mirror of
https://github.com/ToolJet/ToolJet
synced 2026-04-30 18:07:20 +00:00
3ea8d6e3ca
* working on replacing workspace id with workspace name * experimenting with zustand * added slug column to workspace table * working on workspace url * working on backward compatibility * fixing bugs * added not found error * fixed workspace switching issue * fix: switching b/w workspaces * fix: workspace login * changed workspace login url link * resolved conflicts * added create organization design * added backend validation * fixed constraint errors issue * fixed: creating new workspace * fixed: update workspace * fixed: update workspace bugs * fixed: auto created slug bugs * fixed: login slug * design changes * added folder slug * fixed: lint error * fixed: invite and first user issues * fixed: login page redirection * fixed: redirect path * added reserved word check * fix: edit workspace design * fix: folder query issue * fix: create and edit workspace modal validation issues * fixing failed test cases * fixing failed test cases - app.e2e * fixed organizations specs * fixed public app issue * working on app slug * Added app slug design to the general settings * Working on appId -> slug changes - Handling appId cases - Fixing issues * Worked on share modal design change - replaced slug functionality - Fixed backend slug issues - Fixed page handle issues * changed switch label * replace version param with query param * fix: possible uuid bug * fix: login app slug redirection issue * Worked on unique app slug * moved all apps related api calls to apps.service.js file * refactoring the code and fixing minor issues * Refactored and fixed some bugs * Fixed bugs: redirect cookie issue * Fixed dark-mode issues * removed duplicate code * Worked on develop branch conflicts * Moved handle app access check to private route * Added fix for navigate * Refactored the code. Added slug to failed sso login redirection path * again some redirect url fixes * onbaord navbar tj-icon onclick * Fix: viewer version id undefined issue * fix: multi-pages, invalid workspace slug * fix: removing the version search param while switching the pages * fix-sso: redirecting to prev tab's login organization slug * fix-sso: google signup * fix: preivew permission issue * Fixing merge issues * Fixed tjdb issues * dark mode fix of manage users button * fix: extra slash in url, tj-logo on click wrong org id * subpath workspace login url * resolved lint issue * fix: cannot clone apps * fixed switch workspace issue * fix: login page flashing issue * fix: back button issue * fix: private endless redirection * Update the modal with new UX * fixed all ui issues * fixed placeholder translation issues * fix: sso multi-request issues * fix: multi-pages crash while promoting a version * fix: error text msg delay * added default slug to the first workspace in the instance * subpath-fix: slug preview url * fix: same value check * fixed switch page query params issue * fix: folder query * fix: manage app users ui responsive issue * Backend PR changes --------- Co-authored-by: gsmithun4 <gsmithun4@gmail.com>
356 lines
13 KiB
TypeScript
356 lines
13 KiB
TypeScript
import { Injectable, UnauthorizedException } from '@nestjs/common';
|
|
import { ConfigService } from '@nestjs/config';
|
|
import { AuthService } from '@services/auth.service';
|
|
import { OrganizationsService } from '@services/organizations.service';
|
|
import { OrganizationUsersService } from '@services/organization_users.service';
|
|
import { UsersService } from '@services/users.service';
|
|
import { decamelizeKeys } from 'humps';
|
|
import { Organization } from 'src/entities/organization.entity';
|
|
import { OrganizationUser } from 'src/entities/organization_user.entity';
|
|
import { SSOConfigs } from 'src/entities/sso_config.entity';
|
|
import { User } from 'src/entities/user.entity';
|
|
import {
|
|
