Elgato_dark/ToolJet
1
0
Fork 0
mirror of https://github.com/ToolJet/ToolJet synced 2026-05-21 16:08:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8
ToolJet/server/ee/services/oauth/oauth.service.ts
Muhsin Shah C P 32740743e1
[Improvement] URLs scoped with workspace id (#5487) 
* add: new URL prefix

* fix: working on home page

* add: profile path

* playing with rxjs

* removed context part

* working on path changes

* changing routes
- TODO: replace the workspaceId with actual id

* redo: public apps path

* initial commit

* added authorize API

* remove privileges from auth response

* fixed some api issue
- added subscriptions

* fix: redirect url workspace-id null issue

* fix: switch workspace

* fix: organization list mapping
- menu item paths

* fix: preview url
- editor, viewer permission mapping

* jwt fix

* fix: some url issue
- permission mappings
- workspace login

* fixed some issues
- user invite workspace-id
- org settings menu item default selected item issue

* app viewer fixes

* fixing workspace login issues

* fix

* fixing issues
- tooljet db
- path issues
- refatoring the code

* fix: workspace vars permissions

* fix: multi-page handle

* fix: create app from template

* fix: bulk user upload

* fix: import app
- clone app
- upload profile image

* fix: onboarding

* fix: log out

* fixed multi-workspace logout issue

* fix: launch btn

* fix: oauth2

* fixes

* fix: sso login

* fix: workspace sso login

* fixing sso issues

* fix: moved list of orgs to rxjs
- fixed switching issues

* reverting some changes

* fixed some minor bugs

* fixing sso redirect url issues

* fix: switching network timing issues

* fix: back to workspace-id

* fix: tj-database
- refactored the code - removed org id from some pages
- will get the org id from the service file only

* fix: multi-pages

* fix: infinite loop issue

* fixing workspace switching issue

* fixes
- comment link
- logout & private route redirect url

* fix: wrong uuid error

* fixing subpath
- fixed most of the places
- need to test & fix workspace login, sso, new account

* fix: subpath workspace login

* fix: rxjs handle bug

* Revert "fix: tj-database"

This reverts commit 9632ec2ff0.

* fix: reverted tj-db changes

* fix: subpath sso

* typo fix

* fix: existing session issues

* new: switch workspace page

* fix: modal dark-mode

* added default sso support

* fixes
- subpath workspace switching
- handle wrong routes

* fix: manager user button
- refactored the code

* removed SINGLE Workspace feature

* rebase

* add: change modal text

* fix: added validation

* fixed private app 401 issue

* initial commit

* fix: logged out session multi-tab issue

* refactoring the code

* fix: redirect url issue

* added auth-token in cookies

* Fix: failing e2e specs

* added session API

* fix: backend session guard

* fix: removing user details from local storage

* fix: null wid

* undo and redo

* fix: login page

* fix: viewer login redirection

* fix: login page redirection

* fix: public apps logout issue

* added session storage and scheduler

* added profile api

* fix: sso login
- switch workspace
- login page
- setup admin

* working on fixes

* fix: socket issue

* fix: setup admin api

* connected profile & logout apis

* fix: malfunctioned auth token case

* fix: realtime avatar

* fix: profile avatar

* fix: Realtime cursors avatar

* setting max age for auth token cookie

* add: Go to login page if logout api returns 401

* fix: subpath login

* fix

* fix: app logout [viewer]

* fix: authorize page

* remove expiry from jwt

* fix: integrations route
- session api

* small fix

* fix: updated profile

* fix: workspace login [logged user]

* fix: oauth and another workspace page issue

* fixed app preview logout issue

* subpath fix

* fix: subpath app id

* fix: selected state didnt change for apps page [subpath]

* fix

* add cookie parser to test app

* specs added

* increased user session expiry time

* test: session & new apis

* working on test cases

* fix: onboarding issue

* fixing specs

* fix: test cases

* fix: removing profile api calls

* some fixes

* fixing rebase issues

* fix: global ds issues

* fix: app is crashing

* fix: back to text

* fix: oauth test cases

* fix: test-helper

* fix: onboarding test cases

* fix: tests again

* refactoring the code

* latest develop merging precautions
- fixed a minor null issue

* fix: typo

* fix :menu issues due to the merging

* fix: - clicking on tooljet logo didnt redirect to login page for public apps
- private app preview doesnt load after login

