admin/twenty
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(auth): enhance SSO handling and workspace auth logic (#9858)

Browse Source 
- Return only SSO providers with an `activate` status
- If only 1 SSO provider is enabled for auth, redirect the user to the
provider login page.
- if only SSO auth is available set the step to SSO selection.

---------

Co-authored-by: Charles Bochet <charles@twenty.com>
This commit is contained in:
Antoine Moreaux
2025-01-29 19:28:21 +01:00
committed by GitHub
parent 85df6ada52
commit 4edeb7f991
12 changed files with 215 additions and 149 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
packages/twenty-front/src/modules/auth/hooks/__tests__/useAuth.test.tsx
View File

@ -124,13 +124,7 @@ describe('useAuth', () => {
const { state } = result.current; const { state } = result.current;
expect(state.icons).toEqual({}); expect(state.icons).toEqual({});
expect(state.workspaceAuthProviders).toEqual({ expect(state.workspaceAuthProviders).toEqual(null);
google: true,
microsoft: false,
magicLink: false,
password: true,
sso: [],
});
expect(state.billing).toBeNull(); expect(state.billing).toBeNull();
expect(state.isDeveloperDefaultSignInPrefilled).toBe(false); expect(state.isDeveloperDefaultSignInPrefilled).toBe(false);
expect(state.supportChat).toEqual({ expect(state.supportChat).toEqual({

6
packages/twenty-front/src/modules/auth/sign-in-up/components/SignInUpWithSSO.tsx
View File

@ -7,6 +7,7 @@ import { workspaceAuthProvidersState } from '@/workspace/states/workspaceAuthPro
import { useTheme } from '@emotion/react'; import { useTheme } from '@emotion/react';
import { useRecoilValue, useSetRecoilState } from 'recoil'; import { useRecoilValue, useSetRecoilState } from 'recoil';
import { HorizontalSeparator, IconLock, MainButton } from 'twenty-ui'; import { HorizontalSeparator, IconLock, MainButton } from 'twenty-ui';
import { isDefined } from '~/utils/isDefined';
export const SignInUpWithSSO = () => { export const SignInUpWithSSO = () => {
const theme = useTheme(); const theme = useTheme();
@ -18,7 +19,10 @@ export const SignInUpWithSSO = () => {
const { redirectToSSOLoginPage } = useSSO(); const { redirectToSSOLoginPage } = useSSO();
const signInWithSSO = () => { const signInWithSSO = () => {
if (workspaceAuthProviders.sso.length === 1) { if (
isDefined(workspaceAuthProviders) &&
workspaceAuthProviders.sso.length === 1
) {
return redirectToSSOLoginPage(workspaceAuthProviders.sso[0].id); return redirectToSSOLoginPage(workspaceAuthProviders.sso[0].id);
} }

4
packages/twenty-front/src/modules/auth/sign-in-up/components/SignInUpWorkspaceScopeForm.tsx
View File

@ -26,6 +26,10 @@ export const SignInUpWorkspaceScopeForm = () => {
const { signInUpStep } = useSignInUp(form); const { signInUpStep } = useSignInUp(form);
if (!workspaceAuthProviders) {
return null;
}
return ( return (
<> <>
<StyledContentContainer> <StyledContentContainer>

37
packages/twenty-front/src/modules/auth/sign-in-up/components/SignInUpWorkspaceScopeFormEffect.tsx
View File

