feat(sso): enhance SSO provider management and trusted origins handling

- Added logic to retrieve and delete SSO providers, ensuring proper permission checks and error handling. - Updated user trusted origins when adding or removing SSO providers, maintaining accurate origin lists. - Refactored trusted origins retrieval to improve clarity and efficiency in the authentication process. - Introduced utility functions for normalizing trusted origins and converting request headers.
2026-06-29 11:05:33 +02:00 · 2026-02-05 00:55:17 -06:00
parent 9910c0e602
commit 542ccc4479
5 changed files with 120 additions and 38 deletions
--- a/packages/server/src/db/schema/user.ts
+++ b/packages/server/src/db/schema/user.ts
@@ -65,6 +65,7 @@ export const user = pgTable("user", {
 	stripeCustomerId: text("stripeCustomerId"),
 	stripeSubscriptionId: text("stripeSubscriptionId"),
 	serversQuantity: integer("serversQuantity").notNull().default(0),
+	trustedOrigins: text("trustedOrigins").array(),
 });

 export const usersRelations = relations(user, ({ one, many }) => ({
@@ -85,6 +86,8 @@ const createSchema = createInsertSchema(user, {
 	isRegistered: z.boolean().optional(),
 }).omit({
 	role: true,
+	trustedOrigins: true,
+	isValidEnterpriseLicense: true,
 });

 export const apiCreateUserInvitation = createSchema.pick({}).extend({
--- a/packages/server/src/lib/auth.ts
+++ b/packages/server/src/lib/auth.ts
@@ -9,7 +9,7 @@ import { and, desc, eq } from "drizzle-orm";
 import { IS_CLOUD } from "../constants";
 import { db } from "../db";
 import * as schema from "../db/schema";
-import { getUserByToken } from "../services/admin";
+import { getTrustedOrigins, getUserByToken } from "../services/admin";
 import {
 	getWebServerSettings,
 	updateWebServerSettings,
@@ -43,28 +43,24 @@ const { handler, api } = betterAuth({
 	logger: {
 		disabled: process.env.NODE_ENV === "production",
 	},
-	...(!IS_CLOUD && {
-		async trustedOrigins() {
-			const settings = await getWebServerSettings();
-			if (!settings) {
-				return [];
-			}
-			return [
-				...(settings?.serverIp ? [`http://${settings?.serverIp}:3000`] : []),
-				...(settings?.host ? [`https://${settings?.host}`] : []),
-				...(process.env.NODE_ENV === "development"
-					? [
-							"http://localhost:3000",
-							"https://absolutely-handy-falcon.ngrok-free.app",
-							"https://dev-pee8hhc3qbjlqedb.us.auth0.com",
-							"https://trial-2804699.okta.com",
-							"https://login.microsoftonline.com",
-							"https://graph.microsoft.com",
-						]
-					: []),
-			];
-		},
-	}),
+	async trustedOrigins() {
+		const trustedOrigins = await getTrustedOrigins();
+		if (IS_CLOUD) {
+			return trustedOrigins;
+		}
+		const settings = await getWebServerSettings();
+		if (!settings) {
+			return [];
+		}
+		return [
+			...(settings?.serverIp ? [`http://${settings?.serverIp}:3000`] : []),
+			...(settings?.host ? [`https://${settings?.host}`] : []),
+			...(process.env.NODE_ENV === "development"
+				? ["http://localhost:3000"]
+				: []),
+			...trustedOrigins,
+		];
+	},
 	emailVerification: {
 		sendOnSignUp: true,
 		autoSignInAfterVerification: true,
--- a/packages/server/src/services/admin.ts
+++ b/packages/server/src/services/admin.ts
@@ -116,3 +116,18 @@ export const getDokployUrl = async () => {
 	}
 	return `http://${settings?.serverIp}:${process.env.PORT}`;
 };
+
+export const getTrustedOrigins = async () => {
+	const members = await db.query.member.findMany({
+		where: eq(member.role, "owner"),
+		with: {
+			user: true,
+		},
+	});
+
+	const trustedOrigins = members.flatMap(
+		(member) => member.user.trustedOrigins || [],
+	);
+
+	return Array.from(new Set(trustedOrigins));
+};
--- a/packages/server/src/services/proprietary/sso.ts
+++ b/packages/server/src/services/proprietary/sso.ts
@@ -13,3 +13,23 @@ export const getSSOProviders = async () => {
 	});
 	return providers;
 };
+
+export const requestToHeaders = (req: {
+	headers?: Record<string, string | string[] | undefined>;
+}): Headers => {
+	const headers = new Headers();
+	if (req?.headers) {
+		for (const [key, value] of Object.entries(req.headers)) {
+			if (value !== undefined && key.toLowerCase() !== "host") {
+				headers.set(key, Array.isArray(value) ? value.join(", ") : value);
+			}
+		}
+	}
+	return headers;
+};
+
+export const normalizeTrustedOrigin = (value: string): string => {
+	// Keep it simple: trim and remove trailing slashes.
+	// e.g. "https://example.com/" -> "https://example.com"
+	return value.trim().replace(/\/+$/, "");
+};