@stamhoofd/backend 2.67.0 → 2.69.0

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.67.0",
+    "version": "2.69.0",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -37,14 +37,14 @@
         "@simonbackx/simple-encoding": "2.19.0",
         "@simonbackx/simple-endpoints": "1.15.0",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.67.0",
-        "@stamhoofd/backend-middleware": "2.67.0",
-        "@stamhoofd/email": "2.67.0",
-        "@stamhoofd/models": "2.67.0",
-        "@stamhoofd/queues": "2.67.0",
-        "@stamhoofd/sql": "2.67.0",
-        "@stamhoofd/structures": "2.67.0",
-        "@stamhoofd/utility": "2.67.0",
+        "@stamhoofd/backend-i18n": "2.69.0",
+        "@stamhoofd/backend-middleware": "2.69.0",
+        "@stamhoofd/email": "2.69.0",
+        "@stamhoofd/models": "2.69.0",
+        "@stamhoofd/queues": "2.69.0",
+        "@stamhoofd/sql": "2.69.0",
+        "@stamhoofd/structures": "2.69.0",
+        "@stamhoofd/utility": "2.69.0",
         "archiver": "^7.0.1",
         "aws-sdk": "^2.885.0",
         "axios": "1.6.8",
@@ -64,5 +64,5 @@
     "publishConfig": {
         "access": "public"
     },
-    "gitHead": "e496701533ecdb23bf23bfe1f9d642b3bce249a9"
+    "gitHead": "1cc1c8c1109298b0c712b1e7ddf7ef37054be5a9"
 }

package/src/endpoints/auth/CreateTokenEndpoint.ts

@@ -1,7 +1,7 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
-import { EmailVerificationCode, PasswordToken, Token, User } from '@stamhoofd/models';
-import { ChallengeGrantStruct, CreateTokenStruct, PasswordGrantStruct, PasswordTokenGrantStruct, RefreshTokenGrantStruct, RequestChallengeGrantStruct, SignupResponse, Token as TokenStruct } from '@stamhoofd/structures';
+import { EmailVerificationCode, PasswordToken, Platform, Token, User } from '@stamhoofd/models';
+import { ChallengeGrantStruct, CreateTokenStruct, LoginMethod, PasswordGrantStruct, PasswordTokenGrantStruct, RefreshTokenGrantStruct, RequestChallengeGrantStruct, SignupResponse, Token as TokenStruct } from '@stamhoofd/structures';
 
 import { Context } from '../../helpers/Context';
 
@@ -81,8 +81,21 @@ export class CreateTokenEndpoint extends Endpoint<Params, Query, Body, ResponseB
             }
 
             case 'password': {
-            // Increase timout for legacy
+                // Increase timout for legacy
                 request.request.request?.setTimeout(30 * 1000);
+
+                if (STAMHOOFD.userMode === 'platform') {
+                    const platform = await Platform.getShared();
+                    if (!platform.config.loginMethods.includes(LoginMethod.Password)) {
+                        throw new SimpleError({
+                            code: 'not_supported',
+                            message: 'This platform does not support password login',
+                            human: 'Dit platform ondersteunt geen wachtwoord login',
+                            statusCode: 400,
+                        });
+                    }
+                }
+
                 const user = await User.login(organization?.id ?? null, request.body.username, request.body.password);
 
                 const errBody = {

package/src/endpoints/{organization/shared/auth → auth}/OpenIDConnectCallbackEndpoint.ts

@@ -2,8 +2,10 @@ import { AnyDecoder, Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
 
-import { Context } from '../../../../helpers/Context';
-import { OpenIDConnectHelper } from '../../../../helpers/OpenIDConnectHelper';
+import { Context } from '../../helpers/Context';
+import { OpenIDConnectHelper } from '../../helpers/OpenIDConnectHelper';
+import { OpenIDClientConfiguration } from '@stamhoofd/structures';
+import { Platform } from '@stamhoofd/models';
 
 type Params = Record<string, never>;
 type Query = undefined;
@@ -27,13 +29,21 @@ export class OpenIDConnectCallbackEndpoint extends Endpoint<Params, Query, Body,
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOrganizationScope();
-        const configuration = organization.serverMeta.ssoConfiguration;
+        const organization = await Context.setOptionalOrganizationScope();
+        let configuration: OpenIDClientConfiguration | null;
+        const platform = await Platform.getShared();
+
+        if (organization) {
+            configuration = organization.serverMeta.ssoConfiguration;
+        }
+        else {
+            configuration = platform.serverConfig.ssoConfiguration;
+        }
 
         if (!configuration) {
             throw new SimpleError({
-                code: 'invalid_configuration',
-                message: 'Invalid configuration',
+                code: 'invalid_client',
+                message: 'SSO not configured',
                 statusCode: 400,
             });
         }

package/src/endpoints/{organization/shared/auth → auth}/OpenIDConnectStartEndpoint.ts

