@open-mercato/enterprise 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6

package/src/modules/sso/services/ssoConfigService.ts

@@ -0,0 +1,337 @@
+import type { FilterQuery, RequiredEntityData } from '@mikro-orm/core'
+import { EntityManager } from '@mikro-orm/postgresql'
+import { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import type { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'
+import { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'
+import { SsoConfig, ScimToken } from '../data/entities'
+import type { SsoConfigAdminCreateInput, SsoConfigAdminUpdateInput, SsoConfigListQuery } from '../data/validators'
+import { emitSsoEvent } from '../events'
+import { validateDomain, normalizeDomain, uniqueDomains, checkDomainLimit } from '../lib/domains'
+import type { SsoProviderRegistry } from '../lib/registry'
+
+export interface SsoAdminScope {
+  isSuperAdmin: boolean
+  organizationId: string | null
+  tenantId: string | null
+}
+
+export interface SsoConfigPublic {
+  id: string
+  name: string | null
+  tenantId: string | null
+  organizationId: string
+  protocol: string
+  issuer: string | null
+  clientId: string | null
+  hasClientSecret: boolean
+  allowedDomains: string[]
+  jitEnabled: boolean
+  autoLinkByEmail: boolean
+  isActive: boolean
+  ssoRequired: boolean
+  appRoleMappings: Record<string, string>
+  createdAt: Date
+  updatedAt: Date
+}
+
+export class SsoConfigService {
+  constructor(
+    private em: EntityManager,
+    private tenantEncryptionService: TenantDataEncryptionService,
+    private ssoProviderRegistry: SsoProviderRegistry,
+  ) {}
+
+  async list(scope: SsoAdminScope, query: SsoConfigListQuery): Promise<{
+    items: SsoConfigPublic[]
+    total: number
+    totalPages: number
+  }> {
+    const where: FilterQuery<SsoConfig> = { deletedAt: null }
+
+    if (!scope.isSuperAdmin) {
+      if (!scope.organizationId) {
+        throw new SsoConfigError('Organization context is required', 403)
+      }
+      where.organizationId = scope.organizationId
+    } else {
+      if (query.organizationId) where.organizationId = query.organizationId
+      if (query.tenantId) where.tenantId = query.tenantId
+    }
+
+    if (query.search) {
+      const pattern = `%${escapeLikePattern(query.search)}%`
+      where.$or = [
+        { name: { $ilike: pattern } },
+        { issuer: { $ilike: pattern } },
+        { clientId: { $ilike: pattern } },
+      ]
+    }
+
+    const [configs, total] = await this.em.findAndCount(SsoConfig, where, {
+      orderBy: { createdAt: 'desc' },
+      limit: query.pageSize,
+      offset: (query.page - 1) * query.pageSize,
+    })
+
+    return {
+      items: configs.map((c) => this.toPublic(c)),
+      total,
+      totalPages: Math.ceil(total / query.pageSize) || 1,
+    }
+  }
+
+  async getById(scope: SsoAdminScope, id: string): Promise<SsoConfigPublic | null> {
+    const where: FilterQuery<SsoConfig> = { id, deletedAt: null }
+    if (!scope.isSuperAdmin) {
+      if (!scope.organizationId) throw new SsoConfigError('Organization context is required', 403)
+      where.organizationId = scope.organizationId
+    }
+
+    const config = await this.em.findOne(SsoConfig, where)
+    return config ? this.toPublic(config) : null
+  }
+
+  async create(scope: SsoAdminScope, input: SsoConfigAdminCreateInput): Promise<SsoConfigPublic> {
+    const orgId = scope.isSuperAdmin ? input.organizationId : scope.organizationId!
