e2e secure microsoft auth

2024-06-28 11:00:55 +12:00 · 2023-09-23 00:10:12 +01:00 · 2023-09-23 00:10:12 +01:00 · b979b29313
parent 7db7159b4c
commit b979b29313
9 changed files with 55 additions and 8 deletions
--- a/packages/backend-core/src/db/views.ts
+++ b/packages/backend-core/src/db/views.ts
@ -190,6 +190,10 @@ export const createPlatformUserView = async () => {
    if (doc.tenantId) {
      emit(doc._id.toLowerCase(), doc._id)
    }
+
+    if (doc.ssoId) {
+      emit(doc.ssoId, doc._id)
+    }
  }`
  await createPlatformView(viewJs, ViewName.PLATFORM_USERS_LOWERCASE)
 }
--- a/packages/backend-core/src/platform/users.ts
+++ b/packages/backend-core/src/platform/users.ts
@ -4,7 +4,7 @@ import env from "../environment"
 import {
  PlatformUser,
  PlatformUserByEmail,
-  PlatformUserById,
+  PlatformUserById, PlatformUserBySsoId,
  User,
 } from "@budibase/types"

@ -45,6 +45,20 @@ function newUserEmailDoc(
  }
 }

+function newUserSsoIdDoc(
+  ssoId: string,
+  email: string,
+  userId: string,
+  tenantId: string,
+): PlatformUserBySsoId {
+  return {
+    _id: ssoId,
+    userId,
+    email,
+    tenantId,
+  }
+}
+
 /**
 * Add a new user id or email doc if it doesn't exist.
 */
@ -64,11 +78,17 @@ async function addUserDoc(emailOrId: string, newDocFn: () => PlatformUser) {
  }
 }

-export async function addUser(tenantId: string, userId: string, email: string) {
-  await Promise.all([
+export async function addUser(tenantId: string, userId: string, email: string, ssoId?: string) {
+  const promises = [
    addUserDoc(userId, () => newUserIdDoc(userId, tenantId)),
    addUserDoc(email, () => newUserEmailDoc(userId, email, tenantId)),
-  ])
+  ]
+
+  if (ssoId) {
+    promises.push(addUserDoc(ssoId, () => newUserSsoIdDoc(ssoId, email, userId, tenantId)))
+  }
+
+  await Promise.all(promises)
 }

 // DELETE
--- a/packages/backend-core/src/users/db.ts
+++ b/packages/backend-core/src/users/db.ts
@ -278,7 +278,7 @@ export class UserDB {
        builtUser._rev = response.rev

        await eventHelpers.handleSaveEvents(builtUser, dbUser)
-        await platform.users.addUser(tenantId, builtUser._id!, builtUser.email)
+        await platform.users.addUser(tenantId, builtUser._id!, builtUser.email, builtUser.ssoId)
        await cache.user.invalidateUser(response.id)

        await Promise.all(groupPromises)
--- a/packages/types/src/api/account/accounts.ts
+++ b/packages/types/src/api/account/accounts.ts
@ -1,4 +1,4 @@
-import { Account } from "../../documents"
+import { Account, AccountSSOProvider } from "../../documents"
 import { Hosting } from "../../sdk"

 export interface CreateAccountRequest {
@ -11,6 +11,8 @@ export interface CreateAccountRequest {
  tenantName?: string
  name?: string
  password: string
+  provider?: AccountSSOProvider
+  thirdPartyProfile: object
 }

 export interface SearchAccountsRequest {
--- a/packages/types/src/documents/account/account.ts
+++ b/packages/types/src/documents/account/account.ts
@ -20,6 +20,11 @@ export interface CreatePassswordAccount extends CreateAccount {
  password: string
 }

+export interface CreateVerifiableSSOAccount extends CreateAccount {
+  provider?: AccountSSOProvider
+  thirdPartyProfile?: any
+}
+
 export const isCreatePasswordAccount = (
  account: CreateAccount
 ): account is CreatePassswordAccount => account.authType === AuthType.PASSWORD
@ -50,6 +55,8 @@ export interface Account extends CreateAccount {
  licenseKeyActivatedAt?: number
  licenseRequestedAt?: number
  licenseOverrides?: LicenseOverrides
+  provider?: AccountSSOProvider
+  providerType?: AccountSSOProviderType
  quotaUsage?: QuotaUsage
  offlineLicenseToken?: string
 }
--- a/packages/types/src/documents/global/user.ts
+++ b/packages/types/src/documents/global/user.ts
@ -55,6 +55,7 @@ export interface User extends Document {
  userGroups?: string[]
  onboardedAt?: string
  scimInfo?: { isSync: true } & Record<string, any>
+  ssoId?: string
 }

 export enum UserStatus {
--- a/packages/types/src/documents/platform/users.ts
+++ b/packages/types/src/documents/platform/users.ts
@ -15,4 +15,13 @@ export interface PlatformUserById extends Document {
  tenantId: string
 }

-export type PlatformUser = PlatformUserByEmail | PlatformUserById
+/**
+ * doc id is a unique SSO provider ID for the user
+ */
+export interface PlatformUserBySsoId extends Document {
+  tenantId: string
+  userId: string
+  email: string
+}
+
+export type PlatformUser = PlatformUserByEmail | PlatformUserById | PlatformUserBySsoId
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@ -95,7 +95,8 @@ const parseBooleanParam = (param: any) => {
 export const adminUser = async (
  ctx: Ctx<CreateAdminUserRequest, CreateAdminUserResponse>
 ) => {
-  const { email, password, tenantId } = ctx.request.body
+  // @ts-ignore
+  const { email, password, tenantId, ssoId } = ctx.request.body

  if (await platform.tenants.exists(tenantId)) {
    ctx.throw(403, "Organisation already exists.")
@ -136,6 +137,8 @@ export const adminUser = async (
        global: true,
      },
      tenantId,
+      // @ts-ignore
+      ssoId,
    }
    try {
      // always bust checklist beforehand, if an error occurs but can proceed, don't get
--- a/packages/worker/src/api/routes/global/users.ts
+++ b/packages/worker/src/api/routes/global/users.ts
@ -14,6 +14,7 @@ function buildAdminInitValidation() {
      email: Joi.string().required(),
      password: Joi.string(),
      tenantId: Joi.string().required(),
+      ssoId: Joi.string(),
    })
      .required()
      .unknown(false)