@@ -1,11 +1,11 @@
 import { Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
-import { Webshop } from '@stamhoofd/models';
-import { StartOpenIDFlowStruct } from '@stamhoofd/structures';
+import { Platform, Webshop } from '@stamhoofd/models';
+import { OpenIDClientConfiguration, StartOpenIDFlowStruct } from '@stamhoofd/structures';
 
-import { Context } from '../../../../helpers/Context';
-import { OpenIDConnectHelper } from '../../../../helpers/OpenIDConnectHelper';
+import { Context } from '../../helpers/Context';
+import { OpenIDConnectHelper } from '../../helpers/OpenIDConnectHelper';
 
 type Params = Record<string, never>;
 type Query = undefined;
@@ -30,11 +30,28 @@ export class OpenIDConnectStartEndpoint extends Endpoint<Params, Query, Body, Re
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
         // Check webshop and/or organization
-        const organization = await Context.setOrganizationScope();
+        const organization = await Context.setOptionalOrganizationScope();
         const webshopId = request.body.webshopId;
-        let redirectUri = 'https://' + organization.getHost();
+        const platform = await Platform.getShared();
+
+        // Host should match correctly
+        let redirectUri = 'https://' + STAMHOOFD.domains.dashboard;
+
+        if (organization) {
+            redirectUri = 'https://' + organization.getHost();
+        }
+
+        // todo: also support the app as redirect uri using app schemes (could be required for mobile apps)
 
         if (webshopId) {
+            if (!organization) {
+                throw new SimpleError({
+                    code: 'invalid_organization',
+                    message: 'Organization required when specifying webshopId',
+                    statusCode: 400,
+                });
+            }
+
             const webshop = await Webshop.getByID(webshopId);
             if (!webshop || webshop.organizationId !== organization.id) {
                 throw new SimpleError({
@@ -68,7 +85,15 @@ export class OpenIDConnectStartEndpoint extends Endpoint<Params, Query, Body, Re
             });
         }
 
-        const configuration = organization.serverMeta.ssoConfiguration;
+        let configuration: OpenIDClientConfiguration | null;
+
+        if (organization) {
+            configuration = organization.serverMeta.ssoConfiguration;
+        }
+        else {
+            configuration = platform.serverConfig.ssoConfiguration;
+        }
+
         if (!configuration) {
             throw new SimpleError({
                 code: 'invalid_client',
@@ -76,7 +101,6 @@ export class OpenIDConnectStartEndpoint extends Endpoint<Params, Query, Body, Re
                 statusCode: 400,
             });
         }
-
         const helper = new OpenIDConnectHelper(organization, configuration);
         return await helper.startAuthCodeFlow(redirectUri, request.body.provider, request.body.spaState, request.body.prompt);
     }

package/src/endpoints/auth/PatchUserEndpoint.ts

@@ -109,7 +109,7 @@ export class PatchUserEndpoint extends Endpoint<Params, Query, Body, ResponseBod
             }
         }
 
-        if (editUser.id == user.id && request.body.password) {
+        if (editUser.id === user.id && request.body.password) {
             // password changes
             await editUser.changePassword(request.body.password);
             await PasswordToken.clearFor(editUser.id);

package/src/endpoints/auth/SignupEndpoint.ts

@@ -1,8 +1,8 @@
 import { Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
-import { EmailVerificationCode, PasswordToken, sendEmailTemplate, User } from '@stamhoofd/models';
-import { EmailTemplateType, NewUser, Recipient, Replacement, SignupResponse } from '@stamhoofd/structures';
+import { EmailVerificationCode, PasswordToken, Platform, sendEmailTemplate, User } from '@stamhoofd/models';
+import { EmailTemplateType, LoginMethod, NewUser, Recipient, Replacement, SignupResponse } from '@stamhoofd/structures';
 
 import { Context } from '../../helpers/Context';
 
@@ -30,6 +30,18 @@ export class SignupEndpoint extends Endpoint<Params, Query, Body, ResponseBody>
     async handle(request: DecodedRequest<Params, Query, Body>) {
         const organization = await Context.setUserOrganizationScope();
 
+        if (STAMHOOFD.userMode === 'platform') {
+            const platform = await Platform.getShared();
+            if (!platform.config.loginMethods.includes(LoginMethod.Password)) {
+                throw new SimpleError({
+                    code: 'not_supported',
+                    message: 'This platform does not support password login',
+                    human: 'Dit platform ondersteunt geen wachtwoord login',
+                    statusCode: 400,
+                });
+            }
+        }
+
         const u = await User.getForRegister(organization?.id ?? null, request.body.email);
 
