVersion.findOneAndUpdate({
|
||||
_id: new Types.ObjectId(decodedToken.tokenVersionId),
|
||||
user: decodedToken.userId
|
||||
}, {
|
||||
lastUsed: new Date(),
|
||||
});
|
||||
|
||||
if (!tokenVersion) throw UnauthorizedRequestError();
|
||||
if (decodedToken.accessVersion !== tokenVersion.accessVersion) throw UnauthorizedRequestError();
|
||||
|
||||
const user = await User.findOne({
|
||||
_id: new Types.ObjectId(decodedToken.userId),
|
||||
}).select("+publicKey");
|
||||
|
||||
if (!user) throw AccountNotFoundError({ message: "Failed to find user" });
|
||||
|
||||
if (!user?.publicKey) throw UnauthorizedRequestError({ message: "Failed to authenticate user with partially set up account" });
|
||||
|
||||
return user;
|
||||
}
|
@ -0,0 +1,44 @@
|
||||
import { Types } from "mongoose";
|
||||
import { ServiceTokenData } from "../../../models";
|
||||
import { ResourceNotFoundError, UnauthorizedRequestError } from "../../errors";
|
||||
import bcrypt from "bcrypt";
|
||||
|
||||
interface ValidateServiceTokenV2Params {
|
||||
authTokenValue: string;
|
||||
}
|
||||
|
||||
export const validateServiceTokenV2 = async ({
|
||||
authTokenValue
|
||||
}: ValidateServiceTokenV2Params) => {
|
||||
const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
|
||||
|
||||
const serviceTokenData = await ServiceTokenData
|
||||
.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt")
|
||||
|
||||
if (!serviceTokenData) {
|
||||
throw UnauthorizedRequestError();
|
||||
} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
|
||||
// case: service token expired
|
||||
await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
|
||||
throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate expired service token",
|
||||
});
|
||||
}
|
||||
|
||||
const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
|
||||
if (!isMatch) throw UnauthorizedRequestError();
|
||||
|
||||
const serviceTokenDataToReturn = await ServiceTokenData
|
||||
.findOneAndUpdate({
|
||||
_id: new Types.ObjectId(TOKEN_IDENTIFIER),
|
||||
}, {
|
||||
lastUsed: new Date(),
|
||||
}, {
|
||||
new: true,
|
||||
})
|
||||
.select("+encryptedKey +iv +tag")
|
||||
|
||||
if (!serviceTokenDataToReturn) throw ResourceNotFoundError();
|
||||
|
||||
return serviceTokenDataToReturn;
|
||||
}
|
@ -0,0 +1,64 @@
|
||||
import jwt from "jsonwebtoken";
|
||||
import { Types } from "mongoose";
|
||||
import { ServiceTokenDataV3 } from "../../../models";
|
||||
import { getAuthSecret } from "../../../config";
|
||||
import { AuthTokenType } from "../../../variables";
|
||||
import { UnauthorizedRequestError } from "../../errors";
|
||||
|
||||
interface ValidateServiceTokenV3Params {
|
||||
authTokenValue: string;
|
||||
}
|
||||
|
||||
export const validateServiceTokenV3 = async ({
|
||||
authTokenValue
|
||||
}: ValidateServiceTokenV3Params) => {
|
||||
const decodedToken = <jwt.ServiceRefreshTokenJwtPayload>(
|
||||
jwt.verify(authTokenValue, await getAuthSecret())
|
||||
);
|
||||
|
||||
if (decodedToken.authTokenType !== AuthTokenType.SERVICE_ACCESS_TOKEN) throw UnauthorizedRequestError();
|
||||
|
||||
const serviceTokenData = await ServiceTokenDataV3.findOne({
|
||||
_id: new Types.ObjectId(decodedToken.serviceTokenDataId),
|
||||
isActive: true
|
||||
});
|
||||
|
||||
if (!serviceTokenData) {
|
||||
throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate"
|
||||
});
|
||||
} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
|
||||
// case: service token expired
|
||||
await ServiceTokenDataV3.findByIdAndUpdate(
|
||||
serviceTokenData._id,
|
||||
{
|
||||
isActive: false
|
||||
},
|
||||
{
|
||||
new: true
|
||||
}
|
||||
);
|
||||
|
||||
throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate",
|
||||
});
|
||||
