npm - @open-mercato/enterprise - Versions diffs - 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6 - Mend

@open-mercato/enterprise 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

package/dist/modules/sso/services/ssoConfigService.js ADDED Viewed

@@ -0,0 +1,254 @@
+import { escapeLikePattern } from "@open-mercato/shared/lib/db/escapeLikePattern";
+import { SsoConfig, ScimToken } from "../data/entities.js";
+import { emitSsoEvent } from "../events.js";
+import { validateDomain, normalizeDomain, uniqueDomains, checkDomainLimit } from "../lib/domains.js";
+class SsoConfigService {
+  constructor(em, tenantEncryptionService, ssoProviderRegistry) {
+    this.em = em;
+    this.tenantEncryptionService = tenantEncryptionService;
+    this.ssoProviderRegistry = ssoProviderRegistry;
+  }
+  async list(scope, query) {
+    const where = { deletedAt: null };
+    if (!scope.isSuperAdmin) {
+      if (!scope.organizationId) {
+        throw new SsoConfigError("Organization context is required", 403);
+      }
+      where.organizationId = scope.organizationId;
+    } else {
+      if (query.organizationId) where.organizationId = query.organizationId;
+      if (query.tenantId) where.tenantId = query.tenantId;
+    }
+    if (query.search) {
+      const pattern = `%${escapeLikePattern(query.search)}%`;
+      where.$or = [
+        { name: { $ilike: pattern } },
+        { issuer: { $ilike: pattern } },
+        { clientId: { $ilike: pattern } }
+      ];
+    }
+    const [configs, total] = await this.em.findAndCount(SsoConfig, where, {
+      orderBy: { createdAt: "desc" },
+      limit: query.pageSize,
+      offset: (query.page - 1) * query.pageSize
+    });
+    return {
+      items: configs.map((c) => this.toPublic(c)),
+      total,
+      totalPages: Math.ceil(total / query.pageSize) || 1
+    };
+  }
+  async getById(scope, id) {
+    const where = { id, deletedAt: null };
+    if (!scope.isSuperAdmin) {
+      if (!scope.organizationId) throw new SsoConfigError("Organization context is required", 403);
+      where.organizationId = scope.organizationId;
+    }
+    const config = await this.em.findOne(SsoConfig, where);
+    return config ? this.toPublic(config) : null;
+  }
+  async create(scope, input) {
+    const orgId = scope.isSuperAdmin ? input.organizationId : scope.organizationId;
+    const tenId = scope.isSuperAdmin ? input.tenantId ?? null : scope.tenantId;
+    const existing = await this.em.findOne(SsoConfig, {
+      organizationId: orgId,
+      deletedAt: null
+    });
+    if (existing) {
+      throw new SsoConfigError("An SSO configuration already exists for this organization", 409);
+    }
+    const domains = uniqueDomains(input.allowedDomains);
+    for (const d of domains) {
+      const result = validateDomain(d);
+      if (!result.valid) throw new SsoConfigError(`Invalid domain "${d}": ${result.error}`, 400);
+    }
+    const encrypted = await this.tenantEncryptionService.encryptEntityPayload(
+      "SsoConfig",
+      { clientSecretEnc: input.clientSecret },
+      tenId,
+      orgId
+    );
+    const config = this.em.create(SsoConfig, {
+      name: input.name,
+      tenantId: tenId,
+      organizationId: orgId,
+      protocol: input.protocol,
+      issuer: input.issuer,
+      clientId: input.clientId,
+      clientSecretEnc: encrypted.clientSecretEnc,
+      allowedDomains: domains,
+      jitEnabled: input.jitEnabled,
+      autoLinkByEmail: input.autoLinkByEmail,
+      isActive: false,
+      ssoRequired: false,
+      appRoleMappings: input.appRoleMappings ?? {}
+    });
+    await this.em.persistAndFlush(config);
+    void emitSsoEvent("sso.config.created", {
+      id: config.id,
+      tenantId: config.tenantId,
+      organizationId: config.organizationId
+    }).catch((e) => console.error("[SSO Event]", e));
+    return this.toPublic(config);
+  }
+  async update(scope, id, input) {
+    const config = await this.resolveConfig(scope, id);
+    if (input.name !== void 0) config.name = input.name;
+    if (input.protocol !== void 0) config.protocol = input.protocol;
+    if (input.issuer !== void 0) config.issuer = input.issuer;
+    if (input.clientId !== void 0) config.clientId = input.clientId;
+    if (input.jitEnabled !== void 0) {
+      if (input.jitEnabled) {
+        const activeScimCount = await this.em.count(ScimToken, { ssoConfigId: id, isActive: true });
+        if (activeScimCount > 0) {
+          throw new SsoConfigError("Cannot enable JIT provisioning while SCIM directory sync is active. Revoke all SCIM tokens first.", 409);
+        }
+      }
+      config.jitEnabled = input.jitEnabled;
+    }
+    if (input.autoLinkByEmail !== void 0) config.autoLinkByEmail = input.autoLinkByEmail;
+    if (input.appRoleMappings !== void 0) config.appRoleMappings = input.appRoleMappings;
+    if (input.clientSecret !== void 0) {
+      const encrypted = await this.tenantEncryptionService.encryptEntityPayload(
+        "SsoConfig",
+        { clientSecretEnc: input.clientSecret },
+        config.tenantId,
+        config.organizationId
+      );
+      config.clientSecretEnc = encrypted.clientSecretEnc;
+    }
+    await this.em.flush();
+    void emitSsoEvent("sso.config.updated", {
+      id: config.id,
+      tenantId: config.tenantId,
+      organizationId: config.organizationId
+    }).catch((e) => console.error("[SSO Event]", e));
+    return this.toPublic(config);
+  }
+  async delete(scope, id) {
+    const config = await this.resolveConfig(scope, id);
+    if (config.isActive) {
+      throw new SsoConfigError("Cannot delete an active SSO configuration \u2014 deactivate it first", 400);
+    }
+    config.deletedAt = /* @__PURE__ */ new Date();
+    await this.em.flush();
+    void emitSsoEvent("sso.config.deleted", {
+      id: config.id,
+      tenantId: config.tenantId,
+      organizationId: config.organizationId
+    }).catch((e) => console.error("[SSO Event]", e));
+  }
+  async activate(scope, id, active) {
+    const config = await this.resolveConfig(scope, id);
+    if (active) {
+      if (config.allowedDomains.length === 0) {
+        throw new SsoConfigError("Cannot activate SSO configuration with no allowed domains", 400);
+      }
+      const testResult = await this.testConnectionInternal(config);
+      if (!testResult.ok) {
+        throw new SsoConfigError(`Cannot activate \u2014 discovery failed: ${testResult.error}`, 400);
+      }
+    }
+    const wasActive = config.isActive;
+    config.isActive = active;
+    await this.em.flush();
+    if (active && !wasActive) {
+      void emitSsoEvent("sso.config.activated", {
+        id: config.id,
+        tenantId: config.tenantId,
+        organizationId: config.organizationId
+      }).catch((e) => console.error("[SSO Event]", e));
+    } else if (!active && wasActive) {
+      void emitSsoEvent("sso.config.deactivated", {
+        id: config.id,
+        tenantId: config.tenantId,
+        organizationId: config.organizationId
+      }).catch((e) => console.error("[SSO Event]", e));
+    }
+    return this.toPublic(config);
+  }
+  async testConnection(scope, id) {
+    const config = await this.resolveConfig(scope, id);
+    return this.testConnectionInternal(config);
+  }
+  async addDomain(scope, id, domain) {
+    const normalized = normalizeDomain(domain);
+    const validation = validateDomain(normalized);
+    if (!validation.valid) throw new SsoConfigError(validation.error, 400);
+    const config = await this.resolveConfig(scope, id);
+    if (config.allowedDomains.includes(normalized)) {
+      return this.toPublic(config);
+    }
+    const limitCheck = checkDomainLimit(config.allowedDomains.length, 1);
+    if (!limitCheck.ok) throw new SsoConfigError(limitCheck.error, 400);
+    config.allowedDomains = [...config.allowedDomains, normalized];
+    await this.em.flush();
+    void emitSsoEvent("sso.domain.added", {
+      id: config.id,
+      tenantId: config.tenantId,
+      organizationId: config.organizationId,
+      domain: normalized
+    }).catch((e) => console.error("[SSO Event]", e));
+    return this.toPublic(config);
+  }
+  async removeDomain(scope, id, domain) {
+    const normalized = normalizeDomain(domain);
+    const config = await this.resolveConfig(scope, id);
+    config.allowedDomains = config.allowedDomains.filter((d) => d !== normalized);
+    await this.em.flush();
+    void emitSsoEvent("sso.domain.removed", {
+      id: config.id,
+      tenantId: config.tenantId,
+      organizationId: config.organizationId,
+      domain: normalized
+    }).catch((e) => console.error("[SSO Event]", e));
+    return this.toPublic(config);
+  }
+  toPublic(config) {
+    return {
+      id: config.id,
+      name: config.name ?? null,
+      tenantId: config.tenantId ?? null,
+      organizationId: config.organizationId,
+      protocol: config.protocol,
+      issuer: config.issuer ?? null,
+      clientId: config.clientId ?? null,
+      hasClientSecret: !!config.clientSecretEnc,
+      allowedDomains: config.allowedDomains,
+      jitEnabled: config.jitEnabled,
+      autoLinkByEmail: config.autoLinkByEmail,
+      isActive: config.isActive,
+      ssoRequired: config.ssoRequired,
+      appRoleMappings: config.appRoleMappings ?? {},
+      createdAt: config.createdAt,
+      updatedAt: config.updatedAt
+    };
+  }
+  async resolveConfig(scope, id) {
+    const where = { id, deletedAt: null };
+    if (!scope.isSuperAdmin) {
+      if (!scope.organizationId) throw new SsoConfigError("Organization context is required", 403);
+      where.organizationId = scope.organizationId;
+    }
+    const config = await this.em.findOne(SsoConfig, where);
+    if (!config) throw new SsoConfigError("SSO configuration not found", 404);
+    return config;
+  }
+  async testConnectionInternal(config) {
+    const provider = this.ssoProviderRegistry.resolve(config.protocol);
+    if (!provider) return { ok: false, error: `No provider for protocol: ${config.protocol}` };
+    return provider.validateConfig(config);
+  }
+}
+class SsoConfigError extends Error {
+  constructor(message, statusCode) {
+    super(message);
+    this.statusCode = statusCode;
+    this.name = "SsoConfigError";
+  }
+}
+export {
+  SsoConfigError,
+  SsoConfigService
+};
+//# sourceMappingURL=ssoConfigService.js.map

