sso: normalize provider config via discovery

src/lib/sso/oidc-config.test.ts

@@ -0,0 +1,56 @@
+import { describe, expect, it } from "bun:test";
+import { normalizeOidcProviderConfig, OidcConfigError } from "./oidc-config";
+
+const issuer = "https://auth.example.com";
+
+describe("normalizeOidcProviderConfig", () => {
+  it("returns provided endpoints when complete", async () => {
+    const result = await normalizeOidcProviderConfig(issuer, {
+      clientId: "client",
+      clientSecret: "secret",
+      authorizationEndpoint: "https://auth.example.com/auth",
+      tokenEndpoint: "https://auth.example.com/token",
+      jwksEndpoint: "https://auth.example.com/jwks",
+      userInfoEndpoint: "https://auth.example.com/userinfo",
+      scopes: ["openid", "email"],
+      pkce: false,
+    }, async () => {
+      throw new Error("fetch should not be called when endpoints are provided");
+    });
+
+    expect(result.oidcConfig.authorizationEndpoint).toBe("https://auth.example.com/auth");
+    expect(result.oidcConfig.tokenEndpoint).toBe("https://auth.example.com/token");
+    expect(result.oidcConfig.jwksEndpoint).toBe("https://auth.example.com/jwks");
+    expect(result.oidcConfig.userInfoEndpoint).toBe("https://auth.example.com/userinfo");
+    expect(result.oidcConfig.scopes).toEqual(["openid", "email"]);
+    expect(result.oidcConfig.pkce).toBe(false);
+  });
+
+  it("derives missing fields from discovery", async () => {
+    const fetchMock = async () =>
+      new Response(JSON.stringify({
+        authorization_endpoint: "https://auth.example.com/auth",
+        token_endpoint: "https://auth.example.com/token",
+        jwks_uri: "https://auth.example.com/jwks",
+        userinfo_endpoint: "https://auth.example.com/userinfo",
+        scopes_supported: ["openid", "email", "profile"],
+      }));
+
+    const result = await normalizeOidcProviderConfig(issuer, {
+      clientId: "client",
+      clientSecret: "secret",
+    }, fetchMock);
+
+    expect(result.oidcConfig.authorizationEndpoint).toBe("https://auth.example.com/auth");
+    expect(result.oidcConfig.tokenEndpoint).toBe("https://auth.example.com/token");
+    expect(result.oidcConfig.jwksEndpoint).toBe("https://auth.example.com/jwks");
+    expect(result.oidcConfig.userInfoEndpoint).toBe("https://auth.example.com/userinfo");
+    expect(result.oidcConfig.scopes).toEqual(["openid", "email", "profile"]);
+  });
+
+  it("throws for invalid issuer URL", async () => {
+    await expect(
+      normalizeOidcProviderConfig("not-a-url", {}),
+    ).rejects.toBeInstanceOf(OidcConfigError);
+  });
+});