+    const tenId = scope.isSuperAdmin ? (input.tenantId ?? null) : scope.tenantId
+
+    const existing = await this.em.findOne(SsoConfig, {
+      organizationId: orgId,
+      deletedAt: null,
+    })
+    if (existing) {
+      throw new SsoConfigError('An SSO configuration already exists for this organization', 409)
+    }
+
+    const domains = uniqueDomains(input.allowedDomains)
+    for (const d of domains) {
+      const result = validateDomain(d)
+      if (!result.valid) throw new SsoConfigError(`Invalid domain "${d}": ${result.error}`, 400)
+    }
+
+    const encrypted = await this.tenantEncryptionService.encryptEntityPayload(
+      'SsoConfig',
+      { clientSecretEnc: input.clientSecret },
+      tenId,
+      orgId,
+    )
+
+    const config = this.em.create(SsoConfig, {
+      name: input.name,
+      tenantId: tenId,
+      organizationId: orgId,
+      protocol: input.protocol,
+      issuer: input.issuer,
+      clientId: input.clientId,
+      clientSecretEnc: encrypted.clientSecretEnc as string,
+      allowedDomains: domains,
+      jitEnabled: input.jitEnabled,
+      autoLinkByEmail: input.autoLinkByEmail,
+      isActive: false,
+      ssoRequired: false,
+      appRoleMappings: input.appRoleMappings ?? {},
+    } as RequiredEntityData<SsoConfig>)
+
+    await this.em.persistAndFlush(config)
+
+    void emitSsoEvent('sso.config.created', {
+      id: config.id,
+      tenantId: config.tenantId,
+      organizationId: config.organizationId,
+    }).catch((e) => console.error('[SSO Event]', e))
+
+    return this.toPublic(config)
+  }
+
+  async update(scope: SsoAdminScope, id: string, input: SsoConfigAdminUpdateInput): Promise<SsoConfigPublic> {
+    const config = await this.resolveConfig(scope, id)
+
+    if (input.name !== undefined) config.name = input.name
+    if (input.protocol !== undefined) config.protocol = input.protocol
+    if (input.issuer !== undefined) config.issuer = input.issuer
+    if (input.clientId !== undefined) config.clientId = input.clientId
+    if (input.jitEnabled !== undefined) {
+      if (input.jitEnabled) {
+        const activeScimCount = await this.em.count(ScimToken, { ssoConfigId: id, isActive: true })
+        if (activeScimCount > 0) {
+          throw new SsoConfigError('Cannot enable JIT provisioning while SCIM directory sync is active. Revoke all SCIM tokens first.', 409)
+        }
+      }
+      config.jitEnabled = input.jitEnabled
+    }
+    if (input.autoLinkByEmail !== undefined) config.autoLinkByEmail = input.autoLinkByEmail
+    if (input.appRoleMappings !== undefined) config.appRoleMappings = input.appRoleMappings
+
+    if (input.clientSecret !== undefined) {
+      const encrypted = await this.tenantEncryptionService.encryptEntityPayload(
+        'SsoConfig',
+        { clientSecretEnc: input.clientSecret },
+        config.tenantId,
+        config.organizationId,
+      )
+      config.clientSecretEnc = encrypted.clientSecretEnc as string
+    }
+
+    await this.em.flush()
+
+    void emitSsoEvent('sso.config.updated', {
+      id: config.id,
+      tenantId: config.tenantId,
+      organizationId: config.organizationId,
+    }).catch((e) => console.error('[SSO Event]', e))
+
+    return this.toPublic(config)
+  }
+
+  async delete(scope: SsoAdminScope, id: string): Promise<void> {
+    const config = await this.resolveConfig(scope, id)
+
+    if (config.isActive) {
+      throw new SsoConfigError('Cannot delete an active SSO configuration — deactivate it first', 400)
+    }
+
+    config.deletedAt = new Date()
+    await this.em.flush()
+
+    void emitSsoEvent('sso.config.deleted', {
+      id: config.id,
+      tenantId: config.tenantId,
+      organizationId: config.organizationId,
+    }).catch((e) => console.error('[SSO Event]', e))
+  }
+
+  async activate(scope: SsoAdminScope, id: string, active: boolean): Promise<SsoConfigPublic> {
+    const config = await this.resolveConfig(scope, id)
+
+    if (active) {
+      if (config.allowedDomains.length === 0) {
+        throw new SsoConfigError('Cannot activate SSO configuration with no allowed domains', 400)
+      }
+
+      const testResult = await this.testConnectionInternal(config)
+      if (!testResult.ok) {
+        throw new SsoConfigError(`Cannot activate — discovery failed: ${testResult.error}`, 400)
+      }
+    }
+
