@checkstack/auth-backend 0.3.0 → 0.4.1

package/CHANGELOG.md

@@ -1,5 +1,42 @@
 # @checkstack/auth-backend
 
+## 0.4.1
+
+### Patch Changes
+
+- Updated dependencies [83557c7]
+- Updated dependencies [83557c7]
+  - @checkstack/backend-api@0.4.0
+  - @checkstack/common@0.4.0
+  - @checkstack/command-backend@0.1.4
+  - @checkstack/auth-common@0.5.1
+  - @checkstack/notification-common@0.2.1
+
+## 0.4.0
+
+### Minor Changes
+
+- d94121b: Add group-to-role mapping for SAML and LDAP authentication
+
+  **Features:**
+
+  - SAML and LDAP users can now be automatically assigned Checkstack roles based on their directory group memberships
+  - Configure group mappings in the authentication strategy settings with dynamic role dropdowns
+  - Managed role sync: roles configured in mappings are fully synchronized (added when user gains group, removed when user leaves group)
+  - Unmanaged roles (manually assigned, not in any mapping) are preserved during sync
+  - Optional default role for all users from a directory
+
+  **Bug Fix:**
+
+  - Fixed `x-options-resolver` not working for fields inside arrays with `.default([])` in DynamicForm schemas
+
+### Patch Changes
+
+- Updated dependencies [d94121b]
+  - @checkstack/backend-api@0.3.3
+  - @checkstack/auth-common@0.5.0
+  - @checkstack/command-backend@0.1.3
+
 ## 0.3.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/auth-backend",
-  "version": "0.3.0",
+  "version": "0.4.1",
   "type": "module",
   "main": "src/index.ts",
   "scripts": {

package/src/router.test.ts

@@ -368,6 +368,271 @@ describe("Auth Router", () => {
     expect(mockDb.insert).toHaveBeenCalled();
   });
 
