From cff67f4ca71b7222b12fa5eae256c636a9456d70 Mon Sep 17 00:00:00 2001 From: Tom Moor Date: Fri, 11 Nov 2022 19:19:46 -0800 Subject: [PATCH] fix: Self-hosted logic for allowed domains (#4412) * fix: Self-hosted logic for allowed domains * test --- server/commands/accountProvisioner.test.ts | 535 +++++++++++---------- server/commands/teamProvisioner.test.ts | 221 ++++----- server/commands/teamProvisioner.ts | 12 +- 3 files changed, 390 insertions(+), 378 deletions(-) diff --git a/server/commands/accountProvisioner.test.ts b/server/commands/accountProvisioner.test.ts index 12eff1e1d..a70b34704 100644 --- a/server/commands/accountProvisioner.test.ts +++ b/server/commands/accountProvisioner.test.ts @@ -12,159 +12,72 @@ setupTestDatabase(); describe("accountProvisioner", () => { const ip = "127.0.0.1"; - it("should create a new user and team", async () => { - env.DEPLOYMENT = "hosted"; - - const spy = jest.spyOn(WelcomeEmail, "schedule"); - const { user, team, isNewTeam, isNewUser } = await accountProvisioner({ - ip, - user: { - name: "Jenny Tester", - email: "jenny@example-company.com", - avatarUrl: "https://example.com/avatar.png", - username: "jtester", - }, - team: { - name: "New workspace", - avatarUrl: "https://example.com/avatar.png", - subdomain: "example", - }, - authenticationProvider: { - name: "google", - providerId: "example-company.com", - }, - authentication: { - providerId: "123456789", - accessToken: "123", - scopes: ["read"], - }, - }); - const authentications = await user.$get("authentications"); - const auth = authentications[0]; - expect(auth.accessToken).toEqual("123"); - expect(auth.scopes.length).toEqual(1); - expect(auth.scopes[0]).toEqual("read"); - expect(team.name).toEqual("New workspace"); - expect(user.email).toEqual("jenny@example-company.com"); - expect(user.username).toEqual("jtester"); - expect(isNewUser).toEqual(true); - expect(isNewTeam).toEqual(true); - expect(spy).toHaveBeenCalled(); - const collectionCount = await Collection.count(); - expect(collectionCount).toEqual(1); - - spy.mockRestore(); - }); - - it("should update exising user and authentication", async () => { - const spy = jest.spyOn(WelcomeEmail, "schedule"); - const existingTeam = await buildTeam(); - const providers = await existingTeam.$get("authenticationProviders"); - const authenticationProvider = providers[0]; - const existing = await buildUser({ - teamId: existingTeam.id, - }); - const authentications = await existing.$get("authentications"); - const authentication = authentications[0]; - const newEmail = "test@example-company.com"; - const newUsername = "tname"; - const { user, isNewUser, isNewTeam } = await accountProvisioner({ - ip, - user: { - name: existing.name, - email: newEmail, - avatarUrl: existing.avatarUrl, - username: newUsername, - }, - team: { - name: existingTeam.name, - avatarUrl: existingTeam.avatarUrl, - subdomain: "example", - }, - authenticationProvider: { - name: authenticationProvider.name, - providerId: authenticationProvider.providerId, - }, - authentication: { - providerId: authentication.providerId, - accessToken: "123", - scopes: ["read"], - }, - }); - const auth = await UserAuthentication.findByPk(authentication.id); - expect(auth?.accessToken).toEqual("123"); - expect(auth?.scopes.length).toEqual(1); - expect(auth?.scopes[0]).toEqual("read"); - expect(user.email).toEqual(newEmail); - expect(user.username).toEqual(newUsername); - expect(isNewTeam).toEqual(false); - expect(isNewUser).toEqual(false); - expect(spy).not.toHaveBeenCalled(); - const collectionCount = await Collection.count(); - expect(collectionCount).toEqual(0); - - spy.mockRestore(); - }); - - it("should allow authentication by email matching", async () => { - const existingTeam = await buildTeam(); - const providers = await existingTeam.