+    const wasActive = config.isActive
+    config.isActive = active
+    await this.em.flush()
+
+    if (active && !wasActive) {
+      void emitSsoEvent('sso.config.activated', {
+        id: config.id,
+        tenantId: config.tenantId,
+        organizationId: config.organizationId,
+      }).catch((e) => console.error('[SSO Event]', e))
+    } else if (!active && wasActive) {
+      void emitSsoEvent('sso.config.deactivated', {
+        id: config.id,
+        tenantId: config.tenantId,
+        organizationId: config.organizationId,
+      }).catch((e) => console.error('[SSO Event]', e))
+    }
+
+    return this.toPublic(config)
+  }
+
+  async testConnection(scope: SsoAdminScope, id: string): Promise<{ ok: boolean; error?: string }> {
+    const config = await this.resolveConfig(scope, id)
+    return this.testConnectionInternal(config)
+  }
+
+  async addDomain(scope: SsoAdminScope, id: string, domain: string): Promise<SsoConfigPublic> {
+    const normalized = normalizeDomain(domain)
+    const validation = validateDomain(normalized)
+    if (!validation.valid) throw new SsoConfigError(validation.error!, 400)
+
+    const config = await this.resolveConfig(scope, id)
+
+    if (config.allowedDomains.includes(normalized)) {
+      return this.toPublic(config)
+    }
+
+    const limitCheck = checkDomainLimit(config.allowedDomains.length, 1)
+    if (!limitCheck.ok) throw new SsoConfigError(limitCheck.error!, 400)
+
+    config.allowedDomains = [...config.allowedDomains, normalized]
+    await this.em.flush()
+
+    void emitSsoEvent('sso.domain.added', {
+      id: config.id,
+      tenantId: config.tenantId,
+      organizationId: config.organizationId,
+      domain: normalized,
+    }).catch((e) => console.error('[SSO Event]', e))
+
+    return this.toPublic(config)
+  }
+
+  async removeDomain(scope: SsoAdminScope, id: string, domain: string): Promise<SsoConfigPublic> {
+    const normalized = normalizeDomain(domain)
+    const config = await this.resolveConfig(scope, id)
+
+    config.allowedDomains = config.allowedDomains.filter((d) => d !== normalized)
+    await this.em.flush()
+
+    void emitSsoEvent('sso.domain.removed', {
+      id: config.id,
+      tenantId: config.tenantId,
+      organizationId: config.organizationId,
+      domain: normalized,
+    }).catch((e) => console.error('[SSO Event]', e))
+
+    return this.toPublic(config)
+  }
+
+  toPublic(config: SsoConfig): SsoConfigPublic {
+    return {
+      id: config.id,
+      name: config.name ?? null,
+      tenantId: config.tenantId ?? null,
+      organizationId: config.organizationId,
+      protocol: config.protocol,
+      issuer: config.issuer ?? null,
+      clientId: config.clientId ?? null,
+      hasClientSecret: !!config.clientSecretEnc,
+      allowedDomains: config.allowedDomains,
+      jitEnabled: config.jitEnabled,
+      autoLinkByEmail: config.autoLinkByEmail,
+      isActive: config.isActive,
+      ssoRequired: config.ssoRequired,
+      appRoleMappings: config.appRoleMappings ?? {},
+      createdAt: config.createdAt,
+      updatedAt: config.updatedAt,
+    }
+  }
+
+  private async resolveConfig(scope: SsoAdminScope, id: string): Promise<SsoConfig> {
+    const where: FilterQuery<SsoConfig> = { id, deletedAt: null }
+    if (!scope.isSuperAdmin) {
+      if (!scope.organizationId) throw new SsoConfigError('Organization context is required', 403)
+      where.organizationId = scope.organizationId
+    }
+
+    const config = await this.em.findOne(SsoConfig, where)
+    if (!config) throw new SsoConfigError('SSO configuration not found', 404)
+
+    return config
+  }
+
+  private async testConnectionInternal(config: SsoConfig): Promise<{ ok: boolean; error?: string }> {
+    const provider = this.ssoProviderRegistry.resolve(config.protocol)
+    if (!provider) return { ok: false, error: `No provider for protocol: ${config.protocol}` }
+
+    return provider.validateConfig(config)
+  }
+}
+
+export class SsoConfigError extends Error {
+  constructor(
+    message: string,
+    public readonly statusCode: number,
+  ) {
+    super(message)
+    this.name = 'SsoConfigError'
+  }
+}

package/src/modules/sso/services/ssoService.ts

@@ -0,0 +1,167 @@
+import crypto from 'node:crypto'
+import { EntityManager } from '@mikro-orm/postgresql'
