@open-mercato/enterprise 0.6.4-develop.4371.1.8f3030407e → 0.6.4

package/src/modules/security/api/users/_shared.ts

@@ -1,8 +1,13 @@
 import { NextResponse } from 'next/server'
-import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'
+import { CrudHttpError, forbidden } from '@open-mercato/shared/lib/crud/errors'
 import type { CommandRuntimeContext } from '@open-mercato/shared/lib/commands'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { enforceTenantSelection, resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
+import { User } from '@open-mercato/core/modules/auth/data/entities'
+import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
 import { isSudoRequiredError } from '../../lib/sudo-middleware'
 import type { MfaAdminService, MfaAdminServiceError } from '../../services/MfaAdminService'
 import { localizeSecurityApiBody, securityApiError } from '../i18n'
@@ -41,6 +46,69 @@ export async function resolveSecurityUsersContext(
   }
 }
 
+function normalizeNullableString(value: unknown): string | null {
+  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null
+}
+
+function normalizeOrganizationList(values: unknown): string[] | null {
+  if (values === null || values === undefined) return null
+  if (!Array.isArray(values)) return null
+  const result: string[] = []
+  for (const value of values) {
+    if (typeof value !== 'string') continue
+    const trimmed = value.trim()
+    if (trimmed) result.push(trimmed)
+  }
+  return result
+}
+
+export async function assertActorCanAccessSecurityUserTarget(
+  ctx: SecurityUsersRequestContext,
+  targetUserId: string,
+): Promise<void> {
+  const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
+  if (isSuperAdmin) return
+
+  const em = ctx.container.resolve<EntityManager>('em')
+  const target = await findOneWithDecryption(
+    em,
+    User,
+    { id: targetUserId, deletedAt: null } as FilterQuery<User>,
+    {},
+    { tenantId: null, organizationId: null },
+  )
+  if (!target) {
+    throw new CrudHttpError(404, { error: 'User not found' })
+  }
+
+  const actorTenantId = normalizeNullableString(ctx.auth.tenantId)
+  const targetTenantId = normalizeNullableString((target as { tenantId?: string | null }).tenantId)
+  if (!targetTenantId || targetTenantId !== actorTenantId) {
+    throw new CrudHttpError(404, { error: 'User not found' })
+  }
+
+  const rbacService = ctx.container.resolve<RbacService>('rbacService')
+  const acl = await rbacService.loadAcl(ctx.auth.sub, {
+    tenantId: actorTenantId,
+    organizationId: normalizeNullableString(ctx.auth.orgId),
+  })
+  const organizations = normalizeOrganizationList(acl?.organizations)
+  if (organizations !== null && !organizations.includes('__all__')) {
+    const targetOrganizationId = normalizeNullableString((target as { organizationId?: string | null }).organizationId)
+    if (!targetOrganizationId || !organizations.includes(targetOrganizationId)) {
+      throw forbidden('Not authorized to access this user.')
+    }
+  }
+}
+
+export async function assertActorOwnsTenantScope(
+  ctx: SecurityUsersRequestContext,
+  requestedTenantId: string | null | undefined,
+): Promise<string | null> {
+  const resolved = await enforceTenantSelection({ auth: ctx.auth, container: ctx.container }, requestedTenantId)
+  return resolved ?? ctx.auth.tenantId ?? null
+}
+
 export async function mapSecurityUsersError(error: unknown): Promise<NextResponse> {
   if (error instanceof CrudHttpError) {
     return NextResponse.json(await localizeSecurityApiBody(error.body), { status: error.status })

package/src/modules/security/api/users/mfa/compliance/route.ts

@@ -2,7 +2,12 @@ import { NextResponse } from 'next/server'
 import { z } from 'zod'
 import { buildSecurityOpenApi, securityErrorSchema } from '../../../openapi'
 import { securityApiError } from '../../../i18n'
-import { mapSecurityUsersError, resolveSecurityUsersContext } from '../../_shared'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
+import {
+  assertActorOwnsTenantScope,
+  mapSecurityUsersError,
+  resolveSecurityUsersContext,
+} from '../../_shared'
 
 const querySchema = z.object({
   tenantId: z.string().uuid().optional(),
@@ -37,13 +42,16 @@ export async function GET(req: Request) {
     return securityApiError(400, 'Invalid query parameters', { issues: parsedQuery.error.issues })
   }
 