* subpath fixes

* fixed back to issue

* PR changes

* fix: spec fixes for EE

* doc: URL scoped for workspace

---------

Co-authored-by: gsmithun4 <gsmithun4@gmail.com>
Co-authored-by: Shubhendra <withshubh@gmail.com>
2023-04-06 16:42:58 +05:30

352 lines
13 KiB
TypeScript
Raw Blame History

import { Injectable, UnauthorizedException } from '@nestjs/common';
import { ConfigService } from '@nestjs/config';
import { AuthService } from '@services/auth.service';
import { OrganizationsService } from '@services/organizations.service';
import { OrganizationUsersService } from '@services/organization_users.service';
import { UsersService } from '@services/users.service';
import { decamelizeKeys } from 'humps';
import { Organization } from 'src/entities/organization.entity';
import { OrganizationUser } from 'src/entities/organization_user.entity';
import { SSOConfigs } from 'src/entities/sso_config.entity';
import { User } from 'src/entities/user.entity';
import {
getUserErrorMessages,
getUserStatusAndSource,
USER_STATUS,
lifecycleEvents,
URL_SSO_SOURCE,
WORKSPACE_USER_STATUS,
} from 'src/helpers/user_lifecycle';
import { dbTransactionWrap } from 'src/helpers/utils.helper';
import { DeepPartial, EntityManager } from 'typeorm';
import { GitOAuthService } from './git_oauth.service';
import { GoogleOAuthService } from './google_oauth.service';
import UserResponse from './models/user_response';
import { Response } from 'express';
@Injectable()
export class OauthService {
constructor(
private readonly usersService: UsersService,
private readonly authService: AuthService,
private readonly organizationService: OrganizationsService,
private readonly organizationUsersService: OrganizationUsersService,
private readonly googleOAuthService: GoogleOAuthService,
private readonly gitOAuthService: GitOAuthService,
private configService: ConfigService
) {}
#isValidDomain(email: string, restrictedDomain: string): boolean {
if (!email) {
return false;
}
const domain = email.substring(email.lastIndexOf('@') + 1);
if (!restrictedDomain) {
return true;
}
if (!domain) {
return false;
}
if (
!restrictedDomain
.split(',')
.map((e) => e && e.trim())
.filter((e) => !!e)
.includes(domain)
) {
return false;
}
return true;
}
async #findOrCreateUser(
{ firstName, lastName, email, sso }: UserResponse,
organization: DeepPartial<Organization>,
manager?: EntityManager
): Promise<User> {
// User not exist in the workspace, creating
let user: User;
let defaultOrganization: Organization;
user = await this.usersService.findByEmail(email);
const organizationUser: OrganizationUser = user?.organizationUsers?.find(
(ou) => ou.organizationId === organization.id
);
if (organizationUser?.status === WORKSPACE_USER_STATUS.ARCHIVED) {
throw new UnauthorizedException('User does not exist in the workspace');
}
if (!user) {
defaultOrganization = await this.organizationService.create('Untitled workspace', null, manager);
}
const groups = ['all_users'];
user = await this.usersService.create(
{ firstName, lastName, email, ...getUserStatusAndSource(lifecycleEvents.USER_SSO_VERIFY, sso) },
organization.id,
groups,
user,
true,
defaultOrganization?.id,
manager
);
// Setting up invited organization, organization user status should be invited if user status is invited
await this.organizationUsersService.create(user, organization, !!user.invitationToken, manager);
if (defaultOrganization) {
// Setting up default organization
await this.organizationUsersService.create(user, defaultOrganization, true, manager);
await this.usersService.attachUserGroup(['all_users', 'admin'], defaultOrganization.id, user.id, manager);
}
return user;
}
#getSSOConfigs(ssoType: 'google' | 'git'): Partial<SSOConfigs> {
switch (ssoType) {
case 'google':
return {
