feat: add organisation sso portal (#1946)

Allow organisations to manage an SSO OIDC compliant portal. This method is intended to streamline the onboarding process and paves the way to allow organisations to manage their members in a more strict way.
2025-11-15 01:01:49 +10:00 · 2025-09-09 17:14:07 +10:00
parent 374f2c45b4
commit 9ac7b94d9a
56 changed files with 2922 additions and 200 deletions
--- a/packages/ee/server-only/lib/link-organisation-account.ts
+++ b/packages/ee/server-only/lib/link-organisation-account.ts
@ -0,0 +1,163 @@
+import { UserSecurityAuditLogType } from '@prisma/client';
+
+import { getOrganisationAuthenticationPortalOptions } from '@documenso/auth/server/lib/utils/organisation-portal';
+import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import {
+  ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+  ORGANISATION_USER_ACCOUNT_TYPE,
+} from '@documenso/lib/constants/organisations';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { addUserToOrganisation } from '@documenso/lib/server-only/organisation/accept-organisation-invitation';
+import { ZOrganisationAccountLinkMetadataSchema } from '@documenso/lib/types/organisation';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { prisma } from '@documenso/prisma';
+
+export interface LinkOrganisationAccountOptions {
+  token: string;
+  requestMeta: RequestMetadata;
+}
+
+export const linkOrganisationAccount = async ({
+  token,
+  requestMeta,
+}: LinkOrganisationAccountOptions) => {
+  if (!IS_BILLING_ENABLED()) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Billing is not enabled',
+    });
+  }
+
+  // Delete the token since it contains unnecessary sensitive data.
+  const verificationToken = await prisma.verificationToken.delete({
+    where: {
+      token,
+      identifier: ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+    },
+    include: {
+      user: {
+        select: {
+          id: true,
+          emailVerified: true,
+          accounts: {
+            select: {
+              provider: true,
+              providerAccountId: true,
+            },
+          },
+        },
+      },
+    },
+  });
+
+  if (!verificationToken) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Verification token not found, used or expired',
+    });
+  }
+
+  if (verificationToken.completed) {
+    throw new AppError('ALREADY_USED');
+  }
+
+  if (verificationToken.expires < new Date()) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Verification token not found, used or expired',
+    });
+  }
+
+  const tokenMetadata = ZOrganisationAccountLinkMetadataSchema.safeParse(
+    verificationToken.metadata,
+  );
+
+  if (!tokenMetadata.success) {
+    console.error('Invalid token metadata', tokenMetadata.error);
+
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Verification token not found, used or expired',
+    });
+  }
+
+  const user = verificationToken.user;
+
+  const { clientOptions, organisation } = await getOrganisationAuthenticationPortalOptions({
+    type: 'id',
+    organisationId: tokenMetadata.data.organisationId,
+  });
+
+  const organisationMember = await prisma.organisationMember.findFirst({
+    where: {
+      userId: user.id,
+      organisationId: tokenMetadata.data.organisationId,
+    },
+  });
+
+  const oauthConfig = tokenMetadata.data.oauthConfig;
+
+  const userAlreadyLinked = user.accounts.find(
+    (account) =>
+      account.provider === clientOptions.id &&
+      account.providerAccountId === oauthConfig.providerAccountId,
+  );
+
+  if (organisationMember && userAlreadyLinked) {
+    return;
+  }
+
+  await prisma.$transaction(
+    async (tx) => {
+      // Link the user if not linked yet.
+      if (!userAlreadyLinked) {
+        await tx.account.create({
+          data: {
+            type: ORGANISATION_USER_ACCOUNT_TYPE,
+            provider: clientOptions.id,
+            providerAccountId: oauthConfig.providerAccountId,
+            access_token: oauthConfig.accessToken,
+            expires_at: oauthConfig.expiresAt,
+            token_type: 'Bearer',
+            id_token: oauthConfig.idToken,
+            userId: user.id,
+          },
+        });
+
+        // Log link event.
+        await tx.userSecurityAuditLog.create({
+          data: {
+            userId: user.id,
+            ipAddress: requestMeta.ipAddress,
+            userAgent: requestMeta.userAgent,
+            type: UserSecurityAuditLogType.ORGANISATION_SSO_LINK,
+          },
+        });
+
+        // If account already exists in an unverified state, remove the password to ensure
+        // they cannot sign in using that method since we cannot confirm the password
+        // was set by the user.
