models updated

Author: neSpecc

package.json

@@ -40,7 +40,7 @@
     "@graphql-tools/schema": "^8.5.1",
     "@graphql-tools/utils": "^8.9.0",
     "@hawk.so/nodejs": "^3.1.1",
-    "@hawk.so/types": "^0.1.37",
+    "@hawk.so/types": "^0.4.0",
     "@n1ru4l/json-patch-plus": "^0.2.0",
     "@types/amqp-connection-manager": "^2.0.4",
     "@types/bson": "^4.0.5",

src/models/user.ts

@@ -142,6 +142,25 @@ export default class UserModel extends AbstractModel<UserDBScheme> implements Us
    */
   public utm?: UserDBScheme['utm'];
 
+  /**
+   * External identities for SSO (keyed by workspaceId)
+   */
+  public identities?: {
+    [workspaceId: string]: {
+      saml: {
+        /**
+         * NameID value from IdP (stable identifier)
+         */
+        id: string;
+
+        /**
+         * Email at the time of linking (for audit)
+         */
+        email: string;
+      };
+    };
+  };
+
   /**
    * Model's collection
    */
@@ -418,4 +437,68 @@ export default class UserModel extends AbstractModel<UserDBScheme> implements Us
       },
     });
   }
+
+  /**
+   * Link SAML identity to user for specific workspace
+   *
+   * @param workspaceId - workspace ID
+   * @param samlId - NameID value from IdP (stable identifier)
+   * @param email - user email at the time of linking
+   */
+  public async linkSamlIdentity(workspaceId: string, samlId: string, email: string): Promise<void> {
+    /**
+     * Use Record<string, any> for MongoDB dot notation keys
+     */
+    const updateData: Record<string, any> = {
+      [`identities.${workspaceId}.saml.id`]: samlId,
+      [`identities.${workspaceId}.saml.email`]: email,
+    };
+
+    await this.update(
+      { _id: new ObjectId(this._id) },
+      { $set: updateData }
+    );
+
+    /**
+     * Update local state
+     */
+    if (!this.identities) {
+      this.identities = {};
+    }
+    if (!this.identities[workspaceId]) {
+      this.identities[workspaceId] = { saml: { id: samlId, email } };
+    } else {
+      this.identities[workspaceId].saml = { id: samlId, email };
+    }
+  }
+
+  /**
+   * Find user by SAML identity
+   *
+   * @param collection - users collection
+   * @param workspaceId - workspace ID
+   * @param samlId - NameID value from IdP
+   * @returns UserModel or null if not found
+   */
+  public static async findBySamlIdentity(
+    collection: Collection<UserDBScheme>,
+    workspaceId: string,
+    samlId: string
+  ): Promise<UserModel | null> {
+    const userData = await collection.findOne({
+      [`identities.${workspaceId}.saml.id`]: samlId,
+    });
+
+    return userData ? new UserModel(userData) : null;
+  }
+
+  /**
+   * Get SAML identity for workspace
+   *
+   * @param workspaceId - workspace ID
+   * @returns SAML identity or null if not found
+   */
+  public getSamlIdentity(workspaceId: string): { id: string; email: string } | null {
+    return this.identities?.[workspaceId]?.saml || null;
+  }
 }

src/models/usersFactory.ts

@@ -149,4 +149,19 @@ export default class UsersFactory extends AbstractModelFactory<UserDBScheme, Use
 
     return !!result.ok;
   }
+
+  /**
+   * Find user by SAML identity
+   *
+   * @param workspaceId - workspace ID
+   * @param samlId - NameID value from IdP
+   * @returns UserModel or null if not found
+   */
+  public async findBySamlIdentity(workspaceId: string, samlId: string): Promise<UserModel | null> {
+    const userData = await this.collection.findOne({
+      [`identities.${workspaceId}.saml.id`]: samlId,
+    });
+
+    return userData ? new UserModel(userData) : null;
+  }
 }

src/models/workspace.ts

@@ -76,6 +76,11 @@ export default class WorkspaceModel extends AbstractModel<WorkspaceDBScheme> imp
    */
   public isDebug?: boolean;
 
