feat: add organisation sso portal (#1946)

Allow organisations to manage an SSO OIDC compliant portal. This method is intended to streamline the onboarding process and paves the way to allow organisations to manage their members in a more strict way.
2025-11-14 08:42:12 +10:00 · 2025-09-09 17:14:07 +10:00
parent 374f2c45b4
commit 9ac7b94d9a
56 changed files with 2922 additions and 200 deletions
--- a/packages/ee/server-only/lib/link-organisation-account.ts
+++ b/packages/ee/server-only/lib/link-organisation-account.ts
@ -0,0 +1,163 @@
+import { UserSecurityAuditLogType } from '@prisma/client';
+
+import { getOrganisationAuthenticationPortalOptions } from '@documenso/auth/server/lib/utils/organisation-portal';
+import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import {
+  ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+  ORGANISATION_USER_ACCOUNT_TYPE,
+} from '@documenso/lib/constants/organisations';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { addUserToOrganisation } from '@documenso/lib/server-only/organisation/accept-organisation-invitation';
+import { ZOrganisationAccountLinkMetadataSchema } from '@documenso/lib/types/organisation';
+import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { prisma } from '@documenso/prisma';
+
+export interface LinkOrganisationAccountOptions {
+  token: string;
+  requestMeta: RequestMetadata;
+}
+
+export const linkOrganisationAccount = async ({
+  token,
+  requestMeta,
+}: LinkOrganisationAccountOptions) => {
+  if (!IS_BILLING_ENABLED()) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Billing is not enabled',
+    });
+  }
+
+  // Delete the token since it contains unnecessary sensitive data.
+  const verificationToken = await prisma.verificationToken.delete({
+    where: {
+      token,
+      identifier: ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+    },
+    include: {
+      user: {
+        select: {
+          id: true,
+          emailVerified: true,
+          accounts: {
+            select: {
+              provider: true,
+              providerAccountId: true,
+            },
+          },
+        },
+      },
+    },
+  });
+
+  if (!verificationToken) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Verification token not found, used or expired',
+    });
+  }
+
+  if (verificationToken.completed) {
+    throw new AppError('ALREADY_USED');
+  }
+
+  if (verificationToken.expires < new Date()) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Verification token not found, used or expired',
+    });
+  }
+
+  const tokenMetadata = ZOrganisationAccountLinkMetadataSchema.safeParse(
+    verificationToken.metadata,
+  );
+
+  if (!tokenMetadata.success) {
+    console.error('Invalid token metadata', tokenMetadata.error);
+
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Verification token not found, used or expired',
+    });
+  }
+
+  const user = verificationToken.user;
+
+  const { clientOptions, organisation } = await getOrganisationAuthenticationPortalOptions({
+    type: 'id',
+    organisationId: tokenMetadata.data.organisationId,
+  });
+
+  const organisationMember = await prisma.organisationMember.findFirst({
+    where: {
+      userId: user.id,
+      organisationId: tokenMetadata.data.organisationId,
+    },
+  });
+
+  const oauthConfig = tokenMetadata.data.oauthConfig;
+
+  const userAlreadyLinked = user.accounts.find(
+    (account) =>
+      account.provider === clientOptions.id &&
+      account.providerAccountId === oauthConfig.providerAccountId,
+  );
+
+  if (organisationMember && userAlreadyLinked) {
+    return;
+  }
+
+  await prisma.$transaction(
+    async (tx) => {
+      // Link the user if not linked yet.
+      if (!userAlreadyLinked) {
+        await tx.account.create({
+          data: {
+            type: ORGANISATION_USER_ACCOUNT_TYPE,
+            provider: clientOptions.id,
+            providerAccountId: oauthConfig.providerAccountId,
+            access_token: oauthConfig.accessToken,
+            expires_at: oauthConfig.expiresAt,
+            token_type: 'Bearer',
+            id_token: oauthConfig.idToken,
+            userId: user.id,
+          },
+        });
+
+        // Log link event.
+        await tx.userSecurityAuditLog.create({
+          data: {
+            userId: user.id,
+            ipAddress: requestMeta.ipAddress,
+            userAgent: requestMeta.userAgent,
+            type: UserSecurityAuditLogType.ORGANISATION_SSO_LINK,
+          },
+        });
+
+        // If account already exists in an unverified state, remove the password to ensure
+        // they cannot sign in using that method since we cannot confirm the password
+        // was set by the user.
+        if (!user.emailVerified) {
+          await tx.user.update({
+            where: {
+              id: user.id,
+            },
+            data: {
+              emailVerified: new Date(),
+              password: null,
+              // Todo: (RR7) Will need to update the "password" account after the migration.
+            },
+          });
+        }
+      }
+
+      // Only add the user to the organisation if they are not already a member.
+      if (!organisationMember) {
+        await addUserToOrganisation({
+          userId: user.id,
+          organisationId: tokenMetadata.data.organisationId,
+          organisationGroups: organisation.groups,
+          organisationMemberRole:
+            organisation.organisationAuthenticationPortal.defaultOrganisationRole,
+        });
+      }
+    },
+    { timeout: 30_000 },
+  );
+};