@boxyhq/saml-jackson 0.2.2-beta.171 → 0.2.2-beta.176

package/README.md

@@ -242,6 +242,26 @@ curl -G --location 'http://localhost:6000/api/v1/saml/config' \
 
 The response returns a JSON with `provider` indicating the domain of your Identity Provider. If an empty JSON payload is returned then we do not have any configuration stored for the attributes you requested.
 
+#### 2.2 SAML delete config API
+
+This endpoint can be used to delete an existing IdP metadata.
+
+```
+curl -X "DELETE" --location 'http://localhost:6000/api/v1/saml/config' \
+--header 'Authorization: Api-Key <Jackson API Key>' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'tenant=boxyhq.com' \
+--data-urlencode 'product=demo'
+```
+
+```
+curl -X "DELETE" --location 'http://localhost:6000/api/v1/saml/config' \
+--header 'Authorization: Api-Key <Jackson API Key>' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'clientID=<Client ID>'
+--data-urlencode 'clientSecret=<Client Secret>'
+```
+
 ### 3. OAuth 2.0 Flow
 
 Jackson has been designed to abstract the SAML login flow as a pure OAuth 2.0 flow. This means it's compatible with any standard OAuth 2.0 library out there, both client-side and server-side. It is important to remember that SAML is configured per customer unlike OAuth 2.0 where you can have a single OAuth app supporting logins for all customers.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.2.2-beta.171",
+  "version": "0.2.2-beta.176",
   "license": "Apache 2.0",
   "description": "SAML 2.0 service",
   "main": "src/index.js",

package/src/controller/api.js

@@ -128,10 +128,21 @@ const getConfig = async (body) => {
 };
 
 const deleteConfig = async (body) => {
-  const { clientID, tenant, product } = body;
+  const { clientID, clientSecret, tenant, product } = body;
 
   if (clientID) {
-    await configStore.delete(clientID);
+    if (!clientSecret) {
+      throw new JacksonError('Please provide clientSecret', 400);
+    }
+    const samlConfig = await configStore.get(clientID);
+    if (!samlConfig) {
+      return;
+    }
+    if (samlConfig.clientSecret === clientSecret) {
+      await configStore.delete(clientID);
+    } else {
+      throw new JacksonError('clientSecret mismatch', 400);
+    }
   } else {
     const samlConfigs = await configStore.getByIndex({
       name: indexNames.tenantProduct,

package/src/test/api.test.js

@@ -147,12 +147,31 @@ tap.test('controller/api', async (t) => {
         clientID: CLIENT_ID,
       });
       t.equal(savedConf.provider, PROVIDER);
-
-      await apiController.deleteConfig({ clientID: CLIENT_ID });
+      try {
+        await apiController.deleteConfig({ clientID: CLIENT_ID });
+        t.fail('Expecting JacksonError.');
+      } catch (err) {
+        t.equal(err.message, 'Please provide clientSecret');
+        t.equal(err.statusCode, 400);
+      }
+      try {
+        await apiController.deleteConfig({
+          clientID: CLIENT_ID,
+          clientSecret: 'xxxxx',
+        });
+        t.fail('Expecting JacksonError.');
+      } catch (err) {
+        t.equal(err.message, 'clientSecret mismatch');
+        t.equal(err.statusCode, 400);
+      }
+      await apiController.deleteConfig({
+        clientID: CLIENT_ID,
+        clientSecret: 'f3b0f91eb8f4a9f7cc2254e08682d50b05b5d36262929e7f',
+      });
       savedConf = await apiController.getConfig({
         clientID: CLIENT_ID,
       });
-      t.same(savedConf, {});
+      t.same(savedConf, {}, 'should return empty config');
 
       dbutils.keyDigest.restore();
       crypto.randomBytes.restore();