@ -1,11 +1,15 @@
import { useSSO } from '@/auth/sign-in-up/hooks/useSSO';
import { useSignInUp } from '@/auth/sign-in-up/hooks/useSignInUp'; import { useSignInUp } from '@/auth/sign-in-up/hooks/useSignInUp';
import { useSignInUpForm } from '@/auth/sign-in-up/hooks/useSignInUpForm'; import { useSignInUpForm } from '@/auth/sign-in-up/hooks/useSignInUpForm';
import { SignInUpStep } from '@/auth/states/signInUpStepState'; import {
SignInUpStep,
signInUpStepState,
} from '@/auth/states/signInUpStepState';
import { isRequestingCaptchaTokenState } from '@/captcha/states/isRequestingCaptchaTokenState'; import { isRequestingCaptchaTokenState } from '@/captcha/states/isRequestingCaptchaTokenState';
import { captchaState } from '@/client-config/states/captchaState'; import { captchaState } from '@/client-config/states/captchaState';
import { workspaceAuthProvidersState } from '@/workspace/states/workspaceAuthProvidersState'; import { workspaceAuthProvidersState } from '@/workspace/states/workspaceAuthProvidersState';
import { useEffect, useState } from 'react'; import { useEffect, useState } from 'react';
import { useRecoilValue } from 'recoil'; import { useRecoilValue, useSetRecoilState } from 'recoil';
import { isDefined } from '~/utils/isDefined'; import { isDefined } from '~/utils/isDefined';
const searchParams = new URLSearchParams(window.location.search); const searchParams = new URLSearchParams(window.location.search);
@ -31,10 +35,32 @@ export const SignInUpWorkspaceScopeFormEffect = () => {
); );
const { form } = useSignInUpForm(); const { form } = useSignInUpForm();
const { redirectToSSOLoginPage } = useSSO();
const { signInUpStep, continueWithEmail, continueWithCredentials } = const { signInUpStep, continueWithEmail, continueWithCredentials } =
useSignInUp(form); useSignInUp(form);
const setSignInUpStep = useSetRecoilState(signInUpStepState);
useEffect(() => {
if (!workspaceAuthProviders) {
return;
}
if (workspaceAuthProviders.sso.length > 1) {
return setSignInUpStep(SignInUpStep.SSOIdentityProviderSelection);
}
const hasOnlySSOProvidersEnabled =
!workspaceAuthProviders.google &&
!workspaceAuthProviders.microsoft &&
!workspaceAuthProviders.password;
if (hasOnlySSOProvidersEnabled && workspaceAuthProviders.sso.length === 1) {
redirectToSSOLoginPage(workspaceAuthProviders.sso[0].id);
}
}, [redirectToSSOLoginPage, setSignInUpStep, workspaceAuthProviders]);
useEffect(() => { useEffect(() => {
if (loadingStatus === LoadingStatus.Done) { if (loadingStatus === LoadingStatus.Done) {
return; return;
@ -58,6 +84,8 @@ export const SignInUpWorkspaceScopeFormEffect = () => {
}, [captcha?.provider, isRequestingCaptchaToken, loadingStatus]); }, [captcha?.provider, isRequestingCaptchaToken, loadingStatus]);
useEffect(() => { useEffect(() => {
if (!workspaceAuthProviders) return;
if ( if (
signInUpStep === SignInUpStep.Init && signInUpStep === SignInUpStep.Init &&
!workspaceAuthProviders.google && !workspaceAuthProviders.google &&
@ -77,10 +105,7 @@ export const SignInUpWorkspaceScopeFormEffect = () => {
} }
}, [ }, [
signInUpStep, signInUpStep,
workspaceAuthProviders.google, workspaceAuthProviders,
workspaceAuthProviders.microsoft,
workspaceAuthProviders.sso,
workspaceAuthProviders.password,
continueWithEmail, continueWithEmail,
continueWithCredentials, continueWithCredentials,
loadingStatus, loadingStatus,

73
packages/twenty-front/src/modules/auth/sign-in-up/hooks/__tests__/useSSO.test.ts
View File