$get("authenticationProviders"); - const authenticationProvider = providers[0]; - const userWithoutAuth = await buildUser({ - email: "email@example.com", - teamId: existingTeam.id, - authentications: [], + describe("hosted", () => { + beforeEach(() => { + env.DEPLOYMENT = "hosted"; }); - const { user, isNewUser, isNewTeam } = await accountProvisioner({ - ip, - user: { - name: userWithoutAuth.name, - email: "email@example.com", - avatarUrl: userWithoutAuth.avatarUrl, - }, - team: { - name: existingTeam.name, - avatarUrl: existingTeam.avatarUrl, - subdomain: "example", - }, - authenticationProvider: { - name: authenticationProvider.name, - providerId: authenticationProvider.providerId, - }, - authentication: { - providerId: "anything", - accessToken: "123", - scopes: ["read"], - }, - }); - expect(user.id).toEqual(userWithoutAuth.id); - expect(isNewTeam).toEqual(false); - expect(isNewUser).toEqual(false); - expect(user.authentications.length).toEqual(0); - }); + it("should create a new user and team", async () => { + const spy = jest.spyOn(WelcomeEmail, "schedule"); + const { user, team, isNewTeam, isNewUser } = await accountProvisioner({ + ip, + user: { + name: "Jenny Tester", + email: "jenny@example-company.com", + avatarUrl: "https://example.com/avatar.png", + username: "jtester", + }, + team: { + name: "New workspace", + avatarUrl: "https://example.com/avatar.png", + subdomain: "example", + }, + authenticationProvider: { + name: "google", + providerId: "example-company.com", + }, + authentication: { + providerId: "123456789", + accessToken: "123", + scopes: ["read"], + }, + }); + const authentications = await user.$get("authentications"); + const auth = authentications[0]; + expect(auth.accessToken).toEqual("123"); + expect(auth.scopes.length).toEqual(1); + expect(auth.scopes[0]).toEqual("read"); + expect(team.name).toEqual("New workspace"); + expect(user.email).toEqual("jenny@example-company.com"); + expect(user.username).toEqual("jtester"); + expect(isNewUser).toEqual(true); + expect(isNewTeam).toEqual(true); + expect(spy).toHaveBeenCalled(); + const collectionCount = await Collection.count(); + expect(collectionCount).toEqual(1); - it("should throw an error when authentication provider is disabled", async () => { - const existingTeam = await buildTeam(); - const providers = await existingTeam.$get("authenticationProviders"); - const authenticationProvider = providers[0]; - await authenticationProvider.update({ - enabled: false, + spy.mockRestore(); }); - const existing = await buildUser({ - teamId: existingTeam.id, - }); - const authentications = await existing.$get("authentications"); - const authentication = authentications[0]; - let error; - try { - await accountProvisioner({ + it("should update exising user and authentication", async () => { + const spy = jest.spyOn(WelcomeEmail, "schedule"); + const existingTeam = await buildTeam(); + const providers = await existingTeam.$get("authenticationProviders"); + const authenticationProvider = providers[0]; + const existing = await buildUser({ + teamId: existingTeam.id, + }); + const authentications = await existing.$get("authentications"); + const authentication = authentications[0]; + const newEmail = "test@example-company.com"; + const newUsername = "tname"; + const { user, isNewUser, isNewTeam } = await accountProvisioner({ ip, user: { name: existing.name, - email: existing.email!, + email: newEmail, avatarUrl: existing.avatarUrl, + username: newUsername, }, team: { name: existingTeam.name, @@ -181,28 +94,161 @@ describe("accountProvisioner", () => { scopes: ["read"], }, }); - } catch (err) { - error = err; - } + const auth = await UserAuthentication.findByPk(authentication.id); + expect(auth?.accessToken).toEqual("123"); + expect(auth?.scopes.length).toEqual(1); + expect(auth?.scopes[0]).toEqual("read"); + expect(user.email).toEqual(newEmail); + expect(user.username).toEqual(newUsername); + expect(isNewTeam).toEqual(false); + expect(isNewUser).toEqual(false); + expect(spy).not.toHaveBeenCalled(); + const collectionCount = await Collection.count(); + expect(collectionCount).toEqual(0); - expect(error).toBeTruthy(); - }); - - it("should throw an error when the domain is not allowed", async () => { - const { admin, team: existingTeam } = await seed(); - const providers = await existingTeam.