} else if (decodedToken.tokenVersion !== serviceTokenData.tokenVersion) {
|
||||
// TODO: raise alarm
|
||||
throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate",
|
||||
});
|
||||
}
|
||||
|
||||
await ServiceTokenDataV3.findByIdAndUpdate(
|
||||
serviceTokenData._id,
|
||||
{
|
||||
accessTokenLastUsed: new Date(),
|
||||
$inc: { accessTokenUsageCount: 1 }
|
||||
},
|
||||
{
|
||||
new: true
|
||||
}
|
||||
);
|
||||
|
||||
return serviceTokenData;
|
||||
}
|
@ -0,0 +1,53 @@
|
||||
import { AuthData } from "../../../interfaces/middleware";
|
||||
import {
|
||||
ServiceAccount,
|
||||
ServiceTokenData,
|
||||
ServiceTokenDataV3,
|
||||
User
|
||||
} from "../../../models";
|
||||
|
||||
/**
|
||||
* Returns an object containing the id of the authentication data payload
|
||||
* @param {AuthData} authData - authentication data object
|
||||
* @returns
|
||||
*/
|
||||
export const getAuthDataPayloadIdObj = (authData: AuthData) => {
|
||||
if (authData.authPayload instanceof User) {
|
||||
return { userId: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceAccount) {
|
||||
return { serviceAccountId: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenData) {
|
||||
return { serviceTokenDataId: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenDataV3) {
|
||||
return { serviceTokenDataId: authData.authPayload._id };
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
* Returns an object containing the user associated with the authentication data payload
|
||||
* @param {AuthData} authData - authentication data object
|
||||
* @returns
|
||||
*/
|
||||
export const getAuthDataPayloadUserObj = (authData: AuthData) => {
|
||||
if (authData.authPayload instanceof User) {
|
||||
return { user: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceAccount) {
|
||||
return { user: authData.authPayload.user };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenData) {
|
||||
return { user: authData.authPayload.user };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenDataV3) {
|
||||
return { user: authData.authPayload.user };
|
||||
}
|
||||
}
|
@ -0,0 +1,195 @@
|
||||
import { AuthData } from "../../../interfaces/middleware";
|
||||
import jwt from "jsonwebtoken";
|
||||
import { getAuthSecret } from "../../../config";
|
||||
import { ActorType } from "../../../ee/models";
|
||||
import { AuthMode, AuthTokenType } from "../../../variables";
|
||||
import { UnauthorizedRequestError } from "../../errors";
|
||||
import {
|
||||
validateAPIKey,
|
||||
validateAPIKeyV2,
|
||||
validateJWT,
|
||||
validateServiceTokenV2,
|
||||
validateServiceTokenV3
|
||||
} from "../authModeValidators";
|
||||
import { getUserAgentType } from "../../posthog";
|
||||
|
||||
export * from "./authDataExtractors";
|
||||
|
||||
interface ExtractAuthModeParams {
|
||||
headers: { [key: string]: string | string[] | undefined }
|
||||
}
|
||||
|
||||
interface ExtractAuthModeReturn {
|
||||
authMode: AuthMode;
|
||||
authTokenValue: string;
|
||||
}
|
||||
|
||||
interface GetAuthDataParams {
|
||||
authMode: AuthMode;
|
||||
authTokenValue: string;
|
||||
ipAddress: string;
|
||||
userAgent: string;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the recognized authentication mode based on token in [headers]; accepted token types include:
|
||||
* - SERVICE_TOKEN
|
||||
* - API_KEY
|
||||
* - JWT
|
||||
* - SERVICE_ACCESS_TOKEN (from ST V3)
|
||||
* - API_KEY_V2
|
||||
* @param {Object} params
|
||||
* @param {Object.<string, (string|string[]|undefined)>} params.headers - The HTTP request headers, usually from Express's `req.headers`.
|
||||
* @returns {Promise<AuthMode>} The derived authentication mode based on the headers.
|
||||
* @throws {UnauthorizedError} Throws an error if no applicable authMode is found.
