feat: Validate Google, Azure, OIDC SSO access (#3590)

* chore: Store expiresAt on UserAuthentications. This represents the time at which the accessToken is no longer valid and should be exchanged using the refreshToken

* feat: Check and expire Google SSO

* fix: Better handling of multiple auth methods
Added more docs

* fix: Retry access validation with network errors

* Small refactor, add Azure token validation support

* doc

* test

* lint

* OIDC refresh support

* CheckSSOAccessTask -> ValidateSSOAccessTask
Added lastValidatedAt column
Skip checks if validated within 5min
Some edge cases around encrypted columns
This commit is contained in:
Tom Moor
2022-06-05 13:18:51 -07:00
committed by GitHub
parent c4c5b6289e
commit 728790e38f
19 changed files with 413 additions and 14 deletions


@@ -1,3 +1,4 @@
import { isNil } from "lodash";
import vaults from "@server/database/vaults";
import Logger from "@server/logging/Logger";
@@ -19,6 +20,9 @@ export function getEncryptedColumn(target: any, propertyKey: string): string {
try {
return Reflect.getMetadata(key, target, propertyKey).get.call(target);
} catch (err) {
if (err.message.includes("Unexpected end of JSON input")) {
return "";
}
if (err.message.includes("bad decrypt")) {
Logger.error(
`Failed to decrypt database column (${propertyKey}). The SECRET_KEY environment variable may have changed since installation.`,
@@ -39,5 +43,9 @@ export function setEncryptedColumn(
propertyKey: string,
value: string
) {
Reflect.getMetadata(key, target, propertyKey).set.call(target, value);
if (isNil(value)) {
target.setDataValue(propertyKey, value);
} else {
Reflect.getMetadata(key, target, propertyKey).set.call(target, value);
}
}
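Review bot: The new `if (err.message.includes("Unexpected end of JSON input"))` branch in the second hunk keys a silent `return ""` on the text of a runtime error message, which also swallows a genuinely truncated or corrupted ciphertext instead of surfacing it the way the "bad decrypt" branch below it does; under `strict` the catch variable is `unknown`, so the access to `err.message` is not narrowed either. Since the third hunk now stores nil values raw via `setDataValue`, the empty case can be detected before decryption rather than inferred from the parser's wording, e.g. `const raw = target.getDataValue(propertyKey);` followed by `if (isNil(raw) || raw === "") return "";` ahead of the `try`, leaving the catch to narrow with `if (err instanceof Error && err.message.includes("bad decrypt"))`. The message text is presumably V8-specific and may differ across Node versions, so the substring match is fragile on its own; getEncryptedColumn's signature and the remainder of its catch block lie outside the hunk. In the third hunk, `setEncryptedColumn` is still declared with `value: string` while the body now branches on `isNil(value)`; the parameter type should say what it accepts, `value: string | null | undefined`.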