@ -1,73 +0,0 @@
import { renderHook } from '@testing-library/react';
import { useSnackBar } from '@/ui/feedback/snack-bar-manager/hooks/useSnackBar';
import { useGetAuthorizationUrlMutation } from '~/generated/graphql';
import { useSSO } from '@/auth/sign-in-up/hooks/useSSO';
// Mock dependencies
jest.mock('@/ui/feedback/snack-bar-manager/hooks/useSnackBar');
jest.mock('~/generated/graphql');
// Helpers
const mockEnqueueSnackBar = jest.fn();
const mockGetAuthorizationUrlMutation = jest.fn();
// Mock return values
(useSnackBar as jest.Mock).mockReturnValue({
enqueueSnackBar: mockEnqueueSnackBar,
});
(useGetAuthorizationUrlMutation as jest.Mock).mockReturnValue([
mockGetAuthorizationUrlMutation,
]);
describe('useSSO', () => {
beforeEach(() => {
jest.clearAllMocks();
});
it('should call getAuthorizationUrlForSSO with correct parameters', async () => {
const { result } = renderHook(() => useSSO());
const identityProviderId = 'test-id';
mockGetAuthorizationUrlMutation.mockResolvedValueOnce({
data: {
getAuthorizationUrl: {
authorizationURL: 'http://example.com',
},
},
});
await result.current.getAuthorizationUrlForSSO({ identityProviderId });
expect(mockGetAuthorizationUrlMutation).toHaveBeenCalledWith({
variables: { input: { identityProviderId } },
});
});
it('should enqueue error snackbar when URL retrieval fails', async () => {
const { result } = renderHook(() => useSSO());
const identityProviderId = 'test-id';
mockGetAuthorizationUrlMutation.mockResolvedValueOnce({
errors: [{ message: 'Error message' }],
});
await result.current.redirectToSSOLoginPage(identityProviderId);
expect(mockEnqueueSnackBar).toHaveBeenCalledWith('Error message', {
variant: 'error',
});
});
it('should enqueue default error snackbar when error message is not provided', async () => {
const { result } = renderHook(() => useSSO());
const identityProviderId = 'test-id';
mockGetAuthorizationUrlMutation.mockResolvedValueOnce({ errors: [{}] });
await result.current.redirectToSSOLoginPage(identityProviderId);
expect(mockEnqueueSnackBar).toHaveBeenCalledWith('Unknown error', {
variant: 'error',
});
});
});

88
packages/twenty-front/src/modules/auth/sign-in-up/hooks/__tests__/useSSO.test.tsx Normal file
View File

@ -0,0 +1,88 @@
import { GET_AUTHORIZATION_URL } from '@/auth/graphql/mutations/getAuthorizationUrl';
import { useSSO } from '@/auth/sign-in-up/hooks/useSSO';
import { useRedirect } from '@/domain-manager/hooks/useRedirect';
import { useSnackBar } from '@/ui/feedback/snack-bar-manager/hooks/useSnackBar';
import { MockedProvider } from '@apollo/client/testing';
import { renderHook } from '@testing-library/react';
jest.mock('@/ui/feedback/snack-bar-manager/hooks/useSnackBar');
jest.mock('@/domain-manager/hooks/useRedirect');
jest.mock('~/generated/graphql');
const mockEnqueueSnackBar = jest.fn();
const mockRedirect = jest.fn();
(useSnackBar as jest.Mock).mockReturnValue({
enqueueSnackBar: mockEnqueueSnackBar,
});
(useRedirect as jest.Mock).mockReturnValue({
redirect: mockRedirect,
});
const apolloMocks = [
{
request: {
query: GET_AUTHORIZATION_URL,
variables: {
input: {
identityProviderId: 'success-id',
},
},
},
result: {
data: {
getAuthorizationUrl: { authorizationURL: 'http://example.com' },
},
},
},
{
request: {
query: GET_AUTHORIZATION_URL,
variables: {
input: {
identityProviderId: 'error-id',
},
},
},
result: {
data: null,
errors: [{ message: 'Error message' }],
},
},
];
const Wrapper = ({ children }: { children: React.ReactNode }) => (
<MockedProvider mocks={apolloMocks} addTypename={false}>
{children}
</MockedProvider>
);
describe('useSSO', () => {
beforeEach(() => {
jest.clearAllMocks();
});
it('should call getAuthorizationUrlForSSO with correct parameters', async () => {
const { result } = renderHook(() => useSSO(), {
wrapper: Wrapper,
});
const identityProviderId = 'success-id';
await result.current.redirectToSSOLoginPage(identityProviderId);
expect(mockRedirect).toHaveBeenCalledWith('http://example.com');
});
it('should enqueue error snackbar when URL retrieval fails', async () => {
const { result } = renderHook(() => useSSO(), {
wrapper: Wrapper,
});
const identityProviderId = 'error-id';
await result.current.redirectToSSOLoginPage(identityProviderId);
expect(mockEnqueueSnackBar).toHaveBeenCalledWith('Error message', {
variant: 'error',
});
});
});