|
||||
*/
|
||||
export const extractAuthMode = async ({
|
||||
headers
|
||||
}: ExtractAuthModeParams): Promise<ExtractAuthModeReturn> => {
|
||||
|
||||
const apiKey = headers["x-api-key"] as string;
|
||||
const authHeader = headers["authorization"] as string;
|
||||
|
||||
if (apiKey) {
|
||||
return { authMode: AuthMode.API_KEY, authTokenValue: apiKey };
|
||||
}
|
||||
|
||||
if (!authHeader) throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate unknown authentication method"
|
||||
});
|
||||
|
||||
if (!authHeader.startsWith("Bearer ")) throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate unknown authentication method"
|
||||
});
|
||||
|
||||
const authTokenValue = authHeader.slice(7);
|
||||
|
||||
if (authTokenValue.startsWith("st.")) {
|
||||
return { authMode: AuthMode.SERVICE_TOKEN, authTokenValue };
|
||||
}
|
||||
|
||||
const decodedToken = <jwt.AuthnJwtPayload>(
|
||||
jwt.verify(authTokenValue, await getAuthSecret())
|
||||
);
|
||||
|
||||
switch (decodedToken.authTokenType) {
|
||||
case AuthTokenType.ACCESS_TOKEN:
|
||||
return { authMode: AuthMode.JWT, authTokenValue };
|
||||
case AuthTokenType.API_KEY:
|
||||
return { authMode: AuthMode.API_KEY_V2, authTokenValue };
|
||||
case AuthTokenType.SERVICE_ACCESS_TOKEN:
|
||||
return { authMode: AuthMode.SERVICE_ACCESS_TOKEN, authTokenValue };
|
||||
default:
|
||||
throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate unknown authentication method"
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
export const getAuthData = async ({
|
||||
authMode,
|
||||
authTokenValue,
|
||||
ipAddress,
|
||||
userAgent
|
||||
}: GetAuthDataParams): Promise<AuthData> => {
|
||||
|
||||
const userAgentType = getUserAgentType(userAgent);
|
||||
|
||||
switch (authMode) {
|
||||
case AuthMode.SERVICE_TOKEN: {
|
||||
const serviceTokenData = await validateServiceTokenV2({
|
||||
authTokenValue
|
||||
});
|
||||
|
||||
return {
|
||||
actor: {
|
||||
type: ActorType.SERVICE,
|
||||
metadata: {
|
||||
serviceId: serviceTokenData._id.toString(),
|
||||
name: serviceTokenData.name
|
||||
}
|
||||
},
|
||||
authPayload: serviceTokenData,
|
||||
ipAddress,
|
||||
userAgent,
|
||||
userAgentType
|
||||
}
|
||||
}
|
||||
case AuthMode.SERVICE_ACCESS_TOKEN: {
|
||||
const serviceTokenData = await validateServiceTokenV3({
|
||||
authTokenValue
|
||||
});
|
||||
|
||||
return {
|
||||
actor: {
|
||||
type: ActorType.SERVICE_V3,
|
||||
metadata: {
|
||||
serviceId: serviceTokenData._id.toString(),
|
||||
name: serviceTokenData.name
|
||||
}
|
||||
},
|
||||
authPayload: serviceTokenData,
|
||||
ipAddress,
|
||||
userAgent,
|
||||
userAgentType
|
||||
}
|
||||
}
|
||||
case AuthMode.API_KEY: {
|
||||
const user = await validateAPIKey({
|
||||
authTokenValue
|
||||
});
|
||||
|
||||
return {
|
||||
actor: {
|
||||
type: ActorType.USER,
|
||||
metadata: {
|
||||
userId: user._id.toString(),
|
||||
email: user.email
|
||||
}
|
||||
},
|
||||
authPayload: user,
|
||||
ipAddress,
|
||||
userAgent,
|
||||
userAgentType
|
||||
}
|
||||
}
|
||||
case AuthMode.API_KEY_V2: {
|
||||
const user = await validateAPIKeyV2({
|
||||
authTokenValue
|
||||
});
|
||||
|
||||
return {
|
||||
actor: {
|
||||
type: ActorType.USER,
|
||||
metadata: {
|
||||
userId: user._id.toString(),
|
||||
email: user.email
|
||||
}
|
||||
},
|
||||
authPayload: user,
|
||||
ipAddress,