package/dist/modules/sso/services/ssoConfigService.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/services/ssoConfigService.ts"],
+  "sourcesContent": ["import type { FilterQuery, RequiredEntityData } from '@mikro-orm/core'\nimport { EntityManager } from '@mikro-orm/postgresql'\nimport { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport type { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'\nimport { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'\nimport { SsoConfig, ScimToken } from '../data/entities'\nimport type { SsoConfigAdminCreateInput, SsoConfigAdminUpdateInput, SsoConfigListQuery } from '../data/validators'\nimport { emitSsoEvent } from '../events'\nimport { validateDomain, normalizeDomain, uniqueDomains, checkDomainLimit } from '../lib/domains'\nimport type { SsoProviderRegistry } from '../lib/registry'\n\nexport interface SsoAdminScope {\n  isSuperAdmin: boolean\n  organizationId: string | null\n  tenantId: string | null\n}\n\nexport interface SsoConfigPublic {\n  id: string\n  name: string | null\n  tenantId: string | null\n  organizationId: string\n  protocol: string\n  issuer: string | null\n  clientId: string | null\n  hasClientSecret: boolean\n  allowedDomains: string[]\n  jitEnabled: boolean\n  autoLinkByEmail: boolean\n  isActive: boolean\n  ssoRequired: boolean\n  appRoleMappings: Record<string, string>\n  createdAt: Date\n  updatedAt: Date\n}\n\nexport class SsoConfigService {\n  constructor(\n    private em: EntityManager,\n    private tenantEncryptionService: TenantDataEncryptionService,\n    private ssoProviderRegistry: SsoProviderRegistry,\n  ) {}\n\n  async list(scope: SsoAdminScope, query: SsoConfigListQuery): Promise<{\n    items: SsoConfigPublic[]\n    total: number\n    totalPages: number\n  }> {\n    const where: FilterQuery<SsoConfig> = { deletedAt: null }\n\n    if (!scope.isSuperAdmin) {\n      if (!scope.organizationId) {\n        throw new SsoConfigError('Organization context is required', 403)\n      }\n      where.organizationId = scope.organizationId\n    } else {\n      if (query.organizationId) where.organizationId = query.organizationId\n      if (query.tenantId) where.tenantId = query.tenantId\n    }\n\n    if (query.search) {\n      const pattern = `%${escapeLikePattern(query.search)}%`\n      where.$or = [\n        { name: { $ilike: pattern } },\n        { issuer: { $ilike: pattern } },\n        { clientId: { $ilike: pattern } },\n      ]\n    }\n\n    const [configs, total] = await this.em.findAndCount(SsoConfig, where, {\n      orderBy: { createdAt: 'desc' },\n      limit: query.pageSize,\n      offset: (query.page - 1) * query.pageSize,\n    })\n\n    return {\n      items: configs.map((c) => this.toPublic(c)),\n      total,\n      totalPages: Math.ceil(total / query.pageSize) || 1,\n    }\n  }\n\n  async getById(scope: SsoAdminScope, id: string): Promise<SsoConfigPublic | null> {\n    const where: FilterQuery<SsoConfig> = { id, deletedAt: null }\n    if (!scope.isSuperAdmin) {\n      if (!scope.organizationId) throw new SsoConfigError('Organization context is required', 403)\n      where.organizationId = scope.organizationId\n    }\n\n    const config = await this.em.findOne(SsoConfig, where)\n    return config ? this.toPublic(config) : null\n  }\n\n  async create(scope: SsoAdminScope, input: SsoConfigAdminCreateInput): Promise<SsoConfigPublic> {\n    const orgId = scope.isSuperAdmin ? input.organizationId : scope.organizationId!\n    const tenId = scope.isSuperAdmin ? (input.tenantId ?? null) : scope.tenantId\n\n    const existing = await this.em.findOne(SsoConfig, {\n      organizationId: orgId,\n      deletedAt: null,\n    })\n    if (existing) {\n      throw new SsoConfigError('An SSO configuration already exists for this organization', 409)\n    }\n\n    const domains = uniqueDomains(input.allowedDomains)\n    for (const d of domains) {\n      const result = validateDomain(d)\n      if (!result.valid) throw new SsoConfigError(`Invalid domain \"${d}\": ${result.error}`, 400)\n    }\n\n    const encrypted = await this.tenantEncryptionService.encryptEntityPayload(\n      'SsoConfig',\n      { clientSecretEnc: input.clientSecret },\n      tenId,\n      orgId,\n    )\n\n    const config = this.em.create(SsoConfig, {\n      name: input.name,\n      tenantId: tenId,\n      organizationId: orgId,\n      protocol: input.protocol,\n      issuer: input.issuer,\n      clientId: input.clientId,\n      clientSecretEnc: encrypted.clientSecretEnc as string,\n      allowedDomains: domains,\n      jitEnabled: input.jitEnabled,\n      autoLinkByEmail: input.autoLinkByEmail,\n      isActive: false,\n      ssoRequired: false,\n      appRoleMappings: input.appRoleMappings ?? {},\n    } as RequiredEntityData<SsoConfig>)\n\n    await this.em.persistAndFlush(config)\n\n    void emitSsoEvent('sso.config.created', {\n      id: config.id,\n      tenantId: config.tenantId,\n      organizationId: config.organizationId,\n    }).catch((e) => console.error('[SSO Event]', e))\n\n    return this.toPublic(config)\n  }\n\n  async update(scope: SsoAdminScope, id: string, input: SsoConfigAdminUpdateInput): Promise<SsoConfigPublic> {\n    const config = await this.resolveConfig(scope, id)\n\n    if (input.name !== undefined) config.name = input.name\n    if (input.protocol !== undefined) config.protocol = input.protocol\n    if (input.issuer !== undefined) config.issuer = input.issuer\n    if (input.clientId !== undefined) config.clientId = input.clientId\n    if (input.jitEnabled !== undefined) {\n      if (input.jitEnabled) {\n        const activeScimCount = await this.em.count(ScimToken, { ssoConfigId: id, isActive: true })\n        if (activeScimCount > 0) {\n          throw new SsoConfigError('Cannot enable JIT provisioning while SCIM directory sync is active. Revoke all SCIM tokens first.', 409)\n        }\n      }\n      config.jitEnabled = input.jitEnabled\n    }\n    if (input.autoLinkByEmail !== undefined) config.autoLinkByEmail = input.autoLinkByEmail\n    if (input.appRoleMappings !== undefined) config.appRoleMappings = input.appRoleMappings\n\n    if (input.clientSecret !