-  const tenantId = parsedQuery.data.tenantId ?? context.auth.tenantId ?? null
-  if (!tenantId) {
-    return securityApiError(400, 'Tenant context is required.')
-  }
-
   try {
-    const items = await context.mfaAdminService.bulkComplianceCheck(tenantId)
+    const tenantId = await assertActorOwnsTenantScope(context, parsedQuery.data.tenantId)
+    if (!tenantId) {
+      return securityApiError(400, 'Tenant context is required.')
+    }
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: context.auth, container: context.container })
+    const items = await context.mfaAdminService.bulkComplianceCheck(tenantId, {
+      tenantId: context.auth.tenantId ?? null,
+      isSuperAdmin,
+    })
     return NextResponse.json({ items })
   } catch (error) {
     return await mapSecurityUsersError(error)
@@ -62,6 +70,7 @@ export const openApi = buildSecurityOpenApi({
       errors: [
         { status: 400, description: 'Invalid query or missing tenant context', schema: securityErrorSchema },
         { status: 401, description: 'Unauthorized', schema: securityErrorSchema },
+        { status: 403, description: 'Not authorized for the requested tenant scope', schema: securityErrorSchema },
       ],
     },
   },

package/src/modules/security/commands/createEnforcementPolicy.ts

@@ -2,6 +2,7 @@ import { z } from 'zod'
 import { registerCommand } from '@open-mercato/shared/lib/commands'
 import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import { enforcementPolicySchema } from '../data/validators'
 import type { MfaEnforcementService } from '../services/MfaEnforcementService'
 
@@ -34,8 +35,12 @@ registerCommand({
     }
 
     const enforcementService = ctx.container.resolve<MfaEnforcementService>('mfaEnforcementService')
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
     try {
-      const policy = await enforcementService.createPolicy(parsed.data, ctx.auth.sub)
+      const policy = await enforcementService.createPolicy(parsed.data, ctx.auth.sub, {
+        tenantId: ctx.auth.tenantId ?? null,
+        isSuperAdmin,
+      })
       return { id: policy.id }
     } catch (error) {
       if (isEnforcementServiceError(error)) {

package/src/modules/security/commands/deleteEnforcementPolicy.ts

@@ -2,6 +2,7 @@ import { z } from 'zod'
 import { registerCommand } from '@open-mercato/shared/lib/commands'
 import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import type { MfaEnforcementService } from '../services/MfaEnforcementService'
 
 export const commandId = 'security.enforcement.delete'
@@ -35,8 +36,12 @@ registerCommand({
     }
 
     const enforcementService = ctx.container.resolve<MfaEnforcementService>('mfaEnforcementService')
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
     try {
-      await enforcementService.deletePolicy(parsed.data.id)
+      await enforcementService.deletePolicy(parsed.data.id, {
+        tenantId: ctx.auth.tenantId ?? null,
+        isSuperAdmin,
+      })
       return { ok: true as const }
     } catch (error) {
       if (isEnforcementServiceError(error)) {

package/src/modules/security/commands/resetUserMfa.ts

@@ -2,6 +2,7 @@ import { z } from 'zod'
 import { registerCommand } from '@open-mercato/shared/lib/commands'
 import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import type { MfaAdminService } from '../services/MfaAdminService'
 
 export const commandId = 'security.admin.mfa.reset'
@@ -36,8 +37,12 @@ registerCommand({
     }
 
     const mfaAdminService = ctx.container.resolve<MfaAdminService>('mfaAdminService')
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
     try {
-      await mfaAdminService.resetUserMfa(ctx.auth.sub, parsed.data.userId, parsed.data.reason)
+      await mfaAdminService.resetUserMfa(ctx.auth.sub, parsed.data.userId, parsed.data.reason, {
+        tenantId: ctx.auth.tenantId ?? null,
+        isSuperAdmin,
+      })
       return { ok: true as const }
     } catch (error) {
       if (isMfaAdminServiceError(error)) {

package/src/modules/security/commands/updateEnforcementPolicy.ts

@@ -2,6 +2,7 @@ import { z } from 'zod'
 import { registerCommand } from '@open-mercato/shared/lib/commands'
 import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import { updateEnforcementPolicySchema } from '../data/validators'
 import type { MfaEnforcementService } from '../services/MfaEnforcementService'
 
