speckle-server/packages/server/modules/workspaces/helpers/sso.ts
Chuck Driesler 0ab53111a9 fix(sso): gatekeeper (#3442)
* feat(workspaces): add workspace sso feature flag

* feat(workspaceSso): wip validate sso

* feat(workspaces): validate and add sso provider to the workspace with user sso sessions

* feat(workspaces): validate and add sso provider to the workspace with user sso sessions

* WIP

* fix(sso): restructure to handle all branches at end of flow

* fix(sso): add and validate emails used for sso

* fix(sso): park progress

* chore(workspaces): review sso login/valdate

* fix(sso): adjust validate url

* chore(sso): auth header puzzle

* fix(sso): happy-path config

* chore(gql): gqlgen

* fix(sso): almost almost

* fix(sso): auth endpoint

* a lil more terse

* fix(sso): light at the end of the tunnel

* fix(sso): improve catch block error messages

* fix(sso): session lifespan => validUntil

* fix(sso): I think we've got it

* feat(sso): limited workspace values for public sso login

* fix(sso): use factory functions

* fix(sso): til decrypt is single-use

* fix(sso): correct usage of access codes

* fix(sso): use finalize middleware in all routes

* chore(sso): cheeky tweak

* fix(sso): move some types around

* fix(sso): stencil final shape I'm sleepy

* fix(sso): more factories more factories

* fix(sso): on to final boss of factories

* fix(sso): needs a haircut but she works

* fix(sso): init rest w function, not side-effects

* fix(sso): /authn => /sso

* chore(sso): errors

* chore(sso): test test test

* chore(sso): test all the corners

* feat(sso): list workspace sso memberships

* chore(sso): tests, expose in rest

* fix(sso): sketch active user auth

* fix(sso): expose search via gql

* fix(sso): active user session information

* chore(sso): sso session test utils

* chore(sso): test sso session repo/services

* chore(sso): gqlgen

* feat(sso): throw error on missing or expired sso session

* chore(sso): tests for SSO access protection

* fix(sso): use gatekeeper to protect sso access

---------

Co-authored-by: Gergő Jedlicska <gergo@jedlicska.com>
Co-authored-by: Mike Tasset <mike.tasset@gmail.com>
2024-11-06 16:29:49 +00:00


import { getEncryptionKeyPair } from '@/modules/automate/services/encryption'
import { getFrontendOrigin, getServerOrigin } from '@/modules/shared/helpers/envHelper'
import { buildDecryptor, buildEncryptor } from '@/modules/shared/utils/libsodium'
import { SsoVerificationCodeMissingError } from '@/modules/workspaces/errors/sso'
import { Request } from 'express'
/**
 * Session fields this module stores on the express session.
 * NOTE(review): `parseCodeVerifier` further down reads `req.session.codeVerifier`,
 * which is not declared here — presumably added by another augmentation; confirm
 * rather than duplicating it in this block.
 */
declare module 'express-session' {
  interface SessionData {
    workspaceId?: string
  }
}
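/**
 * Generate Speckle URL to redirect users to after they complete authorization
 * with the given SSO provider.
 *
 * This is the OIDC callback on the server origin, so its path should be exactly
 * what was handed to the provider; the slug is therefore encoded as a single path
 * segment so reserved characters (`/`, `?`, `#`) cannot alter the path or query.
 * @param workspaceSlug - Slug of the workspace the SSO flow belongs to.
 * @param isValidationFlow - When true, `validate=true` is appended so the callback
 * can tell the provider-validation round trip apart from a regular login.
 * @returns Absolute callback URL on the server origin.
 */
export const buildAuthRedirectUrl = (
  workspaceSlug: string,
  isValidationFlow: boolean
): URL => {
  const callbackPath = `/api/v1/workspaces/${encodeURIComponent(
    workspaceSlug
  )}/sso/oidc/callback`
  const redirectUrl = new URL(callbackPath, getServerOrigin())
  if (isValidationFlow) {
    // Produces the same `?validate=true` suffix as string concatenation would
    redirectUrl.searchParams.set('validate', 'true')
  }
  return redirectUrl
}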
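/**
 * Generate Speckle URL to redirect users to after successfully completing the
 * SSO authorization flow.
 *
 * The slug is encoded as a single path segment so a value containing `/`, `?`
 * or `#` cannot redirect to a different frontend route.
 * @remarks Append params to this URL to preserve information about errors
 * @param workspaceSlug - Slug of the workspace whose SSO page should be shown.
 * @returns Absolute URL on the frontend origin (path is resolved relative to it).
 */
export const buildFinalizeUrl = (workspaceSlug: string): URL => {
  const slug = encodeURIComponent(workspaceSlug)
  return new URL(`workspaces/${slug}/sso`, getFrontendOrigin())
}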
/**
 * Generate Speckle URL to redirect users to after an error occurs during SSO.
 *
 * The message travels in the `error` query param of the finalize URL, so
 * whatever `err.message` contains is shown to the end user by the frontend.
 * @param err - Whatever was thrown; non-Error values are stringified.
 * @param workspaceSlug - Workspace whose SSO page should display the error.
 * @returns Serialized redirect URL.
 */
export const buildErrorUrl = (err: unknown, workspaceSlug: string): string => {
  const message = err instanceof Error ? err.message : `Unknown error: ${err}`
  const target = buildFinalizeUrl(workspaceSlug)
  target.searchParams.set('error', message)
  return target.href
}
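/**
 * Build an encrypt function bound to the server's encryption key pair.
 *
 * A fresh encryptor is created per call and disposed in a `finally` block, so
 * its resources are released even when `encrypt` throws (previously a failed
 * encryption skipped `dispose()`).
 * @returns Async function that encrypts a string with the server public key.
 */
export const getEncryptor = () => async (data: string) => {
  const { publicKey } = await getEncryptionKeyPair()
  const encryptor = await buildEncryptor(publicKey)
  try {
    return await encryptor.encrypt(data)
  } finally {
    encryptor.dispose()
  }
}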
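/**
 * Build a decrypt function bound to the server's encryption key pair.
 *
 * A fresh decryptor is created per call and disposed in a `finally` block, so
 * its resources are released even when `decrypt` throws (previously a failed
 * decryption skipped `dispose()`).
 * @returns Async function that decrypts a string produced by `getEncryptor()`.
 */
export const getDecryptor = () => async (data: string) => {
  const encryptionKeyPair = await getEncryptionKeyPair()
  const decryptor = await buildDecryptor(encryptionKeyPair)
  try {
    return await decryptor.decrypt(data)
  } finally {
    decryptor.dispose()
  }
}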
/**
 * Read the encrypted code verifier from the request session and decrypt it.
 * @param req - Incoming request whose session should carry `codeVerifier`.
 * @returns The plaintext code verifier.
 * @throws SsoVerificationCodeMissingError when the session holds no verifier
 * (for example the callback was hit without the flow having been started).
 */
export const parseCodeVerifier = async (req: Request<unknown>): Promise<string> => {
  const { codeVerifier: encrypted } = req.session
  if (encrypted) return await getDecryptor()(encrypted)
  throw new SsoVerificationCodeMissingError()
}