== undefined) {\n      const encrypted = await this.tenantEncryptionService.encryptEntityPayload(\n        'SsoConfig',\n        { clientSecretEnc: input.clientSecret },\n        config.tenantId,\n        config.organizationId,\n      )\n      config.clientSecretEnc = encrypted.clientSecretEnc as string\n    }\n\n    await this.em.flush()\n\n    void emitSsoEvent('sso.config.updated', {\n      id: config.id,\n      tenantId: config.tenantId,\n      organizationId: config.organizationId,\n    }).catch((e) => console.error('[SSO Event]', e))\n\n    return this.toPublic(config)\n  }\n\n  async delete(scope: SsoAdminScope, id: string): Promise<void> {\n    const config = await this.resolveConfig(scope, id)\n\n    if (config.isActive) {\n      throw new SsoConfigError('Cannot delete an active SSO configuration \u2014 deactivate it first', 400)\n    }\n\n    config.deletedAt = new Date()\n    await this.em.flush()\n\n    void emitSsoEvent('sso.config.deleted', {\n      id: config.id,\n      tenantId: config.tenantId,\n      organizationId: config.organizationId,\n    }).catch((e) => console.error('[SSO Event]', e))\n  }\n\n  async activate(scope: SsoAdminScope, id: string, active: boolean): Promise<SsoConfigPublic> {\n    const config = await this.resolveConfig(scope, id)\n\n    if (active) {\n      if (config.allowedDomains.length === 0) {\n        throw new SsoConfigError('Cannot activate SSO configuration with no allowed domains', 400)\n      }\n\n      const testResult = await this.testConnectionInternal(config)\n      if (!testResult.ok) {\n        throw new SsoConfigError(`Cannot activate \u2014 discovery failed: ${testResult.error}`, 400)\n      }\n    }\n\n    const wasActive = config.isActive\n    config.isActive = active\n    await this.em.flush()\n\n    if (active && !wasActive) {\n      void emitSsoEvent('sso.config.activated', {\n        id: config.id,\n        tenantId: config.tenantId,\n        organizationId: config.organizationId,\n      }).catch((e) => console.error('[SSO Event]', e))\n    } else if (!active && wasActive) {\n      void emitSsoEvent('sso.config.deactivated', {\n        id: config.id,\n        tenantId: config.tenantId,\n        organizationId: config.organizationId,\n      }).catch((e) => console.error('[SSO Event]', e))\n    }\n\n    return this.toPublic(config)\n  }\n\n  async testConnection(scope: SsoAdminScope, id: string): Promise<{ ok: boolean; error?: string }> {\n    const config = await this.resolveConfig(scope, id)\n    return this.testConnectionInternal(config)\n  }\n\n  async addDomain(scope: SsoAdminScope, id: string, domain: string): Promise<SsoConfigPublic> {\n    const normalized = normalizeDomain(domain)\n    const validation = validateDomain(normalized)\n    if (!validation.valid) throw new SsoConfigError(validation.error!, 400)\n\n    const config = await this.resolveConfig(scope, id)\n\n    if (config.allowedDomains.includes(normalized)) {\n      return this.toPublic(config)\n    }\n\n    const limitCheck = checkDomainLimit(config.allowedDomains.length, 1)\n    if (!limitCheck.ok) throw new SsoConfigError(limitCheck.error!, 400)\n\n    config.allowedDomains = [...config.allowedDomains, normalized]\n    await this.em.flush()\n\n    void emitSsoEvent('sso.domain.added', {\n      id: config.id,\n      tenantId: config.tenantId,\n      organizationId: config.organizationId,\n      domain: normalized,\n    }).catch((e) => console.error('[SSO Event]', e))\n\n    return this.toPublic(config)\n  }\n\n  async removeDomain(scope: SsoAdminScope, id: string, domain: string): Promise<SsoConfigPublic> {\n    const normalized = normalizeDomain(domain)\n    const config = await this.resolveConfig(scope, id)\n\n    config.allowedDomains = config.allowedDomains.filter((d) => d !== normalized)\n    await this.em.flush()\n\n    void emitSsoEvent('sso.domain.removed', {\n      id: config.id,\n      tenantId: config.tenantId,\n      organizationId: config.organizationId,\n      domain: normalized,\n    }).catch((e) => console.error('[SSO Event]', e))\n\n    return this.toPublic(config)\n  }\n\n  toPublic(config: SsoConfig): SsoConfigPublic {\n    return {\n      id: config.id,\n      name: config.name ?? null,\n      tenantId: config.tenantId ?? null,\n      organizationId: config.organizationId,\n      protocol: config.protocol,\n      issuer: config.issuer ?? null,\n      clientId: config.clientId ?? null,\n      hasClientSecret: !!config.clientSecretEnc,\n      allowedDomains: config.allowedDomains,\n      jitEnabled: config.jitEnabled,\n      autoLinkByEmail: config.autoLinkByEmail,\n      isActive: config.isActive,\n      ssoRequired: config.ssoRequired,\n      appRoleMappings: config.appRoleMappings ?? {},\n      createdAt: config.createdAt,\n      updatedAt: config.updatedAt,\n    }\n  }\n\n  private async resolveConfig(scope: SsoAdminScope, id: string): Promise<SsoConfig> {\n    const where: FilterQuery<SsoConfig> = { id, deletedAt: null }\n    if (!scope.isSuperAdmin) {\n      if (!scope.organizationId) throw new SsoConfigError('Organization context is required', 403)\n      where.organizationId = scope.organizationId\n    }\n\n    const config = await this.em.findOne(SsoConfig, where)\n    if (!config) throw new SsoConfigError('SSO configuration not found', 404)\n\n    return config\n  }\n\n  private async testConnectionInternal(config: SsoConfig): Promise<{ ok: boolean; error?: string }> {\n    const provider = this.ssoProviderRegistry.resolve(config.protocol)\n    if (!provider) return { ok: false, error: `No provider for protocol: ${config.protocol}` }\n\n    return provider.validateConfig(config)\n  }\n}\n\nexport class SsoConfigError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode: number,\n  ) {\n    super(message)\n    this.name = 'SsoConfigError'\n  }\n}\n"],