$get("authenticationProviders"); - const authenticationProvider = providers[0]; - - await TeamDomain.create({ - teamId: existingTeam.id, - name: "other.com", - createdById: admin.id, + spy.mockRestore(); }); - let error; + it("should allow authentication by email matching", async () => { + const existingTeam = await buildTeam(); + const providers = await existingTeam.$get("authenticationProviders"); + const authenticationProvider = providers[0]; + const userWithoutAuth = await buildUser({ + email: "email@example.com", + teamId: existingTeam.id, + authentications: [], + }); - try { - await accountProvisioner({ + const { user, isNewUser, isNewTeam } = await accountProvisioner({ + ip, + user: { + name: userWithoutAuth.name, + email: "email@example.com", + avatarUrl: userWithoutAuth.avatarUrl, + }, + team: { + name: existingTeam.name, + avatarUrl: existingTeam.avatarUrl, + subdomain: "example", + }, + authenticationProvider: { + name: authenticationProvider.name, + providerId: authenticationProvider.providerId, + }, + authentication: { + providerId: "anything", + accessToken: "123", + scopes: ["read"], + }, + }); + expect(user.id).toEqual(userWithoutAuth.id); + expect(isNewTeam).toEqual(false); + expect(isNewUser).toEqual(false); + expect(user.authentications.length).toEqual(0); + }); + + it("should throw an error when authentication provider is disabled", async () => { + const existingTeam = await buildTeam(); + const providers = await existingTeam.$get("authenticationProviders"); + const authenticationProvider = providers[0]; + await authenticationProvider.update({ + enabled: false, + }); + const existing = await buildUser({ + teamId: existingTeam.id, + }); + const authentications = await existing.$get("authentications"); + const authentication = authentications[0]; + let error; + + try { + await accountProvisioner({ + ip, + user: { + name: existing.name, + email: existing.email!, + avatarUrl: existing.avatarUrl, + }, + team: { + name: existingTeam.name, + avatarUrl: existingTeam.avatarUrl, + subdomain: "example", + }, + authenticationProvider: { + name: authenticationProvider.name, + providerId: authenticationProvider.providerId, + }, + authentication: { + providerId: authentication.providerId, + accessToken: "123", + scopes: ["read"], + }, + }); + } catch (err) { + error = err; + } + + expect(error).toBeTruthy(); + }); + + it("should throw an error when the domain is not allowed", async () => { + const { admin, team: existingTeam } = await seed(); + const providers = await existingTeam.$get("authenticationProviders"); + const authenticationProvider = providers[0]; + + await TeamDomain.create({ + teamId: existingTeam.id, + name: "other.com", + createdById: admin.id, + }); + + let error; + + try { + await accountProvisioner({ + ip, + user: { + name: "Jenny Tester", + email: "jenny@example-company.com", + avatarUrl: "https://example.com/avatar.png", + username: "jtester", + }, + team: { + name: existingTeam.name, + avatarUrl: existingTeam.avatarUrl, + subdomain: "example", + }, + authenticationProvider: { + name: authenticationProvider.name, + providerId: authenticationProvider.providerId, + }, + authentication: { + providerId: "123456789", + accessToken: "123", + scopes: ["read"], + }, + }); + } catch (err) { + error = err; + } + + expect(error).toBeTruthy(); + }); + + it("should create a new user in an existing team when the domain is allowed", async () => { + const spy = jest.spyOn(WelcomeEmail, "schedule"); + const { admin, team } = await seed(); + const authenticationProviders = await team.