@stamhoofd/backend 2.67.0 → 2.68.0

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.67.0",
+    "version": "2.68.0",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -37,14 +37,14 @@
         "@simonbackx/simple-encoding": "2.19.0",
         "@simonbackx/simple-endpoints": "1.15.0",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.67.0",
-        "@stamhoofd/backend-middleware": "2.67.0",
-        "@stamhoofd/email": "2.67.0",
-        "@stamhoofd/models": "2.67.0",
-        "@stamhoofd/queues": "2.67.0",
-        "@stamhoofd/sql": "2.67.0",
-        "@stamhoofd/structures": "2.67.0",
-        "@stamhoofd/utility": "2.67.0",
+        "@stamhoofd/backend-i18n": "2.68.0",
+        "@stamhoofd/backend-middleware": "2.68.0",
+        "@stamhoofd/email": "2.68.0",
+        "@stamhoofd/models": "2.68.0",
+        "@stamhoofd/queues": "2.68.0",
+        "@stamhoofd/sql": "2.68.0",
+        "@stamhoofd/structures": "2.68.0",
+        "@stamhoofd/utility": "2.68.0",
         "archiver": "^7.0.1",
         "aws-sdk": "^2.885.0",
         "axios": "1.6.8",
@@ -64,5 +64,5 @@
     "publishConfig": {
         "access": "public"
     },
-    "gitHead": "e496701533ecdb23bf23bfe1f9d642b3bce249a9"
+    "gitHead": "6356e14541b66873ca0d2ccd4b660825ac39a7fd"
 }

package/src/endpoints/{organization/shared/auth → auth}/OpenIDConnectCallbackEndpoint.ts

@@ -2,8 +2,10 @@ import { AnyDecoder, Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
 
-import { Context } from '../../../../helpers/Context';
-import { OpenIDConnectHelper } from '../../../../helpers/OpenIDConnectHelper';
+import { Context } from '../../helpers/Context';
+import { OpenIDConnectHelper } from '../../helpers/OpenIDConnectHelper';
+import { OpenIDClientConfiguration } from '@stamhoofd/structures';
+import { Platform } from '@stamhoofd/models';
 
 type Params = Record<string, never>;
 type Query = undefined;
@@ -27,13 +29,21 @@ export class OpenIDConnectCallbackEndpoint extends Endpoint<Params, Query, Body,
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOrganizationScope();
-        const configuration = organization.serverMeta.ssoConfiguration;
+        const organization = await Context.setOptionalOrganizationScope();
+        let configuration: OpenIDClientConfiguration | null;
+        const platform = await Platform.getShared();
+
+        if (organization) {
+            configuration = organization.serverMeta.ssoConfiguration;
+        }
+        else {
+            configuration = platform.serverConfig.ssoConfiguration;
+        }
 
         if (!configuration) {
             throw new SimpleError({
-                code: 'invalid_configuration',
-                message: 'Invalid configuration',
+                code: 'invalid_client',
+                message: 'SSO not configured',
                 statusCode: 400,
             });
         }

package/src/endpoints/{organization/shared/auth → auth}/OpenIDConnectStartEndpoint.ts

@@ -1,11 +1,11 @@
 import { Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
-import { Webshop } from '@stamhoofd/models';
-import { StartOpenIDFlowStruct } from '@stamhoofd/structures';
+import { Platform, Webshop } from '@stamhoofd/models';
+import { OpenIDClientConfiguration, StartOpenIDFlowStruct } from '@stamhoofd/structures';
 
-import { Context } from '../../../../helpers/Context';
-import { OpenIDConnectHelper } from '../../../../helpers/OpenIDConnectHelper';
+import { Context } from '../../helpers/Context';
+import { OpenIDConnectHelper } from '../../helpers/OpenIDConnectHelper';
 
 type Params = Record<string, never>;
 type Query = undefined;
@@ -30,11 +30,28 @@ export class OpenIDConnectStartEndpoint extends Endpoint<Params, Query, Body, Re
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
         // Check webshop and/or organization
-        const organization = await Context.setOrganizationScope();
+        const organization = await Context.setOptionalOrganizationScope();
         const webshopId = request.body.webshopId;
-        let redirectUri = 'https://' + organization.getHost();
+        const platform = await Platform.getShared();
+
+        // Host should match correctly
+        let redirectUri = 'https://' + STAMHOOFD.domains.dashboard;
+
+        if (organization) {
+            redirectUri = 'https://' + organization.getHost();
+        }
+
+        // todo: also support the app as redirect uri using app schemes (could be required for mobile apps)
 
         if (webshopId) {
+            if (!organization) {
+                throw new SimpleError({
+                    code: 'invalid_organization',
+                    message: 'Organization required when specifying webshopId',
+                    statusCode: 400,
+                });
+            }
+
             const webshop = await Webshop.getByID(webshopId);
             if (!webshop || webshop.organizationId !== organization.id) {
                 throw new SimpleError({
@@ -68,7 +85,15 @@ export class OpenIDConnectStartEndpoint extends Endpoint<Params, Query, Body, Re
             });
         }
 