enabled: !!this.configService.get<string>('SSO_GOOGLE_OAUTH2_CLIENT_ID'),
configs: { clientId: this.configService.get<string>('SSO_GOOGLE_OAUTH2_CLIENT_ID') },
};
case 'git':
return {
enabled: !!this.configService.get<string>('SSO_GIT_OAUTH2_CLIENT_ID'),
configs: {
clientId: this.configService.get<string>('SSO_GIT_OAUTH2_CLIENT_ID'),
clientSecret: this.configService.get<string>('SSO_GIT_OAUTH2_CLIENT_SECRET'),
hostName: this.configService.get<string>('SSO_GIT_OAUTH2_HOST'),
},
};
default:
return;
}
}
#getInstanceSSOConfigs(ssoType: 'google' | 'git'): DeepPartial<SSOConfigs> {
return {
organization: {
enableSignUp: this.configService.get<string>('SSO_DISABLE_SIGNUPS') !== 'true',
domain: this.configService.get<string>('SSO_ACCEPTED_DOMAINS'),
},
sso: ssoType,
...this.#getSSOConfigs(ssoType),
};
}
async signIn(
response: Response,
ssoResponse: SSOResponse,
configId?: string,
ssoType?: 'google' | 'git',
user?: User
): Promise<any> {
const { organizationId } = ssoResponse;
let ssoConfigs: DeepPartial<SSOConfigs>;
let organization: DeepPartial<Organization>;
const isInstanceSSOLogin = !!(!configId && ssoType && !organizationId);
const isInstanceSSOOrganizationLogin = !!(!configId && ssoType && organizationId);
if (configId) {
// SSO under an organization
ssoConfigs = await this.organizationService.getConfigs(configId);
organization = ssoConfigs?.organization;
} else if (isInstanceSSOOrganizationLogin) {
// Instance SSO login from organization login page
organization = await this.organizationService.fetchOrganizationDetails(organizationId, [true], false, true);
ssoConfigs = organization?.ssoConfigs?.find((conf) => conf.sso === ssoType);
} else if (isInstanceSSOLogin) {
// Instance SSO login from common login page
ssoConfigs = this.#getInstanceSSOConfigs(ssoType);
organization = ssoConfigs?.organization;
} else {
throw new UnauthorizedException();
}
if ((isInstanceSSOLogin || isInstanceSSOOrganizationLogin) && ssoConfigs?.id) {
// if instance sso login and sso configs returned stored in db, id will be present -> throwing error
throw new UnauthorizedException();
}
if (!organization || !ssoConfigs) {
// Should obtain organization configs
throw new UnauthorizedException();
}
const { enableSignUp, domain } = organization;
const { sso, configs } = ssoConfigs;
const { token } = ssoResponse;
let userResponse: UserResponse;
switch (sso) {
case 'google':
userResponse = await this.googleOAuthService.signIn(token, configs);
break;
case 'git':
userResponse = await this.gitOAuthService.signIn(token, configs);
break;
default:
break;
}
if (!(userResponse.userSSOId && userResponse.email)) {
throw new UnauthorizedException('Invalid credentials');
}
if (!this.#isValidDomain(userResponse.email, domain)) {
throw new UnauthorizedException(`You cannot sign in using the mail id - Domain verification failed`);
}
if (!userResponse.firstName) {
// If firstName not found
userResponse.firstName = userResponse.email?.split('@')?.[0];
}
return await dbTransactionWrap(async (manager: EntityManager) => {
let userDetails: User;
let organizationDetails: DeepPartial<Organization>;
if (isInstanceSSOLogin) {
// Login from main login page - Multi-Workspace enabled
userDetails = await this.usersService.findByEmail(userResponse.email);
if (userDetails?.status === USER_STATUS.ARCHIVED) {
throw new UnauthorizedException(getUserErrorMessages(userDetails.status));
}
if (!userDetails && enableSignUp) {
// Create new user
let defaultOrganization: DeepPartial<Organization> = organization;
// Not logging in to specific organization, creating new
defaultOrganization = await this.organizationService.create('Untitled workspace', null, manager);
const groups = ['all_users', 'admin'];
userDetails = await this.usersService.create(
{
firstName: userResponse.firstName,