$get( + "authenticationProviders" + ); + const authenticationProvider = authenticationProviders[0]; + await TeamDomain.create({ + teamId: team.id, + name: "example-company.com", + createdById: admin.id, + }); + + const { user, isNewUser } = await accountProvisioner({ ip, user: { name: "Jenny Tester", @@ -211,8 +257,8 @@ describe("accountProvisioner", () => { username: "jtester", }, team: { - name: existingTeam.name, - avatarUrl: existingTeam.avatarUrl, + name: team.name, + avatarUrl: team.avatarUrl, subdomain: "example", }, authenticationProvider: { @@ -225,110 +271,75 @@ describe("accountProvisioner", () => { scopes: ["read"], }, }); - } catch (err) { - error = err; - } + const authentications = await user.$get("authentications"); + const auth = authentications[0]; + expect(auth.accessToken).toEqual("123"); + expect(auth.scopes.length).toEqual(1); + expect(auth.scopes[0]).toEqual("read"); + expect(user.email).toEqual("jenny@example-company.com"); + expect(user.username).toEqual("jtester"); + expect(isNewUser).toEqual(true); + expect(spy).toHaveBeenCalled(); + // should provision welcome collection + const collectionCount = await Collection.count(); + expect(collectionCount).toEqual(1); - expect(error).toBeTruthy(); - }); - - it("should create a new user in an existing team when the domain is allowed", async () => { - const spy = jest.spyOn(WelcomeEmail, "schedule"); - const { admin, team } = await seed(); - const authenticationProviders = await team.$get("authenticationProviders"); - const authenticationProvider = authenticationProviders[0]; - await TeamDomain.create({ - teamId: team.id, - name: "example-company.com", - createdById: admin.id, + spy.mockRestore(); }); - const { user, isNewUser } = await accountProvisioner({ - ip, - user: { - name: "Jenny Tester", - email: "jenny@example-company.com", - avatarUrl: "https://example.com/avatar.png", - username: "jtester", - }, - team: { - name: team.name, - avatarUrl: team.avatarUrl, - subdomain: "example", - }, - authenticationProvider: { - name: authenticationProvider.name, - providerId: authenticationProvider.providerId, - }, - authentication: { - providerId: "123456789", - accessToken: "123", - scopes: ["read"], - }, + it("should create a new user in an existing team", async () => { + const spy = jest.spyOn(WelcomeEmail, "schedule"); + const team = await buildTeam(); + const authenticationProviders = await team.$get( + "authenticationProviders" + ); + const authenticationProvider = authenticationProviders[0]; + const { user, isNewUser } = await accountProvisioner({ + ip, + user: { + name: "Jenny Tester", + email: "jenny@example-company.com", + avatarUrl: "https://example.com/avatar.png", + username: "jtester", + }, + team: { + name: team.name, + avatarUrl: team.avatarUrl, + subdomain: "example", + }, + authenticationProvider: { + name: authenticationProvider.name, + providerId: authenticationProvider.providerId, + }, + authentication: { + providerId: "123456789", + accessToken: "123", + scopes: ["read"], + }, + }); + const authentications = await user.$get("authentications"); + const auth = authentications[0]; + expect(auth.accessToken).toEqual("123"); + expect(auth.scopes.length).toEqual(1); + expect(auth.scopes[0]).toEqual("read"); + expect(user.email).toEqual("jenny@example-company.com"); + expect(user.username).toEqual("jtester"); + expect(isNewUser).toEqual(true); + expect(spy).toHaveBeenCalled(); + // should provision welcome collection + const collectionCount = await Collection.count(); + expect(collectionCount).toEqual(1); + + spy.mockRestore(); }); - const authentications = await user.