-        const configuration = organization.serverMeta.ssoConfiguration;
+        let configuration: OpenIDClientConfiguration | null;
+
+        if (organization) {
+            configuration = organization.serverMeta.ssoConfiguration;
+        }
+        else {
+            configuration = platform.serverConfig.ssoConfiguration;
+        }
+
         if (!configuration) {
             throw new SimpleError({
                 code: 'invalid_client',
@@ -76,7 +101,6 @@ export class OpenIDConnectStartEndpoint extends Endpoint<Params, Query, Body, Re
                 statusCode: 400,
             });
         }
-
         const helper = new OpenIDConnectHelper(organization, configuration);
         return await helper.startAuthCodeFlow(redirectUri, request.body.provider, request.body.spaState, request.body.prompt);
     }

package/src/endpoints/{organization/dashboard/organization/GetOrganizationSSOEndpoint.ts → global/sso/GetSSOEndpoint.ts}

@@ -1,7 +1,8 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { OpenIDClientConfiguration } from '@stamhoofd/structures';
 
-import { Context } from '../../../../helpers/Context';
+import { Context } from '../../../helpers/Context';
+import { Platform } from '@stamhoofd/models';
 
 type Params = Record<string, never>;
 type Query = undefined;
@@ -18,7 +19,7 @@ export class GetOrganizationSSOEndpoint extends Endpoint<Params, Query, Body, Re
             return [false];
         }
 
-        const params = Endpoint.parseParameters(request.url, '/organization/sso', {});
+        const params = Endpoint.parseParameters(request.url, '/sso', {});
 
         if (params) {
             return [true, params as Params];
@@ -27,17 +28,18 @@ export class GetOrganizationSSOEndpoint extends Endpoint<Params, Query, Body, Re
     }
 
     async handle(_: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOrganizationScope();
+        const organization = await Context.setOptionalOrganizationScope();
         await Context.authenticate();
 
-        if (!await Context.auth.canManageSSOSettings(organization.id)) {
+        if (!await Context.auth.canManageSSOSettings(organization?.id ?? null)) {
             throw Context.auth.error();
         }
 
-        return new Response(organization.serverMeta.ssoConfiguration ?? OpenIDClientConfiguration.create({
-            clientId: '',
-            clientSecret: '',
-            issuer: '',
-        }));
+        if (organization) {
+            return new Response(organization.serverMeta.ssoConfiguration ?? OpenIDClientConfiguration.create({}));
+        }
+
+        const platform = await Platform.getShared();
+        return new Response(platform.serverConfig.ssoConfiguration ?? OpenIDClientConfiguration.create({}));
     }
 }

package/src/endpoints/global/sso/SetSSOEndpoint.ts

@@ -0,0 +1,68 @@
+import { AutoEncoderPatchType, Decoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { OpenIDClientConfiguration } from '@stamhoofd/structures';
+
+import { Context } from '../../../helpers/Context';
+import { OpenIDConnectHelper } from '../../../helpers/OpenIDConnectHelper';
+import { Platform } from '@stamhoofd/models';
+
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = AutoEncoderPatchType<OpenIDClientConfiguration>;
+type ResponseBody = OpenIDClientConfiguration;
+
+/**
+ * One endpoint to create, patch and delete groups. Usefull because on organization setup, we need to create multiple groups at once. Also, sometimes we need to link values and update multiple groups at once
+ */
+
+export class SetOrganizationSSOEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = OpenIDClientConfiguration.patchType() as Decoder<AutoEncoderPatchType<OpenIDClientConfiguration>>;
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method !== 'POST') {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, '/sso', {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOptionalOrganizationScope();
+        await Context.authenticate();
+
+        if (!await Context.auth.canManageSSOSettings(organization?.id ?? null)) {
+            throw Context.auth.error();
+        }
+
+        let newConfig: OpenIDClientConfiguration;
+
+        if (organization) {
+            newConfig = (organization.serverMeta.ssoConfiguration ?? OpenIDClientConfiguration.create({})).patch(request.body);
+
+            // Validate configuration
+            const helper = new OpenIDConnectHelper(organization, newConfig);
+            await helper.getClient();
+
+            organization.serverMeta.ssoConfiguration = newConfig;
+            await organization.save();
+        }
+        else {
+            const platform = await Platform.getShared();
+            newConfig = (platform.serverConfig.ssoConfiguration ?? OpenIDClientConfiguration.create({})).patch(request.body);
+
+            // Validate configuration
+            const helper = new OpenIDConnectHelper(null, newConfig);
+            await helper.getClient();
+
+            platform.serverConfig.ssoConfiguration = newConfig;
+            await platform.save();
+        }
+
+        return new Response(newConfig);
+    }
+}

package/src/endpoints/organization/dashboard/registration-periods/PatchOrganizationRegistrationPeriodsEndpoint.ts

