synced/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2025-03-28 15:29:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Feat: Scoped JWT to organization

Browse Source
This commit is contained in:
Daniel Hougaard
2024-03-12 14:24:41 +01:00
parent 08b5975f26
commit 750a43c978
2 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
backend/src/services/auth/auth-login-service.ts
View File

@ -1,6 +1,7 @@
import jwt from "jsonwebtoken";
import { TUsers, UserDeviceSchema } from "@app/db/schemas";
import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
import { getConfig } from "@app/lib/config/env";
import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
import { BadRequestError } from "@app/lib/errors";
@ -89,7 +90,7 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
user: TUsers;
ip: string;
userAgent: string;
organizationId?: string;
organizationId: string | undefined;
authMethod: AuthMethod;
}) => {
const cfg = getConfig();
@ -178,9 +179,15 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
// let authMethod = (providerAuthToken as AuthMethod) || AuthMethod.EMAIL;
let authMethod = AuthMethod.EMAIL;
let organizationId: string | undefined;
if (providerAuthToken) {
authMethod = validateProviderAuthToken(providerAuthToken, email).authMethod;
const decodedProviderToken = validateProviderAuthToken(providerAuthToken, email);
authMethod = decodedProviderToken.authMethod;
if (isAuthMethodSaml(authMethod) && decodedProviderToken.orgId) {
organizationId = decodedProviderToken.orgId;
}
}
if (!userEnc.serverPrivateKey || !userEnc.clientPublicKey) throw new Error("Failed to authenticate. Try again?");
@ -226,7 +233,8 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
},
ip,
userAgent,
authMethod
authMethod,
organizationId
});
return { token, isMfaEnabled: false, user: userEnc } as const;

3
backend/src/services/auth/auth-type.ts
View File

@ -6,6 +6,7 @@ export enum AuthMethod {
OKTA_SAML = "okta-saml",
AZURE_SAML = "azure-saml",
JUMPCLOUD_SAML = "jumpcloud-saml",
GOOGLE_SAML = "google-saml",
LDAP = "ldap"
}
@ -38,6 +39,8 @@ export enum ActorType { // would extend to AWS, Azure, ...
SCIM_CLIENT = "scimClient"
}
export type ActorAuthMethod = AuthMethod | null;
export type AuthModeJwtTokenPayload = {
authTokenType: AuthTokenType.ACCESS_TOKEN;
authMethod: AuthMethod;