$get("authentications"); - const auth = authentications[0]; - expect(auth.accessToken).toEqual("123"); - expect(auth.scopes.length).toEqual(1); - expect(auth.scopes[0]).toEqual("read"); - expect(user.email).toEqual("jenny@example-company.com"); - expect(user.username).toEqual("jtester"); - expect(isNewUser).toEqual(true); - expect(spy).toHaveBeenCalled(); - // should provision welcome collection - const collectionCount = await Collection.count(); - expect(collectionCount).toEqual(1); - - spy.mockRestore(); - }); - - it("should create a new user in an existing team", async () => { - const spy = jest.spyOn(WelcomeEmail, "schedule"); - const team = await buildTeam(); - const authenticationProviders = await team.$get("authenticationProviders"); - const authenticationProvider = authenticationProviders[0]; - const { user, isNewUser } = await accountProvisioner({ - ip, - user: { - name: "Jenny Tester", - email: "jenny@example-company.com", - avatarUrl: "https://example.com/avatar.png", - username: "jtester", - }, - team: { - name: team.name, - avatarUrl: team.avatarUrl, - subdomain: "example", - }, - authenticationProvider: { - name: authenticationProvider.name, - providerId: authenticationProvider.providerId, - }, - authentication: { - providerId: "123456789", - accessToken: "123", - scopes: ["read"], - }, - }); - const authentications = await user.$get("authentications"); - const auth = authentications[0]; - expect(auth.accessToken).toEqual("123"); - expect(auth.scopes.length).toEqual(1); - expect(auth.scopes[0]).toEqual("read"); - expect(user.email).toEqual("jenny@example-company.com"); - expect(user.username).toEqual("jtester"); - expect(isNewUser).toEqual(true); - expect(spy).toHaveBeenCalled(); - // should provision welcome collection - const collectionCount = await Collection.count(); - expect(collectionCount).toEqual(1); - - spy.mockRestore(); }); describe("self hosted", () => { - it("should fail if existing team and domain not in allowed list", async () => { + beforeEach(() => { env.DEPLOYMENT = undefined; + }); + + it("should fail if existing team and domain not in allowed list", async () => { let error; const team = await buildTeam(); @@ -342,6 +353,7 @@ describe("accountProvisioner", () => { username: "jtester", }, team: { + teamId: team.id, name: team.name, avatarUrl: team.avatarUrl, subdomain: "example", @@ -366,8 +378,6 @@ describe("accountProvisioner", () => { }); it("should always use existing team if self-hosted", async () => { - env.DEPLOYMENT = undefined; - const team = await buildTeam(); const { user, isNewUser } = await accountProvisioner({ ip, @@ -378,6 +388,7 @@ describe("accountProvisioner", () => { username: "jtester", }, team: { + teamId: team.id, name: team.name, avatarUrl: team.avatarUrl, subdomain: "example", diff --git a/server/commands/teamProvisioner.test.ts b/server/commands/teamProvisioner.test.ts index 51d675f92..ef355dfe3 100644 --- a/server/commands/teamProvisioner.test.ts +++ b/server/commands/teamProvisioner.test.ts @@ -9,127 +9,129 @@ setupTestDatabase(); describe("teamProvisioner", () => { const ip = "127.0.0.1"; - it("should create team and authentication provider", async () => { - env.DEPLOYMENT = "hosted"; - const result = await teamProvisioner({ - name: "Test team", - subdomain: "example", - avatarUrl: "http://example.com/logo.png", - authenticationProvider: { - name: "google", - providerId: "example.com", - }, - ip, - }); - const { team, authenticationProvider, isNewTeam } = result; - expect(authenticationProvider.name).toEqual("google"); - expect(authenticationProvider.providerId).toEqual("example.com"); - expect(team.name).toEqual("Test team"); - expect(team.subdomain).toEqual("example"); - expect(isNewTeam).toEqual(true); - }); - - it("should set subdomain append if