+  "mappings": "AAIA,SAAS,yBAAyB;AAClC,SAAS,WAAW,iBAAiB;AAErC,SAAS,oBAAoB;AAC7B,SAAS,gBAAgB,iBAAiB,eAAe,wBAAwB;AA4B1E,MAAM,iBAAiB;AAAA,EAC5B,YACU,IACA,yBACA,qBACR;AAHQ;AACA;AACA;AAAA,EACP;AAAA,EAEH,MAAM,KAAK,OAAsB,OAI9B;AACD,UAAM,QAAgC,EAAE,WAAW,KAAK;AAExD,QAAI,CAAC,MAAM,cAAc;AACvB,UAAI,CAAC,MAAM,gBAAgB;AACzB,cAAM,IAAI,eAAe,oCAAoC,GAAG;AAAA,MAClE;AACA,YAAM,iBAAiB,MAAM;AAAA,IAC/B,OAAO;AACL,UAAI,MAAM,eAAgB,OAAM,iBAAiB,MAAM;AACvD,UAAI,MAAM,SAAU,OAAM,WAAW,MAAM;AAAA,IAC7C;AAEA,QAAI,MAAM,QAAQ;AAChB,YAAM,UAAU,IAAI,kBAAkB,MAAM,MAAM,CAAC;AACnD,YAAM,MAAM;AAAA,QACV,EAAE,MAAM,EAAE,QAAQ,QAAQ,EAAE;AAAA,QAC5B,EAAE,QAAQ,EAAE,QAAQ,QAAQ,EAAE;AAAA,QAC9B,EAAE,UAAU,EAAE,QAAQ,QAAQ,EAAE;AAAA,MAClC;AAAA,IACF;AAEA,UAAM,CAAC,SAAS,KAAK,IAAI,MAAM,KAAK,GAAG,aAAa,WAAW,OAAO;AAAA,MACpE,SAAS,EAAE,WAAW,OAAO;AAAA,MAC7B,OAAO,MAAM;AAAA,MACb,SAAS,MAAM,OAAO,KAAK,MAAM;AAAA,IACnC,CAAC;AAED,WAAO;AAAA,MACL,OAAO,QAAQ,IAAI,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;AAAA,MAC1C;AAAA,MACA,YAAY,KAAK,KAAK,QAAQ,MAAM,QAAQ,KAAK;AAAA,IACnD;AAAA,EACF;AAAA,EAEA,MAAM,QAAQ,OAAsB,IAA6C;AAC/E,UAAM,QAAgC,EAAE,IAAI,WAAW,KAAK;AAC5D,QAAI,CAAC,MAAM,cAAc;AACvB,UAAI,CAAC,MAAM,eAAgB,OAAM,IAAI,eAAe,oCAAoC,GAAG;AAC3F,YAAM,iBAAiB,MAAM;AAAA,IAC/B;AAEA,UAAM,SAAS,MAAM,KAAK,GAAG,QAAQ,WAAW,KAAK;AACrD,WAAO,SAAS,KAAK,SAAS,MAAM,IAAI;AAAA,EAC1C;AAAA,EAEA,MAAM,OAAO,OAAsB,OAA4D;AAC7F,UAAM,QAAQ,MAAM,eAAe,MAAM,iBAAiB,MAAM;AAChE,UAAM,QAAQ,MAAM,eAAgB,MAAM,YAAY,OAAQ,MAAM;AAEpE,UAAM,WAAW,MAAM,KAAK,GAAG,QAAQ,WAAW;AAAA,MAChD,gBAAgB;AAAA,MAChB,WAAW;AAAA,IACb,CAAC;AACD,QAAI,UAAU;AACZ,YAAM,IAAI,eAAe,6DAA6D,GAAG;AAAA,IAC3F;AAEA,UAAM,UAAU,cAAc,MAAM,cAAc;AAClD,eAAW,KAAK,SAAS;AACvB,YAAM,SAAS,eAAe,CAAC;AAC/B,UAAI,CAAC,OAAO,MAAO,OAAM,IAAI,eAAe,mBAAmB,CAAC,MAAM,OAAO,KAAK,IAAI,GAAG;AAAA,IAC3F;AAEA,UAAM,YAAY,MAAM,KAAK,wBAAwB;AAAA,MACnD;AAAA,MACA,EAAE,iBAAiB,MAAM,aAAa;AAAA,MACtC;AAAA,MACA;AAAA,IACF;AAEA,UAAM,SAAS,KAAK,GAAG,OAAO,WAAW;AAAA,MACvC,MAAM,MAAM;AAAA,MACZ,UAAU;AAAA,MACV,gBAAgB;AAAA,MAChB,UAAU,MAAM;AAAA,MAChB,QAAQ,MAAM;AAAA,MACd,UAAU,MAAM;AAAA,MAChB,iBAAiB,UAAU;AAAA,MAC3B,gBAAgB;AAAA,MAChB,YAAY,MAAM;AAAA,MAClB,iBAAiB,MAAM;AAAA,MACvB,UAAU;AAAA,MACV,aAAa;AAAA,MACb,iBAAiB,MAAM,mBAAmB,CAAC;AAAA,IAC7C,CAAkC;AAElC,UAAM,KAAK,GAAG,gBAAgB,MAAM;AAEpC,SAAK,aAAa,sBAAsB;AAAA,MACtC,IAAI,OAAO;AAAA,MACX,UAAU,OAAO;AAAA,MACjB,gBAAgB,OAAO;AAAA,IACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAE/C,WAAO,KAAK,SAAS,MAAM;AAAA,EAC7B;AAAA,EAEA,MAAM,OAAO,OAAsB,IAAY,OAA4D;AACzG,UAAM,SAAS,MAAM,KAAK,cAAc,OAAO,EAAE;AAEjD,QAAI,MAAM,SAAS,OAAW,QAAO,OAAO,MAAM;AAClD,QAAI,MAAM,aAAa,OAAW,QAAO,WAAW,MAAM;AAC1D,QAAI,MAAM,WAAW,OAAW,QAAO,SAAS,MAAM;AACtD,QAAI,MAAM,aAAa,OAAW,QAAO,WAAW,MAAM;AAC1D,QAAI,MAAM,eAAe,QAAW;AAClC,UAAI,MAAM,YAAY;AACpB,cAAM,kBAAkB,MAAM,KAAK,GAAG,MAAM,WAAW,EAAE,aAAa,IAAI,UAAU,KAAK,CAAC;AAC1F,YAAI,kBAAkB,GAAG;AACvB,gBAAM,IAAI,eAAe,qGAAqG,GAAG;AAAA,QACnI;AAAA,MACF;AACA,aAAO,aAAa,MAAM;AAAA,IAC5B;AACA,QAAI,MAAM,oBAAoB,OAAW,QAAO,kBAAkB,MAAM;AACxE,QAAI,MAAM,oBAAoB,OAAW,QAAO,kBAAkB,MAAM;AAExE,QAAI,MAAM,iBAAiB,QAAW;AACpC,YAAM,YAAY,MAAM,KAAK,wBAAwB;AAAA,QACnD;AAAA,QACA,EAAE,iBAAiB,MAAM,aAAa;AAAA,QACtC,OAAO;AAAA,QACP,OAAO;AAAA,MACT;AACA,aAAO,kBAAkB,UAAU;AAAA,IACrC;AAEA,UAAM,KAAK,GAAG,MAAM;AAEpB,SAAK,aAAa,sBAAsB;AAAA,MACtC,IAAI,OAAO;AAAA,MACX,UAAU,OAAO;AAAA,MACjB,gBAAgB,OAAO;AAAA,IACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAE/C,WAAO,KAAK,SAAS,MAAM;AAAA,EAC7B;AAAA,EAEA,MAAM,OAAO,OAAsB,IAA2B;AAC5D,UAAM,SAAS,MAAM,KAAK,cAAc,OAAO,EAAE;AAEjD,QAAI,OAAO,UAAU;AACnB,YAAM,IAAI,eAAe,wEAAmE,GAAG;AAAA,IACjG;AAEA,WAAO,YAAY,oBAAI,KAAK;AAC5B,UAAM,KAAK,GAAG,MAAM;AAEpB,SAAK,aAAa,sBAAsB;AAAA,MACtC,IAAI,OAAO;AAAA,MACX,UAAU,OAAO;AAAA,MACjB,gBAAgB,OAAO;AAAA,IACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAAA,EACjD;AAAA,EAEA,MAAM,SAAS,OAAsB,IAAY,QAA2C;AAC1F,UAAM,SAAS,MAAM,KAAK,cAAc,OAAO,EAAE;AAEjD,QAAI,QAAQ;AACV,UAAI,OAAO,eAAe,WAAW,GAAG;AACtC,cAAM,IAAI,eAAe,6DAA6D,GAAG;AAAA,MAC3F;AAEA,YAAM,aAAa,MAAM,KAAK,uBAAuB,MAAM;AAC3D,UAAI,CAAC,WAAW,IAAI;AAClB,cAAM,IAAI,eAAe,4CAAuC,WAAW,KAAK,IAAI,GAAG;AAAA,MACzF;AAAA,IACF;AAEA,UAAM,YAAY,OAAO;AACzB,WAAO,WAAW;AAClB,UAAM,KAAK,GAAG,MAAM;AAEpB,QAAI,UAAU,CAAC,WAAW;AACxB,WAAK,aAAa,wBAAwB;AAAA,QACxC,IAAI,OAAO;AAAA,QACX,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO;AAAA,MACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAAA,IACjD,WAAW,CAAC,UAAU,WAAW;AAC/B,WAAK,aAAa,0BAA0B;AAAA,QAC1C,IAAI,OAAO;AAAA,QACX,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO;AAAA,MACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAAA,IACjD;AAEA,WAAO,KAAK,SAAS,MAAM;AAAA,EAC7B;AAAA,EAEA,MAAM,eAAe,OAAsB,IAAsD;AAC/F,UAAM,SAAS,MAAM,KAAK,cAAc,OAAO,EAAE;AACjD,WAAO,KAAK,uBAAuB,MAAM;AAAA,EAC3C;AAAA,EAEA,MAAM,UAAU,OAAsB,IAAY,QAA0C;AAC1F,UAAM,aAAa,gBAAgB,MAAM;AACzC,UAAM,aAAa,eAAe,UAAU;AAC5C,QAAI,CAAC,WAAW,MAAO,OAAM,IAAI,eAAe,WAAW,OAAQ,GAAG;AAEtE,UAAM,SAAS,MAAM,KAAK,cAAc,OAAO,EAAE;AAEjD,QAAI,OAAO,eAAe,SAAS,UAAU,GAAG;AAC9C,aAAO,KAAK,SAAS,MAAM;AAAA,IAC7B;AAEA,UAAM,aAAa,iBAAiB,OAAO,eAAe,QAAQ,CAAC;AACnE,QAAI,CAAC,WAAW,GAAI,OAAM,IAAI,eAAe,WAAW,OAAQ,GAAG;AAEnE,WAAO,iBAAiB,CAAC,GAAG,OAAO,gBAAgB,UAAU;AAC7D,UAAM,KAAK,GAAG,MAAM;AAEpB,SAAK,aAAa,oBAAoB;AAAA,MACpC,IAAI,OAAO;AAAA,MACX,UAAU,OAAO;AAAA,MACjB,gBAAgB,OAAO;AAAA,MACvB,QAAQ;AAAA,IACV,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAE/C,WAAO,KAAK,SAAS,MAAM;AAAA,EAC7B;AAAA,EAEA,MAAM,aAAa,OAAsB,IAAY,QAA0C;AAC7F,UAAM,aAAa,gBAAgB,MAAM;AACzC,UAAM,SAAS,MAAM,KAAK,cAAc,OAAO,EAAE;AAEjD,WAAO,iBAAiB,OAAO,eAAe,OAAO,CAAC,MAAM,MAAM,UAAU;AAC5E,UAAM,KAAK,GAAG,MAAM;AAEpB,SAAK,aAAa,sBAAsB;AAAA,MACtC,IAAI,OAAO;AAAA,MACX,UAAU,OAAO;AAAA,MACjB,gBAAgB,OAAO;AAAA,MACvB,QAAQ;AAAA,IACV,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAE/C,WAAO,KAAK,SAAS,MAAM;AAAA,EAC7B;AAAA,EAEA,SAAS,QAAoC;AAC3C,WAAO;AAAA,MACL,IAAI,OAAO;AAAA,MACX,MAAM,OAAO,QAAQ;AAAA,MACrB,UAAU,OAAO,YAAY;AAAA,MAC7B,gBAAgB,OAAO;AAAA,MACvB,UAAU,OAAO;AAAA,MACjB,QAAQ,OAAO,UAAU;AAAA,MACzB,UAAU,OAAO,YAAY;AAAA,MAC7B,iBAAiB,CAAC,CAAC,OAAO;AAAA,MAC1B,gBAAgB,OAAO;AAAA,MACvB,YAAY,OAAO;AAAA,MACnB,iBAAiB,OAAO;AAAA,MACxB,UAAU,OAAO;AAAA,MACjB,aAAa,OAAO;AAAA,MACpB,iBAAiB,OAAO,mBAAmB,CAAC;AAAA,MAC5C,WAAW,OAAO;AAAA,MAClB,WAAW,OAAO;AAAA,IACpB;AAAA,EACF;AAAA,EAEA,MAAc,cAAc,OAAsB,IAAgC;AAChF,UAAM,QAAgC,EAAE,IAAI,WAAW,KAAK;AAC5D,QAAI,CAAC,MAAM,cAAc;AACvB,UAAI,CAAC,MAAM,eAAgB,OAAM,IAAI,eAAe,oCAAoC,GAAG;AAC3F,YAAM,iBAAiB,MAAM;AAAA,IAC/B;AAEA,UAAM,SAAS,MAAM,KAAK,GAAG,QAAQ,WAAW,KAAK;AACrD,QAAI,CAAC,OAAQ,OAAM,IAAI,eAAe,+BAA+B,GAAG;AAExE,WAAO;AAAA,EACT;AAAA,EAEA,MAAc,uBAAuB,QAA6D;AAChG,UAAM,WAAW,KAAK,oBAAoB,QAAQ,OAAO,QAAQ;AACjE,QAAI,CAAC,SAAU,QAAO,EAAE,IAAI,OAAO,OAAO,6BAA6B,OAAO,QAAQ,GAAG;AAEzF,WAAO,SAAS,eAAe,MAAM;AAAA,EACvC;AACF;AAEO,MAAM,uBAAuB,MAAM;AAAA,EACxC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;",
+  "names": []
+}