getUserErrorMessages,
|
|
getUserStatusAndSource,
|
|
USER_STATUS,
|
|
lifecycleEvents,
|
|
URL_SSO_SOURCE,
|
|
WORKSPACE_USER_STATUS,
|
|
} from 'src/helpers/user_lifecycle';
|
|
import { dbTransactionWrap, generateInviteURL, generateNextNameAndSlug } from 'src/helpers/utils.helper';
|
|
import { DeepPartial, EntityManager } from 'typeorm';
|
|
import { GitOAuthService } from './git_oauth.service';
|
|
import { GoogleOAuthService } from './google_oauth.service';
|
|
import UserResponse from './models/user_response';
|
|
import { Response } from 'express';
|
|
|
|
@Injectable()
|
|
export class OauthService {
|
|
constructor(
|
|
private readonly usersService: UsersService,
|
|
private readonly authService: AuthService,
|
|
private readonly organizationService: OrganizationsService,
|
|
private readonly organizationUsersService: OrganizationUsersService,
|
|
private readonly googleOAuthService: GoogleOAuthService,
|
|
private readonly gitOAuthService: GitOAuthService,
|
|
private configService: ConfigService
|
|
) {}
|
|
|
|
#isValidDomain(email: string, restrictedDomain: string): boolean {
|
|
if (!email) {
|
|
return false;
|
|
}
|
|
const domain = email.substring(email.lastIndexOf('@') + 1);
|
|
|
|
if (!restrictedDomain) {
|
|
return true;
|
|
}
|
|
if (!domain) {
|
|
return false;
|
|
}
|
|
if (
|
|
!restrictedDomain
|
|
.split(',')
|
|
.map((e) => e && e.trim())
|
|
.filter((e) => !!e)
|
|
.includes(domain)
|
|
) {
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
async #findOrCreateUser(
|
|
{ firstName, lastName, email, sso }: UserResponse,
|
|
organization: DeepPartial<Organization>,
|
|
manager?: EntityManager
|
|
): Promise<User> {
|
|
// User not exist in the workspace, creating
|
|
let user: User;
|
|
let defaultOrganization: Organization;
|
|
user = await this.usersService.findByEmail(email);
|
|
|
|
const organizationUser: OrganizationUser = user?.organizationUsers?.find(
|
|
(ou) => ou.organizationId === organization.id
|
|
);
|
|
|
|
if (organizationUser?.status === WORKSPACE_USER_STATUS.ARCHIVED) {
|
|
throw new UnauthorizedException('User does not exist in the workspace');
|
|
}
|
|
|
|
if (!user) {
|
|
const { name, slug } = generateNextNameAndSlug('My workspace');
|
|
defaultOrganization = await this.organizationService.create(name, slug, null, manager);
|
|
}
|
|
|
|
const groups = ['all_users'];
|
|
user = await this.usersService.create(
|
|
{ firstName, lastName, email, ...getUserStatusAndSource(lifecycleEvents.USER_SSO_VERIFY, sso) },
|
|
organization.id,
|
|
groups,
|
|
user,
|
|
true,
|
|
defaultOrganization?.id,
|
|
manager
|
|
);
|
|
// Setting up invited organization, organization user status should be invited if user status is invited
|
|
await this.organizationUsersService.create(user, organization, !!user.invitationToken, manager);
|
|
|
|
if (defaultOrganization) {
|
|
// Setting up default organization
|
|
await this.organizationUsersService.create(user, defaultOrganization, true, manager);
|
|
await this.usersService.attachUserGroup(['all_users', 'admin'], defaultOrganization.id, user.id, manager);
|
|
}
|
|
return user;
|
|
}
|
|
|
|
#getSSOConfigs(ssoType: 'google' | 'git'): Partial<SSOConfigs> {
|
|
switch (ssoType) {
|
|
case 'google':
|
|
return {
|
|
enabled: !!this.configService.get<string>('SSO_GOOGLE_OAUTH2_CLIENT_ID'),
|
|
configs: { clientId: this.configService.get<string>('SSO_GOOGLE_OAUTH2_CLIENT_ID') },
|
|
};
|
|
case 'git':
|
|
return {
|
|
enabled: !!this.configService.get<string>('SSO_GIT_OAUTH2_CLIENT_ID'),
|
|
configs: {
|
|
clientId: this.configService.get<string>('SSO_GIT_OAUTH2_CLIENT_ID'),
|
|
clientSecret: this.configService.get<string>('SSO_GIT_OAUTH2_CLIENT_SECRET'),
|
|
hostName: this.configService.get<string>('SSO_GIT_OAUTH2_HOST'),
|
|
},
|
|
};
|
|
default:
|
|
return;
|
|
}
|
|
}
|
|
|
|
#getInstanceSSOConfigs(ssoType: 'google' | 'git'): DeepPartial<SSOConfigs> {