@@ -37,8 +38,12 @@ registerCommand({
     }
 
     const enforcementService = ctx.container.resolve<MfaEnforcementService>('mfaEnforcementService')
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
     try {
-      await enforcementService.updatePolicy(parsed.data.id, parsed.data.data, ctx.auth.sub)
+      await enforcementService.updatePolicy(parsed.data.id, parsed.data.data, ctx.auth.sub, {
+        tenantId: ctx.auth.tenantId ?? null,
+        isSuperAdmin,
+      })
       return { ok: true as const }
     } catch (error) {
       if (isEnforcementServiceError(error)) {

package/src/modules/security/services/MfaAdminService.ts

@@ -1,6 +1,6 @@
-import type { EntityManager } from '@mikro-orm/postgresql'
+import type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'
 import { User } from '@open-mercato/core/modules/auth/data/entities'
-import { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import { MfaRecoveryCode, UserMfaMethod } from '../data/entities'
 import { emitSecurityEvent } from '../events'
 import type { MfaEnforcementService } from './MfaEnforcementService'
@@ -27,6 +27,11 @@ type BulkComplianceStatus = {
   lastLoginAt?: Date
 }
 
+type ActorContext = {
+  tenantId: string | null
+  isSuperAdmin: boolean
+}
+
 export class MfaAdminServiceError extends Error {
   constructor(
     message: string,
@@ -43,7 +48,7 @@ export class MfaAdminService {
     private readonly mfaEnforcementService: MfaEnforcementService,
   ) {}
 
-  async resetUserMfa(adminId: string, userId: string, reason: string): Promise<void> {
+  async resetUserMfa(adminId: string, userId: string, reason: string, actor?: ActorContext): Promise<void> {
     if (!adminId.trim()) {
       throw new MfaAdminServiceError('Admin ID is required', 400)
     }
@@ -60,6 +65,7 @@ export class MfaAdminService {
     if (!user) {
       throw new MfaAdminServiceError('User not found', 404)
     }
+    this.assertActorOwnsUser(user, actor)
 
     const activeMethods = await this.em.find(UserMfaMethod, {
       userId,
@@ -95,7 +101,7 @@ export class MfaAdminService {
     })
   }
 
-  async getUserMfaStatus(userId: string): Promise<UserMfaStatus> {
+  async getUserMfaStatus(userId: string, actor?: ActorContext): Promise<UserMfaStatus> {
     if (!userId.trim()) {
       throw new MfaAdminServiceError('User ID is required', 400)
     }
@@ -104,6 +110,7 @@ export class MfaAdminService {
     if (!user) {
       throw new MfaAdminServiceError('User not found', 404)
     }
+    this.assertActorOwnsUser(user, actor)
 
     const methods = await this.em.find(
       UserMfaMethod,
@@ -136,10 +143,13 @@ export class MfaAdminService {
     }
   }
 
-  async bulkComplianceCheck(tenantId: string): Promise<BulkComplianceStatus[]> {
+  async bulkComplianceCheck(tenantId: string, actor?: ActorContext): Promise<BulkComplianceStatus[]> {
     if (!tenantId.trim()) {
       throw new MfaAdminServiceError('Tenant ID is required', 400)
     }
+    if (actor && !actor.isSuperAdmin && tenantId !== actor.tenantId) {
+      throw new MfaAdminServiceError('Not authorized for the requested tenant scope.', 403)
+    }
 
     const users = await findWithDecryption(
       this.em,
@@ -186,8 +196,21 @@ export class MfaAdminService {
     })
   }
 