package/dist/modules/sso/services/ssoService.js ADDED Viewed

@@ -0,0 +1,125 @@
+import crypto from "node:crypto";
+import { findOneWithDecryption, findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { signJwt } from "@open-mercato/shared/lib/auth/jwt";
+import { SsoConfig } from "../data/entities.js";
+import { encryptStateCookie, decryptStateCookie, createFlowState } from "../lib/state-cookie.js";
+import { emitSsoEvent } from "../events.js";
+class SsoService {
+  constructor(em, ssoProviderRegistry, accountLinkingService, tenantEncryptionService, authService, rbacService) {
+    this.em = em;
+    this.ssoProviderRegistry = ssoProviderRegistry;
+    this.accountLinkingService = accountLinkingService;
+    this.tenantEncryptionService = tenantEncryptionService;
+    this.authService = authService;
+    this.rbacService = rbacService;
+  }
+  async findConfigByEmail(email) {
+    const domain = email.split("@")[1]?.toLowerCase();
+    if (!domain) return null;
+    const configs = await findWithDecryption(
+      this.em,
+      SsoConfig,
+      { isActive: true, deletedAt: null },
+      {},
+      { tenantId: null }
+    );
+    return configs.find((c) => c.allowedDomains.some((d) => d.toLowerCase() === domain)) ?? null;
+  }
+  async initiateLogin(configId, returnUrl, redirectUri) {
+    const config = await findOneWithDecryption(
+      this.em,
+      SsoConfig,
+      { id: configId, isActive: true, deletedAt: null },
+      {},
+      { tenantId: null }
+    );
+    if (!config) throw new Error("SSO configuration not found or inactive");
+    const provider = this.ssoProviderRegistry.resolve(config.protocol);
+    if (!provider) throw new Error(`No provider registered for protocol: ${config.protocol}`);
+    const clientSecret = await this.decryptClientSecret(config);
+    const { state } = createFlowState({ configId, returnUrl });
+    void emitSsoEvent("sso.login.initiated", {
+      tenantId: config.tenantId,
+      organizationId: config.organizationId
+    }).catch((e) => console.error("[SSO Event]", e));
+    const authUrl = await provider.buildAuthUrl(config, {
+      state: state.state,
+      nonce: state.nonce,
+      redirectUri,
+      codeVerifier: state.codeVerifier,
+      clientSecret
+    });
+    const stateCookie = encryptStateCookie(state);
+    return { redirectUrl: authUrl, stateCookie };
+  }
+  async handleOidcCallback(callbackParams, stateCookie, redirectUri) {
+    const flowState = decryptStateCookie(stateCookie);
+    if (!flowState) throw new Error("Invalid or expired SSO state");
+    const receivedState = Buffer.from(callbackParams.state || "");
+    const expectedState = Buffer.from(flowState.state);
+    if (receivedState.length !== expectedState.length || !crypto.timingSafeEqual(receivedState, expectedState)) {
+      throw new Error("State mismatch \u2014 possible CSRF attack");
+    }
+    const config = await findOneWithDecryption(
+      this.em,
+      SsoConfig,
+      { id: flowState.configId, isActive: true, deletedAt: null },
+      {},
+      { tenantId: null }
+    );
+    if (!config) throw new Error("SSO configuration no longer active");
+    const provider = this.ssoProviderRegistry.resolve(config.protocol);
+    if (!provider) throw new Error(`No provider for protocol: ${config.protocol}`);
+    const clientSecret = await this.decryptClientSecret(config);
+    const idpPayload = await provider.handleCallback(config, {
+      callbackParams,
+      redirectUri,
+      expectedState: flowState.state,
+      expectedNonce: flowState.nonce,
+      codeVerifier: flowState.codeVerifier,
+      clientSecret
+    });
+    const tenantId = config.tenantId ?? "";
+    const { user } = await this.accountLinkingService.resolveUser(config, idpPayload, tenantId);
+    await this.rbacService.invalidateUserCache(String(user.id));
+    const roles = await this.authService.getUserRoles(user, tenantId || null);
+    const token = signJwt({
+      sub: String(user.id),
+      tenantId: tenantId || null,
+      orgId: user.organizationId ? String(user.organizationId) : null,
+      email: user.email,
+      roles
+    });
+    await this.authService.updateLastLoginAt(user);
+    const days = Number(process.env.REMEMBER_ME_DAYS || "30");
+    const sessionExpiresAt = new Date(Date.now() + days * 24 * 60 * 60 * 1e3);
+    const session = await this.authService.createSession(user, sessionExpiresAt);
+    void emitSsoEvent("sso.login.completed", {
+      id: String(user.id),
+      tenantId: config.tenantId,
+      organizationId: config.organizationId
+    }).catch((e) => console.error("[SSO Event]", e));
+    return {
+      token,
+      sessionToken: session.token,
+      sessionExpiresAt,
+      redirectUrl: flowState.returnUrl || "/backend",
+      tenantId: config.tenantId ?? null,
+      organizationId: config.organizationId
+    };
+  }
+  async decryptClientSecret(config) {
+    if (!config.clientSecretEnc) return void 0;
+    const decrypted = await this.tenantEncryptionService.decryptEntityPayload(
+      config.id,
+      { clientSecretEnc: config.clientSecretEnc },
+      config.tenantId,
+      config.organizationId
+    );
+    return decrypted.clientSecretEnc ?? void 0;
+  }
+}
+export {
+  SsoService
+};
+//# sourceMappingURL=ssoService.js.map

