Merge pull request #27 from HarperFast/issue-26

disambiguate session provider

Author: heskew

docs/multi-tenant-sso.md

@@ -373,7 +373,7 @@ registerHooks({
 				id: user.email,
 				name: user.name,
 				role: user.role || 'user',
-				tenant: session.oauth.provider,
+				tenant: session.oauth.providerConfigId, // Config ID = tenant ID
 			});
 		}
 

src/index.ts

@@ -182,41 +182,42 @@ export async function handleApplication(scope: Scope): Promise<void> {
 			return next(request);
 		}
 
-		// Get the provider for this OAuth session
-		const providerName = request.session.oauth.provider;
-		let providerData = providers[providerName];
+		// Get the provider config ID for this OAuth session
+		// Use providerConfigId (new) or fall back to provider (old) for backwards compatibility
+		const providerConfigId = request.session.oauth.providerConfigId || request.session.oauth.provider;
+		let providerData = providers[providerConfigId];
 
 		// If provider not found in registry, try to resolve via hook (dynamic providers)
 		if (!providerData && hookManager?.hasHook('onResolveProvider')) {
 			try {
-				logger?.debug?.(`Provider "${providerName}" not in registry, attempting dynamic resolution`);
+				logger?.debug?.(`Provider config "${providerConfigId}" not in registry, attempting dynamic resolution`);
 
-				const hookConfig = await hookManager.callResolveProvider(providerName, logger);
+				const hookConfig = await hookManager.callResolveProvider(providerConfigId, logger);
 
 				if (hookConfig) {
 					// Hook resolved provider - build full config and register dynamically
 					const { OAuthProvider } = await import('./lib/OAuthProvider.ts');
 					const { buildProviderConfig } = await import('./lib/config.ts');
 
 					// Build full provider config (handles Okta/Azure/Auth0 domain configuration)
-					const config = buildProviderConfig(hookConfig, providerName, pluginDefaults);
+					const config = buildProviderConfig(hookConfig, providerConfigId, pluginDefaults);
 					const provider = new OAuthProvider(config, logger);
 
-					providers[providerName] = {
+					providers[providerConfigId] = {
 						provider,
 						config,
 					};
 
-					providerData = providers[providerName];
-					logger?.info?.(`Dynamically registered provider for session validation: ${providerName}`);
+					providerData = providers[providerConfigId];
+					logger?.info?.(`Dynamically registered provider for session validation: ${providerConfigId}`);
 				}
 			} catch (error) {
-				logger?.error?.(`Error resolving provider ${providerName} for session:`, (error as Error).message);
+				logger?.error?.(`Error resolving provider ${providerConfigId} for session:`, (error as Error).message);
 			}
 		}
 
 		if (!providerData) {
-			logger?.warn?.(`OAuth provider '${providerName}' not found, logging out user`);
+			logger?.warn?.(`OAuth provider config '${providerConfigId}' not found, logging out user`);
 			// Provider no longer exists - complete logout
 			await clearOAuthSession(request.session, logger);
 			return next(request);
@@ -229,7 +230,7 @@ export async function handleApplication(scope: Scope): Promise<void> {
 			// Session is no longer valid (already cleaned up by validator)
 			logger?.debug?.(`OAuth session invalidated: ${validation.error}`);
 		} else if (validation.refreshed) {
-			logger?.debug?.(`OAuth token auto-refreshed for ${providerName}`);
+			logger?.debug?.(`OAuth token auto-refreshed for ${providerConfigId}`);
 		}
 
 		// Continue with the request (session updated if refreshed)

src/lib/handlers.ts

@@ -219,13 +219,13 @@ export async function handleCallback(
 			// Leave expiresAt and refreshThreshold undefined so middleware doesn't try to refresh
 
