Microsoft-multi-tenant (#9801)

Microsoft fixes
2025-01-23 12:08:08 +01:00
parent bddca09451
commit 2f0fa7ae3e
11 changed files with 43 additions and 26 deletions
--- a/packages/twenty-server/src/engine/core-modules/auth/auth.exception.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/auth.exception.ts
@ -14,6 +14,7 @@ export enum AuthExceptionCode {
  WORKSPACE_NOT_FOUND = 'WORKSPACE_NOT_FOUND',
  INVALID_INPUT = 'INVALID_INPUT',
  FORBIDDEN_EXCEPTION = 'FORBIDDEN_EXCEPTION',
+  INSUFFICIENT_SCOPES = 'INSUFFICIENT_SCOPES',
  UNAUTHENTICATED = 'UNAUTHENTICATED',
  INVALID_DATA = 'INVALID_DATA',
  INTERNAL_SERVER_ERROR = 'INTERNAL_SERVER_ERROR',
--- a/packages/twenty-server/src/engine/core-modules/auth/guards/microsoft-apis-oauth-exchange-code-for-token.guard.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/guards/microsoft-apis-oauth-exchange-code-for-token.guard.ts
@ -1,6 +1,10 @@
 import { ExecutionContext, Injectable } from '@nestjs/common';
 import { AuthGuard } from '@nestjs/passport';

+import {
+  AuthException,
+  AuthExceptionCode,
+} from 'src/engine/core-modules/auth/auth.exception';
 import { MicrosoftAPIsOauthExchangeCodeForTokenStrategy } from 'src/engine/core-modules/auth/strategies/microsoft-apis-oauth-exchange-code-for-token.auth.strategy';
 import { setRequestExtraParams } from 'src/engine/core-modules/auth/utils/google-apis-set-request-extra-params.util';
 import { EnvironmentService } from 'src/engine/core-modules/environment/environment.service';
@ -14,18 +18,31 @@ export class MicrosoftAPIsOauthExchangeCodeForTokenGuard extends AuthGuard(
  }

  async canActivate(context: ExecutionContext) {
-    const request = context.switchToHttp().getRequest();
-    const state = JSON.parse(request.query.state);
+    try {
+      const request = context.switchToHttp().getRequest();
+      const state = JSON.parse(request.query.state);

-    new MicrosoftAPIsOauthExchangeCodeForTokenStrategy(this.environmentService);
+      new MicrosoftAPIsOauthExchangeCodeForTokenStrategy(
+        this.environmentService,
+      );

-    setRequestExtraParams(request, {
-      transientToken: state.transientToken,
-      redirectLocation: state.redirectLocation,
-      calendarVisibility: state.calendarVisibility,
-      messageVisibility: state.messageVisibility,
-    });
+      setRequestExtraParams(request, {
+        transientToken: state.transientToken,
+        redirectLocation: state.redirectLocation,
+        calendarVisibility: state.calendarVisibility,
+        messageVisibility: state.messageVisibility,
+      });

-    return (await super.canActivate(context)) as boolean;
+      return (await super.canActivate(context)) as boolean;
+    } catch (error) {
+      if (error?.oauthError?.statusCode === 403) {
+        throw new AuthException(
+          `Insufficient privileges to access this microsoft resource. Make sure you have the correct scopes or ask your admin to update your scopes. ${error?.message}`,
+          AuthExceptionCode.INSUFFICIENT_SCOPES,
+        );
+      }
+
+      return false;
+    }
  }
 }
--- a/packages/twenty-server/src/engine/core-modules/auth/strategies/microsoft-apis-oauth-common.auth.strategy.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/strategies/microsoft-apis-oauth-common.auth.strategy.ts
@ -22,7 +22,7 @@ export class MicrosoftAPIsOauthCommonStrategy extends PassportStrategy(
    super({
      clientID: environmentService.get('AUTH_MICROSOFT_CLIENT_ID'),
      clientSecret: environmentService.get('AUTH_MICROSOFT_CLIENT_SECRET'),
-      tenant: environmentService.get('AUTH_MICROSOFT_TENANT_ID'),
+      tenant: 'common',
      callbackURL: environmentService.get('AUTH_MICROSOFT_APIS_CALLBACK_URL'),
      scope: scopes,
      passReqToCallback: true,
--- a/packages/twenty-server/src/engine/core-modules/auth/strategies/microsoft.auth.strategy.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/strategies/microsoft.auth.strategy.ts
@ -32,7 +32,7 @@ export class MicrosoftStrategy extends PassportStrategy(Strategy, 'microsoft') {
      clientID: environmentService.get('AUTH_MICROSOFT_CLIENT_ID'),
      clientSecret: environmentService.get('AUTH_MICROSOFT_CLIENT_SECRET'),
      callbackURL: environmentService.get('AUTH_MICROSOFT_CALLBACK_URL'),
-      tenant: environmentService.get('AUTH_MICROSOFT_TENANT_ID'),
+      tenant: 'common',
      scope: ['user.read'],
      passReqToCallback: true,
    });
--- a/packages/twenty-server/src/engine/core-modules/auth/utils/get-microsoft-apis-oauth-scopes.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/utils/get-microsoft-apis-oauth-scopes.ts
@ -6,6 +6,7 @@ export const getMicrosoftApisOauthScopes = () => {
    'offline_access',
    'Mail.Read',
    'Calendars.Read',
+    'User.Read',
  ];

  return scopes;
--- a/packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts
+++ b/packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts
@ -204,10 +204,6 @@ export class EnvironmentVariables {
  @ValidateIf((env) => env.AUTH_MICROSOFT_ENABLED)
  AUTH_MICROSOFT_CLIENT_ID: string;

-  @IsString()
-  @ValidateIf((env) => env.AUTH_MICROSOFT_ENABLED)
-  AUTH_MICROSOFT_TENANT_ID: string;
-
  @IsString()
  @ValidateIf((env) => env.AUTH_MICROSOFT_ENABLED)
  AUTH_MICROSOFT_CLIENT_SECRET: string;