lastName: userResponse.lastName,
email: userResponse.email,
...getUserStatusAndSource(lifecycleEvents.USER_SSO_VERIFY, sso),
},
defaultOrganization.id,
groups,
null,
true,
null,
manager
);
await this.organizationUsersService.create(userDetails, defaultOrganization, true, manager);
organizationDetails = defaultOrganization;
} else if (userDetails) {
// Finding organization to be loaded
const organizationList: Organization[] = await this.organizationService.findOrganizationWithLoginSupport(
userDetails,
'sso',
userDetails.invitationToken
? [WORKSPACE_USER_STATUS.ACTIVE, WORKSPACE_USER_STATUS.INVITED]
: WORKSPACE_USER_STATUS.ACTIVE
);
const defaultOrgDetails: Organization = organizationList?.find(
(og) => og.id === userDetails.defaultOrganizationId
);
if (defaultOrgDetails) {
// default organization SSO login enabled
organizationDetails = defaultOrgDetails;
} else if (organizationList?.length > 0) {
// default organization SSO login not enabled, picking first one from SSO enabled list
organizationDetails = organizationList[0];
} else {
// no SSO login enabled organization available for user - creating new one
organizationDetails = await this.organizationService.create('Untitled workspace', userDetails, manager);
}
} else if (!userDetails) {
throw new UnauthorizedException('User does not exist, please sign up');
}
} else {
// workspace login
userDetails = await this.usersService.findByEmail(userResponse.email, organization.id, [
WORKSPACE_USER_STATUS.ACTIVE,
WORKSPACE_USER_STATUS.INVITED,
]);
if (userDetails?.status === USER_STATUS.ARCHIVED) {
throw new UnauthorizedException(getUserErrorMessages(userDetails.status));
}
if (userDetails) {
// user already exist
if (
!userDetails.invitationToken &&
userDetails.organizationUsers[0].status === WORKSPACE_USER_STATUS.INVITED
) {
// user exists. onboarding completed, but invited status in the organization
// Activating invited workspace
await this.organizationUsersService.activateOrganization(userDetails.organizationUsers[0], manager);
}
} else if (!userDetails && enableSignUp) {
userDetails = await this.#findOrCreateUser(userResponse, organization, manager);
} else if (!userDetails) {
throw new UnauthorizedException('User does not exist in the workspace');
}
organizationDetails = organization;
userDetails = await this.usersService.findByEmail(
userResponse.email,
organization.id,
[WORKSPACE_USER_STATUS.ACTIVE, WORKSPACE_USER_STATUS.INVITED],
manager
);
if (userDetails.invitationToken) {
// User account setup not done, updating source and status
await this.usersService.updateUser(
userDetails.id,
getUserStatusAndSource(lifecycleEvents.USER_SSO_VERIFY, sso),
manager
);
// New user created and invited to the organization
const organizationToken = userDetails.organizationUsers?.find(
(ou) => ou.organizationId === organization.id
)?.invitationToken;
return decamelizeKeys({
redirectUrl: `${this.configService.get<string>('TOOLJET_HOST')}/invitations/${
userDetails.invitationToken
}/workspaces/${organizationToken}?oid=${organization.id}&source=${URL_SSO_SOURCE}`,
});
}
}
if (userDetails.invitationToken) {
// User account setup not done, updating source and status
await this.usersService.updateUser(
userDetails.id,
getUserStatusAndSource(lifecycleEvents.USER_SSO_VERIFY, sso),
manager
);
return decamelizeKeys({
redirectUrl: `${this.configService.get<string>('TOOLJET_HOST')}/invitations/${
userDetails.invitationToken
}?source=${URL_SSO_SOURCE}`,
});
}
return await this.authService.generateLoginResultPayload(
response,
userDetails,
organizationDetails,
isInstanceSSOLogin || isInstanceSSOOrganizationLogin,
false,
user
);
});
}
}
interface SSOResponse {
token: string;
state?: string;
organizationId?: string;
}
Reference in a new issue View git blame Copy permalink