feat: add organisation sso portal (#1946)

Allow organisations to manage an SSO OIDC compliant portal. This method
is intended to streamline the onboarding process and paves the way to
allow organisations to manage their members in a more strict way.

packages/trpc/server/enterprise-router/create-organisation-email-domain.types.ts

@@ -2,7 +2,7 @@ import { z } from 'zod';
 
 import { ZEmailDomainSchema } from '@documenso/lib/types/email-domain';
 
-const domainRegex =
+export const domainRegex =
   /^(?!https?:\/\/)(?!www\.)([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$/;
 
 export const ZDomainSchema = z

packages/trpc/server/enterprise-router/decline-link-organisation-account.ts

@@ -0,0 +1,25 @@
+import { ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER } from '@documenso/lib/constants/organisations';
+import { prisma } from '@documenso/prisma';
+
+import { procedure } from '../trpc';
+import {
+  ZDeclineLinkOrganisationAccountRequestSchema,
+  ZDeclineLinkOrganisationAccountResponseSchema,
+} from './decline-link-organisation-account.types';
+
+/**
+ * Unauthenicated procedure, do not copy paste.
+ */
+export const declineLinkOrganisationAccountRoute = procedure
+  .input(ZDeclineLinkOrganisationAccountRequestSchema)
+  .output(ZDeclineLinkOrganisationAccountResponseSchema)
+  .mutation(async ({ input }) => {
+    const { token } = input;
+
+    await prisma.verificationToken.delete({
+      where: {
+        token,
+        identifier: ORGANISATION_ACCOUNT_LINK_VERIFICATION_TOKEN_IDENTIFIER,
+      },
+    });
+  });

packages/trpc/server/enterprise-router/decline-link-organisation-account.types.ts

@@ -0,0 +1,11 @@
+import { z } from 'zod';
+
+export const ZDeclineLinkOrganisationAccountRequestSchema = z.object({
+  token: z.string(),
+});
+
+export const ZDeclineLinkOrganisationAccountResponseSchema = z.void();
+
+export type TDeclineLinkOrganisationAccountRequest = z.infer<
+  typeof ZDeclineLinkOrganisationAccountRequestSchema
+>;

packages/trpc/server/enterprise-router/get-organisation-authentication-portal.ts

@@ -0,0 +1,84 @@
+import { ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/organisations';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { buildOrganisationWhereQuery } from '@documenso/lib/utils/organisations';
+import { prisma } from '@documenso/prisma';
+
+import { authenticatedProcedure } from '../trpc';
+import {
+  ZGetOrganisationAuthenticationPortalRequestSchema,
+  ZGetOrganisationAuthenticationPortalResponseSchema,
+} from './get-organisation-authentication-portal.types';
+
+export const getOrganisationAuthenticationPortalRoute = authenticatedProcedure
+  .input(ZGetOrganisationAuthenticationPortalRequestSchema)
+  .output(ZGetOrganisationAuthenticationPortalResponseSchema)
+  .query(async ({ input, ctx }) => {
+    const { organisationId } = input;
+
+    ctx.logger.info({
+      input: {
+        organisationId,
+      },
+    });
+
+    return await getOrganisationAuthenticationPortal({
+      userId: ctx.user.id,
+      organisationId,
+    });
+  });
+
+type GetOrganisationAuthenticationPortalOptions = {
+  userId: number;
+  organisationId: string;
+};
+
+export const getOrganisationAuthenticationPortal = async ({
+  userId,
+  organisationId,
+}: GetOrganisationAuthenticationPortalOptions) => {
+  const organisation = await prisma.organisation.findFirst({
+    where: buildOrganisationWhereQuery({
+      organisationId,
+      userId,
+      roles: ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_ORGANISATION'],
+    }),
+    include: {
+      organisationClaim: true,
+      organisationAuthenticationPortal: {
+        select: {
+          defaultOrganisationRole: true,
+          enabled: true,
+          clientId: true,
+          wellKnownUrl: true,
+          autoProvisionUsers: true,
+          allowedDomains: true,
+          clientSecret: true,
+        },
+      },
+    },
+  });
+
+  if (!organisation) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Organisation not found',
+    });
+  }
+
+  if (!organisation.organisationClaim.flags.authenticationPortal) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Authentication portal not found',
+    });
+  }
+
+  const portal = organisation.organisationAuthenticationPortal;
+
+  return {
+    defaultOrganisationRole: portal.defaultOrganisationRole,
+    enabled: portal.enabled,
+    clientId: portal.clientId,
+    wellKnownUrl: portal.wellKnownUrl,
+    autoProvisionUsers: portal.autoProvisionUsers,
+    allowedDomains: portal.allowedDomains,
+    clientSecretProvided: Boolean(portal.clientSecret),
+  };
+};

packages/trpc/server/enterprise-router/get-organisation-authentication-portal.types.ts

