feat: scope login attempts to specific subdomains if available - do not switch subdomains (#3741)

* make the user lookup in user creator sensitive to team * add team specific logic to oidc strat * factor out slugifyDomain * change type of req during auth to Koa.Context
2022-07-19 06:50:55 -07:00
parent 4ee3929e9d
commit c3f5563e7f
12 changed files with 148 additions and 64 deletions
--- a/server/commands/accountProvisioner.ts
+++ b/server/commands/accountProvisioner.ts
@@ -3,6 +3,7 @@ import { UniqueConstraintError } from "sequelize";
 import WelcomeEmail from "@server/emails/templates/WelcomeEmail";
 import {
  AuthenticationError,
+  InvalidAuthenticationError,
  EmailAuthenticationRequiredError,
  AuthenticationProviderDisabledError,
 } from "@server/errors";
@@ -20,6 +21,7 @@ type Props = {
    username?: string;
  };
  team: {
+    id?: string;
    name: string;
    domain?: string;
    subdomain: string;
@@ -56,15 +58,12 @@ async function accountProvisioner({

  try {
    result = await teamCreator({
-      name: teamParams.name,
-      domain: teamParams.domain,
-      subdomain: teamParams.subdomain,
-      avatarUrl: teamParams.avatarUrl,
+      ...teamParams,
      authenticationProvider: authenticationProviderParams,
      ip,
    });
  } catch (err) {
-    throw AuthenticationError(err.message);
+    throw InvalidAuthenticationError(err.message);
  }

  invariant(result, "Team creator result must exist");
--- a/server/commands/teamCreator.ts
+++ b/server/commands/teamCreator.ts
@@ -1,6 +1,10 @@
 import { sequelize } from "@server/database/sequelize";
 import env from "@server/env";
-import { DomainNotAllowedError, MaximumTeamsError } from "@server/errors";
+import {
+  InvalidAuthenticationError,
+  DomainNotAllowedError,
+  MaximumTeamsError,
+} from "@server/errors";
 import Logger from "@server/logging/Logger";
 import { APM } from "@server/logging/tracing";
 import { Team, AuthenticationProvider, Event } from "@server/models";
@@ -13,6 +17,7 @@ type TeamCreatorResult = {
 };

 type Props = {
+  id?: string;
  name: string;
  domain?: string;
  subdomain: string;
@@ -25,6 +30,7 @@ type Props = {
 };

 async function teamCreator({
+  id,
  name,
  domain,
  subdomain,
@@ -33,7 +39,9 @@ async function teamCreator({
  ip,
 }: Props): Promise<TeamCreatorResult> {
  let authP = await AuthenticationProvider.findOne({
-    where: authenticationProvider,
+    where: id
+      ? { ...authenticationProvider, teamId: id }
+      : authenticationProvider,
    include: [
      {
        model: Team,
@@ -52,6 +60,11 @@ async function teamCreator({
      isNewTeam: false,
    };
  }
+  // A team id was provided but no auth provider was found matching those credentials
+  // The user is attempting to log into a team with an incorrect SSO - fail the login
+  else if (id) {
+    throw InvalidAuthenticationError("incorrect authentication credentials");
+  }

  // This team has never been seen before, if self hosted the logic is different
  // to the multi-tenant version, we want to restrict to a single team that MAY
--- a/server/commands/userCreator.ts
+++ b/server/commands/userCreator.ts
@@ -47,6 +47,8 @@ export default async function userCreator({
      {
        model: User,
        as: "user",
+        where: { teamId },
+        required: true,
      },
    ],
  });