+import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { signJwt } from '@open-mercato/shared/lib/auth/jwt'
+import type { AuthService } from '@open-mercato/core/modules/auth/services/authService'
+import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
+import { SsoConfig } from '../data/entities'
+import type { SsoProviderRegistry } from '../lib/registry'
+import type { AccountLinkingService } from './accountLinkingService'
+import { encryptStateCookie, decryptStateCookie, createFlowState } from '../lib/state-cookie'
+import { emitSsoEvent } from '../events'
+import type { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'
+
+export class SsoService {
+  constructor(
+    private em: EntityManager,
+    private ssoProviderRegistry: SsoProviderRegistry,
+    private accountLinkingService: AccountLinkingService,
+    private tenantEncryptionService: TenantDataEncryptionService,
+    private authService: AuthService,
+    private rbacService: RbacService,
+  ) {}
+
+  async findConfigByEmail(email: string): Promise<SsoConfig | null> {
+    const domain = email.split('@')[1]?.toLowerCase()
+    if (!domain) return null
+
+    const configs = await findWithDecryption(
+      this.em,
+      SsoConfig,
+      { isActive: true, deletedAt: null },
+      {},
+      { tenantId: null },
+    )
+    return configs.find((c) => c.allowedDomains.some((d) => d.toLowerCase() === domain)) ?? null
+  }
+
+  async initiateLogin(
+    configId: string,
+    returnUrl: string,
+    redirectUri: string,
+  ): Promise<{ redirectUrl: string; stateCookie: string }> {
+    const config = await findOneWithDecryption(
+      this.em,
+      SsoConfig,
+      { id: configId, isActive: true, deletedAt: null },
+      {},
+      { tenantId: null },
+    )
+    if (!config) throw new Error('SSO configuration not found or inactive')
+
+    const provider = this.ssoProviderRegistry.resolve(config.protocol)
+    if (!provider) throw new Error(`No provider registered for protocol: ${config.protocol}`)
+
+    const clientSecret = await this.decryptClientSecret(config)
+
+    const { state } = createFlowState({ configId, returnUrl })
+
+    void emitSsoEvent('sso.login.initiated', {
+      tenantId: config.tenantId,
+      organizationId: config.organizationId,
+    }).catch((e) => console.error('[SSO Event]', e))
+
+    const authUrl = await provider.buildAuthUrl(config, {
+      state: state.state,
+      nonce: state.nonce,
+      redirectUri,
+      codeVerifier: state.codeVerifier,
+      clientSecret,
+    })
+
+    const stateCookie = encryptStateCookie(state)
+    return { redirectUrl: authUrl, stateCookie }
+  }
+
+  async handleOidcCallback(
+    callbackParams: Record<string, string>,
+    stateCookie: string,
+    redirectUri: string,
+  ): Promise<{
+    token: string
+    sessionToken: string
+    sessionExpiresAt: Date
+    redirectUrl: string
+    tenantId: string | null
+    organizationId: string
+  }> {
+    const flowState = decryptStateCookie(stateCookie)
+    if (!flowState) throw new Error('Invalid or expired SSO state')
+
+    const receivedState = Buffer.from(callbackParams.state || '')
+    const expectedState = Buffer.from(flowState.state)
+    if (receivedState.length !== expectedState.length || !crypto.timingSafeEqual(receivedState, expectedState)) {
+      throw new Error('State mismatch — possible CSRF attack')
+    }
+
+    const config = await findOneWithDecryption(
+      this.em,
+      SsoConfig,
+      { id: flowState.configId, isActive: true, deletedAt: null },
+      {},
+      { tenantId: null },
+    )
+    if (!config) throw new Error('SSO configuration no longer active')
+
+    const provider = this.ssoProviderRegistry.resolve(config.protocol)
+    if (!provider) throw new Error(`No provider for protocol: ${config.protocol}`)
+
+    const clientSecret = await this.decryptClientSecret(config)
+
+    const idpPayload = await provider.handleCallback(config, {
+      callbackParams,
+      redirectUri,
+      expectedState: flowState.state,
+      expectedNonce: flowState.nonce,
+      codeVerifier: flowState.codeVerifier,
+      clientSecret,
+    })
+
+    const tenantId = config.tenantId ?? ''
+    const { user } = await this.accountLinkingService.resolveUser(config, idpPayload, tenantId)
+
+    await this.rbacService.invalidateUserCache(String(user.id))
+
+    const roles = await this.authService.getUserRoles(user, tenantId || null)