@@ -0,0 +1,28 @@
+import { z } from 'zod';
+
+import { OrganisationAuthenticationPortalSchema } from '@documenso/prisma/generated/zod/modelSchema/OrganisationAuthenticationPortalSchema';
+
+export const ZGetOrganisationAuthenticationPortalRequestSchema = z.object({
+  organisationId: z.string(),
+});
+
+export const ZGetOrganisationAuthenticationPortalResponseSchema =
+  OrganisationAuthenticationPortalSchema.pick({
+    defaultOrganisationRole: true,
+    enabled: true,
+    clientId: true,
+    wellKnownUrl: true,
+    autoProvisionUsers: true,
+    allowedDomains: true,
+  }).extend({
+    /**
+     * Whether we have the client secret in the database.
+     *
+     * Do not expose the actual client secret.
+     */
+    clientSecretProvided: z.boolean(),
+  });
+
+export type TGetOrganisationAuthenticationPortalResponse = z.infer<
+  typeof ZGetOrganisationAuthenticationPortalResponseSchema
+>;

packages/trpc/server/enterprise-router/link-organisation-account.ts

@@ -0,0 +1,22 @@
+import { linkOrganisationAccount } from '@documenso/ee/server-only/lib/link-organisation-account';
+
+import { procedure } from '../trpc';
+import {
+  ZLinkOrganisationAccountRequestSchema,
+  ZLinkOrganisationAccountResponseSchema,
+} from './link-organisation-account.types';
+
+/**
+ * Unauthenicated procedure, do not copy paste.
+ */
+export const linkOrganisationAccountRoute = procedure
+  .input(ZLinkOrganisationAccountRequestSchema)
+  .output(ZLinkOrganisationAccountResponseSchema)
+  .mutation(async ({ input, ctx }) => {
+    const { token } = input;
+
+    await linkOrganisationAccount({
+      token,
+      requestMeta: ctx.metadata.requestMetadata,
+    });
+  });

packages/trpc/server/enterprise-router/link-organisation-account.types.ts

@@ -0,0 +1,9 @@
+import { z } from 'zod';
+
+export const ZLinkOrganisationAccountRequestSchema = z.object({
+  token: z.string(),
+});
+
+export const ZLinkOrganisationAccountResponseSchema = z.void();
+
+export type TLinkOrganisationAccountRequest = z.infer<typeof ZLinkOrganisationAccountRequestSchema>;

packages/trpc/server/enterprise-router/router.ts

@@ -2,15 +2,19 @@ import { router } from '../trpc';
 import { createOrganisationEmailRoute } from './create-organisation-email';
 import { createOrganisationEmailDomainRoute } from './create-organisation-email-domain';
 import { createSubscriptionRoute } from './create-subscription';
+import { declineLinkOrganisationAccountRoute } from './decline-link-organisation-account';
 import { deleteOrganisationEmailRoute } from './delete-organisation-email';
 import { deleteOrganisationEmailDomainRoute } from './delete-organisation-email-domain';
 import { findOrganisationEmailDomainsRoute } from './find-organisation-email-domain';
 import { findOrganisationEmailsRoute } from './find-organisation-emails';
 import { getInvoicesRoute } from './get-invoices';
+import { getOrganisationAuthenticationPortalRoute } from './get-organisation-authentication-portal';
 import { getOrganisationEmailDomainRoute } from './get-organisation-email-domain';
 import { getPlansRoute } from './get-plans';
 import { getSubscriptionRoute } from './get-subscription';
+import { linkOrganisationAccountRoute } from './link-organisation-account';
 import { manageSubscriptionRoute } from './manage-subscription';
+import { updateOrganisationAuthenticationPortalRoute } from './update-organisation-authentication-portal';
 import { updateOrganisationEmailRoute } from './update-organisation-email';
 import { verifyOrganisationEmailDomainRoute } from './verify-organisation-email-domain';
 
@@ -29,6 +33,12 @@ export const enterpriseRouter = router({
       delete: deleteOrganisationEmailDomainRoute,
       verify: verifyOrganisationEmailDomainRoute,
     },
+    authenticationPortal: {
+      get: getOrganisationAuthenticationPortalRoute,
+      update: updateOrganisationAuthenticationPortalRoute,
+      linkAccount: linkOrganisationAccountRoute,
+      declineLinkAccount: declineLinkOrganisationAccountRoute,
+    },
   },
   billing: {
     plans: {

packages/trpc/server/enterprise-router/update-organisation-authentication-portal.ts