53
packages/twenty-front/src/modules/auth/sign-in-up/hooks/useSSO.ts
View File

@ -1,53 +1,38 @@
/* @license Enterprise */ /* @license Enterprise */
import { GET_AUTHORIZATION_URL } from '@/auth/graphql/mutations/getAuthorizationUrl';
import { useRedirect } from '@/domain-manager/hooks/useRedirect';
import { SnackBarVariant } from '@/ui/feedback/snack-bar-manager/components/SnackBar'; import { SnackBarVariant } from '@/ui/feedback/snack-bar-manager/components/SnackBar';
import { useSnackBar } from '@/ui/feedback/snack-bar-manager/hooks/useSnackBar'; import { useSnackBar } from '@/ui/feedback/snack-bar-manager/hooks/useSnackBar';
import { import { useApolloClient } from '@apollo/client';
GetAuthorizationUrlMutationVariables,
useGetAuthorizationUrlMutation,
} from '~/generated/graphql';
import { isDefined } from '~/utils/isDefined';
export const useSSO = () => { export const useSSO = () => {
const apolloClient = useApolloClient();
const { enqueueSnackBar } = useSnackBar(); const { enqueueSnackBar } = useSnackBar();
const [getAuthorizationUrlMutation] = useGetAuthorizationUrlMutation(); const { redirect } = useRedirect();
const getAuthorizationUrlForSSO = async ({
identityProviderId,
}: GetAuthorizationUrlMutationVariables['input']) => {
return await getAuthorizationUrlMutation({
variables: {
input: { identityProviderId },
},
});
};
const redirectToSSOLoginPage = async (identityProviderId: string) => { const redirectToSSOLoginPage = async (identityProviderId: string) => {
const authorizationUrlForSSOResult = await getAuthorizationUrlForSSO({ let authorizationUrlForSSOResult;
identityProviderId, try {
}); authorizationUrlForSSOResult = await apolloClient.mutate({
mutation: GET_AUTHORIZATION_URL,
if ( variables: {
isDefined(authorizationUrlForSSOResult.errors) || input: { identityProviderId },
!authorizationUrlForSSOResult.data ||
!authorizationUrlForSSOResult.data?.getAuthorizationUrl.authorizationURL
) {
return enqueueSnackBar(
authorizationUrlForSSOResult.errors?.[0]?.message ?? 'Unknown error',
{
variant: SnackBarVariant.Error,
}, },
); });
} catch (error: any) {
return enqueueSnackBar(error?.message ?? 'Unknown error', {
variant: SnackBarVariant.Error,
});
} }
window.location.href = redirect(
authorizationUrlForSSOResult.data?.getAuthorizationUrl.authorizationURL; authorizationUrlForSSOResult.data?.getAuthorizationUrl.authorizationURL,
return; );
}; };
return { return {
redirectToSSOLoginPage, redirectToSSOLoginPage,
getAuthorizationUrlForSSO,
}; };
}; };

8
packages/twenty-front/src/modules/workspace/components/WorkspaceProviderEffect.tsx
View File