+  it("upsertExternalUser syncs roles when syncRoles provided for new user", async () => {
+    const context = createMockRpcContext({ user: mockServiceUser });
+
+    // Mock user not found (empty result)
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() => createChain([])),
+    }));
+
+    // Mock registration allowed
+    mockConfigService.get.mockResolvedValueOnce({ allowRegistration: true });
+
+    // Mock valid roles lookup
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() =>
+        createChain([{ id: USERS_ROLE_ID }, { id: "custom-role" }]),
+      ),
+    }));
+
+    // Mock current roles lookup (empty for new user)
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() => createChain([])),
+    }));
+
+    const result = await call(
+      router.upsertExternalUser,
+      {
+        email: "saml-user@example.com",
+        name: "SAML User",
+        providerId: "saml",
+        accountId: "samluser",
+        password: "hashed-password",
+        syncRoles: [USERS_ROLE_ID, "custom-role", "invalid-role"],
+      },
+      { context },
+    );
+
+    expect(result.created).toBe(true);
+    expect(mockDb.insert).toHaveBeenCalled();
+  });
+
+  it("upsertExternalUser additively syncs roles for existing user", async () => {
+    const context = createMockRpcContext({ user: mockServiceUser });
+
+    // Mock existing user found
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() => createChain([{ id: "existing-user-id" }])),
+    }));
+
+    // Mock update chain
+    mockDb.update = mock(() => ({
+      set: mock(() => ({
+        where: mock(() => Promise.resolve()),
+      })),
+    }));
+
+    // Mock valid roles lookup
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() => createChain([{ id: "new-role" }])),
+    }));
+
+    // Mock current roles lookup (user already has existing role)
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() => createChain([{ roleId: USERS_ROLE_ID }])),
+    }));
+
+    const result = await call(
+      router.upsertExternalUser,
+      {
+        email: "existing@example.com",
+        name: "Existing User",
+        providerId: "ldap",
+        accountId: "existinguser",
+        password: "hashed-password",
+        autoUpdateUser: true,
+        syncRoles: ["new-role"],
+      },
+      { context },
+    );
+
+    expect(result.created).toBe(false);
+    expect(result.userId).toBe("existing-user-id");
+    // New role should be added (insert called)
+    expect(mockDb.insert).toHaveBeenCalled();
+  });
+
+  it("upsertExternalUser ignores invalid role IDs silently", async () => {
+    const context = createMockRpcContext({ user: mockServiceUser });
+
+    // Mock user not found (empty result)
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() => createChain([])),
+    }));
+
+    // Mock registration allowed
+    mockConfigService.get.mockResolvedValueOnce({ allowRegistration: true });
+
+    // Mock valid roles lookup - none of the provided roles are valid
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() => createChain([])), // No valid roles
+    }));
+
+    const result = await call(
+      router.upsertExternalUser,
+      {
+        email: "user@example.com",
+        name: "User",
+        providerId: "saml",
+        accountId: "user123",
+        password: "hashed-password",
+        syncRoles: ["invalid-role-1", "invalid-role-2"],
+      },
+      { context },
+    );
+
+    // Should still succeed even with all invalid roles
+    expect(result.created).toBe(true);
+    expect(result.userId).toBeDefined();
+  });
+
+  it("upsertExternalUser does not sync roles when syncRoles not provided", async () => {
+    const context = createMockRpcContext({ user: mockServiceUser });
+
+    // Mock user not found (empty result)
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() => createChain([])),
+    }));
+
+    // Mock registration allowed
+    mockConfigService.get.mockResolvedValueOnce({ allowRegistration: true });
+
+    // Reset insert mock to track calls
+    const insertMock = mock(() => ({
+      values: mock(() => createChain()),
+    }));
+    mockDb.insert = insertMock;
+
+    const result = await call(
+      router.upsertExternalUser,
+      {
+        email: "user@example.com",
+        name: "User",
+        providerId: "saml",
+        accountId: "user123",
+        password: "hashed-password",
+        // No syncRoles provided
+      },
+      { context },
+    );
+
+    expect(result.created).toBe(true);
+    // Transaction should be called for user creation, but no role sync
+    expect(mockDb.transaction).toHaveBeenCalled();
+  });
+
+  it("upsertExternalUser removes managed roles when user leaves directory groups", async () => {
+    const context = createMockRpcContext({ user: mockServiceUser });
+
+    // Mock existing user found
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() => createChain([{ id: "existing-user-id" }])),
+    }));
+
+    // Mock update chain (for autoUpdateUser)
+    mockDb.update = mock(() => ({
+      set: mock(() => ({
+        where: mock(() => Promise.resolve()),
+      })),
+    }));
+
+    // Note: When syncRoles is empty [], we skip the valid roles query
+    // So next select is the current roles lookup
+
+    // Mock current roles lookup - user has managed role that should be removed
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() =>
+        createChain([
+          { roleId: "managed-role-1" }, // Should be removed - managed but not in syncRoles
+          { roleId: "manual-role" }, // Should be preserved - not in managedRoleIds
+        ]),
+      ),
+    }));
+
+    // Mock delete
+    mockDb.delete = mock(() => ({
+      where: mock(() => Promise.resolve()),
+    }));
+
+    const result = await call(
+      router.upsertExternalUser,
+      {
+        email: "user@example.com",
+        name: "User",
+        providerId: "ldap",
+        accountId: "user123",
+        password: "hashed-password",
+        autoUpdateUser: true,
+        syncRoles: [], // User no longer has any groups
+        managedRoleIds: ["managed-role-1", "managed-role-2"], // Roles controlled by directory
+      },
+      { context },
+    );
+
+    expect(result.created).toBe(false);
+    // Delete should be called to remove the managed role
+    expect(mockDb.delete).toHaveBeenCalled();
+  });
+
+  it("upsertExternalUser preserves unmanaged roles during sync", async () => {
+    const context = createMockRpcContext({ user: mockServiceUser });
+
+    // Mock existing user found
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() => createChain([{ id: "existing-user-id" }])),
+    }));
+
+    // Mock update chain
+    mockDb.update = mock(() => ({
+      set: mock(() => ({
+        where: mock(() => Promise.resolve()),
+      })),
+    }));
+
+    // Mock valid sync roles lookup
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() => createChain([{ id: "new-managed-role" }])),
+    }));
+
+    // Mock current roles - user has both managed and unmanaged roles
+    mockDb.select.mockImplementationOnce(() => ({
+      from: mock(() =>
+        createChain([
+          { roleId: "old-managed-role" }, // Should be removed - managed but not in syncRoles
+          { roleId: "admin-role" }, // Should be preserved - manually assigned, not managed
+        ]),
+      ),
+    }));
+
+    // Mock delete
+    const deleteMock = mock(() => ({
+      where: mock(() => Promise.resolve()),
+    }));
+    mockDb.delete = deleteMock;
+
+    const result = await call(
+      router.upsertExternalUser,
+      {
+        email: "user@example.com",
+        name: "User",
+        providerId: "ldap",
+        accountId: "user123",
+        password: "hashed-password",
+        autoUpdateUser: true,
+        syncRoles: ["new-managed-role"],
+        managedRoleIds: ["old-managed-role", "new-managed-role"], // Only these are managed
+      },
+      { context },
+    );
+
+    expect(result.created).toBe(false);
+    // Insert should be called to add new role
+    expect(mockDb.insert).toHaveBeenCalled();
+    // Delete should be called to remove old-managed-role (but NOT admin-role)
+    expect(deleteMock).toHaveBeenCalled();
+  });
+
   // ==========================================================================
   // ADMIN USER CREATION TESTS
   // ==========================================================================

package/src/router.ts

@@ -856,8 +856,16 @@ export const createAuthRouter = (
 
   const upsertExternalUser = os.upsertExternalUser.handler(
     async ({ input, context }) => {
-      const { email, name, providerId, accountId, password, autoUpdateUser } =
-        input;
+      const {
+        email,
+        name,
+        providerId,
+        accountId,
+        password,
+        autoUpdateUser,
+        syncRoles,
+        managedRoleIds,
+      } = input;
 