 			// Prepare session data
-			// Store providerName (registry key) not config.provider (provider type)
-			// This ensures session validation can look up the correct provider
 			const sessionData: any = {
 				user: hookData?.user || user.username, // Use hook's user if provided, otherwise OAuth username
 				oauthUser: user, // Store full OAuth user object separately
 				oauth: {
-					provider: providerName, // Store registry key (e.g., 'harperdb') not provider type (e.g., 'okta')
+					provider: providerName, // Config key (backwards compatible - e.g., 'my-custom-github', 'production-okta')
+					providerConfigId: providerName, // Config key/ID (clearer naming for new code)
+					providerType: config.provider, // Provider type (e.g., 'github', 'okta')
 					accessToken: tokenResponse.access_token,
 					refreshToken: tokenResponse.refresh_token,
 					expiresAt,
@@ -358,6 +358,8 @@ export async function handleUserInfo(request: Request, tokenRefreshed = false):
 				oauth: oauthMetadata
 					? {
 							provider: oauthMetadata.provider,
+							providerConfigId: oauthMetadata.providerConfigId,
+							providerType: oauthMetadata.providerType,
 							expiresAt: oauthMetadata.expiresAt,
 							refreshThreshold: oauthMetadata.refreshThreshold,
 							lastRefreshed: oauthMetadata.lastRefreshed,

src/lib/sessionValidator.ts

@@ -151,6 +151,8 @@ export async function validateAndRefreshSession(
 		// Update session with new tokens and metadata
 		const updatedMetadata: OAuthSessionMetadata = {
 			provider: oauthMetadata.provider,
+			providerConfigId: oauthMetadata.providerConfigId,
+			providerType: oauthMetadata.providerType,
 			accessToken: tokenResponse.access_token,
 			refreshToken: tokenResponse.refresh_token || oauthMetadata.refreshToken, // Keep existing if not provided
 			expiresAt: newExpiresAt,

src/types.ts

@@ -315,8 +315,15 @@ export interface Request extends IncomingMessage {
  * Token and expiration data stored in session for automatic refresh
  */
 export interface OAuthSessionMetadata {
-	/** OAuth provider name (e.g., 'github', 'google') */
+	/**
+	 * Provider configuration ID/key from config (e.g., 'my-custom-github', 'production-okta').
+	 * @deprecated Use `providerConfigId` instead. This field is maintained for backwards compatibility only.
+	 */
 	provider: string;
+	/** Provider configuration ID/key from config (e.g., 'my-custom-github', 'production-okta'). */
+	providerConfigId: string;
+	/** OAuth provider type (e.g., 'github', 'google', 'okta') */
+	providerType: string;
 	/** Current access token */
 	accessToken: string;
 	/** Refresh token for obtaining new access tokens */

test/lib/handlers.test.js

@@ -367,6 +367,9 @@ describe('OAuth Handlers', () => {
 			// Token data is now stored in oauth object
 			assert.ok(mockRequest.session.oauth);
 			assert.equal(mockRequest.session.oauth.accessToken, 'access-token-123');
+			assert.equal(mockRequest.session.oauth.provider, 'test-provider', 'provider (config key) should be set');
+			assert.equal(mockRequest.session.oauth.providerConfigId, 'test-provider', 'providerConfigId should be set');
+			assert.equal(mockRequest.session.oauth.providerType, 'test', 'providerType should match config.provider');
 		});
 
 		it('should handle tokens without expiration (GitHub style)', async () => {

test/lib/sessionValidator.test.js

@@ -131,6 +131,8 @@ test('should preserve provider field during token refresh', async () => {
 	const session = createMockSession({
 		oauth: {
 			provider: 'google',
+			providerConfigId: 'google',
+			providerType: 'google',
 			accessToken: 'old_token',
 			refreshToken: 'old_refresh',
 			expiresAt: Date.now() - 1000, // Already expired
@@ -146,6 +148,16 @@ test('should preserve provider field during token refresh', async () => {
 	// BUG: This assertion will FAIL before the fix!
 	// The provider field gets lost during session.update()
 	assert.strictEqual(session.oauth.provider, 'google', 'provider field should be preserved after token refresh');
+	assert.strictEqual(
+		session.oauth.providerConfigId,
+		'google',
+		'providerConfigId field should be preserved after token refresh'
+	);
+	assert.strictEqual(
+		session.oauth.providerType,
+		'google',
+		'providerType field should be preserved after token refresh'
+	);
 });
 
 test('should preserve custom session fields from hooks during refresh', async () => {