More fixes in SSO

2025-12-06 11:36:44 +03:00 · 2025-07-26 20:33:26 +05:30
parent 1f6add5fff
commit 0920314679
8 changed files with 1866 additions and 14 deletions
--- a/drizzle/0002_bored_captain_cross.sql
+++ b/drizzle/0002_bored_captain_cross.sql
@@ -0,0 +1,10 @@
+CREATE TABLE `verifications` (
+	`id` text PRIMARY KEY NOT NULL,
+	`identifier` text NOT NULL,
+	`value` text NOT NULL,
+	`expires_at` integer NOT NULL,
+	`created_at` integer DEFAULT (unixepoch()) NOT NULL,
+	`updated_at` integer DEFAULT (unixepoch()) NOT NULL
+);
+--> statement-breakpoint
+CREATE INDEX `idx_verifications_identifier` ON `verifications` (`identifier`);
--- a/drizzle/meta/0002_snapshot.json
+++ b/drizzle/meta/0002_snapshot.json
--- a/drizzle/meta/_journal.json
+++ b/drizzle/meta/_journal.json
@@ -15,6 +15,13 @@
      "when": 1752173351102,
      "tag": "0001_polite_exodus",
      "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "6",
+      "when": 1753539600567,
+      "tag": "0002_bored_captain_cross",
+      "breakpoints": true
    }
  ]
 }
--- a/src/components/config/SSOSettings.tsx
+++ b/src/components/config/SSOSettings.tsx
@@ -6,11 +6,9 @@ import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/com
 import { Switch } from '@/components/ui/switch';
 import { Alert, AlertDescription } from '@/components/ui/alert';
 import { Dialog, DialogContent, DialogDescription, DialogFooter, DialogHeader, DialogTitle, DialogTrigger } from '@/components/ui/dialog';
-import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@/components/ui/select';
 import { apiRequest, showErrorToast } from '@/lib/utils';
 import { toast } from 'sonner';
-import { Plus, Trash2, ExternalLink, Loader2, AlertCircle, Shield, Info } from 'lucide-react';
-import { Separator } from '@/components/ui/separator';
+import { Plus, Trash2, Loader2, AlertCircle, Shield } from 'lucide-react';
 import { Skeleton } from '../ui/skeleton';
 import { Badge } from '../ui/badge';
 import { Tabs, TabsContent, TabsList, TabsTrigger } from '@/components/ui/tabs';
@@ -102,7 +100,7 @@ export function SSOSettings() {
    setIsLoading(true);
    try {
      const [providersRes, headerAuthStatus] = await Promise.all([
-        apiRequest<SSOProvider[]>('/sso/providers'),
+        apiRequest<SSOProvider[] | { providers: SSOProvider[] }>('/sso/providers'),
        apiRequest<{ enabled: boolean }>('/auth/header-status').catch(() => ({ enabled: false }))
      ]);
      
@@ -164,7 +162,7 @@ export function SSOSettings() {
        requestData.jwksEndpoint = providerForm.jwksEndpoint;
        requestData.userInfoEndpoint = providerForm.userInfoEndpoint;
        requestData.discoveryEndpoint = providerForm.discoveryEndpoint;
-        requestData.scopes = providerForm.scopes;
+        // Don't send scopes - let the backend handle provider-specific defaults
        requestData.pkce = providerForm.pkce;
      } else {
        requestData.entryPoint = providerForm.entryPoint;
@@ -224,10 +222,6 @@ export function SSOSettings() {
  };


-  const copyToClipboard = (text: string) => {
-    navigator.clipboard.writeText(text);
-    toast.success('Copied to clipboard');
-  };