|
||||
userAgent,
|
||||
userAgentType
|
||||
}
|
||||
}
|
||||
case AuthMode.JWT: {
|
||||
const user = await validateJWT({
|
||||
authTokenValue
|
||||
});
|
||||
|
||||
return {
|
||||
actor: {
|
||||
type: ActorType.USER,
|
||||
metadata: {
|
||||
userId: user._id.toString(),
|
||||
email: user.email
|
||||
}
|
||||
},
|
||||
authPayload: user,
|
||||
ipAddress,
|
||||
userAgent,
|
||||
userAgentType
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,60 @@
|
||||
import express from "express";
|
||||
import passport from "passport";
|
||||
import {
|
||||
getClientIdGitHubLogin,
|
||||
getClientSecretGitHubLogin,
|
||||
} from "../../../config";
|
||||
import { standardRequest } from "../../../config/request";
|
||||
import { AuthMethod } from "../../../models";
|
||||
import { INTEGRATION_GITHUB_API_URL } from "../../../variables";
|
||||
import { handleSSOUserTokenFlow } from "./helpers";
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const GitHubStrategy = require("passport-github").Strategy;
|
||||
|
||||
export const initializeGitHubStrategy = async () => {
|
||||
const clientIdGitHubLogin = await getClientIdGitHubLogin();
|
||||
const clientSecretGitHubLogin = await getClientSecretGitHubLogin();
|
||||
if (clientIdGitHubLogin && clientSecretGitHubLogin) {
|
||||
passport.use(
|
||||
new GitHubStrategy({
|
||||
passReqToCallback: true,
|
||||
clientID: clientIdGitHubLogin,
|
||||
clientSecret: clientSecretGitHubLogin,
|
||||
callbackURL: "/api/v1/sso/github",
|
||||
scope: ["user:email"]
|
||||
}, async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
|
||||
interface GitHubEmail {
|
||||
email: string;
|
||||
primary: boolean;
|
||||
verified: boolean;
|
||||
visibility: null | string;
|
||||
}
|
||||
|
||||
const { data }: { data: GitHubEmail[] } = await standardRequest.get(
|
||||
`${INTEGRATION_GITHUB_API_URL}/user/emails`,
|
||||
{
|
||||
headers: {
|
||||
Authorization: `Bearer ${accessToken}`
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
const primaryEmail = data.filter((gitHubEmail: GitHubEmail) => gitHubEmail.primary)[0];
|
||||
const email = primaryEmail.email;
|
||||
|
||||
const { isUserCompleted, providerAuthToken } = await handleSSOUserTokenFlow({
|
||||
email,
|
||||
firstName: profile.displayName,
|
||||
lastName: "",
|
||||
authMethod: AuthMethod.GITHUB,
|
||||
callbackPort: req.query.state as string
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
return done(null, profile);
|
||||
})
|
||||
);
|
||||
}
|
||||
}
|
@ -0,0 +1,44 @@
|
||||
import express from "express";
|
||||
import passport from "passport";
|
||||
import {
|
||||
getClientIdGitLabLogin,
|
||||
getClientSecretGitLabLogin,
|
||||
getUrlGitLabLogin
|
||||
} from "../../../config";
|
||||
import { AuthMethod } from "../../../models";
|
||||
import { handleSSOUserTokenFlow } from "./helpers";
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const GitLabStrategy = require("passport-gitlab2").Strategy;
|
||||
|
||||
export const initializeGitLabStrategy = async () => {
|
||||
const urlGitLab = await getUrlGitLabLogin();
|
||||
const clientIdGitLabLogin = await getClientIdGitLabLogin();
|
||||
const clientSecretGitLabLogin = await getClientSecretGitLabLogin();
|
||||
|
||||
if (urlGitLab && clientIdGitLabLogin && clientSecretGitLabLogin) {
|
||||
passport.use(
|
||||
new GitLabStrategy({
|
||||