@ -1,14 +1,14 @@
import { useRecoilValue } from 'recoil'; import { useRecoilValue } from 'recoil';
import { useEffect } from 'react';
import { isDefined } from '~/utils/isDefined';
import { isMultiWorkspaceEnabledState } from '@/client-config/states/isMultiWorkspaceEnabledState'; import { isMultiWorkspaceEnabledState } from '@/client-config/states/isMultiWorkspaceEnabledState';
import { useReadWorkspaceSubdomainFromCurrentLocation } from '@/domain-manager/hooks/useReadWorkspaceSubdomainFromCurrentLocation';
import { useRedirectToWorkspaceDomain } from '@/domain-manager/hooks/useRedirectToWorkspaceDomain'; import { useRedirectToWorkspaceDomain } from '@/domain-manager/hooks/useRedirectToWorkspaceDomain';
import { lastAuthenticatedWorkspaceDomainState } from '@/domain-manager/states/lastAuthenticatedWorkspaceDomainState'; import { lastAuthenticatedWorkspaceDomainState } from '@/domain-manager/states/lastAuthenticatedWorkspaceDomainState';
import { useReadWorkspaceSubdomainFromCurrentLocation } from '@/domain-manager/hooks/useReadWorkspaceSubdomainFromCurrentLocation'; import { useEffect } from 'react';
import { isDefined } from '~/utils/isDefined';
import { useIsCurrentLocationOnDefaultDomain } from '@/domain-manager/hooks/useIsCurrentLocationOnDefaultDomain';
import { useGetPublicWorkspaceDataBySubdomain } from '@/domain-manager/hooks/useGetPublicWorkspaceDataBySubdomain'; import { useGetPublicWorkspaceDataBySubdomain } from '@/domain-manager/hooks/useGetPublicWorkspaceDataBySubdomain';
import { useIsCurrentLocationOnDefaultDomain } from '@/domain-manager/hooks/useIsCurrentLocationOnDefaultDomain';
export const WorkspaceProviderEffect = () => { export const WorkspaceProviderEffect = () => {
const { data: getPublicWorkspaceData } = const { data: getPublicWorkspaceData } =
useGetPublicWorkspaceDataBySubdomain(); useGetPublicWorkspaceDataBySubdomain();

10
packages/twenty-front/src/modules/workspace/states/workspaceAuthProvidersState.ts
View File

@ -2,13 +2,7 @@ import { createState } from '@ui/utilities/state/utils/createState';
import { AuthProviders } from '~/generated/graphql'; import { AuthProviders } from '~/generated/graphql';
export const workspaceAuthProvidersState = createState<AuthProviders>({ export const workspaceAuthProvidersState = createState<AuthProviders | null>({
key: 'workspaceAuthProvidersState', key: 'workspaceAuthProvidersState',
defaultValue: { defaultValue: null,
google: true,
magicLink: false,
password: true,
microsoft: false,
sso: [],
},
}); });

51
packages/twenty-server/src/engine/core-modules/workspace/utils/__tests__/get-auth-providers-by-workspace.util.spec.ts
View File