+    const token = signJwt({
+      sub: String(user.id),
+      tenantId: tenantId || null,
+      orgId: user.organizationId ? String(user.organizationId) : null,
+      email: user.email,
+      roles,
+    })
+
+    await this.authService.updateLastLoginAt(user)
+
+    const days = Number(process.env.REMEMBER_ME_DAYS || '30')
+    const sessionExpiresAt = new Date(Date.now() + days * 24 * 60 * 60 * 1000)
+    const session = await this.authService.createSession(user, sessionExpiresAt)
+
+    void emitSsoEvent('sso.login.completed', {
+      id: String(user.id),
+      tenantId: config.tenantId,
+      organizationId: config.organizationId,
+    }).catch((e) => console.error('[SSO Event]', e))
+
+    return {
+      token,
+      sessionToken: session.token,
+      sessionExpiresAt,
+      redirectUrl: flowState.returnUrl || '/backend',
+      tenantId: config.tenantId ?? null,
+      organizationId: config.organizationId,
+    }
+  }
+
+  private async decryptClientSecret(config: SsoConfig): Promise<string | undefined> {
+    if (!config.clientSecretEnc) return undefined
+
+    const decrypted = await this.tenantEncryptionService.decryptEntityPayload(
+      config.id,
+      { clientSecretEnc: config.clientSecretEnc },
+      config.tenantId,
+      config.organizationId,
+    )
+    return (decrypted.clientSecretEnc as string) ?? undefined
+  }
+}

package/src/modules/sso/setup.ts

@@ -0,0 +1,56 @@
+import type { RequiredEntityData } from '@mikro-orm/core'
+import type { ModuleSetupConfig } from '@open-mercato/shared/modules/setup'
+import type { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'
+import { SsoConfig } from './data/entities'
+
+export const setup: ModuleSetupConfig = {
+  defaultRoleFeatures: {
+    superadmin: ['sso.*'],
+    admin: ['sso.config.view', 'sso.config.manage', 'sso.scim.manage'],
+  },
+
+  async seedDefaults({ em, tenantId, organizationId, container }) {
+    if (process.env.NODE_ENV !== 'development') return
+    if (process.env.SSO_DEV_SEED !== 'true') return
+
+    const clientSecret = process.env.SSO_DEV_CLIENT_SECRET
+    if (!clientSecret) return
+
+    const domains = (process.env.SSO_DEV_ALLOWED_DOMAINS || 'example.com')
+      .split(',')
+      .map((d) => d.trim())
+      .filter(Boolean)
+
+    const existing = await em.findOne(SsoConfig, { organizationId })
+    if (existing) {
+      existing.allowedDomains = domains
+      await em.flush()
+      return
+    }
+
+    const encryptionService = container.resolve<TenantDataEncryptionService>('tenantEncryptionService')
+    const encrypted = await encryptionService.encryptEntityPayload(
+      'SsoConfig',
+      { clientSecretEnc: clientSecret },
+      tenantId,
+      organizationId,
+    )
+
+    const config = em.create(SsoConfig, {
+      tenantId,
+      organizationId,
+      protocol: 'oidc',
+      issuer: process.env.SSO_DEV_ISSUER || 'http://localhost:8080/realms/open-mercato',
+      clientId: process.env.SSO_DEV_CLIENT_ID || 'open-mercato-app',
+      clientSecretEnc: encrypted.clientSecretEnc as string,
+      allowedDomains: domains,
+      jitEnabled: true,
+      autoLinkByEmail: true,
+      isActive: true,
+      ssoRequired: false,
+    } as RequiredEntityData<SsoConfig>)
+    await em.persistAndFlush(config)
+  },
+}
+
+export default setup

package/src/modules/sso/subscribers/user-deleted-cleanup.ts

@@ -0,0 +1,33 @@
+import type { EntityData } from '@mikro-orm/core'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import { SsoIdentity, SsoRoleGrant, SsoUserDeactivation } from '../data/entities'
+
+export const metadata = {
+  event: 'auth.user.deleted',
+  persistent: true,
+  id: 'sso:user-deleted-cleanup',
+}
+
+type UserDeletedPayload = {
+  userId: string
+  tenantId: string
+  organizationId: string
+}
+
+type ResolverContext = {
+  resolve: <T = unknown>(name: string) => T
+}
+
+export default async function handle(payload: UserDeletedPayload, ctx: ResolverContext) {
+  const em = ctx.resolve<EntityManager>('em')
+
+  await em.nativeUpdate(
+    SsoIdentity,
+    { userId: payload.userId, deletedAt: null },
+    { deletedAt: new Date() } as EntityData<SsoIdentity>,
+  )
+
+  await em.nativeDelete(SsoRoleGrant, { userId: payload.userId })
+
+  await em.nativeDelete(SsoUserDeactivation, { userId: payload.userId })
+}