passReqToCallback: true,
|
||||
clientID: clientIdGitLabLogin,
|
||||
clientSecret: clientSecretGitLabLogin,
|
||||
callbackURL: "/api/v1/sso/gitlab",
|
||||
baseURL: urlGitLab
|
||||
}, async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
|
||||
const email = profile.emails[0].value;
|
||||
|
||||
const { isUserCompleted, providerAuthToken } = await handleSSOUserTokenFlow({
|
||||
email,
|
||||
firstName: profile.displayName,
|
||||
lastName: "",
|
||||
authMethod: AuthMethod.GITLAB,
|
||||
callbackPort: req.query.state as string
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
return done(null, profile);
|
||||
})
|
||||
);
|
||||
}
|
||||
}
|
@ -0,0 +1,48 @@
|
||||
import express from "express";
|
||||
import passport from "passport";
|
||||
import { getClientIdGoogleLogin, getClientSecretGoogleLogin } from "../../../config";
|
||||
import { AuthMethod } from "../../../models";
|
||||
|
||||
import { handleSSOUserTokenFlow } from "./helpers";
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const GoogleStrategy = require("passport-google-oauth20").Strategy;
|
||||
|
||||
export const initializeGoogleStrategy = async () => {
|
||||
const clientIdGoogleLogin = await getClientIdGoogleLogin();
|
||||
const clientSecretGoogleLogin = await getClientSecretGoogleLogin();
|
||||
|
||||
if (clientIdGoogleLogin && clientSecretGoogleLogin) {
|
||||
passport.use(new GoogleStrategy({
|
||||
passReqToCallback: true,
|
||||
clientID: clientIdGoogleLogin,
|
||||
clientSecret: clientSecretGoogleLogin,
|
||||
callbackURL: "/api/v1/sso/google",
|
||||
scope: ["profile", " email"],
|
||||
}, async (
|
||||
req: express.Request,
|
||||
accessToken: string,
|
||||
refreshToken: string,
|
||||
profile: any,
|
||||
done: any
|
||||
) => {
|
||||
try {
|
||||
const email = profile.emails[0].value;
|
||||
|
||||
const { isUserCompleted, providerAuthToken } = await handleSSOUserTokenFlow({
|
||||
email,
|
||||
firstName: profile.name.givenName,
|
||||
lastName: profile.name.familyName,
|
||||
authMethod: AuthMethod.GOOGLE,
|
||||
callbackPort: req.query.state as string
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
done(null, profile);
|
||||
} catch (err) {
|
||||
done(null, false);
|
||||
}
|
||||
}));
|
||||
}
|
||||
}
|
@ -0,0 +1,62 @@
|
||||
import {
|
||||
AuthMethod,
|
||||
User
|
||||
} from "../../../models";
|
||||
import { createToken } from "../../../helpers/auth";
|
||||
import { AuthTokenType } from "../../../variables";
|
||||
import { getAuthSecret, getJwtProviderAuthLifetime} from "../../../config";
|
||||
|
||||
interface SSOUserTokenFlowParams {
|
||||
email: string;
|
||||
firstName: string;
|
||||
lastName: string;
|
||||
authMethod: AuthMethod;
|
||||
callbackPort?: string;
|
||||
}
|
||||
|
||||
export const handleSSOUserTokenFlow = async ({
|
||||
email,
|
||||
firstName,
|
||||
lastName,
|
||||
authMethod,
|
||||
callbackPort
|
||||
}: SSOUserTokenFlowParams) => {
|
||||
let user = await User.findOne({
|
||||
email
|
||||
}).select("+publicKey");
|
||||
|
||||
if (!user) {
|
||||
user = await new User({
|
||||
email,
|
||||
authMethods: [authMethod],
|
||||
firstName,
|
||||
lastName
|
||||
}).save();
|
||||
}
|
||||
|
||||
let isLinkingRequired = false;
|
||||
if (!user.authMethods.includes(authMethod)) {
|
||||
isLinkingRequired = true;
|
||||
}
|
||||
|
||||
const isUserCompleted = !!user.publicKey;