+  private assertActorOwnsUser(user: User, actor?: ActorContext): void {
+    if (!actor || actor.isSuperAdmin) return
+    if (!user.tenantId || user.tenantId !== actor.tenantId) {
+      throw new MfaAdminServiceError('User not found', 404)
+    }
+  }
+
   private async findUserById(userId: string): Promise<User | null> {
-    return this.em.findOne(User, { id: userId, deletedAt: null })
+    return findOneWithDecryption(
+      this.em,
+      User,
+      { id: userId, deletedAt: null } as FilterQuery<User>,
+      {},
+      { tenantId: null, organizationId: null },
+    )
   }
 }
 

package/src/modules/security/services/MfaEnforcementService.ts

@@ -28,6 +28,11 @@ type EnforcementPolicyListFilters = {
   scope?: EnforcementScope
 }
 
+export type EnforcementActorContext = {
+  tenantId: string | null
+  isSuperAdmin: boolean
+}
+
 type UserCompliance = {
   compliant: boolean
   deadline?: Date
@@ -65,12 +70,21 @@ export class MfaEnforcementService {
     return { enforced: true, policy }
   }
 
-  async listPolicies(filters?: EnforcementPolicyListFilters): Promise<MfaEnforcementPolicy[]> {
+  async getPolicyById(id: string): Promise<MfaEnforcementPolicy | null> {
+    return this.em.findOne(MfaEnforcementPolicy, { id, deletedAt: null })
+  }
+
+  async listPolicies(
+    filters?: EnforcementPolicyListFilters,
+    actor?: EnforcementActorContext,
+  ): Promise<MfaEnforcementPolicy[]> {
+    const tenantConstraint = actor && !actor.isSuperAdmin ? { tenantId: actor.tenantId } : {}
     return this.em.find(
       MfaEnforcementPolicy,
       {
         deletedAt: null,
         ...(filters?.scope ? { scope: filters.scope } : {}),
+        ...tenantConstraint,
       },
       {
         orderBy: { updatedAt: 'desc' },
@@ -81,8 +95,10 @@ export class MfaEnforcementService {
   async getComplianceReport(
     scope: EnforcementScope,
     scopeId?: string,
+    actor?: EnforcementActorContext,
   ): Promise<ComplianceReport> {
     const { tenantId, organizationId } = this.resolveScopeFilters(scope, scopeId)
+    this.assertActorOwnsScopeFilters(actor, scope, tenantId)
     const users = await this.em.find(User, {
       deletedAt: null,
       ...(tenantId ? { tenantId } : {}),
@@ -123,8 +139,10 @@ export class MfaEnforcementService {
   async createPolicy(
     data: EnforcementPolicyInput,
     adminId: string,
+    actor?: EnforcementActorContext,
   ): Promise<MfaEnforcementPolicy> {
     const normalized = this.normalizePolicyInput(data)
+    this.assertActorOwnsScopeFilters(actor, normalized.scope, normalized.tenantId)
     const existing = await this.findPolicyByScope(
       normalized.scope,
       normalized.tenantId ?? undefined,
@@ -176,6 +194,7 @@ export class MfaEnforcementService {
     id: string,
     data: UpdateEnforcementPolicyInput,
     adminId: string,
+    actor?: EnforcementActorContext,
   ): Promise<MfaEnforcementPolicy> {
     const policy = await this.em.findOne(MfaEnforcementPolicy, {
       id,
@@ -184,6 +203,7 @@ export class MfaEnforcementService {
     if (!policy) {
       throw new MfaEnforcementServiceError('Enforcement policy not found', 404)
     }
+    this.assertActorOwnsScopeFilters(actor, policy.scope, policy.tenantId ?? null)
 
     const mergedInput = this.normalizePolicyInput({
       scope: data.scope ?? policy.scope,
@@ -197,6 +217,8 @@ export class MfaEnforcementService {
           : data.enforcementDeadline,
     })
 
+    this.assertActorOwnsScopeFilters(actor, mergedInput.scope, mergedInput.tenantId)
+
     if (
       mergedInput.scope !== policy.scope ||
       mergedInput.tenantId !== (policy.tenantId ?? null) ||
@@ -231,7 +253,7 @@ export class MfaEnforcementService {
     return policy
   }
 
