From e613ec732b7c734b523738cba09fd5614708b01f Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Fri, 20 Aug 2021 14:03:52 -0700
Subject: [PATCH] feat: Add hosted domain hint when signing in through Google SSO from subdomain (#2458)

* feat: Add hosted domain hint when signing in through Google SSO from subdomain
closes #2454
---
 server/api/auth.js | 18 +++++++++++++-----
 server/api/auth.test.js | 5 ++++-
 server/auth/providers/google.js | 26 +++++++++++++++++++++-----
 3 files changed, 38 insertions(+), 11 deletions(-)

diff --git a/server/api/auth.js b/server/api/auth.js
index d771d4d51..3e8543ee6 100644
--- a/server/api/auth.js
+++ b/server/api/auth.js
@@ -25,11 +25,19 @@ function filterProviders(team) {
 find(team.authenticationProviders, { name: provider.id, enabled: true })
 );
 })
- .map((provider) => ({
- id: provider.id,
- name: provider.name,
- authUrl: provider.authUrl,
- }));
+ .map((provider) => {
+ const authProvider = team
+ ? find(team.authenticationProviders, {
+ name: provider.id,
+ })
+ : undefined;
+
+ return {
+ id: provider.id,
+ name: provider.name,
+ authUrl: `${provider.authUrl}?authProviderId=${authProvider?.id || ""}`,
+ };
+ });
 }
 
 router.post("auth.config", async (ctx) => {
diff --git a/server/api/auth.test.js b/server/api/auth.test.js
index df6e3a656..046a77078 100644
--- a/server/api/auth.test.js
+++ b/server/api/auth.test.js
@@ -56,7 +56,7 @@ describe("#auth.config", () => {
 it("should return available providers for team subdomain", async () => {
 process.env.URL = "http://localoutline.com";
- await buildTeam({
+ const team = await buildTeam({
 guestSignin: false,
 subdomain: "example",
 authenticationProviders: [
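Review bot: In server/api/auth.js, the lookup added inside `.map()` matches on `name` only, while the filter directly above it in the same hunk matches `{ name: provider.id, enabled: true }`, so the id written into `authUrl` is not guaranteed to belong to the enabled record if a team ever holds more than one row for a provider name. Reusing the same predicate, `find(team.authenticationProviders, { name: provider.id, enabled: true })`, keeps the two in agreement. The template literal also emits `?authProviderId=` with an empty value when no team or provider is found and assumes `provider.authUrl` never carries a query string of its own; appending the parameter only when `authProvider` exists would avoid both. If auth.config is served before sign-in, as its role of listing providers suggests, this change makes the provider row's internal id visible to anonymous callers, which deserves a one-line comment. The start of `filterProviders` lies outside the hunk.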
@@ -74,6 +74,9 @@ describe("#auth.config", () => {
 expect(res.status).toEqual(200);
 expect(body.data.providers.length).toBe(1);
 expect(body.data.providers[0].name).toBe("Slack");
+ expect(body.data.providers[0].authUrl).toContain(
+ `?authProviderId=${team.authenticationProviders[0].id}`
+ );
 });
 
 it("should return available providers for team custom domain", async () => {
diff --git a/server/auth/providers/google.js b/server/auth/providers/google.js
index 334de42b6..a58985edc 100644
--- a/server/auth/providers/google.js
+++ b/server/auth/providers/google.js
@@ -10,6 +10,7 @@ import {
 GoogleWorkspaceInvalidError,
 } from "../../errors";
 import passportMiddleware from "../../middlewares/passport";
+import { AuthenticationProvider } from "../../models";
 import { getAllowedDomains } from "../../utils/authentication";
 import { StateStore } from "../../utils/passport";
 
@@ -86,13 +87,28 @@ if (GOOGLE_CLIENT_ID) {
 )
 );
 
- router.get(
- "google",
- passport.authenticate(providerName, {
+ router.get("google", async (ctx) => {
+ const { authProviderId } = ctx.request.query;
+
+ if (authProviderId) {
+ ctx.assertUuid(authProviderId, "authProviderId must be a UUID");
+ }
+
+ const authProvider = authProviderId
+ ? await AuthenticationProvider.findOne({
+ where: {
+ id: authProviderId,
+ name: providerName,
+ },
+ })
+ : undefined;
+
+ return passport.authenticate(providerName, {
 accessType: "offline",
 prompt: "select_account consent",
- })
- );
+ hd: authProvider?.providerId,
+ })(ctx);
+ });
 
 router.get("google.callback", passportMiddleware(providerName));
 }
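Review bot: In server/auth/providers/google.js, the new `router.get("google", …)` handler looks up the provider from a caller-supplied `authProviderId` without limiting the query to enabled providers or to the team the request arrived on, so any valid id causes that row's `providerId` to be sent as `hd` in the redirect to Google. Adding `enabled: true` to the `where` clause would match the `enabled` check already used in server/api/auth.js. `hd` only pre-selects a hosted domain in Google's account chooser and can be altered by the client, so a comment such as `// hd is a UI hint only; the domain is still verified in the callback` would stop a later reader from treating it as an access control, assuming the strategy's verify callback (outside this hunk) performs that check. `ctx.request.query` can also hold an array when the parameter is repeated; whether `ctx.assertUuid` rejects that is not visible here.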