@@ -243,8 +243,22 @@ export class PatchOrganizationRegistrationPeriodsEndpoint extends Endpoint<Param
         }
         const platform = await Platform.getSharedStruct();
 
-        if (platform.config.defaultAgeGroups.find(g => g.id === id)) {
-            return id;
+        const defaultAgeGroup = platform.config.defaultAgeGroups.find(g => g.id === id);
+
+        if (defaultAgeGroup) {
+            const organization = Context.organization;
+            const tags = organization?.meta.tags ?? [];
+
+            if (defaultAgeGroup.isEnabledForTags(tags)) {
+                return id;
+            }
+
+            throw new SimpleError({
+                code: 'invalid_default_age_group',
+                message: 'Invalid default age group',
+                human: 'De standaard leeftijdsgroep is niet beschikbaar voor deze organisatie',
+                statusCode: 400,
+            });
         }
 
         throw new SimpleError({

package/src/helpers/AdminPermissionChecker.ts

@@ -758,7 +758,10 @@ export class AdminPermissionChecker {
         return this.hasFullAccess(organizationId);
     }
 
-    canManageSSOSettings(organizationId: string) {
+    canManageSSOSettings(organizationId: string | null) {
+        if (!organizationId) {
+            return this.hasPlatformFullAccess();
+        }
         return this.hasFullAccess(organizationId);
     }
 

package/src/helpers/OpenIDConnectHelper.ts

@@ -30,17 +30,22 @@ type SessionContext = {
 };
 
 export class OpenIDConnectHelper {
-    organization: Organization;
+    organization: Organization | null;
     configuration: OpenIDClientConfiguration;
 
     static sessionStorage = new Map<string, SessionContext>();
 
-    constructor(organization, configuration: OpenIDClientConfiguration) {
+    constructor(organization: Organization | null, configuration: OpenIDClientConfiguration) {
         this.organization = organization;
         this.configuration = configuration;
     }
 
     get redirectUri() {
+        // todo: we might need a special url for the app here
+
+        if (!this.organization) {
+            return 'https://' + STAMHOOFD.domains.api + '/openid/callback';
+        }
         return 'https://' + this.organization.id + '.' + STAMHOOFD.domains.api + '/openid/callback';
     }
 
@@ -209,7 +214,7 @@ export class OpenIDConnectHelper {
             }
 
             // Get user from database
-            let user = await User.getOrganizationLevelUser(this.organization.id, claims.email);
+            let user = await User.getForRegister(this.organization?.id ?? null, claims.email);
             if (!user) {
                 // Create a new user
                 user = await User.registerSSO(this.organization, {

package/src/endpoints/organization/dashboard/organization/SetOrganizationSSOEndpoint.ts

@@ -1,50 +0,0 @@
-import { Decoder } from '@simonbackx/simple-encoding';
-import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
-import { OpenIDClientConfiguration } from '@stamhoofd/structures';
-
-import { Context } from '../../../../helpers/Context';
-import { OpenIDConnectHelper } from '../../../../helpers/OpenIDConnectHelper';
-
-type Params = Record<string, never>;
-type Query = undefined;
-type Body = OpenIDClientConfiguration;
-type ResponseBody = OpenIDClientConfiguration;
-
-/**
- * One endpoint to create, patch and delete groups. Usefull because on organization setup, we need to create multiple groups at once. Also, sometimes we need to link values and update multiple groups at once
- */
-
-export class SetOrganizationSSOEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
-    bodyDecoder = OpenIDClientConfiguration as Decoder<OpenIDClientConfiguration>;
-
-    protected doesMatch(request: Request): [true, Params] | [false] {
-        if (request.method !== 'POST') {
-            return [false];
-        }
-
-        const params = Endpoint.parseParameters(request.url, '/organization/sso', {});
-
-        if (params) {
-            return [true, params as Params];
-        }
-        return [false];
-    }
-
-    async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOrganizationScope();
-        await Context.authenticate();
-
-        if (!await Context.auth.canManageSSOSettings(organization.id)) {
-            throw Context.auth.error();
-        }
-
-        // Validate configuration
-        const helper = new OpenIDConnectHelper(organization, request.body);
-        await helper.getClient();
-
-        organization.serverMeta.ssoConfiguration = request.body;
-        await organization.save();
-
-        return new Response(request.body);
-    }
-}