fix: SAML fixes for uppercase email & GOOGLE → SAML idp switch #14971

Merged: emrysal merged 5 commits into main from fix/saml-google-merging on May 10, 2024


@alishaz-polymath alishaz-polymath commented May 10, 2024

What does this PR do?

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected)
  • I have added a Docs issue here if this PR makes changes that would require a documentation change
  • I have added or modified automated tests that prove my fix is effective or that my feature works (PRs might be rejected if logical changes are not properly tested)

How should this be tested?

  • Are there environment variables that should be set?
  • What are the minimal test data to have?
  • What is expected (happy path) to have (input and output)?
  • Any other important info that could help to test that PR

Checklist

  • I haven't read the contributing guide
  • My code doesn't follow the style guidelines of this project
  • I haven't commented my code, particularly in hard-to-understand areas
  • I haven't checked if my changes generate no new warnings

@github-actions github-actions bot added authentication area: authentication, auth, google sign in, password, SAML, password reset, can't log in enterprise area: enterprise, audit log, organisation, SAML, SSO High priority Created by Linear-GitHub Sync organizations area: organizations, orgs 🐛 bug Something isn't working labels May 10, 2024
Contributor

github-actions bot commented May 10, 2024

Thank you for following the naming conventions! 🙏 Feel free to join our discord and post your PR link.

@keithwillcode keithwillcode added the core area: core, team members only label May 10, 2024
@@ -342,7 +342,8 @@ if (isSAMLLoginEnabled) {
return null;
}

const { id, firstName, lastName, email } = userInfo;
const { id, firstName, lastName } = userInfo;
const email = userInfo.email.toLowerCase();
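
Review bot: userInfo.email.toLowerCase() on the added line throws a TypeError when the IdP response carries no email or a non-string one, where the previous destructuring simply yielded undefined. Suggest checking that userInfo.email is a string first and returning null as the guard just above does, and trimming surrounding whitespace in the same step so the stored value is fully normalized.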
Member Author

We convert to lower case to ensure an uppercase email doesn't slip in from the IdP into our DB.

@@ -844,7 +845,7 @@ export const AUTH_OPTIONS: AuthOptions = {
where: { email: existingUserWithEmail.email },
// also update email to the IdP email
data: {
email: user.email,
email: user.email.toLowerCase(),
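
Review bot: the email is lowercased only at write time inside data; the lookup that produced existingUserWithEmail is not visible in this hunk, and if it compares the raw user.email, a mixed-case address from the IdP will not find the existing lowercase row and this update is never reached. Suggest computing the normalized email once at the top of the callback and using that value for both the lookup and this update, with a guard for a missing user.email before calling toLowerCase().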
Member Author

We convert to lower case to ensure an uppercase email doesn't slip in from the IdP into our DB.

where: { email: existingUserWithEmail.email },
// also update email to the IdP email
data: {
email: user.email.toLowerCase(),
Member Author

We convert to lower case to ensure an uppercase email doesn't slip in from the IdP into our DB.

Comment on lines +862 to +872
existingUserWithEmail.identityProvider === IdentityProvider.GOOGLE &&
idP === IdentityProvider.SAML
) {
await prisma.user.update({
where: { email: existingUserWithEmail.email },
// also update email to the IdP email
data: {
email: user.email.toLowerCase(),
identityProvider: idP,
identityProviderId: account.providerAccountId,
},
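
Review bot: the condition at +862 relinks the account on provider type alone (existing GOOGLE, incoming SAML); nothing in the visible lines checks that the SAML connection is authoritative for this user's email domain or organization before identityProvider and identityProviderId are overwritten. Suggest gating the update on that check, for example the user already belonging to the organization that owns the SAML connection, and keying the where clause on the user's id rather than on the email that the same statement rewrites.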
Member Author

Added the check to allow switching from GOOGLE IdP to SAML, which was earlier throwing use-identity-login error.

@alishaz-polymath alishaz-polymath marked this pull request as ready for review May 10, 2024 10:22
@alishaz-polymath alishaz-polymath added the ✨ feature New feature or request label May 10, 2024
@alishaz-polymath alishaz-polymath requested review from emrysal and a team May 10, 2024 10:22
Contributor

github-actions bot commented May 10, 2024

📦 Next.js Bundle Analysis for @calcom/web

This analysis was generated by the Next.js Bundle Analysis action. 🤖

This PR introduced no changes to the JavaScript bundle! 🙌


deploysentinel bot commented May 10, 2024

No failed tests 🎉


vercel bot commented May 10, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

3 Ignored Deployments
Name Status Preview Comments Updated (UTC)
ai ⬜️ Ignored (Inspect) Visit Preview May 10, 2024 2:07pm
cal ⬜️ Ignored (Inspect) Visit Preview May 10, 2024 2:07pm
calcom-web-canary ⬜️ Ignored (Inspect) Visit Preview May 10, 2024 2:07pm

Contributor

@emrysal emrysal left a comment

Looks good 👍

@emrysal emrysal enabled auto-merge (squash) May 10, 2024 12:44
Contributor

@baileypumfleet baileypumfleet left a comment

Code looks good to me

@emrysal emrysal merged commit b190933 into main May 10, 2024
40 checks passed
@emrysal emrysal deleted the fix/saml-google-merging branch May 10, 2024 15:09
Labels
authentication area: authentication, auth, google sign in, password, SAML, password reset, can't log in 🐛 bug Something isn't working core area: core, team members only enterprise area: enterprise, audit log, organisation, SAML, SSO ✨ feature New feature or request High priority Created by Linear-GitHub Sync organizations area: organizations, orgs
Development

Successfully merging this pull request may close these issues.

[CAL-3485] SAML/SSO auto-linking failing for GOOGLE auth users
5 participants