npm - @oneuptime/common - Versions diffs - 11.0.3 → 11.0.4 - Mend

@oneuptime/common 11.0.3 → 11.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (167) hide show

package/Tests/Server/Middleware/UserAuthorizationSSOProvider.test.ts ADDED Viewed

@@ -0,0 +1,163 @@
+import UserMiddleware from "../../../Server/Middleware/UserAuthorization";
+import CookieUtil from "../../../Server/Utils/Cookie";
+import { ExpressRequest } from "../../../Server/Utils/Express";
+import Email from "../../../Types/Email";
+import ObjectID from "../../../Types/ObjectID";
+import SsoProviderType from "../../../Types/SSO/SsoProviderType";
+import User from "../../../Models/DatabaseModels/User";
+import { describe, expect, test, jest } from "@jest/globals";
+jest.mock("../../../Server/Utils/Logger");
+/*
+ * Tests for UserMiddleware.doesSsoTokenForProjectExist's `requiredSsoProviderId`
+ * param. When provided, an SSO token only satisfies the project if it ALSO
+ * carries a matching `ssoProviderId` discriminator. Legacy tokens (no
+ * discriminator) must pass when no provider is required but fail a
+ * specific-provider requirement.
+ *
+ * These use REAL tokens minted by CookieUtil.getSSOToken and the REAL
+ * JSONWebToken.decode() path (no mocking) so they verify the full production
+ * wiring end to end — including that decode() surfaces ssoProviderId.
+ */
+describe("UserMiddleware.doesSsoTokenForProjectExist - requiredSsoProviderId", () => {
+  const projectId: ObjectID = ObjectID.generate();
+  const userId: ObjectID = ObjectID.generate();
+  const ssoProviderId: ObjectID = ObjectID.generate();
+  const otherProviderId: ObjectID = ObjectID.generate();
+  const buildUser: () => User = (): User => {
+    const u: User = new User();
+    u.id = userId;
+    u.email = new Email("sso-user@oneuptime.com");
+    return u;
+  };
+  // Build a request whose cookies carry a real `sso-<projectId>` token.
+  const buildRequestWithSsoToken: (data: {
+    tokenProjectId: ObjectID;
+    discriminatorProviderId?: ObjectID | undefined;
+  }) => ExpressRequest = (data: {
+    tokenProjectId: ObjectID;
+    discriminatorProviderId?: ObjectID | undefined;
+  }): ExpressRequest => {
+    const token: string = CookieUtil.getSSOToken({
+      user: buildUser(),
+      projectId: data.tokenProjectId,
+      ssoProviderId: data.discriminatorProviderId,
+      ssoProviderType: data.discriminatorProviderId
+        ? SsoProviderType.GlobalSSO
+        : undefined,
+    });
+    return {
+      cookies: {
+        [CookieUtil.getUserSSOKey(data.tokenProjectId)]: token,
+      },
+      headers: {},
+    } as unknown as ExpressRequest;
+  };
+  test("matching project+user, NO requiredProviderId -> true", () => {
+    const req: ExpressRequest = buildRequestWithSsoToken({
+      tokenProjectId: projectId,
+      discriminatorProviderId: ssoProviderId,
+    });
+    expect(
+      UserMiddleware.doesSsoTokenForProjectExist(req, projectId, userId),
+    ).toBe(true);
+  });
+  test("matching project+user, requiredProviderId EQUALS token's ssoProviderId -> true", () => {
+    const req: ExpressRequest = buildRequestWithSsoToken({
+      tokenProjectId: projectId,
+      discriminatorProviderId: ssoProviderId,
+    });
+    expect(
+      UserMiddleware.doesSsoTokenForProjectExist(
+        req,
+        projectId,
+        userId,
+        ssoProviderId,
+      ),
+    ).toBe(true);
+  });
+  test("matching project+user, requiredProviderId DIFFERENT from token's ssoProviderId -> false", () => {
+    const req: ExpressRequest = buildRequestWithSsoToken({
+      tokenProjectId: projectId,
+      discriminatorProviderId: ssoProviderId,
+    });
+    expect(
+      UserMiddleware.doesSsoTokenForProjectExist(
+        req,
+        projectId,
+        userId,
+        otherProviderId,
+      ),
+    ).toBe(false);
+  });
+  test("legacy token (NO discriminator) + requiredProviderId given -> false", () => {
+    const req: ExpressRequest = buildRequestWithSsoToken({
+      tokenProjectId: projectId,
+      // no discriminatorProviderId -> legacy token shape
+    });
+    expect(
+      UserMiddleware.doesSsoTokenForProjectExist(
+        req,
+        projectId,
+        userId,
+        ssoProviderId,
+      ),
+    ).toBe(false);
+  });
+  test("legacy token (NO discriminator) + NO requiredProviderId -> true (backwards compatible)", () => {
+    const req: ExpressRequest = buildRequestWithSsoToken({
+      tokenProjectId: projectId,
+    });
+    expect(
+      UserMiddleware.doesSsoTokenForProjectExist(req, projectId, userId),
+    ).toBe(true);
+  });
+  test("wrong userId -> false (even with matching provider)", () => {
+    const req: ExpressRequest = buildRequestWithSsoToken({
+      tokenProjectId: projectId,
+      discriminatorProviderId: ssoProviderId,
+    });
+    const differentUserId: ObjectID = ObjectID.generate();
+    expect(
+      UserMiddleware.doesSsoTokenForProjectExist(
+        req,
+        projectId,
+        differentUserId,
+        ssoProviderId,
+      ),
+    ).toBe(false);
+  });
+  test("no sso cookie for the project -> false", () => {
+    const req: ExpressRequest = {
+      cookies: {},
+      headers: {},
+    } as unknown as ExpressRequest;
+    expect(
+      UserMiddleware.doesSsoTokenForProjectExist(
+        req,
+        projectId,
+        userId,
+        ssoProviderId,
+      ),
+    ).toBe(false);
+  });
+});