package/dist/modules/sso/services/ssoService.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/services/ssoService.ts"],
+  "sourcesContent": ["import crypto from 'node:crypto'\nimport { EntityManager } from '@mikro-orm/postgresql'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { signJwt } from '@open-mercato/shared/lib/auth/jwt'\nimport type { AuthService } from '@open-mercato/core/modules/auth/services/authService'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { SsoConfig } from '../data/entities'\nimport type { SsoProviderRegistry } from '../lib/registry'\nimport type { AccountLinkingService } from './accountLinkingService'\nimport { encryptStateCookie, decryptStateCookie, createFlowState } from '../lib/state-cookie'\nimport { emitSsoEvent } from '../events'\nimport type { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'\n\nexport class SsoService {\n  constructor(\n    private em: EntityManager,\n    private ssoProviderRegistry: SsoProviderRegistry,\n    private accountLinkingService: AccountLinkingService,\n    private tenantEncryptionService: TenantDataEncryptionService,\n    private authService: AuthService,\n    private rbacService: RbacService,\n  ) {}\n\n  async findConfigByEmail(email: string): Promise<SsoConfig | null> {\n    const domain = email.split('@')[1]?.toLowerCase()\n    if (!domain) return null\n\n    const configs = await findWithDecryption(\n      this.em,\n      SsoConfig,\n      { isActive: true, deletedAt: null },\n      {},\n      { tenantId: null },\n    )\n    return configs.find((c) => c.allowedDomains.some((d) => d.toLowerCase() === domain)) ?? null\n  }\n\n  async initiateLogin(\n    configId: string,\n    returnUrl: string,\n    redirectUri: string,\n  ): Promise<{ redirectUrl: string; stateCookie: string }> {\n    const config = await findOneWithDecryption(\n      this.em,\n      SsoConfig,\n      { id: configId, isActive: true, deletedAt: null },\n      {},\n      { tenantId: null },\n    )\n    if (!config) throw new Error('SSO configuration not found or inactive')\n\n    const provider = this.ssoProviderRegistry.resolve(config.protocol)\n    if (!provider) throw new Error(`No provider registered for protocol: ${config.protocol}`)\n\n    const clientSecret = await this.decryptClientSecret(config)\n\n    const { state } = createFlowState({ configId, returnUrl })\n\n    void emitSsoEvent('sso.login.initiated', {\n      tenantId: config.tenantId,\n      organizationId: config.organizationId,\n    }).catch((e) => console.error('[SSO Event]', e))\n\n    const authUrl = await provider.buildAuthUrl(config, {\n      state: state.state,\n      nonce: state.nonce,\n      redirectUri,\n      codeVerifier: state.codeVerifier,\n      clientSecret,\n    })\n\n    const stateCookie = encryptStateCookie(state)\n    return { redirectUrl: authUrl, stateCookie }\n  }\n\n  async handleOidcCallback(\n    callbackParams: Record<string, string>,\n    stateCookie: string,\n    redirectUri: string,\n  ): Promise<{\n    token: string\n    sessionToken: string\n    sessionExpiresAt: Date\n    redirectUrl: string\n    tenantId: string | null\n    organizationId: string\n  }> {\n    const flowState = decryptStateCookie(stateCookie)\n    if (!flowState) throw new Error('Invalid or expired SSO state')\n\n    const receivedState = Buffer.from(callbackParams.state || '')\n    const expectedState = Buffer.from(flowState.state)\n    if (receivedState.length !== expectedState.length || !crypto.timingSafeEqual(receivedState, expectedState)) {\n      throw new Error('State mismatch \u2014 possible CSRF attack')\n    }\n\n    const config = await findOneWithDecryption(\n      this.em,\n      SsoConfig,\n      { id: flowState.configId, isActive: true, deletedAt: null },\n      {},\n      { tenantId: null },\n    )\n    if (!config) throw new Error('SSO configuration no longer active')\n\n    const provider = this.ssoProviderRegistry.resolve(config.protocol)\n    if (!provider) throw new Error(`No provider for protocol: ${config.protocol}`)\n\n    const clientSecret = await this.decryptClientSecret(config)\n\n    const idpPayload = await provider.handleCallback(config, {\n      callbackParams,\n      redirectUri,\n      expectedState: flowState.state,\n      expectedNonce: flowState.nonce,\n      codeVerifier: flowState.codeVerifier,\n      clientSecret,\n    })\n\n    const tenantId = config.tenantId ?? ''\n    const { user } = await this.accountLinkingService.resolveUser(config, idpPayload, tenantId)\n\n    await this.rbacService.invalidateUserCache(String(user.id))\n\n    const roles = await this.authService.getUserRoles(user, tenantId || null)\n    const token = signJwt({\n      sub: String(user.id),\n      tenantId: tenantId || null,\n      orgId: user.organizationId ? String(user.organizationId) : null,\n      email: user.email,\n      roles,\n    })\n\n    await this.authService.updateLastLoginAt(user)\n\n    const days = Number(process.env.REMEMBER_ME_DAYS || '30')\n    const sessionExpiresAt = new Date(Date.now() + days * 24 * 60 * 60 * 1000)\n    const session = await this.authService.createSession(user, sessionExpiresAt)\n\n    void emitSsoEvent('sso.login.completed', {\n      id: String(user.id),\n      tenantId: config.tenantId,\n      organizationId: config.organizationId,\n    }).catch((e) => console.error('[SSO Event]', e))\n\n    return {\n      token,\n      sessionToken: session.token,\n      sessionExpiresAt,\n      redirectUrl: flowState.returnUrl || '/backend',\n      tenantId: config.tenantId ?? null,\n      organizationId: config.organizationId,\n    }\n  }\n\n  private async decryptClientSecret(config: SsoConfig): Promise<string | undefined> {\n    if (!config.clientSecretEnc) return undefined\n\n    const decrypted = await this.tenantEncryptionService.decryptEntityPayload(\n      config.id,\n      { clientSecretEnc: config.clientSecretEnc },\n      config.tenantId,\n      config.organizationId,\n    )\n    return (decrypted.clientSecretEnc as string) ?? undefined\n  }\n}\n"],
+  "mappings": "AAAA,OAAO,YAAY;AAEnB,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,eAAe;AAGxB,SAAS,iBAAiB;AAG1B,SAAS,oBAAoB,oBAAoB,uBAAuB;AACxE,SAAS,oBAAoB;AAGtB,MAAM,WAAW;AAAA,EACtB,YACU,IACA,qBACA,uBACA,yBACA,aACA,aACR;AANQ;AACA;AACA;AACA;AACA;AACA;AAAA,EACP;AAAA,EAEH,MAAM,kBAAkB,OAA0C;AAChE,UAAM,SAAS,MAAM,MAAM,GAAG,EAAE,CAAC,GAAG,YAAY;AAChD,QAAI,CAAC,OAAQ,QAAO;AAEpB,UAAM,UAAU,MAAM;AAAA,MACpB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,UAAU,MAAM,WAAW,KAAK;AAAA,MAClC,CAAC;AAAA,MACD,EAAE,UAAU,KAAK;AAAA,IACnB;AACA,WAAO,QAAQ,KAAK,CAAC,MAAM,EAAE,eAAe,KAAK,CAAC,MAAM,EAAE,YAAY,MAAM,MAAM,CAAC,KAAK;AAAA,EAC1F;AAAA,EAEA,MAAM,cACJ,UACA,WACA,aACuD;AACvD,UAAM,SAAS,MAAM;AAAA,MACnB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,IAAI,UAAU,UAAU,MAAM,WAAW,KAAK;AAAA,MAChD,CAAC;AAAA,MACD,EAAE,UAAU,KAAK;AAAA,IACnB;AACA,QAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,yCAAyC;AAEtE,UAAM,WAAW,KAAK,oBAAoB,QAAQ,OAAO,QAAQ;AACjE,QAAI,CAAC,SAAU,OAAM,IAAI,MAAM,wCAAwC,OAAO,QAAQ,EAAE;AAExF,UAAM,eAAe,MAAM,KAAK,oBAAoB,MAAM;AAE1D,UAAM,EAAE,MAAM,IAAI,gBAAgB,EAAE,UAAU,UAAU,CAAC;AAEzD,SAAK,aAAa,uBAAuB;AAAA,MACvC,UAAU,OAAO;AAAA,MACjB,gBAAgB,OAAO;AAAA,IACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAE/C,UAAM,UAAU,MAAM,SAAS,aAAa,QAAQ;AAAA,MAClD,OAAO,MAAM;AAAA,MACb,OAAO,MAAM;AAAA,MACb;AAAA,MACA,cAAc,MAAM;AAAA,MACpB;AAAA,IACF,CAAC;AAED,UAAM,cAAc,mBAAmB,KAAK;AAC5C,WAAO,EAAE,aAAa,SAAS,YAAY;AAAA,EAC7C;AAAA,EAEA,MAAM,mBACJ,gBACA,aACA,aAQC;AACD,UAAM,YAAY,mBAAmB,WAAW;AAChD,QAAI,CAAC,UAAW,OAAM,IAAI,MAAM,8BAA8B;AAE9D,UAAM,gBAAgB,OAAO,KAAK,eAAe,SAAS,EAAE;AAC5D,UAAM,gBAAgB,OAAO,KAAK,UAAU,KAAK;AACjD,QAAI,cAAc,WAAW,cAAc,UAAU,CAAC,OAAO,gBAAgB,eAAe,aAAa,GAAG;AAC1G,YAAM,IAAI,MAAM,4CAAuC;AAAA,IACzD;AAEA,UAAM,SAAS,MAAM;AAAA,MACnB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,IAAI,UAAU,UAAU,UAAU,MAAM,WAAW,KAAK;AAAA,MAC1D,CAAC;AAAA,MACD,EAAE,UAAU,KAAK;AAAA,IACnB;AACA,QAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,oCAAoC;AAEjE,UAAM,WAAW,KAAK,oBAAoB,QAAQ,OAAO,QAAQ;AACjE,QAAI,CAAC,SAAU,OAAM,IAAI,MAAM,6BAA6B,OAAO,QAAQ,EAAE;AAE7E,UAAM,eAAe,MAAM,KAAK,oBAAoB,MAAM;AAE1D,UAAM,aAAa,MAAM,SAAS,eAAe,QAAQ;AAAA,MACvD;AAAA,MACA;AAAA,MACA,eAAe,UAAU;AAAA,MACzB,eAAe,UAAU;AAAA,MACzB,cAAc,UAAU;AAAA,MACxB;AAAA,IACF,CAAC;AAED,UAAM,WAAW,OAAO,YAAY;AACpC,UAAM,EAAE,KAAK,IAAI,MAAM,KAAK,sBAAsB,YAAY,QAAQ,YAAY,QAAQ;AAE1F,UAAM,KAAK,YAAY,oBAAoB,OAAO,KAAK,EAAE,CAAC;AAE1D,UAAM,QAAQ,MAAM,KAAK,YAAY,aAAa,MAAM,YAAY,IAAI;AACxE,UAAM,QAAQ,QAAQ;AAAA,MACpB,KAAK,OAAO,KAAK,EAAE;AAAA,MACnB,UAAU,YAAY;AAAA,MACtB,OAAO,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MAC3D,OAAO,KAAK;AAAA,MACZ;AAAA,IACF,CAAC;AAED,UAAM,KAAK,YAAY,kBAAkB,IAAI;AAE7C,UAAM,OAAO,OAAO,QAAQ,IAAI,oBAAoB,IAAI;AACxD,UAAM,mBAAmB,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,KAAK,GAAI;AACzE,UAAM,UAAU,MAAM,KAAK,YAAY,cAAc,MAAM,gBAAgB;AAE3E,SAAK,aAAa,uBAAuB;AAAA,MACvC,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,UAAU,OAAO;AAAA,MACjB,gBAAgB,OAAO;AAAA,IACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAE/C,WAAO;AAAA,MACL;AAAA,MACA,cAAc,QAAQ;AAAA,MACtB;AAAA,MACA,aAAa,UAAU,aAAa;AAAA,MACpC,UAAU,OAAO,YAAY;AAAA,MAC7B,gBAAgB,OAAO;AAAA,IACzB;AAAA,EACF;AAAA,EAEA,MAAc,oBAAoB,QAAgD;AAChF,QAAI,CAAC,OAAO,gBAAiB,QAAO;AAEpC,UAAM,YAAY,MAAM,KAAK,wBAAwB;AAAA,MACnD,OAAO;AAAA,MACP,EAAE,iBAAiB,OAAO,gBAAgB;AAAA,MAC1C,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,WAAQ,UAAU,mBAA8B;AAAA,EAClD;AACF;",
+  "names": []
+}

