fix: SAML fixes for uppercase email & GOOGLE → SAML idp switch #14971
Thank you for following the naming conventions! 🙏 Feel free to join our discord and post your PR link.
@@ -342,7 +342,8 @@ if (isSAMLLoginEnabled) { | |||
return null; | |||
} | |||
|
|||
const { id, firstName, lastName, email } = userInfo; | |||
const { id, firstName, lastName } = userInfo; | |||
const email = userInfo.email.toLowerCase(); |
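Review bot: `userInfo.email.toLowerCase()` on the added line throws a TypeError when the IdP response carries no `email`, where the old destructuring simply yielded `undefined`. Suggest checking `userInfo.email` first and returning `null` as the branch just above does, so a profile without an email is rejected cleanly instead of crashing this code path.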
We convert to lower case to ensure an uppercase email doesn't slip in from the idP into our DB
@@ -844,7 +845,7 @@ export const AUTH_OPTIONS: AuthOptions = { | |||
where: { email: existingUserWithEmail.email }, | |||
// also update email to the IdP email | |||
data: { | |||
email: user.email, | |||
email: user.email.toLowerCase(), |
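Review bot: in the `data` block only the written value is lowercased; the `where` clause still keys on `existingUserWithEmail.email`, and the lookup that produced `existingUserWithEmail` is not part of this hunk. Please confirm that lookup also compares against the lowercased IdP email, otherwise a mixed-case address never reaches this update and the duplicate-account case stays open.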
We convert to lower case to ensure an uppercase email doesn't slip in from the idP into our DB
where: { email: existingUserWithEmail.email }, | ||
// also update email to the IdP email | ||
data: { | ||
email: user.email.toLowerCase(), |
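Review bot: `email: user.email.toLowerCase()` is now repeated inline at each update site. Suggest lowercasing `user.email` once into a local constant before these branches (or through a small shared helper), so a future write path cannot miss the normalization and a missing `user.email` is handled in one place.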
We convert to lower case to ensure an uppercase email doesn't slip in from the idP into our DB
existingUserWithEmail.identityProvider === IdentityProvider.GOOGLE && | ||
idP === IdentityProvider.SAML | ||
) { | ||
await prisma.user.update({ | ||
where: { email: existingUserWithEmail.email }, | ||
// also update email to the IdP email | ||
data: { | ||
email: user.email.toLowerCase(), | ||
identityProvider: idP, | ||
identityProviderId: account.providerAccountId, | ||
}, |
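Review bot: the new `GOOGLE` to `SAML` condition rebinds `identityProvider` and `identityProviderId` on an account selected purely by email, and nothing in these lines establishes that the SAML connection is entitled to assert that address. Suggest requiring, before the `prisma.user.update`, that the SAML tenant is the one configured for the user's organization or domain, stating that precondition in the comment, and adding a test that a SAML login from an unrelated tenant with a matching email is refused.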
Added the check to allow switching from GOOGLE idP to SAML, which was earlier throwing use-identity-login error.
📦 Next.js Bundle Analysis for @calcom/web
This analysis was generated by the Next.js Bundle Analysis action. 🤖
This PR introduced no changes to the JavaScript bundle! 🙌
No failed tests 🎉
Looks good 👍
Code looks good to me
What does this PR do?
Fixes the bug where, if the idP (SAML) had an uppercase email, when switching from another idP to SAML on Cal, we'd use the uppercase email from the idP and thus mess up the email matchup, sometimes even creating a duplicate account.
Adds the feature now allowing users to switch from GOOGLE idP to SAML for existing users.
Fixes:
- [CAL-3485] SAML/SSO auto-linking failing for GOOGLE auth users #14631
- [CAL-3600] SAML/SSO idP auto-merging allows slipping of uppercase in email #14833
Fixes CAL-3485
Fixes CAL-3600
Mandatory Tasks (DO NOT REMOVE)
How should this be tested?
Checklist
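The failure mode the PR description names (a mixed-case IdP email missing the stored row and producing a duplicate account) can be reproduced in isolation. The sketch below is an added example, not cal.com code: the in-memory store, `normalizeEmail`, `linkOrCreate` and all sample rows are hypothetical and constructed, and the store is assumed to match emails case-sensitively.

```javascript
// Added illustration: store, field names and linkOrCreate() are hypothetical,
// not cal.com code. Profiles and rows below are constructed sample data.
function normalizeEmail(email) {
  if (typeof email !== "string" || email === "") {
    throw new TypeError("IdP profile has no usable email");
  }
  return email.toLowerCase();
}

// In-memory stand-in for a users table whose email match is case-sensitive.
function makeStore(rows) {
  const users = rows.map((r) => ({ ...r }));
  return {
    users,
    findByEmail: (email) => users.find((u) => u.email === email) || null,
    insert: (row) => (users.push(row), row),
  };
}

// Link an IdP login to an existing account, or create one.
// `normalize` is a switch for comparing the behaviour before and after the fix.
function linkOrCreate(store, profile, idP, normalize) {
  const email = normalize ? normalizeEmail(profile.email) : profile.email;
  const link = { email, identityProvider: idP, identityProviderId: profile.id };
  const existing = store.findByEmail(email);
  if (!existing) return { action: "created", user: store.insert(link) };
  if (existing.identityProvider === idP) return { action: "signed-in", user: existing };
  if (existing.identityProvider === "GOOGLE" && idP === "SAML") {
    return { action: "linked", user: Object.assign(existing, link) };
  }
  return { action: "rejected", user: existing }; // in this sketch, other switches stay refused
}

function demo() {
  const seed = [{ email: "alice@example.com", identityProvider: "GOOGLE", identityProviderId: "g-1" }];
  const samlProfile = { id: "saml-42", email: "Alice@Example.COM" };
  const before = makeStore(seed);
  const after = makeStore(seed);
  return {
    before: linkOrCreate(before, samlProfile, "SAML", false).action,
    beforeCount: before.users.length,
    after: linkOrCreate(after, samlProfile, "SAML", true).action,
    afterCount: after.users.length,
    afterUser: after.users[0],
  };
}

console.log(demo());
```

Normalizing before the lookup, not only before the write, is what turns the second row into a link on the existing one.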