Enforce SSO login and refactor SSO config update

Added enforcement of SSO login for users in workspaces with enforced SSO. Refactored SSO configuration update logic by introducing setSsoConfig method in WorkspaceModel and updating resolver to use it, ensuring only SSO config is modified.

Author: neSpecc

src/models/workspace.ts

@@ -420,6 +420,25 @@ export default class WorkspaceModel extends AbstractModel<WorkspaceDBScheme> imp
     );
   }
 
+  /**
+   * Update SSO configuration
+   * @param ssoConfig - SSO configuration to set (or undefined to remove)
+   */
+  public async setSsoConfig(ssoConfig: WorkspaceDBScheme['sso'] | undefined): Promise<void> {
+    this.sso = ssoConfig;
+
+    await this.collection.updateOne(
+      {
+        _id: new ObjectId(this._id),
+      },
+      {
+        $set: {
+          sso: this.sso,
+        },
+      }
+    );
+  }
+
   /**
    * Due date of the current workspace tariff plan
    */

src/resolvers/user.ts

@@ -98,6 +98,21 @@ export default {
         throw new AuthenticationError('Wrong email or password');
       }
 
+      /**
+       * Check if there is a workspace with enforced SSO
+       * If user is a member of any workspace with enforced SSO, they must use SSO login
+       */
+      const workspacesIds = await user.getWorkspacesIds([]);
+      const workspaces = await factories.workspacesFactory.findManyByIds(workspacesIds);
+
+      const enforcedWorkspace = workspaces.find(w => w.sso?.enabled && w.sso?.enforced);
+
+      if (enforcedWorkspace) {
+        throw new AuthenticationError(
+          'This workspace requires SSO login. Please use SSO to sign in.'
+        );
+      }
+
       return user.generateTokensPair();
     },
 

src/resolvers/workspace.js

@@ -382,33 +382,34 @@ module.exports = {
       }
 
       /**
-       * Prepare update data
+       * Prepare SSO configuration
        * If enabled=false, preserve existing SSO config and only update enabled flag
        * If enabled=true, update full SSO configuration
        */
-      const updateData = {
-        ...workspace,
-        sso: config.enabled ? {
-          enabled: config.enabled,
-          enforced: config.enforced || false,
-          type: 'saml',
-          saml: {
-            idpEntityId: config.saml.idpEntityId,
-            ssoUrl: config.saml.ssoUrl,
-            x509Cert: config.saml.x509Cert,
-            nameIdFormat: config.saml.nameIdFormat,
-            attributeMapping: {
-              email: config.saml.attributeMapping.email,
-              name: config.saml.attributeMapping.name,
-            },
+      const ssoConfig = config.enabled ? {
+        enabled: config.enabled,
+        enforced: config.enforced || false,
+        type: 'saml',
+        saml: {
+          idpEntityId: config.saml.idpEntityId,
+          ssoUrl: config.saml.ssoUrl,
+          x509Cert: config.saml.x509Cert,
+          nameIdFormat: config.saml.nameIdFormat,
+          attributeMapping: {
+            email: config.saml.attributeMapping.email,
+            name: config.saml.attributeMapping.name,
           },
-        } : workspace.sso ? {
-          ...workspace.sso,
-          enabled: false,
-        } : undefined,
-      };
+        },
+      } : workspace.sso ? {
+        ...workspace.sso,
+        enabled: false,
+      } : undefined;
 
-      await workspace.updateWorkspace(updateData);
+      /**
+       * Update SSO configuration using model method
+       * This method handles the update correctly without touching other fields
+       */
+      await workspace.setSsoConfig(ssoConfig);
 
       return true;
     },