       // Check if user exists
       const existingUsers = await internalDb
@@ -866,9 +874,12 @@ export const createAuthRouter = (
         .where(eq(schema.user.email, email))
         .limit(1);
 
+      let userId: string;
+      let created = false;
+
       if (existingUsers.length > 0) {
         // User exists - update if autoUpdateUser is enabled
-        const userId = existingUsers[0].id;
+        userId = existingUsers[0].id;
 
         if (autoUpdateUser) {
           await internalDb
@@ -876,49 +887,106 @@ export const createAuthRouter = (
             .set({ name, updatedAt: new Date() })
             .where(eq(schema.user.id, userId));
         }
+      } else {
+        // Check if registration is allowed before creating new user
+        const registrationAllowed = await isRegistrationAllowed(configService);
+        if (!registrationAllowed) {
+          throw new ORPCError("FORBIDDEN", {
+            message:
+              "Registration is disabled. Please contact an administrator.",
+          });
+        }
 
-        return { userId, created: false };
-      }
+        // Create new user and account in a transaction
+        userId = crypto.randomUUID();
+        const accountEntryId = crypto.randomUUID();
+        const now = new Date();
+
+        await internalDb.transaction(async (tx) => {
+          // Create user
+          await tx.insert(schema.user).values({
+            id: userId,
+            email,
+            name,
+            emailVerified: false,
+            createdAt: now,
+            updatedAt: now,
+          });
 
-      // Check if registration is allowed before creating new user
-      const registrationAllowed = await isRegistrationAllowed(configService);
-      if (!registrationAllowed) {
-        throw new ORPCError("FORBIDDEN", {
-          message: "Registration is disabled. Please contact an administrator.",
+          // Create account
+          await tx.insert(schema.account).values({
+            id: accountEntryId,
+            accountId,
+            providerId,
+            userId,
+            password,
+            createdAt: now,
+            updatedAt: now,
+          });
         });
-      }
 
-      // Create new user and account in a transaction
-      const userId = crypto.randomUUID();
-      const accountEntryId = crypto.randomUUID();
-      const now = new Date();
+        context.logger.info(`Created new user from ${providerId}: ${email}`);
+        created = true;
+      }
 
-      await internalDb.transaction(async (tx) => {
-        // Create user
-        await tx.insert(schema.user).values({
-          id: userId,
-          email,
-          name,
-          emailVerified: false,
-          createdAt: now,
-          updatedAt: now,
-        });
+      // Handle role sync if syncRoles is provided
+      // Uses managedRoleIds to determine which roles are controlled by directory
+      if (syncRoles) {
+        const syncRoleSet = new Set(syncRoles);
+
+        // Validate which sync roles actually exist in the database
+        const validSyncRoles =
+          syncRoles.length > 0
+            ? await internalDb
+                .select({ id: schema.role.id })
+                .from(schema.role)
+                .where(inArray(schema.role.id, syncRoles))
+            : [];
+        const validSyncRoleIds = new Set(validSyncRoles.map((r) => r.id));
+
+        // Get current user roles
+        const currentRoles = await internalDb
+          .select({ roleId: schema.userRole.roleId })
+          .from(schema.userRole)
+          .where(eq(schema.userRole.userId, userId));
+        const currentRoleIds = new Set(currentRoles.map((r) => r.roleId));
 
-        // Create account
-        await tx.insert(schema.account).values({
-          id: accountEntryId,
-          accountId,
-          providerId,
-          userId,
-          password,
-          createdAt: now,
-          updatedAt: now,
-        });
-      });
+        // Add new roles that user should have
+        const rolesToAdd = [...validSyncRoleIds].filter(
+          (id) => !currentRoleIds.has(id),
+        );
+        if (rolesToAdd.length > 0) {
+          await internalDb
+            .insert(schema.userRole)
+            .values(rolesToAdd.map((roleId) => ({ userId, roleId })));
+          context.logger.info(
+            `Added ${rolesToAdd.length} roles for external user: ${email}`,
+          );
+        }
 
-      context.logger.info(`Created new user from ${providerId}: ${email}`);
+        // Remove roles that are managed but user no longer has in directory
+        if (managedRoleIds && managedRoleIds.length > 0) {
+          // Roles to remove: currently has + is managed + NOT in sync roles
+          const rolesToRemove = [...currentRoleIds].filter(
+            (id) => managedRoleIds.includes(id) && !syncRoleSet.has(id),
+          );
+          if (rolesToRemove.length > 0) {
+            await internalDb
+              .delete(schema.userRole)
+              .where(
+                and(
+                  eq(schema.userRole.userId, userId),
+                  inArray(schema.userRole.roleId, rolesToRemove),
+                ),
+              );
+            context.logger.info(
+              `Removed ${rolesToRemove.length} managed roles for external user: ${email}`,
+            );
+          }
+        }
+      }
 
-      return { userId, created: true };
+      return { userId, created };
     },
   );