@ -1,5 +1,10 @@
import { getAuthProvidersByWorkspace } from 'src/engine/core-modules/workspace/utils/get-auth-providers-by-workspace.util'; import { getAuthProvidersByWorkspace } from 'src/engine/core-modules/workspace/utils/get-auth-providers-by-workspace.util';
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity'; import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import {
IdentityProviderType,
SSOIdentityProviderStatus,
WorkspaceSSOIdentityProvider,
} from 'src/engine/core-modules/sso/workspace-sso-identity-provider.entity';
describe('getAuthProvidersByWorkspace', () => { describe('getAuthProvidersByWorkspace', () => {
const mockWorkspace = { const mockWorkspace = {
@ -10,8 +15,9 @@ describe('getAuthProvidersByWorkspace', () => {
{ {
id: 'sso1', id: 'sso1',
name: 'SSO Provider 1', name: 'SSO Provider 1',
type: 'SAML', type: IdentityProviderType.SAML,
status: 'active',
status: SSOIdentityProviderStatus.Active,
issuer: 'sso1.example.com', issuer: 'sso1.example.com',
}, },
], ],
@ -38,8 +44,9 @@ describe('getAuthProvidersByWorkspace', () => {
{ {
id: 'sso1', id: 'sso1',
name: 'SSO Provider 1', name: 'SSO Provider 1',
type: 'SAML', type: IdentityProviderType.SAML,
status: 'active',
status: SSOIdentityProviderStatus.Active,
issuer: 'sso1.example.com', issuer: 'sso1.example.com',
}, },
], ],
@ -66,6 +73,37 @@ describe('getAuthProvidersByWorkspace', () => {
sso: [], sso: [],
}); });
}); });
it('should handle workspace with SSO providers inactive', () => {
const result = getAuthProvidersByWorkspace({
workspace: {
...mockWorkspace,
workspaceSSOIdentityProviders: [
{
id: 'sso1',
name: 'SSO Provider 1',
type: IdentityProviderType.SAML,
status: SSOIdentityProviderStatus.Inactive,
issuer: 'sso1.example.com',
} as WorkspaceSSOIdentityProvider,
],
},
systemEnabledProviders: {
google: true,
magicLink: false,
password: true,
microsoft: true,
sso: [],
},
});
expect(result).toEqual({
google: true,
magicLink: false,
password: true,
microsoft: false,
sso: [],
});
});
it('should disable Microsoft auth if isMicrosoftAuthEnabled is false', () => { it('should disable Microsoft auth if isMicrosoftAuthEnabled is false', () => {
const result = getAuthProvidersByWorkspace({ const result = getAuthProvidersByWorkspace({
@ -88,8 +126,9 @@ describe('getAuthProvidersByWorkspace', () => {
{ {
id: 'sso1', id: 'sso1',
name: 'SSO Provider 1', name: 'SSO Provider 1',
type: 'SAML', type: IdentityProviderType.SAML,
status: 'active',
status: SSOIdentityProviderStatus.Active,
issuer: 'sso1.example.com', issuer: 'sso1.example.com',
}, },
], ],

22
packages/twenty-server/src/engine/core-modules/workspace/utils/get-auth-providers-by-workspace.util.ts
View File

@ -1,5 +1,7 @@
import { SSOIdentityProviderStatus } from 'src/engine/core-modules/sso/workspace-sso-identity-provider.entity';
import { AuthProviders } from 'src/engine/core-modules/workspace/dtos/public-workspace-data-output'; import { AuthProviders } from 'src/engine/core-modules/workspace/dtos/public-workspace-data-output';
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity'; import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import { isDefined } from 'src/utils/is-defined';
export const getAuthProvidersByWorkspace = ({ export const getAuthProvidersByWorkspace = ({
workspace, workspace,
@ -21,12 +23,18 @@ export const getAuthProvidersByWorkspace = ({
workspace.isPasswordAuthEnabled && systemEnabledProviders.password, workspace.isPasswordAuthEnabled && systemEnabledProviders.password,
microsoft: microsoft:
workspace.isMicrosoftAuthEnabled && systemEnabledProviders.microsoft, workspace.isMicrosoftAuthEnabled && systemEnabledProviders.microsoft,
sso: workspace.workspaceSSOIdentityProviders.map((identityProvider) => ({ sso: workspace.workspaceSSOIdentityProviders
id: identityProvider.id, .map((identityProvider) =>
name: identityProvider.name, identityProvider.status === SSOIdentityProviderStatus.Active
type: identityProvider.type, ? {
status: identityProvider.status, id: identityProvider.id,
issuer: identityProvider.issuer, name: identityProvider.name,
})), type: identityProvider.type,
status: identityProvider.status,
issuer: identityProvider.issuer,
}
: undefined,
)
.filter(isDefined),
}; };
}; };

4
packages/twenty-server/src/engine/core-modules/workspace/workspace.resolver.ts
View File

@ -148,11 +148,9 @@ export class WorkspaceResolver {
workspace.id, workspace.id,
); );
const filteredFeatureFlags = featureFlags.filter((flag) => return featureFlags.filter((flag) =>
Object.values(FeatureFlagKey).includes(flag.key), Object.values(FeatureFlagKey).includes(flag.key),
); );
return filteredFeatureFlags;
} }
@Mutation(() => Workspace) @Mutation(() => Workspace)