unavailable", async () => { - env.DEPLOYMENT = "hosted"; - - await buildTeam({ - subdomain: "myteam", + describe("hosted", () => { + beforeEach(() => { + env.DEPLOYMENT = "hosted"; }); - const result = await teamProvisioner({ - name: "Test team", - subdomain: "myteam", - avatarUrl: "http://example.com/logo.png", - authenticationProvider: { - name: "google", - providerId: "example.com", - }, - ip, - }); - - expect(result.isNewTeam).toEqual(true); - expect(result.team.subdomain).toEqual("myteam1"); - }); - - it("should increment subdomain append if unavailable", async () => { - env.DEPLOYMENT = "hosted"; - - await buildTeam({ - subdomain: "myteam", - }); - await buildTeam({ - subdomain: "myteam1", - }); - const result = await teamProvisioner({ - name: "Test team", - subdomain: "myteam", - avatarUrl: "http://example.com/logo.png", - authenticationProvider: { - name: "google", - providerId: "example.com", - }, - ip, - }); - - expect(result.team.subdomain).toEqual("myteam2"); - }); - - it("should return existing team", async () => { - env.DEPLOYMENT = "hosted"; - const authenticationProvider = { - name: "google", - providerId: "example.com", - }; - const existing = await buildTeam({ - subdomain: "example", - authenticationProviders: [authenticationProvider], - }); - const result = await teamProvisioner({ - name: "Updated name", - subdomain: "example", - authenticationProvider, - ip, - }); - const { team, isNewTeam } = result; - expect(team.id).toEqual(existing.id); - expect(team.name).toEqual(existing.name); - expect(team.subdomain).toEqual("example"); - expect(isNewTeam).toEqual(false); - }); - - it("should error on mismatched team and authentication provider", async () => { - env.DEPLOYMENT = "hosted"; - const exampleTeam = await buildTeam({ - subdomain: "example", - authenticationProviders: [ - { + it("should create team and authentication provider", async () => { + const result = await teamProvisioner({ + name: "Test team", + subdomain: "example", + avatarUrl: "http://example.com/logo.png", + authenticationProvider: { name: "google", providerId: "example.com", }, - ], + ip, + }); + const { team, authenticationProvider, isNewTeam } = result; + expect(authenticationProvider.name).toEqual("google"); + expect(authenticationProvider.providerId).toEqual("example.com"); + expect(team.name).toEqual("Test team"); + expect(team.subdomain).toEqual("example"); + expect(isNewTeam).toEqual(true); }); - let error; - try { - await teamProvisioner({ - teamId: exampleTeam.id, - name: "name", - subdomain: "other", + it("should set subdomain append if unavailable", async () => { + await buildTeam({ + subdomain: "myteam", + }); + + const result = await teamProvisioner({ + name: "Test team", + subdomain: "myteam", + avatarUrl: "http://example.com/logo.png", authenticationProvider: { name: "google", - providerId: "other.com", + providerId: "example.com", }, ip, }); - } catch (e) { - error = e; - } - expect(error.id).toEqual("invalid_authentication"); + + expect(result.isNewTeam).toEqual(true); + expect(result.team.subdomain).toEqual("myteam1"); + }); + + it("should increment subdomain append if unavailable", async () => { + await buildTeam({ + subdomain: "myteam", + }); + await buildTeam({ + subdomain: "myteam1", + }); + const result = await teamProvisioner({ + name: "Test team", + subdomain: "myteam", + avatarUrl: "http://example.com/logo.png", + authenticationProvider: { + name: "google", + providerId: "example.com", + }, + ip, + }); + + expect(result.team.subdomain).toEqual("myteam2"); + }); + + it("should return existing team", async () => { + const authenticationProvider = { + name: "google", + providerId: "example.com", + }; + const existing = await buildTeam({ + subdomain: "example", + authenticationProviders: [authenticationProvider], + }); + const result = await