package/Tests/Server/Utils/CookieSSOToken.test.ts ADDED Viewed

@@ -0,0 +1,130 @@
+import CookieUtil from "../../../Server/Utils/Cookie";
+import JSONWebToken from "../../../Server/Utils/JsonWebToken";
+import { JSONObject } from "../../../Types/JSON";
+import JSONWebTokenData from "../../../Types/JsonWebTokenData";
+import Email from "../../../Types/Email";
+import Name from "../../../Types/Name";
+import ObjectID from "../../../Types/ObjectID";
+import SsoProviderType from "../../../Types/SSO/SsoProviderType";
+import User from "../../../Models/DatabaseModels/User";
+import { describe, expect, test } from "@jest/globals";
+/*
+ * Tests for the SSO-provider discriminator that CookieUtil.getSSOToken stamps
+ * onto a per-project SSO token. These run real JWT signing (no mocks): the JWT
+ * secret falls back to EncryptionSecret = "secret" when ENCRYPTION_SECRET is
+ * unset (see Common/Server/EnvironmentConfig.ts), so no env setup is required.
+ */
+describe("CookieUtil.getSSOToken - SSO provider discriminator", () => {
+  const buildUser: () => User = (): User => {
+    const user: User = new User();
+    user.id = ObjectID.generate();
+    user.name = new Name("Test User");
+    user.email = new Email("test@oneuptime.com");
+    return user;
+  };
+  test("token carries userId and projectId (round-trips through JSONWebToken.decode)", () => {
+    const user: User = buildUser();
+    const projectId: ObjectID = ObjectID.generate();
+    const token: string = CookieUtil.getSSOToken({
+      user,
+      projectId,
+    });
+    expect(typeof token).toBe("string");
+    expect(token.length).toBeGreaterThan(0);
+    const decoded: JSONWebTokenData = JSONWebToken.decode(token);
+    expect(decoded.userId?.toString()).toBe(user.id!.toString());
+    expect(decoded.projectId?.toString()).toBe(projectId.toString());
+  });
+  test("token carries the ssoProviderId + ssoProviderType discriminator when provided", () => {
+    const user: User = buildUser();
+    const projectId: ObjectID = ObjectID.generate();
+    const ssoProviderId: ObjectID = ObjectID.generate();
+    const token: string = CookieUtil.getSSOToken({
+      user,
+      projectId,
+      ssoProviderId,
+      ssoProviderType: SsoProviderType.GlobalSSO,
+    });
+    /*
+     * The discriminator lives on the raw JWT payload. JSONWebToken.decode()
+     * intentionally re-shapes the payload into JSONWebTokenData and does not
+     * surface ssoProviderId / ssoProviderType, so we assert the round-trip on
+     * the raw payload (decodeJsonPayload), which is the actual transport layer.
+     */
+    const payload: JSONObject = JSONWebToken.decodeJsonPayload(token);
+    expect(payload["userId"]).toBe(user.id!.toString());
+    expect(payload["projectId"]).toBe(projectId.toString());
+    expect(payload["ssoProviderId"]).toBe(ssoProviderId.toString());
+    expect(payload["ssoProviderType"]).toBe(SsoProviderType.GlobalSSO);
+  });
+  test("each SsoProviderType enum value round-trips on the token", () => {