|
||||
const providerAuthToken = createToken({
|
||||
payload: {
|
||||
authTokenType: AuthTokenType.PROVIDER_TOKEN,
|
||||
userId: user._id.toString(),
|
||||
email: user.email,
|
||||
firstName: user.firstName,
|
||||
lastName: user.lastName,
|
||||
authMethod,
|
||||
isUserCompleted,
|
||||
isLinkingRequired,
|
||||
...(callbackPort ? {
|
||||
callbackPort
|
||||
} : {})
|
||||
},
|
||||
expiresIn: await getJwtProviderAuthLifetime(),
|
||||
secret: await getAuthSecret(),
|
||||
});
|
||||
|
||||
return { isUserCompleted, providerAuthToken };
|
||||
}
|
@ -0,0 +1,4 @@
|
||||
export { initializeGoogleStrategy } from "./google";
|
||||
export { initializeGitHubStrategy } from "./github";
|
||||
export { initializeGitLabStrategy } from "./gitlab";
|
||||
export { initializeSamlStrategy } from "./saml";
|
@ -0,0 +1,173 @@
|
||||
import passport from "passport";
|
||||
import {
|
||||
getAuthSecret,
|
||||
getJwtProviderAuthLifetime,
|
||||
getSiteURL
|
||||
} from "../../../config";
|
||||
import {
|
||||
AuthMethod,
|
||||
MembershipOrg,
|
||||
Organization,
|
||||
User
|
||||
} from "../../../models";
|
||||
import {
|
||||
createToken
|
||||
} from "../../../helpers/auth";
|
||||
import {
|
||||
ACCEPTED,
|
||||
AuthTokenType,
|
||||
INVITED,
|
||||
MEMBER
|
||||
} from "../../../variables";
|
||||
import { Types } from "mongoose";
|
||||
import { getSSOConfigHelper } from "../../../ee/helpers/organizations";
|
||||
import { InternalServerError, OrganizationNotFoundError } from "../../errors";
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const { MultiSamlStrategy } = require("@node-saml/passport-saml");
|
||||
|
||||
export const initializeSamlStrategy = async () => {
|
||||
passport.use("saml", new MultiSamlStrategy(
|
||||
{
|
||||
passReqToCallback: true,
|
||||
getSamlOptions: async (req: any, done: any) => {
|
||||
const { ssoIdentifier } = req.params;
|
||||
|
||||
const ssoConfig = await getSSOConfigHelper({
|
||||
ssoConfigId: new Types.ObjectId(ssoIdentifier)
|
||||
});
|
||||
|
||||
interface ISAMLConfig {
|
||||
callbackUrl: string;
|
||||
entryPoint: string;
|
||||
issuer: string;
|
||||
cert: string;
|
||||
audience: string;
|
||||
wantAuthnResponseSigned?: boolean;
|
||||
}
|
||||
|
||||
const samlConfig: ISAMLConfig = ({
|
||||
callbackUrl: `${await getSiteURL()}/api/v1/sso/saml2/${ssoIdentifier}`,
|
||||
entryPoint: ssoConfig.entryPoint,
|
||||
issuer: ssoConfig.issuer,
|
||||
cert: ssoConfig.cert,
|
||||
audience: await getSiteURL()
|
||||
});
|
||||
|
||||
if (ssoConfig.authProvider.toString() === AuthMethod.JUMPCLOUD_SAML.toString()) {
|
||||
samlConfig.wantAuthnResponseSigned = false;
|
||||
}
|
||||
|
||||
if (ssoConfig.authProvider.toString() === AuthMethod.AZURE_SAML.toString()) {
|
||||
if (req.body.RelayState && JSON.parse(req.body.RelayState).spInitiated) {
|
||||
samlConfig.audience = `spn:${ssoConfig.issuer}`;
|
||||
}
|
||||
}
|
||||
|
||||
req.ssoConfig = ssoConfig;
|
||||
|
||||
done(null, samlConfig);
|
||||
},
|
||||
},
|
||||
async (req: any, profile: any, done: any) => {
|
||||
if (!req.ssoConfig.isActive) return done(InternalServerError());
|
||||
|
||||
const organization = await Organization.findById(req.ssoConfig.organization);
|
||||
|
||||
if (!organization) return done(OrganizationNotFoundError());
|
||||
|
||||
const email = profile.email;
|
||||