teamProvisioner({ + name: "Updated name", + subdomain: "example", + authenticationProvider, + ip, + }); + const { team, isNewTeam } = result; + expect(team.id).toEqual(existing.id); + expect(team.name).toEqual(existing.name); + expect(team.subdomain).toEqual("example"); + expect(isNewTeam).toEqual(false); + }); + + it("should error on mismatched team and authentication provider", async () => { + const exampleTeam = await buildTeam({ + subdomain: "example", + authenticationProviders: [ + { + name: "google", + providerId: "example.com", + }, + ], + }); + + let error; + try { + await teamProvisioner({ + teamId: exampleTeam.id, + name: "name", + subdomain: "other", + authenticationProvider: { + name: "google", + providerId: "other.com", + }, + ip, + }); + } catch (e) { + error = e; + } + expect(error.id).toEqual("invalid_authentication"); + }); }); describe("self hosted", () => { - it("should allow creating first team", async () => { + beforeEach(() => { env.DEPLOYMENT = undefined; + }); + + it("should allow creating first team", async () => { const { team, isNewTeam } = await teamProvisioner({ name: "Test team", subdomain: "example", @@ -146,8 +148,7 @@ describe("teamProvisioner", () => { }); it("should not allow creating multiple teams in installation", async () => { - env.DEPLOYMENT = undefined; - await buildTeam(); + const team = await buildTeam(); let error; try { @@ -155,6 +156,7 @@ describe("teamProvisioner", () => { name: "Test team", subdomain: "example", avatarUrl: "http://example.com/logo.png", + teamId: team.id, authenticationProvider: { name: "google", providerId: "example.com", @@ -169,7 +171,6 @@ describe("teamProvisioner", () => { }); it("should return existing team when within allowed domains", async () => { - env.DEPLOYMENT = undefined; const existing = await buildTeam(); const user = await buildUser({ teamId: existing.id, @@ -183,6 +184,7 @@ describe("teamProvisioner", () => { name: "Updated name", subdomain: "example", domain: "allowed-domain.com", + teamId: existing.id, authenticationProvider: { name: "google", providerId: "allowed-domain.com", @@ -200,7 +202,6 @@ describe("teamProvisioner", () => { }); it("should error when NOT within allowed domains", async () => { - env.DEPLOYMENT = undefined; const existing = await buildTeam(); const user = await buildUser({ teamId: existing.id, @@ -217,6 +218,7 @@ describe("teamProvisioner", () => { name: "Updated name", subdomain: "example", domain: "other-domain.com", + teamId: existing.id, authenticationProvider: { name: "google", providerId: "other-domain.com", @@ -231,7 +233,6 @@ describe("teamProvisioner", () => { }); it("should return existing team", async () => { - env.DEPLOYMENT = undefined; const authenticationProvider = { name: "google", providerId: "example.com", diff --git a/server/commands/teamProvisioner.ts b/server/commands/teamProvisioner.ts index fbcf5291a..3ea66d265 100644 --- a/server/commands/teamProvisioner.ts +++ b/server/commands/teamProvisioner.ts @@ -72,13 +72,13 @@ async function teamProvisioner({ }; } else if (teamId) { // The user is attempting to log into a team with an unfamiliar SSO provider - throw InvalidAuthenticationError(); - } + if (env.DEPLOYMENT === "hosted") { + throw InvalidAuthenticationError(); + } - // This team has never been seen before, if self hosted the logic is different - // to the multi-tenant version, we want to restrict to a single team that MAY - // have multiple authentication providers - if (env.DEPLOYMENT !== "hosted") { + // This team has never been seen before, if self hosted the logic is different + // to the multi-tenant version, we want to restrict to a single team that MAY + // have multiple authentication providers const team = await Team.findOne(); // If the self-hosted installation has a single team and the domain for the