         // Don't optimize. Always run two queries atm.

package/src/endpoints/{organization/dashboard/organization/GetOrganizationSSOEndpoint.ts → global/sso/GetSSOEndpoint.ts}

@@ -1,7 +1,8 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { OpenIDClientConfiguration } from '@stamhoofd/structures';
 
-import { Context } from '../../../../helpers/Context';
+import { Context } from '../../../helpers/Context';
+import { Platform } from '@stamhoofd/models';
 
 type Params = Record<string, never>;
 type Query = undefined;
@@ -18,7 +19,7 @@ export class GetOrganizationSSOEndpoint extends Endpoint<Params, Query, Body, Re
             return [false];
         }
 
-        const params = Endpoint.parseParameters(request.url, '/organization/sso', {});
+        const params = Endpoint.parseParameters(request.url, '/sso', {});
 
         if (params) {
             return [true, params as Params];
@@ -27,17 +28,18 @@ export class GetOrganizationSSOEndpoint extends Endpoint<Params, Query, Body, Re
     }
 
     async handle(_: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOrganizationScope();
+        const organization = await Context.setOptionalOrganizationScope();
         await Context.authenticate();
 
-        if (!await Context.auth.canManageSSOSettings(organization.id)) {
+        if (!await Context.auth.canManageSSOSettings(organization?.id ?? null)) {
             throw Context.auth.error();
         }
 
-        return new Response(organization.serverMeta.ssoConfiguration ?? OpenIDClientConfiguration.create({
-            clientId: '',
-            clientSecret: '',
-            issuer: '',
-        }));
+        if (organization) {
+            return new Response(organization.serverMeta.ssoConfiguration ?? OpenIDClientConfiguration.create({}));
+        }
+
+        const platform = await Platform.getShared();
+        return new Response(platform.serverConfig.ssoConfiguration ?? OpenIDClientConfiguration.create({}));
     }
 }

package/src/endpoints/global/sso/SetSSOEndpoint.ts

@@ -0,0 +1,68 @@
+import { AutoEncoderPatchType, Decoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { OpenIDClientConfiguration } from '@stamhoofd/structures';
+
+import { Context } from '../../../helpers/Context';
+import { OpenIDConnectHelper } from '../../../helpers/OpenIDConnectHelper';
+import { Platform } from '@stamhoofd/models';
+
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = AutoEncoderPatchType<OpenIDClientConfiguration>;
+type ResponseBody = OpenIDClientConfiguration;
+
+/**
+ * One endpoint to create, patch and delete groups. Usefull because on organization setup, we need to create multiple groups at once. Also, sometimes we need to link values and update multiple groups at once
+ */
+
+export class SetOrganizationSSOEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = OpenIDClientConfiguration.patchType() as Decoder<AutoEncoderPatchType<OpenIDClientConfiguration>>;
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method !== 'POST') {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, '/sso', {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOptionalOrganizationScope();
+        await Context.authenticate();
+
+        if (!await Context.auth.canManageSSOSettings(organization?.id ?? null)) {
+            throw Context.auth.error();
+        }
+
+        let newConfig: OpenIDClientConfiguration;
+
+        if (organization) {
+            newConfig = (organization.serverMeta.ssoConfiguration ?? OpenIDClientConfiguration.create({})).patch(request.body);
+
+            // Validate configuration
+            const helper = new OpenIDConnectHelper(organization, newConfig);
+            await helper.getClient();
+
+            organization.serverMeta.ssoConfiguration = newConfig;
+            await organization.save();
+        }
+        else {
+            const platform = await Platform.getShared();
+            newConfig = (platform.serverConfig.ssoConfiguration ?? OpenIDClientConfiguration.create({})).patch(request.body);
+
+            // Validate configuration
+            const helper = new OpenIDConnectHelper(null, newConfig);
+            await helper.getClient();
+
+            platform.serverConfig.ssoConfiguration = newConfig;
+            await platform.save();
+        }
+
+        return new Response(newConfig);
+    }
+}

package/src/endpoints/organization/dashboard/registration-periods/PatchOrganizationRegistrationPeriodsEndpoint.ts

@@ -243,8 +243,22 @@ export class PatchOrganizationRegistrationPeriodsEndpoint extends Endpoint<Param
         }
         const platform = await Platform.getSharedStruct();
 