package/dist/modules/sso/setup.js ADDED Viewed

@@ -0,0 +1,47 @@
+import { SsoConfig } from "./data/entities.js";
+const setup = {
+  defaultRoleFeatures: {
+    superadmin: ["sso.*"],
+    admin: ["sso.config.view", "sso.config.manage", "sso.scim.manage"]
+  },
+  async seedDefaults({ em, tenantId, organizationId, container }) {
+    if (process.env.NODE_ENV !== "development") return;
+    if (process.env.SSO_DEV_SEED !== "true") return;
+    const clientSecret = process.env.SSO_DEV_CLIENT_SECRET;
+    if (!clientSecret) return;
+    const domains = (process.env.SSO_DEV_ALLOWED_DOMAINS || "example.com").split(",").map((d) => d.trim()).filter(Boolean);
+    const existing = await em.findOne(SsoConfig, { organizationId });
+    if (existing) {
+      existing.allowedDomains = domains;
+      await em.flush();
+      return;
+    }
+    const encryptionService = container.resolve("tenantEncryptionService");
+    const encrypted = await encryptionService.encryptEntityPayload(
+      "SsoConfig",
+      { clientSecretEnc: clientSecret },
+      tenantId,
+      organizationId
+    );
+    const config = em.create(SsoConfig, {
+      tenantId,
+      organizationId,
+      protocol: "oidc",
+      issuer: process.env.SSO_DEV_ISSUER || "http://localhost:8080/realms/open-mercato",
+      clientId: process.env.SSO_DEV_CLIENT_ID || "open-mercato-app",
+      clientSecretEnc: encrypted.clientSecretEnc,
+      allowedDomains: domains,
+      jitEnabled: true,
+      autoLinkByEmail: true,
+      isActive: true,
+      ssoRequired: false
+    });
+    await em.persistAndFlush(config);
+  }
+};
+var setup_default = setup;
+export {
+  setup_default as default,
+  setup
+};
+//# sourceMappingURL=setup.js.map

package/dist/modules/sso/setup.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/modules/sso/setup.ts"],
+  "sourcesContent": ["import type { RequiredEntityData } from '@mikro-orm/core'\nimport type { ModuleSetupConfig } from '@open-mercato/shared/modules/setup'\nimport type { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'\nimport { SsoConfig } from './data/entities'\n\nexport const setup: ModuleSetupConfig = {\n  defaultRoleFeatures: {\n    superadmin: ['sso.*'],\n    admin: ['sso.config.view', 'sso.config.manage', 'sso.scim.manage'],\n  },\n\n  async seedDefaults({ em, tenantId, organizationId, container }) {\n    if (process.env.NODE_ENV !== 'development') return\n    if (process.env.SSO_DEV_SEED !== 'true') return\n\n    const clientSecret = process.env.SSO_DEV_CLIENT_SECRET\n    if (!clientSecret) return\n\n    const domains = (process.env.SSO_DEV_ALLOWED_DOMAINS || 'example.com')\n      .split(',')\n      .map((d) => d.trim())\n      .filter(Boolean)\n\n    const existing = await em.findOne(SsoConfig, { organizationId })\n    if (existing) {\n      existing.allowedDomains = domains\n      await em.flush()\n      return\n    }\n\n    const encryptionService = container.resolve<TenantDataEncryptionService>('tenantEncryptionService')\n    const encrypted = await encryptionService.encryptEntityPayload(\n      'SsoConfig',\n      { clientSecretEnc: clientSecret },\n      tenantId,\n      organizationId,\n    )\n\n    const config = em.create(SsoConfig, {\n      tenantId,\n      organizationId,\n      protocol: 'oidc',\n      issuer: process.env.SSO_DEV_ISSUER || 'http://localhost:8080/realms/open-mercato',\n      clientId: process.env.SSO_DEV_CLIENT_ID || 'open-mercato-app',\n      clientSecretEnc: encrypted.clientSecretEnc as string,\n      allowedDomains: domains,\n      jitEnabled: true,\n      autoLinkByEmail: true,\n      isActive: true,\n      ssoRequired: false,\n    } as RequiredEntityData<SsoConfig>)\n    await em.persistAndFlush(config)\n  },\n}\n\nexport default setup\n"],
+  "mappings": "AAGA,SAAS,iBAAiB;AAEnB,MAAM,QAA2B;AAAA,EACtC,qBAAqB;AAAA,IACnB,YAAY,CAAC,OAAO;AAAA,IACpB,OAAO,CAAC,mBAAmB,qBAAqB,iBAAiB;AAAA,EACnE;AAAA,EAEA,MAAM,aAAa,EAAE,IAAI,UAAU,gBAAgB,UAAU,GAAG;AAC9D,QAAI,QAAQ,IAAI,aAAa,cAAe;AAC5C,QAAI,QAAQ,IAAI,iBAAiB,OAAQ;AAEzC,UAAM,eAAe,QAAQ,IAAI;AACjC,QAAI,CAAC,aAAc;AAEnB,UAAM,WAAW,QAAQ,IAAI,2BAA2B,eACrD,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EACnB,OAAO,OAAO;AAEjB,UAAM,WAAW,MAAM,GAAG,QAAQ,WAAW,EAAE,eAAe,CAAC;AAC/D,QAAI,UAAU;AACZ,eAAS,iBAAiB;AAC1B,YAAM,GAAG,MAAM;AACf;AAAA,IACF;AAEA,UAAM,oBAAoB,UAAU,QAAqC,yBAAyB;AAClG,UAAM,YAAY,MAAM,kBAAkB;AAAA,MACxC;AAAA,MACA,EAAE,iBAAiB,aAAa;AAAA,MAChC;AAAA,MACA;AAAA,IACF;AAEA,UAAM,SAAS,GAAG,OAAO,WAAW;AAAA,MAClC;AAAA,MACA;AAAA,MACA,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,kBAAkB;AAAA,MACtC,UAAU,QAAQ,IAAI,qBAAqB;AAAA,MAC3C,iBAAiB,UAAU;AAAA,MAC3B,gBAAgB;AAAA,MAChB,YAAY;AAAA,MACZ,iBAAiB;AAAA,MACjB,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAkC;AAClC,UAAM,GAAG,gBAAgB,MAAM;AAAA,EACjC;AACF;AAEA,IAAO,gBAAQ;",
+  "names": []
+}

