feat: add organisation sso portal (#1946)

Allow organisations to manage an SSO OIDC compliant portal. This method is intended to streamline the onboarding process and paves the way to allow organisations to manage their members in a more strict way.
2025-11-16 17:51:49 +10:00 · 2025-09-09 17:14:07 +10:00
parent 374f2c45b4
commit 9ac7b94d9a
56 changed files with 2922 additions and 200 deletions
--- a/packages/auth/server/routes/account.ts
+++ b/packages/auth/server/routes/account.ts
@ -0,0 +1,25 @@
+import { Hono } from 'hono';
+import superjson from 'superjson';
+
+import { deleteAccountProvider } from '../lib/utils/delete-account-provider';
+import { getAccounts } from '../lib/utils/get-accounts';
+
+export const accountRoute = new Hono()
+  /**
+   * Get all linked accounts.
+   */
+  .get('/accounts', async (c) => {
+    const accounts = await getAccounts(c);
+
+    return c.json(superjson.serialize({ accounts }));
+  })
+  /**
+   * Delete an account linking method.
+   */
+  .delete('/account/:accountId', async (c) => {
+    const accountId = c.req.param('accountId');
+
+    await deleteAccountProvider(c, accountId);
+
+    return c.json({ success: true });
+  });
--- a/packages/auth/server/routes/callback.ts
+++ b/packages/auth/server/routes/callback.ts
@ -1,7 +1,10 @@
 import { Hono } from 'hono';

+import { AppError } from '@documenso/lib/errors/app-error';
+
 import { GoogleAuthOptions, OidcAuthOptions } from '../config';
 import { handleOAuthCallbackUrl } from '../lib/utils/handle-oauth-callback-url';
+import { handleOAuthOrganisationCallbackUrl } from '../lib/utils/handle-oauth-organisation-callback-url';
 import type { HonoAuthContext } from '../types/context';

 /**
@ -14,6 +17,31 @@ export const callbackRoute = new Hono<HonoAuthContext>()
   */
  .get('/oidc', async (c) => handleOAuthCallbackUrl({ c, clientOptions: OidcAuthOptions }))

+  /**
+   * Organisation OIDC callback verification.
+   */
+  .get('/oidc/org/:orgUrl', async (c) => {
+    const orgUrl = c.req.param('orgUrl');
+
+    try {
+      return await handleOAuthOrganisationCallbackUrl({
+        c,
+        orgUrl,
+      });
+    } catch (err) {
+      console.error(err);
+
+      if (err instanceof Error) {
+        throw new AppError(err.name, {
+          message: err.message,
+          statusCode: 500,
+        });
+      }
+
+      throw err;
+    }
+  })
+
  /**
   * Google callback verification.
   */
--- a/packages/auth/server/routes/email-password.ts
+++ b/packages/auth/server/routes/email-password.ts
@ -16,7 +16,7 @@ import { validateTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/
 import { viewBackupCodes } from '@documenso/lib/server-only/2fa/view-backup-codes';
 import { createUser } from '@documenso/lib/server-only/user/create-user';
 import { forgotPassword } from '@documenso/lib/server-only/user/forgot-password';
-import { getMostRecentVerificationTokenByUserId } from '@documenso/lib/server-only/user/get-most-recent-verification-token-by-user-id';
+import { getMostRecentEmailVerificationToken } from '@documenso/lib/server-only/user/get-most-recent-email-verification-token';
 import { resetPassword } from '@documenso/lib/server-only/user/reset-password';
 import { updatePassword } from '@documenso/lib/server-only/user/update-password';
 import { verifyEmail } from '@documenso/lib/server-only/user/verify-email';
@ -105,7 +105,7 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
    }

    if (!user.emailVerified) {
-      const mostRecentToken = await getMostRecentVerificationTokenByUserId({
+      const mostRecentToken = await getMostRecentEmailVerificationToken({
        userId: user.id,
      });

--- a/packages/auth/server/routes/oauth.ts
+++ b/packages/auth/server/routes/oauth.ts
@ -4,6 +4,7 @@ import { z } from 'zod';

 import { GoogleAuthOptions, OidcAuthOptions } from '../config';
 import { handleOAuthAuthorizeUrl } from '../lib/utils/handle-oauth-authorize-url';
+import { getOrganisationAuthenticationPortalOptions } from '../lib/utils/organisation-portal';
 import type { HonoAuthContext } from '../types/context';

 const ZOAuthAuthorizeSchema = z.object({
@ -34,4 +35,20 @@ export const oauthRoute = new Hono<HonoAuthContext>()
      clientOptions: OidcAuthOptions,
      redirectPath,
    });
+  })
+  /**
+   * Organisation OIDC authorize endpoint.
+   */
+  .post('/authorize/oidc/org/:orgUrl', async (c) => {
+    const orgUrl = c.req.param('orgUrl');
+
+    const { clientOptions } = await getOrganisationAuthenticationPortalOptions({
+      type: 'url',
+      organisationUrl: orgUrl,
+    });
+
+    return await handleOAuthAuthorizeUrl({
+      c,
+      clientOptions,
+    });
  });