@boxyhq/saml-jackson 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/controller/oauth.js +19 -6
- package/package.json +1 -1
package/dist/controller/oauth.js
CHANGED
|
@@ -79,6 +79,8 @@ class OAuthController {
|
|
|
79
79
|
const { response_type = 'code', client_id, redirect_uri, state, tenant, product, code_challenge, code_challenge_method = '',
|
|
80
80
|
// eslint-disable-next-line @typescript-eslint/no-unused-vars
|
|
81
81
|
provider = 'saml', } = body;
|
|
82
|
+
let requestedTenant = tenant;
|
|
83
|
+
let requestedProduct = product;
|
|
82
84
|
metrics.increment('oauthAuthorize');
|
|
83
85
|
if (!redirect_uri) {
|
|
84
86
|
throw new error_1.JacksonError('Please specify a redirect URL.', 400);
|
|
@@ -102,6 +104,8 @@ class OAuthController {
|
|
|
102
104
|
// if tenant and product are encoded in the client_id then we parse it and check for the relevant config(s)
|
|
103
105
|
const sp = getEncodedClientId(client_id);
|
|
104
106
|
if (sp === null || sp === void 0 ? void 0 : sp.tenant) {
|
|
107
|
+
requestedTenant = sp.tenant;
|
|
108
|
+
requestedProduct = sp.product || '';
|
|
105
109
|
const samlConfigs = yield this.configStore.getByIndex({
|
|
106
110
|
name: utils_1.IndexNames.TenantProduct,
|
|
107
111
|
value: dbutils.keyFromParts(sp.tenant, sp.product || ''),
|
|
@@ -145,9 +149,9 @@ class OAuthController {
|
|
|
145
149
|
publicKey: samlConfig.certs.publicKey,
|
|
146
150
|
});
|
|
147
151
|
const sessionId = crypto_1.default.randomBytes(16).toString('hex');
|
|
148
|
-
const
|
|
149
|
-
tenant,
|
|
150
|
-
product,
|
|
152
|
+
const requested = {
|
|
153
|
+
tenant: requestedTenant,
|
|
154
|
+
product: requestedProduct,
|
|
151
155
|
client_id,
|
|
152
156
|
state,
|
|
153
157
|
};
|
|
@@ -158,7 +162,7 @@ class OAuthController {
|
|
|
158
162
|
state,
|
|
159
163
|
code_challenge,
|
|
160
164
|
code_challenge_method,
|
|
161
|
-
requested
|
|
165
|
+
requested,
|
|
162
166
|
});
|
|
163
167
|
const relayState = relayStatePrefix + sessionId;
|
|
164
168
|
let redirectUrl;
|
|
@@ -201,8 +205,6 @@ class OAuthController {
|
|
|
201
205
|
if (!samlConfigs || samlConfigs.length === 0) {
|
|
202
206
|
throw new error_1.JacksonError('SAML configuration not found.', 403);
|
|
203
207
|
}
|
|
204
|
-
// TODO: Support multiple matches
|
|
205
|
-
const samlConfig = samlConfigs[0];
|
|
206
208
|
let session;
|
|
207
209
|
if (RelayState !== '') {
|
|
208
210
|
session = yield this.sessionStore.get(RelayState);
|
|
@@ -210,6 +212,17 @@ class OAuthController {
|
|
|
210
212
|
throw new error_1.JacksonError('Unable to validate state from the origin request.', 403);
|
|
211
213
|
}
|
|
212
214
|
}
|
|
215
|
+
// Resolve if there are multiple matches for SP login. TODO: Support multiple matches for IdP login
|
|
216
|
+
const samlConfig = samlConfigs.length === 1
|
|
217
|
+
? samlConfigs[0]
|
|
218
|
+
: samlConfigs.filter((c) => {
|
|
219
|
+
var _a, _b, _c;
|
|
220
|
+
return (c.clientID === ((_a = session === null || session === void 0 ? void 0 : session.requested) === null || _a === void 0 ? void 0 : _a.client_id) ||
|
|
221
|
+
(c.tenant === ((_b = session === null || session === void 0 ? void 0 : session.requested) === null || _b === void 0 ? void 0 : _b.tenant) && c.product === ((_c = session === null || session === void 0 ? void 0 : session.requested) === null || _c === void 0 ? void 0 : _c.product)));
|
|
222
|
+
})[0];
|
|
223
|
+
if (!samlConfig) {
|
|
224
|
+
throw new error_1.JacksonError('SAML configuration not found.', 403);
|
|
225
|
+
}
|
|
213
226
|
const validateOpts = {
|
|
214
227
|
thumbprint: samlConfig.idpMetadata.thumbprint,
|
|
215
228
|
audience: this.opts.samlAudience,
|