package/dist/modules/sso/subscribers/user-deleted-cleanup.js ADDED Viewed

@@ -0,0 +1,21 @@
+import { SsoIdentity, SsoRoleGrant, SsoUserDeactivation } from "../data/entities.js";
+const metadata = {
+  event: "auth.user.deleted",
+  persistent: true,
+  id: "sso:user-deleted-cleanup"
+};
+async function handle(payload, ctx) {
+  const em = ctx.resolve("em");
+  await em.nativeUpdate(
+    SsoIdentity,
+    { userId: payload.userId, deletedAt: null },
+    { deletedAt: /* @__PURE__ */ new Date() }
+  );
+  await em.nativeDelete(SsoRoleGrant, { userId: payload.userId });
+  await em.nativeDelete(SsoUserDeactivation, { userId: payload.userId });
+}
+export {
+  handle as default,
+  metadata
+};
+//# sourceMappingURL=user-deleted-cleanup.js.map

package/dist/modules/sso/subscribers/user-deleted-cleanup.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/subscribers/user-deleted-cleanup.ts"],
+  "sourcesContent": ["import type { EntityData } from '@mikro-orm/core'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { SsoIdentity, SsoRoleGrant, SsoUserDeactivation } from '../data/entities'\n\nexport const metadata = {\n  event: 'auth.user.deleted',\n  persistent: true,\n  id: 'sso:user-deleted-cleanup',\n}\n\ntype UserDeletedPayload = {\n  userId: string\n  tenantId: string\n  organizationId: string\n}\n\ntype ResolverContext = {\n  resolve: <T = unknown>(name: string) => T\n}\n\nexport default async function handle(payload: UserDeletedPayload, ctx: ResolverContext) {\n  const em = ctx.resolve<EntityManager>('em')\n\n  await em.nativeUpdate(\n    SsoIdentity,\n    { userId: payload.userId, deletedAt: null },\n    { deletedAt: new Date() } as EntityData<SsoIdentity>,\n  )\n\n  await em.nativeDelete(SsoRoleGrant, { userId: payload.userId })\n\n  await em.nativeDelete(SsoUserDeactivation, { userId: payload.userId })\n}\n"],
+  "mappings": "AAEA,SAAS,aAAa,cAAc,2BAA2B;AAExD,MAAM,WAAW;AAAA,EACtB,OAAO;AAAA,EACP,YAAY;AAAA,EACZ,IAAI;AACN;AAYA,eAAO,OAA8B,SAA6B,KAAsB;AACtF,QAAM,KAAK,IAAI,QAAuB,IAAI;AAE1C,QAAM,GAAG;AAAA,IACP;AAAA,IACA,EAAE,QAAQ,QAAQ,QAAQ,WAAW,KAAK;AAAA,IAC1C,EAAE,WAAW,oBAAI,KAAK,EAAE;AAAA,EAC1B;AAEA,QAAM,GAAG,aAAa,cAAc,EAAE,QAAQ,QAAQ,OAAO,CAAC;AAE9D,QAAM,GAAG,aAAa,qBAAqB,EAAE,QAAQ,QAAQ,OAAO,CAAC;AACvE;",
+  "names": []
+}

package/dist/modules/sso/widgets/injection/login-sso/widget.client.js ADDED Viewed

@@ -0,0 +1,106 @@
+"use client";
+import { jsx } from "react/jsx-runtime";
+import { useCallback, useEffect, useRef, useState } from "react";
+import { apiCall } from "@open-mercato/ui/backend/utils/apiCall";
+import { useT } from "@open-mercato/shared/lib/i18n/context";
+import { translateWithFallback } from "@open-mercato/shared/lib/i18n/translate";
+const SSO_ERROR_CODES = [
+  "sso_failed",
+  "sso_missing_config",
+  "sso_email_not_verified",
+  "sso_state_missing",
+  "sso_idp_error",
+  "sso_missing_params"
+];
+const HRD_DEBOUNCE_MS = 300;
+function SsoLoginWidget({ context }) {
+  const t = useT();
+  const translate = useCallback(
+    (key, fallback) => translateWithFallback(t, key, fallback),
+    [t]
+  );
+  const [ssoActive, setSsoActive] = useState(false);
+  const lastCheckedEmail = useRef("");
+  const debounceTimer = useRef(null);
+  useEffect(() => {
+    const errorParam = context.searchParams.get("error");
+    if (!errorParam) return;
+    const errorMessages = {
+      sso_failed: translate("sso.login.errors.failed", "SSO login failed. Please try again."),
+      sso_missing_config: translate("sso.login.errors.missingConfig", "SSO is not configured for this account."),
+      sso_email_not_verified: translate("sso.login.errors.emailNotVerified", "Your email address is not verified by the identity provider. Please verify your email and try again."),
+      sso_state_missing: translate("sso.login.errors.stateMissing", "SSO session expired. Please try again."),
+      sso_idp_error: translate("sso.login.errors.idpError", "The identity provider returned an error. Please try again or contact your administrator."),
+      sso_missing_params: translate("sso.login.errors.missingParams", "SSO callback was incomplete. Please try again.")
+    };
+    if (SSO_ERROR_CODES.includes(errorParam)) {
+      context.setError(errorMessages[errorParam] ?? errorMessages.sso_failed);
+    }
+  }, [context.searchParams, context.setError, translate]);
+  const checkHrd = useCallback(async (email) => {
+    if (!email || !email.includes("@")) {
+      context.setAuthOverride(null);
+      setSsoActive(false);
+      lastCheckedEmail.current = "";
+      return;
+    }
+    if (email === lastCheckedEmail.current) return;
+    lastCheckedEmail.current = email;
+    try {
+      const body = { email };
+      if (context.tenantId) {
+        body.tenantId = context.tenantId;
+      }
+      const res = await apiCall(
+        "/api/sso/hrd",
+        { method: "POST", body: JSON.stringify(body), headers: { "Content-Type": "application/json" } }
+      );
+      if (res.result?.hasSso && res.result.configId) {
+        const configId = res.result.configId;
+        setSsoActive(true);
+        context.setAuthOverride({
+          providerId: "sso",
+          providerLabel: translate("sso.login.continueWithSso", "Continue with SSO"),
+          onSubmit: () => {
+            const returnUrl = context.searchParams.get("returnUrl") || "/backend";
+            window.location.href = `/api/sso/initiate?configId=${encodeURIComponent(configId)}&returnUrl=${encodeURIComponent(returnUrl)}`;
+          },
+          hidePassword: true,
+          hideRememberMe: true,
+          hideForgotPassword: true
+        });
+      } else {
+        setSsoActive(false);
+        context.setAuthOverride(null);
+      }
+    } catch {
+      setSsoActive(false);
+      context.setAuthOverride(null);
+    }
+  }, [context, translate]);
+  useEffect(() => {
+    if (debounceTimer.current) {
+      clearTimeout(debounceTimer.current);
+    }
+    if (!context.email) {
+      setSsoActive(false);
+      context.setAuthOverride(null);
+      lastCheckedEmail.current = "";
+      return;
+    }
+    debounceTimer.current = setTimeout(() => {
+      checkHrd(context.email);
+    }, HRD_DEBOUNCE_MS);
+    return () => {
+      if (debounceTimer.current) {
+        clearTimeout(debounceTimer.current);
+      }
+    };
+  }, [context.email, checkHrd]);
+  if (!ssoActive) return null;
+  return /* @__PURE__ */ jsx("div", { className: "rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-800", children: translate("sso.login.ssoEnabled", "SSO is enabled for this account") });
+}
+export {
+  SsoLoginWidget as default
+};
+//# sourceMappingURL=widget.client.js.map