+    const user: User = buildUser();
+    const projectId: ObjectID = ObjectID.generate();
+    const ssoProviderId: ObjectID = ObjectID.generate();
+    const providerTypes: Array<SsoProviderType> = [
+      SsoProviderType.ProjectSSO,
+      SsoProviderType.ProjectOIDC,
+      SsoProviderType.GlobalSSO,
+      SsoProviderType.GlobalOIDC,
+    ];
+    for (const providerType of providerTypes) {
+      const token: string = CookieUtil.getSSOToken({
+        user,
+        projectId,
+        ssoProviderId,
+        ssoProviderType: providerType,
+      });
+      const payload: JSONObject = JSONWebToken.decodeJsonPayload(token);
+      expect(payload["ssoProviderId"]).toBe(ssoProviderId.toString());
+      expect(payload["ssoProviderType"]).toBe(providerType);
+    }
+  });
+  test("ssoProviderId / ssoProviderType are absent (undefined) when not provided (legacy token shape)", () => {
+    const user: User = buildUser();
+    const projectId: ObjectID = ObjectID.generate();
+    const token: string = CookieUtil.getSSOToken({
+      user,
+      projectId,
+    });
+    const payload: JSONObject = JSONWebToken.decodeJsonPayload(token);
+    // No discriminator was provided, so neither field should carry a value.
+    expect(payload["ssoProviderId"]).toBeUndefined();
+    expect(payload["ssoProviderType"]).toBeUndefined();
+  });
+  test("ssoProviderId without ssoProviderType still records the provider id", () => {
+    const user: User = buildUser();
+    const projectId: ObjectID = ObjectID.generate();
+    const ssoProviderId: ObjectID = ObjectID.generate();
+    const token: string = CookieUtil.getSSOToken({
+      user,
+      projectId,
+      ssoProviderId,
+    });
+    const payload: JSONObject = JSONWebToken.decodeJsonPayload(token);
+    expect(payload["ssoProviderId"]).toBe(ssoProviderId.toString());
+    expect(payload["ssoProviderType"]).toBeUndefined();
+  });
+});

package/Types/JsonWebTokenData.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import Email from "./Email";
 import { JSONObject } from "./JSON";
 import Name from "./Name";
 import ObjectID from "./ObjectID";
+import SsoProviderType from "./SSO/SsoProviderType";
 export default interface JSONWebTokenData extends JSONObject {
   userId: ObjectID;
@@ -12,4 +13,6 @@ export default interface JSONWebTokenData extends JSONObject {
   projectId?: ObjectID | undefined; // for SSO logins.
   isGlobalLogin: boolean; // If this is OneUptime username and password login. This is true, if this is SSO login. Then, this is false.
   sessionId?: ObjectID | undefined;
+  ssoProviderId?: ObjectID | undefined; // which SSO provider (Project or Global SSO/OIDC) issued this per-project SSO token.
+  ssoProviderType?: SsoProviderType | undefined;
 }

package/Types/SSO/SsoProviderType.ts ADDED Viewed

@@ -0,0 +1,8 @@
+enum SsoProviderType {
+  ProjectSSO = "ProjectSSO",
+  ProjectOIDC = "ProjectOIDC",
+  GlobalSSO = "GlobalSSO",
+  GlobalOIDC = "GlobalOIDC",
+}
+export default SsoProviderType;