@@ -0,0 +1,109 @@
+import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import { DOCUMENSO_ENCRYPTION_KEY } from '@documenso/lib/constants/crypto';
+import { ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/organisations';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { symmetricEncrypt } from '@documenso/lib/universal/crypto';
+import { buildOrganisationWhereQuery } from '@documenso/lib/utils/organisations';
+import { prisma } from '@documenso/prisma';
+
+import { authenticatedProcedure } from '../trpc';
+import {
+  ZUpdateOrganisationAuthenticationPortalRequestSchema,
+  ZUpdateOrganisationAuthenticationPortalResponseSchema,
+} from './update-organisation-authentication-portal.types';
+
+export const updateOrganisationAuthenticationPortalRoute = authenticatedProcedure
+  .input(ZUpdateOrganisationAuthenticationPortalRequestSchema)
+  .output(ZUpdateOrganisationAuthenticationPortalResponseSchema)
+  .mutation(async ({ input, ctx }) => {
+    const { organisationId, data } = input;
+    const { user } = ctx;
+
+    ctx.logger.info({
+      input: {
+        organisationId,
+      },
+    });
+
+    if (!IS_BILLING_ENABLED()) {
+      throw new AppError(AppErrorCode.INVALID_REQUEST, {
+        message: 'Billing is not enabled',
+      });
+    }
+
+    const organisation = await prisma.organisation.findFirst({
+      where: buildOrganisationWhereQuery({
+        organisationId,
+        userId: user.id,
+        roles: ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_ORGANISATION'],
+      }),
+      include: {
+        organisationAuthenticationPortal: true,
+        organisationClaim: true,
+      },
+    });
+
+    if (!organisation) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED);
+    }
+
+    if (!organisation.organisationClaim.flags.authenticationPortal) {
+      throw new AppError(AppErrorCode.INVALID_REQUEST, {
+        message: 'Authentication portal is not allowed for this organisation',
+      });
+    }
+
+    const {
+      defaultOrganisationRole,
+      enabled,
+      clientId,
+      clientSecret,
+      wellKnownUrl,
+      autoProvisionUsers,
+      allowedDomains,
+    } = data;
+
+    if (
+      enabled &&
+      (!wellKnownUrl ||
+        !clientId ||
+        (!clientSecret && !organisation.organisationAuthenticationPortal.clientSecret))
+    ) {
+      throw new AppError(AppErrorCode.INVALID_BODY, {
+        message:
+          'Client ID, client secret, and well known URL are required when authentication portal is enabled',
+      });
+    }
+
+    // Allow empty string to be passed in to remove the client secret from the database.
+    let encryptedClientSecret: string | undefined = clientSecret;
+
+    // Encrypt the secret if it is provided.
+    if (clientSecret) {
+      const encryptionKey = DOCUMENSO_ENCRYPTION_KEY;
+
+      if (!encryptionKey) {
+        throw new Error('Missing DOCUMENSO_ENCRYPTION_KEY');
+      }
+
+      encryptedClientSecret = symmetricEncrypt({
+        key: encryptionKey,
+        data: clientSecret,
+      });
+    }
+
+    await prisma.organisationAuthenticationPortal.update({
+      where: {
+        id: organisation.organisationAuthenticationPortal.id,
+      },
+      data: {
+        defaultOrganisationRole,
+        enabled,
+        clientId,
+        clientSecret: encryptedClientSecret,
+        wellKnownUrl,
+        autoProvisionUsers,
+        allowedDomains,
+      },
+    });
+  });

packages/trpc/server/enterprise-router/update-organisation-authentication-portal.types.ts

@@ -0,0 +1,24 @@
+import { z } from 'zod';
+
+import OrganisationMemberRoleSchema from '@documenso/prisma/generated/zod/inputTypeSchemas/OrganisationMemberRoleSchema';
+
+import { domainRegex } from './create-organisation-email-domain.types';
+
+export const ZUpdateOrganisationAuthenticationPortalRequestSchema = z.object({
+  organisationId: z.string(),
+  data: z.object({
+    defaultOrganisationRole: OrganisationMemberRoleSchema,
+    enabled: z.boolean(),
+    clientId: z.string(),
+    clientSecret: z.string().optional(),
+    wellKnownUrl: z.union([z.string().url(), z.literal('')]),
+    autoProvisionUsers: z.boolean(),
+    allowedDomains: z.array(z.string().regex(domainRegex)),
+  }),
+});
+
+export const ZUpdateOrganisationAuthenticationPortalResponseSchema = z.void();
+
+export type TUpdateOrganisationAuthenticationPortalRequest = z.infer<
+  typeof ZUpdateOrganisationAuthenticationPortalRequestSchema
+>;