const firstName = profile.firstName;
|
||||
const lastName = profile.lastName;
|
||||
|
||||
let user = await User.findOne({
|
||||
email
|
||||
}).select("+publicKey");
|
||||
|
||||
if (user) {
|
||||
// if user does not have SAML enabled then update
|
||||
const hasSamlEnabled = user.authMethods
|
||||
.some(
|
||||
(authMethod: AuthMethod) => [
|
||||
AuthMethod.OKTA_SAML,
|
||||
AuthMethod.AZURE_SAML,
|
||||
AuthMethod.JUMPCLOUD_SAML
|
||||
].includes(authMethod)
|
||||
);
|
||||
|
||||
if (!hasSamlEnabled) {
|
||||
await User.findByIdAndUpdate(
|
||||
user._id,
|
||||
{
|
||||
authMethods: [req.ssoConfig.authProvider]
|
||||
},
|
||||
{
|
||||
new: true
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
let membershipOrg = await MembershipOrg.findOne(
|
||||
{
|
||||
user: user._id,
|
||||
organization: organization._id
|
||||
}
|
||||
);
|
||||
|
||||
if (!membershipOrg) {
|
||||
membershipOrg = await new MembershipOrg({
|
||||
inviteEmail: email,
|
||||
user: user._id,
|
||||
organization: organization._id,
|
||||
role: MEMBER,
|
||||
status: ACCEPTED
|
||||
}).save();
|
||||
}
|
||||
|
||||
if (membershipOrg.status === INVITED) {
|
||||
membershipOrg.status = ACCEPTED;
|
||||
await membershipOrg.save();
|
||||
}
|
||||
} else {
|
||||
user = await new User({
|
||||
email,
|
||||
authMethods: [req.ssoConfig.authProvider],
|
||||
firstName,
|
||||
lastName
|
||||
}).save();
|
||||
|
||||
await new MembershipOrg({
|
||||
inviteEmail: email,
|
||||
user: user._id,
|
||||
organization: organization._id,
|
||||
role: MEMBER,
|
||||
status: INVITED
|
||||
}).save();
|
||||
}
|
||||
|
||||
const isUserCompleted = !!user.publicKey;
|
||||
const providerAuthToken = createToken({
|
||||
payload: {
|
||||
authTokenType: AuthTokenType.PROVIDER_TOKEN,
|
||||
userId: user._id.toString(),
|
||||
email: user.email,
|
||||
firstName,
|
||||
lastName,
|
||||
organizationName: organization?.name,
|
||||
authMethod: req.ssoConfig.authProvider,
|
||||
isUserCompleted,
|
||||
...(req.body.RelayState ? {
|
||||
callbackPort: JSON.parse(req.body.RelayState).callbackPort as string
|
||||
} : {})
|
||||
},
|
||||
expiresIn: await getJwtProviderAuthLifetime(),
|
||||
secret: await getAuthSecret(),
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
|
||||
done(null, profile);
|
||||
}
|
||||
));
|
||||
}
|
@ -1,17 +1,22 @@
|
||||
// TODO: merge [AuthTokenType] and [AuthMode]
|
||||
|
||||
export enum AuthTokenType {
|
||||
ACCESS_TOKEN = "accessToken",
|
||||
REFRESH_TOKEN = "refreshToken",
|
||||
SIGNUP_TOKEN = "signupToken",
|
||||
MFA_TOKEN = "mfaToken",
|
||||
PROVIDER_TOKEN = "providerToken",
|
||||
API_KEY = "apiKey"
|
||||
SIGNUP_TOKEN = "signupToken", // TODO: remove in favor of claim
|
||||
MFA_TOKEN = "mfaToken", // TODO: remove in favor of claim
|
||||
PROVIDER_TOKEN = "providerToken", // TODO: remove in favor of claim
|
||||
API_KEY = "apiKey",
|
||||
SERVICE_ACCESS_TOKEN = "serviceAccessToken",
|
||||
SERVICE_REFRESH_TOKEN = "serviceRefreshToken"
|
||||
}
|
||||
|
||||
export enum AuthMode {
|
||||
JWT = "jwt",
|
||||
SERVICE_TOKEN = "serviceToken",
|
||||
SERVICE_TOKEN_V3 = "serviceTokenV3",
|
||||
API_KEY = "apiKey"
|
||||
SERVICE_ACCESS_TOKEN = "serviceAccessToken",
|
||||
API_KEY = "apiKey",
|
||||
API_KEY_V2 = "apiKeyV2"
|
||||
}
|
||||
|
||||
export const K8_USER_AGENT_NAME = "k8-operator"
|
Loading…
Reference in new issue