-  async deletePolicy(id: string): Promise<void> {
+  async deletePolicy(id: string, actor?: EnforcementActorContext): Promise<void> {
     const policy = await this.em.findOne(MfaEnforcementPolicy, {
       id,
       deletedAt: null,
@@ -239,6 +261,7 @@ export class MfaEnforcementService {
     if (!policy) {
       throw new MfaEnforcementServiceError('Enforcement policy not found', 404)
     }
+    this.assertActorOwnsScopeFilters(actor, policy.scope, policy.tenantId ?? null)
 
     const now = new Date()
     policy.deletedAt = now
@@ -314,6 +337,23 @@ export class MfaEnforcementService {
     )
   }
 
+  private assertActorOwnsScopeFilters(
+    actor: EnforcementActorContext | undefined,
+    scope: EnforcementScope,
+    tenantId: string | null | undefined,
+  ): void {
+    if (!actor || actor.isSuperAdmin) return
+    if (scope === EnforcementScope.PLATFORM) {
+      throw new MfaEnforcementServiceError(
+        'Platform scope requires platform administrator privileges.',
+        403,
+      )
+    }
+    if (!tenantId || tenantId !== actor.tenantId) {
+      throw new MfaEnforcementServiceError('Not authorized for the requested scope.', 403)
+    }
+  }
+
   private resolveScopeFilters(
     scope: EnforcementScope,
     scopeId?: string,

package/src/modules/security/services/MfaVerificationService.ts

@@ -87,6 +87,7 @@ export class MfaVerificationService {
     context?: MfaProviderRuntimeContext,
   ): Promise<{ clientData?: Record<string, unknown> }> {
     const challenge = await this.getValidChallenge(challengeId)
+    await this.assertMethodAllowedByPolicy(challenge.userId, methodType)
     const provider = this.mfaProviderRegistry.get(methodType)
     if (!provider) {
       throw new MfaVerificationServiceError(`MFA provider '${methodType}' is not registered`, 400)
@@ -119,12 +120,10 @@ export class MfaVerificationService {
       return false
     }
 
+    await this.assertMethodAllowedByPolicy(challenge.userId, methodType)
+
     if (challenge.methodType && challenge.methodType !== methodType) {
-      challenge.attempts += 1
-      if (challenge.attempts >= this.securityConfig.mfa.maxAttempts) {
-        challenge.expiresAt = new Date()
-      }
-      await this.em.flush()
+      await this.registerFailedAttempt(challenge)
       return false
     }
 
@@ -160,11 +159,7 @@ export class MfaVerificationService {
       return true
     }
 
-    challenge.attempts += 1
-    if (challenge.attempts >= this.securityConfig.mfa.maxAttempts) {
-      challenge.expiresAt = new Date()
-    }
-    await this.em.flush()
+    await this.registerFailedAttempt(challenge)
     return false
   }
 
@@ -186,6 +181,34 @@ export class MfaVerificationService {
     return challenge
   }
 
+  private async assertMethodAllowedByPolicy(userId: string, methodType: string): Promise<void> {
+    const policy = await this.mfaEnforcementService.getEffectivePolicyForUser(userId)
+    if (!policy?.isEnforced || !policy.allowedMethods?.length) {
+      return
+    }
+    if (!policy.allowedMethods.includes(methodType)) {
+      throw new MfaVerificationServiceError(`MFA method '${methodType}' is not allowed by the enforcement policy`, 403)
+    }
+  }
+
+  private async registerFailedAttempt(challenge: MfaChallenge): Promise<void> {
+    const maxAttempts = this.securityConfig.mfa.maxAttempts
+    const rows = await this.em.getConnection().execute<Array<{ attempts: number }>>(
+      'UPDATE mfa_challenges SET attempts = attempts + 1 WHERE id = ? AND verified_at IS NULL AND attempts < ? RETURNING attempts',
+      [challenge.id, maxAttempts],
+    )
+    const updatedAttempts = rows.length > 0 ? Number(rows[0].attempts) : maxAttempts
+    challenge.attempts = updatedAttempts
+    if (updatedAttempts >= maxAttempts) {
+      const now = new Date()
+      await this.em.getConnection().execute(
+        'UPDATE mfa_challenges SET expires_at = ? WHERE id = ?',
+        [now, challenge.id],
+      )
+      challenge.expiresAt = now
+    }
+  }
+
   private async getActiveMethods(userId: string): Promise<UserMfaMethod[]> {
     const methods = await this.em.find(
       UserMfaMethod,

package/src/modules/security/services/SudoChallengeService.ts

@@ -1,4 +1,5 @@
 import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto'
+import { z } from 'zod'
 import type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'
 import { User } from '@open-mercato/core/modules/auth/data/entities'
 import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
@@ -38,14 +39,16 @@ export type SudoProtectionResolution = {
   config?: SudoChallengeConfig
 }
 