src/lib/sso/oidc-config.ts

@@ -0,0 +1,202 @@
+import { z } from "zod";
+
+const DEFAULT_SCOPES = ["openid", "email", "profile"] as const;
+const DISCOVERY_TIMEOUT_MS = 10000;
+
+const discoverySchema = z.object({
+  issuer: z.string().url().optional(),
+  authorization_endpoint: z.string().url().optional(),
+  token_endpoint: z.string().url().optional(),
+  userinfo_endpoint: z.string().url().optional(),
+  jwks_uri: z.string().url().optional(),
+  scopes_supported: z.array(z.string()).optional(),
+});
+
+export class OidcConfigError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "OidcConfigError";
+  }
+}
+
+export type RawOidcConfig = {
+  clientId?: string;
+  clientSecret?: string;
+  authorizationEndpoint?: string;
+  tokenEndpoint?: string;
+  jwksEndpoint?: string;
+  userInfoEndpoint?: string;
+  discoveryEndpoint?: string;
+  scopes?: string[];
+  pkce?: boolean;
+  mapping?: ProviderMapping;
+};
+
+export type ProviderMapping = {
+  id: string;
+  email: string;
+  emailVerified?: string;
+  name?: string;
+  image?: string;
+  firstName?: string;
+  lastName?: string;
+};
+
+export type NormalizedOidcConfig = {
+  oidcConfig: {
+    clientId?: string;
+    clientSecret?: string;
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+    jwksEndpoint?: string;
+    userInfoEndpoint?: string;
+    discoveryEndpoint: string;
+    scopes: string[];
+    pkce: boolean;
+  };
+  mapping: ProviderMapping;
+};
+
+type FetchFn = typeof fetch;
+
+function cleanUrl(value: string | undefined, field: string): string | undefined {
+  if (!value || typeof value !== "string") return undefined;
+  const trimmed = value.trim();
+  if (!trimmed) return undefined;
+  try {
+    return new URL(trimmed).toString();
+  } catch {
+    throw new OidcConfigError(`Invalid ${field} URL: ${value}`);
+  }
+}
+
+function sanitizeScopes(scopes: string[] | undefined, fallback: readonly string[]): string[] {
+  const candidates = Array.isArray(scopes) ? scopes : [];
+  const sanitized = candidates
+    .map(scope => scope?.trim())
+    .filter((scope): scope is string => Boolean(scope));
+
+  if (sanitized.length === 0) {
+    return [...fallback];
+  }
+
+  return Array.from(new Set(sanitized));
+}
+
+async function fetchDiscoveryDocument(url: string, fetchFn: FetchFn): Promise<z.infer<typeof discoverySchema>> {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), DISCOVERY_TIMEOUT_MS);
+
+  try {
+    const response = await fetchFn(url, {
+      signal: controller.signal,
+      headers: { Accept: "application/json" },
+    });
+
+    if (!response.ok) {
+      throw new OidcConfigError(`OIDC discovery request failed (${response.status} ${response.statusText})`);
+    }
+
+    let payload: unknown;
+    try {
+      payload = await response.json();
+    } catch {
+      throw new OidcConfigError("OIDC discovery response is not valid JSON");
+    }
+
+    const parsed = discoverySchema.parse(payload);
+    if (!parsed.authorization_endpoint || !parsed.token_endpoint) {
+      throw new OidcConfigError("OIDC discovery document is missing required endpoints");
+    }
+    return parsed;
+  } catch (error) {
+    if (error instanceof OidcConfigError) {
+      throw error;
+    }
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new OidcConfigError(`OIDC discovery timed out after ${DISCOVERY_TIMEOUT_MS / 1000}s`);
+    }
+    throw new OidcConfigError(`Failed to fetch OIDC discovery document: ${error instanceof Error ? error.message : "unknown error"}`);
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+
+export async function normalizeOidcProviderConfig(
+  issuer: string,
+  rawConfig: RawOidcConfig,
+  fetchFn: FetchFn = fetch,
+): Promise<NormalizedOidcConfig> {
+  if (!issuer || typeof issuer !== "string") {
+    throw new OidcConfigError("Issuer is required");
+  }
+
+  let normalizedIssuer: string;
+  try {
+    const issuerUrl = new URL(issuer.trim());
+    normalizedIssuer = issuerUrl.toString().replace(/\/$/, "");
+  } catch {
+    throw new OidcConfigError(`Invalid issuer URL: ${issuer}`);
+  }
+
+  const discoveryEndpoint = cleanUrl(
+    rawConfig.discoveryEndpoint,
+    "discovery endpoint",
+  ) ?? `${normalizedIssuer}/.well-known/openid-configuration`;
+
+  const authorizationEndpoint = cleanUrl(rawConfig.authorizationEndpoint, "authorization endpoint");
+  const tokenEndpoint = cleanUrl(rawConfig.tokenEndpoint, "token endpoint");
+  const jwksEndpoint = cleanUrl(rawConfig.jwksEndpoint, "JWKS endpoint");
+  const userInfoEndpoint = cleanUrl(rawConfig.userInfoEndpoint, "userinfo endpoint");
+  const providedScopes = Array.isArray(rawConfig.scopes) ? rawConfig.scopes : undefined;
+  let scopes = sanitizeScopes(providedScopes, DEFAULT_SCOPES);
+
+  const shouldFetchDiscovery =
+    !authorizationEndpoint ||
+    !tokenEndpoint ||
+    !jwksEndpoint ||
+    !userInfoEndpoint ||
+    !providedScopes ||
+    providedScopes.length === 0;
+
+  let resolvedAuthorization = authorizationEndpoint;
+  let resolvedToken = tokenEndpoint;
+  let resolvedJwks = jwksEndpoint;
+  let resolvedUserInfo = userInfoEndpoint;
+
+  if (shouldFetchDiscovery) {
+    const discovery = await fetchDiscoveryDocument(discoveryEndpoint, fetchFn);
+    resolvedAuthorization = resolvedAuthorization ?? discovery.authorization_endpoint;
+    resolvedToken = resolvedToken ?? discovery.token_endpoint;
+    resolvedJwks = resolvedJwks ?? discovery.jwks_uri;
+    resolvedUserInfo = resolvedUserInfo ?? discovery.userinfo_endpoint;
+    if (!providedScopes || providedScopes.length === 0) {
+      scopes = sanitizeScopes(discovery.scopes_supported, DEFAULT_SCOPES);
+    }
+  }
+
+  if (!resolvedAuthorization || !resolvedToken) {
+    throw new OidcConfigError("OIDC configuration must include authorization and token endpoints");
+  }
+
+  return {
+    oidcConfig: {
+      clientId: rawConfig.clientId,
+      clientSecret: rawConfig.clientSecret,
+      authorizationEndpoint: resolvedAuthorization,
+      tokenEndpoint: resolvedToken,
+      jwksEndpoint: resolvedJwks,
+      userInfoEndpoint: resolvedUserInfo,
+      discoveryEndpoint,
+      scopes,
+      pkce: rawConfig.pkce !== false,
+    },
+    mapping: rawConfig.mapping ?? {
+      id: "sub",
+      email: "email",
+      emailVerified: "email_verified",
+      name: "name",
+      image: "picture",
+    },
+  };
+}