|
|
return {
|
|
organization: {
|
|
enableSignUp: this.configService.get<string>('SSO_DISABLE_SIGNUPS') !== 'true',
|
|
domain: this.configService.get<string>('SSO_ACCEPTED_DOMAINS'),
|
|
},
|
|
sso: ssoType,
|
|
...this.#getSSOConfigs(ssoType),
|
|
};
|
|
}
|
|
|
|
async signIn(
|
|
response: Response,
|
|
ssoResponse: SSOResponse,
|
|
configId?: string,
|
|
ssoType?: 'google' | 'git',
|
|
user?: User
|
|
): Promise<any> {
|
|
const { organizationId } = ssoResponse;
|
|
let ssoConfigs: DeepPartial<SSOConfigs>;
|
|
let organization: DeepPartial<Organization>;
|
|
const isInstanceSSOLogin = !!(!configId && ssoType && !organizationId);
|
|
const isInstanceSSOOrganizationLogin = !!(!configId && ssoType && organizationId);
|
|
|
|
if (configId) {
|
|
// SSO under an organization
|
|
ssoConfigs = await this.organizationService.getConfigs(configId);
|
|
organization = ssoConfigs?.organization;
|
|
} else if (isInstanceSSOOrganizationLogin) {
|
|
// Instance SSO login from organization login page
|
|
organization = await this.organizationService.fetchOrganizationDetails(organizationId, [true], false, true);
|
|
ssoConfigs = organization?.ssoConfigs?.find((conf) => conf.sso === ssoType);
|
|
} else if (isInstanceSSOLogin) {
|
|
// Instance SSO login from common login page
|
|
ssoConfigs = this.#getInstanceSSOConfigs(ssoType);
|
|
organization = ssoConfigs?.organization;
|
|
} else {
|
|
throw new UnauthorizedException();
|
|
}
|
|
|
|
if ((isInstanceSSOLogin || isInstanceSSOOrganizationLogin) && ssoConfigs?.id) {
|
|
// if instance sso login and sso configs returned stored in db, id will be present -> throwing error
|
|
throw new UnauthorizedException();
|
|
}
|
|
|
|
if (!organization || !ssoConfigs) {
|
|
// Should obtain organization configs
|
|
throw new UnauthorizedException();
|
|
}
|
|
const { enableSignUp, domain } = organization;
|
|
const { sso, configs } = ssoConfigs;
|
|
const { token } = ssoResponse;
|
|
|
|
let userResponse: UserResponse;
|
|
switch (sso) {
|
|
case 'google':
|
|
userResponse = await this.googleOAuthService.signIn(token, configs);
|
|
break;
|
|
|
|
case 'git':
|
|
userResponse = await this.gitOAuthService.signIn(token, configs);
|
|
break;
|
|
|
|
default:
|
|
break;
|
|
}
|
|
|
|
if (!(userResponse.userSSOId && userResponse.email)) {
|
|
throw new UnauthorizedException('Invalid credentials');
|
|
}
|
|
if (!this.#isValidDomain(userResponse.email, domain)) {
|
|
throw new UnauthorizedException(`You cannot sign in using the mail id - Domain verification failed`);
|
|
}
|
|
|
|
if (!userResponse.firstName) {
|
|
// If firstName not found
|
|
userResponse.firstName = userResponse.email?.split('@')?.[0];
|
|
}
|
|
|
|
return await dbTransactionWrap(async (manager: EntityManager) => {
|
|
let userDetails: User;
|
|
let organizationDetails: DeepPartial<Organization>;
|
|
|
|
if (isInstanceSSOLogin) {
|
|
// Login from main login page - Multi-Workspace enabled
|
|
userDetails = await this.usersService.findByEmail(userResponse.email);
|
|
|
|
if (userDetails?.status === USER_STATUS.ARCHIVED) {
|
|
throw new UnauthorizedException(getUserErrorMessages(userDetails.status));
|
|
}
|
|
|
|
if (!userDetails && enableSignUp) {
|
|
// Create new user
|
|
let defaultOrganization: DeepPartial<Organization> = organization;
|
|
|
|
// Not logging in to specific organization, creating new
|
|
const { name, slug } = generateNextNameAndSlug('My workspace');
|
|
defaultOrganization = await this.organizationService.create(name, slug, null, manager);
|
|
|
|
const groups = ['all_users', 'admin'];
|
|
userDetails = await this.usersService.create(
|
|
{
|
|
firstName: userResponse.firstName,
|
|
lastName: userResponse.lastName,
|
|
email: userResponse.email,
|
|
...getUserStatusAndSource(lifecycleEvents.USER_SSO_VERIFY, sso),
|
|
},
|
|
defaultOrganization.id,
|
|
groups,
|
|
null,
|
|
true,
|
|
null,
|
|
manager
|
|
);
|
|
|
|