-        if (platform.config.defaultAgeGroups.find(g => g.id === id)) {
-            return id;
+        const defaultAgeGroup = platform.config.defaultAgeGroups.find(g => g.id === id);
+
+        if (defaultAgeGroup) {
+            const organization = Context.organization;
+            const tags = organization?.meta.tags ?? [];
+
+            if (defaultAgeGroup.isEnabledForTags(tags)) {
+                return id;
+            }
+
+            throw new SimpleError({
+                code: 'invalid_default_age_group',
+                message: 'Invalid default age group',
+                human: 'De standaard leeftijdsgroep is niet beschikbaar voor deze organisatie',
+                statusCode: 400,
+            });
         }
 
         throw new SimpleError({

package/src/helpers/AdminPermissionChecker.ts

@@ -556,6 +556,9 @@ export class AdminPermissionChecker {
     }
 
     async canEditUserEmail(user: User) {
+        if (user.meta?.loginProviderIds?.size) {
+            return false;
+        }
         return this.canEditUserName(user);
     }
 
@@ -758,7 +761,10 @@ export class AdminPermissionChecker {
         return this.hasFullAccess(organizationId);
     }
 
-    canManageSSOSettings(organizationId: string) {
+    canManageSSOSettings(organizationId: string | null) {
+        if (!organizationId) {
+            return this.hasPlatformFullAccess();
+        }
         return this.hasFullAccess(organizationId);
     }
 

package/src/helpers/OpenIDConnectHelper.ts

@@ -30,17 +30,25 @@ type SessionContext = {
 };
 
 export class OpenIDConnectHelper {
-    organization: Organization;
+    organization: Organization | null;
     configuration: OpenIDClientConfiguration;
 
     static sessionStorage = new Map<string, SessionContext>();
 
-    constructor(organization, configuration: OpenIDClientConfiguration) {
+    constructor(organization: Organization | null, configuration: OpenIDClientConfiguration) {
         this.organization = organization;
         this.configuration = configuration;
     }
 
     get redirectUri() {
+        if (this.configuration.redirectUri) {
+            return this.configuration.redirectUri;
+        }
+        // todo: we might need a special url for the app here
+
+        if (!this.organization) {
+            return 'https://' + STAMHOOFD.domains.api + '/openid/callback';
+        }
         return 'https://' + this.organization.id + '.' + STAMHOOFD.domains.api + '/openid/callback';
     }
 
@@ -73,7 +81,7 @@ export class OpenIDConnectHelper {
         // Store
         CookieHelper.setCookie(response, 'oid_session_id', sessionId, {
             httpOnly: true,
-            secure: true,
+            secure: STAMHOOFD.environment !== 'development',
             expires: data.expires,
         });
     }
@@ -209,7 +217,7 @@ export class OpenIDConnectHelper {
             }
 
             // Get user from database
-            let user = await User.getOrganizationLevelUser(this.organization.id, claims.email);
+            let user = await User.getForRegister(this.organization?.id ?? null, claims.email);
             if (!user) {
                 // Create a new user
                 user = await User.registerSSO(this.organization, {

package/src/endpoints/organization/dashboard/organization/SetOrganizationSSOEndpoint.ts

@@ -1,50 +0,0 @@
-import { Decoder } from '@simonbackx/simple-encoding';
-import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
-import { OpenIDClientConfiguration } from '@stamhoofd/structures';
-
-import { Context } from '../../../../helpers/Context';
-import { OpenIDConnectHelper } from '../../../../helpers/OpenIDConnectHelper';
-
-type Params = Record<string, never>;
-type Query = undefined;
-type Body = OpenIDClientConfiguration;
-type ResponseBody = OpenIDClientConfiguration;
-
-/**
- * One endpoint to create, patch and delete groups. Usefull because on organization setup, we need to create multiple groups at once. Also, sometimes we need to link values and update multiple groups at once
- */
-
-export class SetOrganizationSSOEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
-    bodyDecoder = OpenIDClientConfiguration as Decoder<OpenIDClientConfiguration>;
-
-    protected doesMatch(request: Request): [true, Params] | [false] {
-        if (request.method !== 'POST') {
-            return [false];
-        }
-
-        const params = Endpoint.parseParameters(request.url, '/organization/sso', {});
-
-        if (params) {
-            return [true, params as Params];
-        }
-        return [false];
-    }
-
-    async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOrganizationScope();
-        await Context.authenticate();
-
-        if (!await Context.auth.canManageSSOSettings(organization.id)) {
-            throw Context.auth.error();
-        }
-
-        // Validate configuration
-        const helper = new OpenIDConnectHelper(organization, request.body);
-        await helper.getClient();
-
-        organization.serverMeta.ssoConfiguration = request.body;
-        await organization.save();
-
-        return new Response(request.body);
-    }
-}