fix(auth): streamline SSO auth callback logic (#9668)

Removed unused UserService dependency and simplified authCallback
function by using destructured parameters. Added checks for user email
and integrated invitation lookup and access validation for enhanced SSO
sign-in/up flow.
This commit is contained in:
Antoine Moreaux
2025-01-16 16:07:06 +01:00
committed by GitHub
parent 91eac86520
commit ad0dc7d664


@ -32,7 +32,6 @@ import {
} from 'src/engine/core-modules/sso/workspace-sso-identity-provider.entity'; } from 'src/engine/core-modules/sso/workspace-sso-identity-provider.entity';
import { DomainManagerService } from 'src/engine/core-modules/domain-manager/service/domain-manager.service'; import { DomainManagerService } from 'src/engine/core-modules/domain-manager/service/domain-manager.service';
import { User } from 'src/engine/core-modules/user/user.entity'; import { User } from 'src/engine/core-modules/user/user.entity';
import { UserService } from 'src/engine/core-modules/user/services/user.service';
@Controller('auth') @Controller('auth')
@UseFilters(AuthRestApiExceptionFilter) @UseFilters(AuthRestApiExceptionFilter)
@ -41,7 +40,6 @@ export class SSOAuthController {
private readonly loginTokenService: LoginTokenService, private readonly loginTokenService: LoginTokenService,
private readonly authService: AuthService, private readonly authService: AuthService,
private readonly domainManagerService: DomainManagerService, private readonly domainManagerService: DomainManagerService,
private readonly userService: UserService,
private readonly ssoService: SSOService, private readonly ssoService: SSOService,
@InjectRepository(User, 'core') @InjectRepository(User, 'core')
private readonly userRepository: Repository<User>, private readonly userRepository: Repository<User>,
@ -91,10 +89,10 @@ export class SSOAuthController {
return this.authCallback(req, res); return this.authCallback(req, res);
} }
private async authCallback(req: any, res: Response) { private async authCallback({ user }: any, res: Response) {
const workspaceIdentityProvider = const workspaceIdentityProvider =
await this.findWorkspaceIdentityProviderByIdentityProviderId( await this.findWorkspaceIdentityProviderByIdentityProviderId(
req.user.identityProviderId, user.identityProviderId,
); );
if (!workspaceIdentityProvider) { if (!workspaceIdentityProvider) {
@ -103,9 +101,17 @@ export class SSOAuthController {
AuthExceptionCode.INVALID_DATA, AuthExceptionCode.INVALID_DATA,
); );
} }
if (!user.user.email) {
throw new AuthException(
'Email not found',
AuthExceptionCode.INVALID_DATA,
);
}
try { try {
const { loginToken, identityProvider } = await this.generateLoginToken( const { loginToken, identityProvider } = await this.generateLoginToken(
req.user, user.user,
workspaceIdentityProvider, workspaceIdentityProvider,
); );
@ -147,6 +153,11 @@ export class SSOAuthController {
); );
} }
const invitation = await this.authService.findInvitationForSignInUp({
currentWorkspace: identityProvider.workspace,
email: payload.email,
});
const existingUser = await this.userRepository.findOne({ const existingUser = await this.userRepository.findOne({
where: { where: {
email: payload.email, email: payload.email,
@ -158,9 +169,16 @@ export class SSOAuthController {
existingUser, existingUser,
); );
await this.authService.checkAccessForSignIn({
userData,
invitation,
workspace: identityProvider.workspace,
});
const { workspace, user } = await this.authService.signInUp({ const { workspace, user } = await this.authService.signInUp({
userData, userData,
workspace: identityProvider.workspace, workspace: identityProvider.workspace,
invitation,
authParams: { authParams: {
provider: 'sso', provider: 'sso',
}, },
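Review bot: The new email guard `if (!user.user.email)` in the third hunk dereferences `user.user` without checking it exists, and because the destructured parameter is typed `any` the compiler will not flag a missing nested object; a callback payload without `user` would fail with a TypeError before the `try` block instead of the intended `AuthException('Email not found', AuthExceptionCode.INVALID_DATA)`. Writing it as `if (!user?.user?.email)` keeps a malformed or partial IdP payload on the same rejection path as the identity-provider check just above it, and replacing `any` with the actual shape of the SSO strategy's `req.user` (`{ identityProviderId: string; user: { email?: string } }` or whatever the strategy emits) would let the checker enforce that shape. That email is then the only key used for both the invitation lookup (`email: payload.email`) and the existing-user match in the last hunk, so it is worth confirming that the IdP-asserted email is normalized (case and whitespace) before those queries — presumably this happens in the caller or repository layer outside the hunk, but a differently-cased assertion that misses the existing account would fall through to sign-up. The `signInUp` call that now receives `invitation` continues past the end of the last hunk, as does the enclosing function.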