+        if (!user.emailVerified) {
+          await tx.user.update({
+            where: {
+              id: user.id,
+            },
+            data: {
+              emailVerified: new Date(),
+              password: null,
+              // Todo: (RR7) Will need to update the "password" account after the migration.
+            },
+          });
+        }
+      }
+
+      // Only add the user to the organisation if they are not already a member.
+      if (!organisationMember) {
+        await addUserToOrganisation({
+          userId: user.id,
+          organisationId: tokenMetadata.data.organisationId,
+          organisationGroups: organisation.groups,
+          organisationMemberRole:
+            organisation.organisationAuthenticationPortal.defaultOrganisationRole,
+        });
+      }
+    },
+    { timeout: 30_000 },
+  );
+};
--- a/packages/ee/server-only/lib/send-organisation-account-link-confirmation-email.ts
+++ b/packages/ee/server-only/lib/send-organisation-account-link-confirmation-email.ts
@ -0,0 +1,119 @@
+import { createElement } from 'react';
+
+import { msg } from '@lingui/core/macro';
+import crypto from 'crypto';
+import { DateTime } from 'luxon';
+
+import { mailer } from '@documenso/email/mailer';
+import { OrganisationAccountLinkConfirmationTemplate } from '@documenso/email/templates/organisation-account-link-confirmation';
+import { getI18nInstance } from '@documenso/lib/client-only/providers/i18n-server';
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { DOCUMENSO_INTERNAL_EMAIL } from '@documenso/lib/constants/email';
+import { ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER } from '@documenso/lib/constants/organisations';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { getEmailContext } from '@documenso/lib/server-only/email/get-email-context';
+import type { TOrganisationAccountLinkMetadata } from '@documenso/lib/types/organisation';
+import { renderEmailWithI18N } from '@documenso/lib/utils/render-email-with-i18n';
+import { prisma } from '@documenso/prisma';
+
+export type SendOrganisationAccountLinkConfirmationEmailProps = TOrganisationAccountLinkMetadata & {
+  organisationName: string;
+};
+
+export const sendOrganisationAccountLinkConfirmationEmail = async ({
+  type,
+  userId,
+  organisationId,
+  organisationName,
+  oauthConfig,
+}: SendOrganisationAccountLinkConfirmationEmailProps) => {
+  const user = await prisma.user.findFirst({
+    where: {
+      id: userId,
+    },
+    include: {
+      verificationTokens: {
+        where: {
+          identifier: ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+        },
+        orderBy: {
+          createdAt: 'desc',
+        },
+        take: 1,
+      },
+    },
+  });
+
+  if (!user) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'User not found',
+    });
+  }
+
+  const [previousVerificationToken] = user.verificationTokens;
+
+  // If we've sent a token in the last 5 minutes, don't send another one
+  if (
+    previousVerificationToken?.createdAt &&
+    DateTime.fromJSDate(previousVerificationToken.createdAt).diffNow('minutes').minutes > -5
+  ) {
+    return;
+  }
+
+  const token = crypto.randomBytes(20).toString('hex');
+
+  const createdToken = await prisma.verificationToken.create({
+    data: {
+      identifier: ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+      token,
+      expires: DateTime.now().plus({ minutes: 30 }).toJSDate(),
+      metadata: {
+        type,
+        userId,
+        organisationId,
+        oauthConfig,
+      } satisfies TOrganisationAccountLinkMetadata,
+      userId,
+    },
+  });
+
+  const { emailLanguage } = await getEmailContext({
+    emailType: 'INTERNAL',
+    source: {
+      type: 'organisation',
+      organisationId,
+    },
+    meta: null,
+  });
+
+  const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
+  const confirmationLink = `${assetBaseUrl}/organisation/sso/confirmation/${createdToken.token}`;
+
+  const confirmationTemplate = createElement(OrganisationAccountLinkConfirmationTemplate, {
+    type,
+    assetBaseUrl,
+    confirmationLink,
+    organisationName,
+  });
+
+  const [html, text] = await Promise.all([
+    renderEmailWithI18N(confirmationTemplate, { lang: emailLanguage }),
+    renderEmailWithI18N(confirmationTemplate, { lang: emailLanguage, plainText: true }),
+  ]);
+
+  const i18n = await getI18nInstance(emailLanguage);
+
+  return mailer.sendMail({
+    to: {
+      address: user.email,
+      name: user.name || '',
+    },
+    from: DOCUMENSO_INTERNAL_EMAIL,
+    subject:
+      type === 'create'
+        ? i18n._(msg`Account creation request`)
+        : i18n._(msg`Account linking request`),
+    html,
+    text,
+  });
+};