@checkstack/auth-frontend 0.4.1 → 0.5.1

package/CHANGELOG.md

@@ -1,5 +1,51 @@
 # @checkstack/auth-frontend
 
+## 0.5.1
+
+### Patch Changes
+
+- Updated dependencies [83557c7]
+- Updated dependencies [83557c7]
+- Updated dependencies [d316128]
+- Updated dependencies [6dbfab8]
+  - @checkstack/ui@0.3.0
+  - @checkstack/common@0.4.0
+  - @checkstack/auth-common@0.5.1
+  - @checkstack/frontend-api@0.3.1
+
+## 0.5.0
+
+### Minor Changes
+
+- d94121b: Add group-to-role mapping for SAML and LDAP authentication
+
+  **Features:**
+
+  - SAML and LDAP users can now be automatically assigned Checkstack roles based on their directory group memberships
+  - Configure group mappings in the authentication strategy settings with dynamic role dropdowns
+  - Managed role sync: roles configured in mappings are fully synchronized (added when user gains group, removed when user leaves group)
+  - Unmanaged roles (manually assigned, not in any mapping) are preserved during sync
+  - Optional default role for all users from a directory
+
+  **Bug Fix:**
+
+  - Fixed `x-options-resolver` not working for fields inside arrays with `.default([])` in DynamicForm schemas
+
+### Patch Changes
+
+- 10aa9fb: Add SAML 2.0 SSO support
+
+  - Added new `auth-saml-backend` plugin for SAML 2.0 Single Sign-On authentication
+  - Supports SP-initiated SSO with configurable IdP metadata (URL or manual configuration)
+  - Uses samlify library for SAML protocol handling
+  - Configurable attribute mapping for user email/name extraction
+  - Automatic user creation and updates via S2S Identity API
+  - Added SAML redirect handling in LoginPage for seamless SSO flow
+
+- Updated dependencies [d94121b]
+  - @checkstack/auth-common@0.5.0
+  - @checkstack/ui@0.2.4
+
 ## 0.4.1
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/auth-frontend",
-  "version": "0.4.1",
+  "version": "0.5.1",
   "type": "module",
   "main": "src/index.tsx",
   "exports": {

package/src/components/AuthStrategyCard.tsx

@@ -1,8 +1,12 @@
+import { useCallback, useMemo } from "react";
 import {
   StrategyConfigCard,
   type ConfigSection,
   type LucideIconName,
+  type OptionsResolver,
 } from "@checkstack/ui";
+import { usePluginClient } from "@checkstack/frontend-api";
+import { AuthApi } from "@checkstack/auth-common";
 import type { AuthStrategy } from "../api";
 
 export interface AuthStrategyCardProps {
@@ -30,6 +34,28 @@ export function AuthStrategyCard({
   onExpandedChange,
   config,
 }: AuthStrategyCardProps) {
+  const authClient = usePluginClient(AuthApi);
+
+  // Fetch all roles once for the dropdown options
+  const { data: roles = [] } = authClient.getRoles.useQuery({});
+
+  // Create resolver for dynamic role selection in group mapping
+  // Uses the already-fetched roles data
+  const roleOptionsResolver: OptionsResolver = useCallback(async () => {
+    return roles.map((role) => ({
+      value: role.id,
+      label: role.name,
+    }));
+  }, [roles]);
+
+  // Memoize the resolvers object to prevent unnecessary re-renders
+  const optionsResolvers = useMemo(
+    () => ({
+      roleOptions: roleOptionsResolver,
+    }),
+    [roleOptionsResolver],
+  );
+
   // Check if config schema has properties
   const hasConfigSchema =
     strategy.configSchema &&
@@ -40,7 +66,7 @@ export function AuthStrategyCard({
   // Config is missing if schema has properties but no saved config
   const configMissing = hasConfigSchema && strategy.config === undefined;
 
-  // Build config sections
+  // Build config sections with role options resolver
   const configSections: ConfigSection[] = [];
   if (hasConfigSchema) {
     configSections.push({
@@ -48,6 +74,7 @@ export function AuthStrategyCard({
       title: "Configuration",
       schema: strategy.configSchema,
       value: config ?? strategy.config,
+      optionsResolvers,
       onSave: async (newConfig) => {
         await onSaveConfig(strategy.id, newConfig);
       },

package/src/components/LoginPage.tsx

@@ -54,7 +54,7 @@ export const LoginPage = () => {
 
   // Query: Registration status
   const { data: registrationData } = authClient.getRegistrationStatus.useQuery(
-    {}
+    {},
   );
   const registrationAllowed = registrationData?.allowRegistration ?? true;
 
@@ -76,6 +76,11 @@ export const LoginPage = () => {
 
   const handleSocialLogin = async (provider: string) => {
     try {
+      // SAML uses a custom endpoint, not the better-auth OAuth flow
+      if (provider === "saml") {
+        globalThis.location.href = "/api/auth-saml/saml/login";
+        return;
+      }
       await authApi.signInWithSocial(provider);
       // Navigation will happen automatically after OAuth redirect
     } catch (error) {
@@ -142,8 +147,8 @@ export const LoginPage = () => {
             {hasCredential && hasSocial
               ? "Choose your preferred sign-in method"
               : hasCredential
-              ? "Enter your credentials to access the dashboard"
-              : "Continue with your account"}
+                ? "Enter your credentials to access the dashboard"
+                : "Continue with your account"}
           </CardDescription>
         </CardHeader>
         <CardContent>
@@ -280,7 +285,7 @@ export const LoginNavbarAction = () => {
     authClient.listAccounts().then((result) => {
       if (result.data) {
         const hasCredential = result.data.some(
-          (account) => account.providerId === "credential"
+          (account) => account.providerId === "credential",
         );
         setHasCredentialAccount(hasCredential);
       }
@@ -295,7 +300,7 @@ export const LoginNavbarAction = () => {
   if (session?.user) {
     // Check if we have any bottom items to decide if we need a separator
     const bottomExtensions = pluginRegistry.getExtensions(
-      UserMenuItemsBottomSlot.id
+      UserMenuItemsBottomSlot.id,
     );
     const hasBottomItems = bottomExtensions.length > 0;
     const menuContext: UserMenuItemsContext = {