-type SignedSudoTokenPayload = {
-  sid: string
-  sub: string
-  tid: string | null
-  oid: string | null
-  tgt: string
-  exp: number
-}
+const signedSudoTokenPayloadSchema = z.object({
+  sid: z.string(),
+  sub: z.string(),
+  tid: z.string().nullable(),
+  oid: z.string().nullable(),
+  tgt: z.string(),
+  exp: z.number(),
+})
+
+type SignedSudoTokenPayload = z.infer<typeof signedSudoTokenPayloadSchema>
 
 type UserScope = {
   id: string
@@ -665,9 +668,11 @@ export class SudoChallengeService {
     if (!timingSafeEqual(signatureBuffer, expectedBuffer)) return null
 
     try {
-      const parsed = JSON.parse(Buffer.from(encodedPayload, 'base64url').toString('utf8')) as SignedSudoTokenPayload
-      if (!parsed || typeof parsed !== 'object') return null
-      return parsed
+      const parsed = signedSudoTokenPayloadSchema.safeParse(
+        JSON.parse(Buffer.from(encodedPayload, 'base64url').toString('utf8')),
+      )
+      if (!parsed.success) return null
+      return parsed.data
     } catch {
       return null
     }

package/src/modules/sso/api/callback/oidc/route.ts

@@ -4,6 +4,7 @@ import { toAbsoluteUrl } from '@open-mercato/shared/lib/url'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { SsoService } from '../../../services/ssoService'
 import { emitSsoEvent } from '../../../events'
+import { resolveSsoCallbackErrorCode } from '../../../lib/errors'
 
 export const metadata = {
   GET: { requireAuth: false },
@@ -82,8 +83,7 @@ async function handleCallback(req: Request): Promise<NextResponse> {
     void emitSsoEvent('sso.login.failed', {
       reason: err instanceof Error ? err.message : 'callback_failed',
     }).catch((e) => console.error('[SSO Event]', e))
-    const message = err instanceof Error ? err.message : ''
-    const errorCode = message.includes('email is not verified') ? 'sso_email_not_verified' : 'sso_failed'
+    const errorCode = resolveSsoCallbackErrorCode(err)
     return NextResponse.redirect(toAbsoluteUrl(req, `/login?error=${errorCode}`))
   }
 }

package/src/modules/sso/i18n/de.json

@@ -24,6 +24,7 @@
   "sso.admin.action.test": "Erkennung überprüfen",
   "sso.admin.activated": "SSO-Konfiguration aktiviert",
   "sso.admin.activity.empty": "Noch keine SSO-Anmeldeaktivität. Aktivitäten werden hier angezeigt, sobald Benutzer sich über SSO anmelden.",
+  "sso.admin.backToList": "Zurück zu SSO-Konfigurationen",
   "sso.admin.banner.activateNow": "Jetzt aktivieren",
   "sso.admin.banner.created": "Ihre SSO-Konfiguration wurde erstellt. Möchten Sie sie jetzt aktivieren?",
   "sso.admin.banner.notYet": "Noch nicht",
@@ -53,6 +54,7 @@
   "sso.admin.error.domainRemoveFailed": "Domain konnte nicht entfernt werden",
   "sso.admin.error.loadFailed": "SSO-Konfiguration konnte nicht geladen werden",
   "sso.admin.error.noDomainsForActivation": "Fügen Sie mindestens eine erlaubte E-Mail-Domain hinzu, bevor Sie aktivieren",
+  "sso.admin.error.notFound": "SSO-Konfiguration nicht gefunden.",
   "sso.admin.error.saveFailed": "SSO-Konfiguration konnte nicht gespeichert werden",
   "sso.admin.error.testFailed": "Verbindungstest fehlgeschlagen",
   "sso.admin.field.autoLinkByEmail": "Automatische Verknüpfung per E-Mail",