  if (isLoading) {
    return (
@@ -448,7 +442,14 @@ export function SSOSettings() {
                        <Alert>
                          <AlertCircle className="h-4 w-4" />
                          <AlertDescription>
-                            Redirect URL: {window.location.origin}/api/auth/sso/callback/{providerForm.providerId || '{provider-id}'}
+                            <div className="space-y-2">
+                              <p>Redirect URL: {window.location.origin}/api/auth/sso/callback/{providerForm.providerId || '{provider-id}'}</p>
+                              {providerForm.issuer.includes('google.com') && (
+                                <p className="text-xs text-muted-foreground">
+                                  Note: Google doesn't support the "offline_access" scope. The system will automatically use appropriate scopes.
+                                </p>
+                              )}
+                            </div>
                          </AlertDescription>
                        </Alert>
                      </TabsContent>
--- a/src/lib/db/index.ts
+++ b/src/lib/db/index.ts
@@ -78,6 +78,7 @@ export {
  sessions,
  accounts,
  verificationTokens,
+  verifications,
  oauthApplications,
  oauthAccessTokens,
  oauthConsent,
--- a/src/lib/db/schema.ts
+++ b/src/lib/db/schema.ts
@@ -518,6 +518,24 @@ export const verificationTokens = sqliteTable("verification_tokens", {
  };
 });

+// Verifications table (for Better Auth)
+export const verifications = sqliteTable("verifications", {
+  id: text("id").primaryKey(),
+  identifier: text("identifier").notNull(),
+  value: text("value").notNull(),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" })
+    .notNull()
+    .default(sql`(unixepoch())`),
+  updatedAt: integer("updated_at", { mode: "timestamp" })
+    .notNull()
+    .default(sql`(unixepoch())`),
+}, (table) => {
+  return {
+    identifierIdx: index("idx_verifications_identifier").on(table.identifier),
+  };
+});
+
 // ===== OIDC Provider Tables =====

 // OAuth Applications table
--- a/src/pages/api/auth/sso/register.ts
+++ b/src/pages/api/auth/sso/register.ts
@@ -77,7 +77,7 @@ export async function POST(context: APIContext) {
        jwksEndpoint,
        discoveryEndpoint,
        userInfoEndpoint,
-        scopes = ["openid", "email", "profile"],
+        scopes,
        pkce = true,
        mapping = {
          id: "sub",
@@ -88,6 +88,23 @@ export async function POST(context: APIContext) {
        }
      } = body;

+      // Handle provider-specific scope defaults
+      let finalScopes = scopes;
+      if (!finalScopes) {
+        // Check if this is a Google provider
+        const isGoogle = issuer.includes('google.com') || 
+                        issuer.includes('googleapis.com') ||
+                        domain.includes('google.com');
+        
+        if (isGoogle) {
+          // Google doesn't support offline_access scope
+          finalScopes = ["openid", "email", "profile"];
+        } else {
+          // Default scopes for other providers
+          finalScopes = ["openid", "email", "profile", "offline_access"];
+        }
+      }
+
      registrationBody.oidcConfig = {
        clientId,
        clientSecret,
@@ -96,7 +113,7 @@ export async function POST(context: APIContext) {
        jwksEndpoint,
        discoveryEndpoint,
        userInfoEndpoint,
-        scopes,
+        scopes: finalScopes,
        pkce,
      };
      registrationBody.mapping = mapping;
--- a/src/pages/api/sso/providers.ts
+++ b/src/pages/api/sso/providers.ts
@@ -13,7 +13,14 @@ export async function GET(context: APIContext) {

    const providers = await db.select().from(ssoProviders);

-    return new Response(JSON.stringify(providers), {
+    // Parse JSON fields before sending
+    const formattedProviders = providers.map(provider => ({
+      ...provider,
+      oidcConfig: provider.oidcConfig ? JSON.parse(provider.oidcConfig) : undefined,
+      samlConfig: provider.samlConfig ? JSON.parse(provider.samlConfig) : undefined,
+    }));
+
+    return new Response(JSON.stringify(formattedProviders), {
      status: 200,
      headers: { "Content-Type": "application/json" },
    });
@@ -102,7 +109,14 @@ export async function POST(context: APIContext) {
      })
      .returning();

-    return new Response(JSON.stringify(newProvider), {
+    // Parse JSON fields before sending
+    const formattedProvider = {
+      ...newProvider,
+      oidcConfig: newProvider.oidcConfig ? JSON.parse(newProvider.oidcConfig) : undefined,
+      samlConfig: newProvider.samlConfig ? JSON.parse(newProvider.samlConfig) : undefined,
+    };
+
+    return new Response(JSON.stringify(formattedProvider), {
      status: 201,
      headers: { "Content-Type": "application/json" },
    });