await this.organizationUsersService.create(userDetails, defaultOrganization, true, manager);
|
|
organizationDetails = defaultOrganization;
|
|
} else if (userDetails) {
|
|
// Finding organization to be loaded
|
|
const organizationList: Organization[] = await this.organizationService.findOrganizationWithLoginSupport(
|
|
userDetails,
|
|
'sso',
|
|
userDetails.invitationToken
|
|
? [WORKSPACE_USER_STATUS.ACTIVE, WORKSPACE_USER_STATUS.INVITED]
|
|
: WORKSPACE_USER_STATUS.ACTIVE
|
|
);
|
|
|
|
const defaultOrgDetails: Organization = organizationList?.find(
|
|
(og) => og.id === userDetails.defaultOrganizationId
|
|
);
|
|
if (defaultOrgDetails) {
|
|
// default organization SSO login enabled
|
|
organizationDetails = defaultOrgDetails;
|
|
} else if (organizationList?.length > 0) {
|
|
// default organization SSO login not enabled, picking first one from SSO enabled list
|
|
organizationDetails = organizationList[0];
|
|
} else {
|
|
// no SSO login enabled organization available for user - creating new one
|
|
const { name, slug } = generateNextNameAndSlug('My workspace');
|
|
organizationDetails = await this.organizationService.create(name, slug, userDetails, manager);
|
|
}
|
|
} else if (!userDetails) {
|
|
throw new UnauthorizedException('User does not exist, please sign up');
|
|
}
|
|
} else {
|
|
// workspace login
|
|
userDetails = await this.usersService.findByEmail(userResponse.email, organization.id, [
|
|
WORKSPACE_USER_STATUS.ACTIVE,
|
|
WORKSPACE_USER_STATUS.INVITED,
|
|
]);
|
|
|
|
if (userDetails?.status === USER_STATUS.ARCHIVED) {
|
|
throw new UnauthorizedException(getUserErrorMessages(userDetails.status));
|
|
}
|
|
if (userDetails) {
|
|
// user already exist
|
|
if (
|
|
!userDetails.invitationToken &&
|
|
userDetails.organizationUsers[0].status === WORKSPACE_USER_STATUS.INVITED
|
|
) {
|
|
// user exists. onboarding completed, but invited status in the organization
|
|
// Activating invited workspace
|
|
await this.organizationUsersService.activateOrganization(userDetails.organizationUsers[0], manager);
|
|
}
|
|
} else if (!userDetails && enableSignUp) {
|
|
userDetails = await this.#findOrCreateUser(userResponse, organization, manager);
|
|
} else if (!userDetails) {
|
|
throw new UnauthorizedException('User does not exist in the workspace');
|
|
}
|
|
organizationDetails = organization;
|
|
|
|
userDetails = await this.usersService.findByEmail(
|
|
userResponse.email,
|
|
organization.id,
|
|
[WORKSPACE_USER_STATUS.ACTIVE, WORKSPACE_USER_STATUS.INVITED],
|
|
manager
|
|
);
|
|
|
|
if (userDetails.invitationToken) {
|
|
// User account setup not done, updating source and status
|
|
await this.usersService.updateUser(
|
|
userDetails.id,
|
|
getUserStatusAndSource(lifecycleEvents.USER_SSO_VERIFY, sso),
|
|
manager
|
|
);
|
|
// New user created and invited to the organization
|
|
const organizationToken = userDetails.organizationUsers?.find(
|
|
(ou) => ou.organizationId === organization.id
|
|
)?.invitationToken;
|
|
|
|
return decamelizeKeys({
|
|
redirectUrl: generateInviteURL(
|
|
userDetails.invitationToken,
|
|
organizationToken,
|
|
organization.id,
|
|
URL_SSO_SOURCE
|
|
),
|
|
});
|
|
}
|
|
}
|
|
|
|
if (userDetails.invitationToken) {
|
|
// User account setup not done, updating source and status
|
|
await this.usersService.updateUser(
|
|
userDetails.id,
|
|
getUserStatusAndSource(lifecycleEvents.USER_SSO_VERIFY, sso),
|
|
manager
|
|
);
|
|
return decamelizeKeys({
|
|
redirectUrl: generateInviteURL(userDetails.invitationToken, null, null, URL_SSO_SOURCE),
|
|
});
|
|
}
|
|
return await this.authService.generateLoginResultPayload(
|
|
response,
|
|
userDetails,
|
|
organizationDetails,
|
|
isInstanceSSOLogin || isInstanceSSOOrganizationLogin,
|
|
false,
|
|
user
|
|
);
|
|
});
|
|
}
|
|
}
|
|
|
|
interface SSOResponse {
|
|
token: string;
|
|
state?: string;
|
|
organizationId?: string;
|
|
}
|