package/src/modules/sso/i18n/en.json

@@ -24,6 +24,7 @@
   "sso.admin.action.test": "Verify Discovery",
   "sso.admin.activated": "SSO configuration activated",
   "sso.admin.activity.empty": "No SSO login activity yet. Activity will appear here once users start logging in via SSO.",
+  "sso.admin.backToList": "Back to SSO configurations",
   "sso.admin.banner.activateNow": "Activate Now",
   "sso.admin.banner.created": "Your SSO configuration has been created. Would you like to activate it now?",
   "sso.admin.banner.notYet": "Not Yet",
@@ -53,6 +54,7 @@
   "sso.admin.error.domainRemoveFailed": "Failed to remove domain",
   "sso.admin.error.loadFailed": "Failed to load SSO configuration",
   "sso.admin.error.noDomainsForActivation": "Add at least one allowed email domain before activating",
+  "sso.admin.error.notFound": "SSO configuration not found.",
   "sso.admin.error.saveFailed": "Failed to save SSO configuration",
   "sso.admin.error.testFailed": "Connection test failed",
   "sso.admin.field.autoLinkByEmail": "Auto-link by Email",

package/src/modules/sso/i18n/es.json

@@ -24,6 +24,7 @@
   "sso.admin.action.test": "Verificar descubrimiento",
   "sso.admin.activated": "Configuración SSO activada",
   "sso.admin.activity.empty": "Aún no hay actividad de inicio de sesión SSO. La actividad aparecerá aquí cuando los usuarios comiencen a iniciar sesión a través de SSO.",
+  "sso.admin.backToList": "Volver a configuraciones SSO",
   "sso.admin.banner.activateNow": "Activar ahora",
   "sso.admin.banner.created": "Su configuración SSO ha sido creada. ¿Desea activarla ahora?",
   "sso.admin.banner.notYet": "Aún no",
@@ -53,6 +54,7 @@
   "sso.admin.error.domainRemoveFailed": "Error al eliminar dominio",
   "sso.admin.error.loadFailed": "Error al cargar la configuración SSO",
   "sso.admin.error.noDomainsForActivation": "Agregue al menos un dominio de correo electrónico permitido antes de activar",
+  "sso.admin.error.notFound": "Configuración SSO no encontrada.",
   "sso.admin.error.saveFailed": "Error al guardar la configuración SSO",
   "sso.admin.error.testFailed": "La prueba de conexión falló",
   "sso.admin.field.autoLinkByEmail": "Vinculación automática por correo electrónico",

package/src/modules/sso/i18n/pl.json

@@ -24,6 +24,7 @@
   "sso.admin.action.test": "Zweryfikuj Discovery",
   "sso.admin.activated": "Konfiguracja SSO aktywowana",
   "sso.admin.activity.empty": "Brak aktywności logowania SSO. Aktywność pojawi się tutaj, gdy użytkownicy zaczną logować się przez SSO.",
+  "sso.admin.backToList": "Wróć do konfiguracji SSO",
   "sso.admin.banner.activateNow": "Aktywuj teraz",
   "sso.admin.banner.created": "Konfiguracja SSO została utworzona. Czy chcesz ją teraz aktywować?",
   "sso.admin.banner.notYet": "Jeszcze nie",
@@ -53,6 +54,7 @@
   "sso.admin.error.domainRemoveFailed": "Nie udało się usunąć domeny",
   "sso.admin.error.loadFailed": "Nie udało się załadować konfiguracji SSO",
   "sso.admin.error.noDomainsForActivation": "Dodaj co najmniej jedną dozwoloną domenę e-mail przed aktywacją",
+  "sso.admin.error.notFound": "Nie znaleziono konfiguracji SSO.",
   "sso.admin.error.saveFailed": "Nie udało się zapisać konfiguracji SSO",
   "sso.admin.error.testFailed": "Test połączenia nie powiódł się",
   "sso.admin.field.autoLinkByEmail": "Automatyczne łączenie po e-mailu",