src/lib/sso/provider-maintenance.ts

@@ -0,0 +1,65 @@
+import { db, ssoProviders } from "@/lib/db";
+import { normalizeOidcProviderConfig, OidcConfigError } from "./oidc-config";
+import { eq } from "drizzle-orm";
+
+type Logger = Pick<typeof console, "info" | "warn" | "error">;
+
+export async function ensureValidSsoProviders(logger: Logger = console): Promise<void> {
+  const providers = await db.select().from(ssoProviders);
+
+  for (const provider of providers) {
+    if (!provider.oidcConfig) continue;
+
+    let parsedConfig: any;
+    try {
+      parsedConfig = JSON.parse(provider.oidcConfig);
+    } catch (error) {
+      logger.warn(`[SSO] Skipping provider ${provider.providerId}: invalid JSON configuration`, error);
+      continue;
+    }
+
+    const hasEndpoints =
+      parsedConfig.authorizationEndpoint &&
+      parsedConfig.tokenEndpoint;
+
+    const hasScopes = Array.isArray(parsedConfig.scopes) && parsedConfig.scopes.length > 0;
+
+    if (hasEndpoints && hasScopes) {
+      continue;
+    }
+
+    try {
+      const normalized = await normalizeOidcProviderConfig(provider.issuer, {
+        clientId: parsedConfig.clientId,
+        clientSecret: parsedConfig.clientSecret,
+        authorizationEndpoint: parsedConfig.authorizationEndpoint,
+        tokenEndpoint: parsedConfig.tokenEndpoint,
+        jwksEndpoint: parsedConfig.jwksEndpoint,
+        userInfoEndpoint: parsedConfig.userInfoEndpoint,
+        discoveryEndpoint: parsedConfig.discoveryEndpoint,
+        scopes: parsedConfig.scopes,
+        pkce: parsedConfig.pkce,
+        mapping: parsedConfig.mapping,
+      });
+
+      await db
+        .update(ssoProviders)
+        .set({
+          oidcConfig: JSON.stringify({
+            ...normalized.oidcConfig,
+            mapping: normalized.mapping,
+          }),
+          updatedAt: new Date(),
+        })
+        .where(eq(ssoProviders.id, provider.id));
+
+      logger.info(`[SSO] Normalized OIDC configuration for provider ${provider.providerId}`);
+    } catch (error) {
+      if (error instanceof OidcConfigError) {
+        logger.warn(`[SSO] Unable to normalize provider ${provider.providerId}: ${error.message}`);
+      } else {
+        logger.error(`[SSO] Unexpected error normalizing provider ${provider.providerId}`, error);
+      }
+    }
+  }
+}