package/UI/Components/Accordion/Accordion.tsx CHANGED Viewed

@@ -60,7 +60,9 @@ const Accordion: FunctionComponent<ComponentProps> = (
     className = "-ml-5 -mr-5 p-5 mt-1";
   }
-  const accordionId: string = `accordion-content-${React.useId()}`;
+  const generatedId: string = React.useId();
+  const accordionId: string = `accordion-content-${generatedId}`;
+  const accordionTitleId: string = `accordion-title-${generatedId}`;
   const handleKeyDown: (event: React.KeyboardEvent) => void = (
     event: React.KeyboardEvent,
@@ -84,6 +86,7 @@ const Accordion: FunctionComponent<ComponentProps> = (
           tabIndex={0}
           aria-expanded={isOpen}
           aria-controls={accordionId}
+          aria-labelledby={props.title ? accordionTitleId : undefined}
           onClick={() => {
             setIsOpen(!isOpen);
           }}
@@ -121,6 +124,7 @@ const Accordion: FunctionComponent<ComponentProps> = (
                 }`}
               >
                 <div
+                  id={accordionTitleId}
                   className={`text-gray-900 leading-snug ${props.titleClassName || ""}`}
                 >
                   {props.title}

package/UI/Components/CardSelect/CardSelect.tsx CHANGED Viewed

@@ -30,6 +30,7 @@ export interface ComponentProps {
   error?: string | undefined;
   tabIndex?: number | undefined;
   dataTestId?: string | undefined;
+  ariaLabelledby?: string | undefined;
   // Force single-column (1 item per row). Default: responsive 1/2/3 grid.
   singleColumn?: boolean | undefined;
 }
@@ -67,7 +68,11 @@ const CardSelect: FunctionComponent<ComponentProps> = (
   return (
     <div data-testid={props.dataTestId}>
-      <div role="radiogroup" aria-label="Select an option">
+      <div
+        role="radiogroup"
+        aria-label="Select an option"
+        aria-labelledby={props.ariaLabelledby}
+      >
         {groups.map((group: RenderGroup, groupIndex: number) => {
           return (
             <div key={groupIndex} className={groupIndex > 0 ? "mt-8" : ""}>

package/UI/Components/CategoryCheckbox/Index.tsx CHANGED Viewed

@@ -19,6 +19,7 @@ export interface CategoryCheckboxProps
   initialValue?: undefined | Array<CategoryCheckboxValue | BaseModel>;
   error?: string | undefined;
   dataTestId?: string | undefined;
+  ariaLabelledby?: string | undefined;
 }
 const CategoryCheckbox: FunctionComponent<CategoryCheckboxProps> = (
@@ -152,7 +153,7 @@ const CategoryCheckbox: FunctionComponent<CategoryCheckboxProps> = (
   };
   return (
-    <div>
+    <div role="group" aria-labelledby={props.ariaLabelledby}>
       {getCategory(undefined, categories.length === 0)}
       {categories.map((category: CheckboxCategory, i: number) => {
         return (

package/UI/Components/CodeEditor/CodeEditor.tsx CHANGED Viewed

@@ -25,6 +25,7 @@ export interface ComponentProps {
   value?: string | undefined;
   showLineNumbers?: boolean | undefined;
   disableSpellCheck?: boolean | undefined;
+  ariaLabelledby?: string | undefined;
 }
 const CodeEditor: FunctionComponent<ComponentProps> = (
@@ -119,6 +120,7 @@ const CodeEditor: FunctionComponent<ComponentProps> = (
   return (
     <div
       data-testid={props.dataTestId}
+      aria-labelledby={props.ariaLabelledby}
       onClick={() => {
         if (props.onClick) {
           props.onClick();

package/UI/Components/CollapsibleSection/CollapsibleSection.tsx CHANGED Viewed

@@ -46,6 +46,9 @@ const CollapsibleSection: FunctionComponent<ComponentProps> = (
   const variant: CollapsibleSectionVariant = props.variant || "default";
+  // Associate the role="button" header with its visible title text (WCAG 4.1.2).
+  const collapsibleTitleId: string = `collapsible-title-${React.useId()}`;
   const getContainerClassName: () => string = (): string => {
     const baseClassName: string = props.className || "";
@@ -97,6 +100,7 @@ const CollapsibleSection: FunctionComponent<ComponentProps> = (
           }
         }}
         aria-expanded={!isCollapsed}
+        aria-labelledby={collapsibleTitleId}
       >
         <div className="flex items-center flex-1 min-w-0">
           <Icon
@@ -105,7 +109,10 @@ const CollapsibleSection: FunctionComponent<ComponentProps> = (
           />
           <div className="flex-1 min-w-0">
             <div className="flex items-center">
-              <span className="text-sm font-medium text-gray-900 truncate">
+              <span
+                id={collapsibleTitleId}
+                className="text-sm font-medium text-gray-900 truncate"
+              >
                 {props.title}
               </span>
               {isCollapsed && props.badge && (

package/UI/Components/Dropdown/Dropdown.tsx CHANGED Viewed

@@ -59,6 +59,7 @@ export interface ComponentProps {
   id?: string | undefined;
   dataTestId?: string | undefined;
   ariaLabel?: string | undefined;
+  ariaLabelledby?: string | undefined;
 }
 const Dropdown: FunctionComponent<ComponentProps> = (
@@ -537,6 +538,7 @@ const Dropdown: FunctionComponent<ComponentProps> = (
           props.onFocus?.();
         }}
         aria-label={props.ariaLabel}
+        aria-labelledby={props.ariaLabelledby}
         aria-invalid={props.error ? true : undefined}
         aria-describedby={props.error ? errorId : undefined}
         classNames={{

package/UI/Components/EntityDropdown/EntityDropdown.tsx CHANGED Viewed

@@ -86,6 +86,7 @@ export interface EntityDropdownProps {
   id?: string | undefined;
   dataTestId?: string | undefined;
   ariaLabel?: string | undefined;
+  ariaLabelledby?: string | undefined;
   disabled?: boolean | undefined;
   /*
@@ -1115,6 +1116,7 @@ const EntityDropdown: FunctionComponent<EntityDropdownProps> = (
           <button
             type="button"
             disabled={props.disabled}
+            aria-labelledby={props.ariaLabelledby}
             onClick={(): void => {
               if (props.disabled) {
                 return;
@@ -1204,6 +1206,7 @@ const EntityDropdown: FunctionComponent<EntityDropdownProps> = (
               aria-autocomplete="list"
               aria-expanded={isOpen}
               aria-label={props.ariaLabel}
+              aria-labelledby={props.ariaLabelledby}
               aria-invalid={props.error ? true : undefined}
               data-testid={props.dataTestId}
               role="combobox"

package/UI/Components/FilePicker/FilePicker.tsx CHANGED Viewed

@@ -32,6 +32,7 @@ export interface ComponentProps {
   isMultiFilePicker?: boolean | undefined;
   tabIndex?: number | undefined;
   error?: string | undefined;
+  ariaLabelledby?: string | undefined;
 }
 type UploadStatus = {
@@ -449,6 +450,7 @@ const FilePicker: FunctionComponent<ComponentProps> = (
                       id="file-upload"
                       name="file-upload"
                       type="file"
+                      aria-labelledby={props.ariaLabelledby}
                       className="sr-only"
                     />
                   </label>

package/UI/Components/Forms/Fields/ColorPicker.tsx CHANGED Viewed

@@ -24,6 +24,7 @@ export interface ComponentProps {
   dataTestId?: string | undefined;
   onEnterPress?: (() => void) | undefined;
   error?: string | undefined;
+  ariaLabelledby?: string | undefined;
 }
 const ColorPicker: FunctionComponent<ComponentProps> = (
@@ -83,6 +84,7 @@ const ColorPicker: FunctionComponent<ComponentProps> = (
           readOnly={true}
           type={InputType.TEXT}
           tabIndex={props.tabIndex}
+          ariaLabelledby={props.ariaLabelledby}
           onChange={(value: string) => {
             if (!value) {
               return handleChange("");

package/UI/Components/Forms/Fields/FieldLabel.tsx CHANGED Viewed

@@ -5,6 +5,8 @@ import React, { FunctionComponent, ReactElement } from "react";
 export interface ComponentProps {
   title: string;
+  id?: string | undefined;
+  htmlFor?: string | undefined;
   required?: boolean | undefined;
   sideLink?: FormFieldSideLink | undefined;
   description?: string | ReactElement | undefined;
@@ -26,6 +28,8 @@ const FieldLabelElement: FunctionComponent<ComponentProps> = (
   return (
     <>
       <label
+        id={props.id}
+        htmlFor={props.htmlFor}
         className={
           props.className ||
           `block ${