+  /**
+   * SSO configuration
+   */
+  public sso?: WorkspaceDBScheme['sso'];
+
   /**
    * Model's collection
    */

src/sso/types.ts

@@ -1,88 +1,11 @@
 /**
- * SAML attribute mapping configuration
+ * Re-export SSO types from @hawk.so/types
  */
-export interface SamlAttributeMapping {
-  /**
-   * Attribute name for email in SAML Assertion
-   *
-   * @example "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-   * to get email from XML like this:
-   *  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
-   *    <AttributeValue>[email protected]</AttributeValue>
-   *  </Attribute>
-   */
-  email: string;
-
-  /**
-   * Attribute name for user name in SAML Assertion
-   */
-  name?: string;
-}
-
-/**
- * SAML SSO configuration
- */
-export interface SamlConfig {
-  /**
-   * IdP Entity ID.
-   * Used to validate "this response is intended for Hawk"
-   * @example "urn:hawk:tracker:saml"
-   */
-  idpEntityId: string;
-
-  /**
-   * SSO URL for redirecting user to IdP
-   * Used to redirect user to IdP for authentication
-   * @example "https://idp.example.com/sso"
-   */
-  ssoUrl: string;
-
-  /**
-   * X.509 certificate for signature verification
-   * @example "-----BEGIN CERTIFICATE-----\nMIIDYjCCAkqgAwIBAgI...END CERTIFICATE-----"
-   */
-  x509Cert: string;
-
-  /**
-   * Desired NameID format
-   * @example "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-   */
-  nameIdFormat?: string;
-
-  /**
-   * Attribute mapping configuration
-   * Used to extract user attributes from SAML Response
-   */
-  attributeMapping: SamlAttributeMapping;
-}
-
-/**
- * SSO configuration for workspace
- */
-export interface WorkspaceSsoConfig {
-  /**
-   * Is SSO enabled
-   */
-  enabled: boolean;
-
-  /**
-   * Is SSO enforced (only SSO login allowed)
-   * If true, login via email/password is not allowed
-   */
-  enforced: boolean;
-
-  /**
-   * SSO provider type
-   * Currently only SAML is supported. In future we can add other providers (OAuth 2, etc.)
-   */
-  type: 'saml';
-
-  /**
-   * SAML-specific configuration.
-   * Got from IdP metadata.
-   */
-  saml: SamlConfig;
-}
+export type {
+  SamlAttributeMapping,
+  SamlConfig,
+  WorkspaceSsoConfig,
+} from '@hawk.so/types';
 
 /**
  * Data extracted from SAML Response

yarn.lock

@@ -491,12 +491,12 @@
   dependencies:
     "@types/mongodb" "^3.5.34"
 
-"@hawk.so/types@^0.1.37":
-  version "0.1.37"
-  resolved "https://registry.yarnpkg.com/@hawk.so/types/-/types-0.1.37.tgz#e68d822957d86aac4fa1fdec7927a046ce0cf8c8"
-  integrity sha512-34C+TOWA5oJyOL3W+NXlSyY7u0OKkRu2+tIZ4jSJp0c1/5v+qpEPeo07FlOOHqDRRhMG4/2PAgQCronfF2qWPg==
+"@hawk.so/types@^0.4.0":
+  version "0.4.0"
+  resolved "https://registry.yarnpkg.com/@hawk.so/types/-/types-0.4.0.tgz#76627aba4c253352e088a6c2b1358065908334ae"
+  integrity sha512-PiwrZn2xGIfCnFFapAZPSXC75cdMOUewV3LTMZijF9lBgUHI2fIgbcMdT65WAkDFArtQTYzoLhDvJMbhtEyRKA==
   dependencies:
-    "@types/mongodb" "^3.5.34"
+    bson "^7.0.0"
 
 "@istanbuljs/load-nyc-config@^1.0.0":
   version "1.1.0"
@@ -2045,6 +2045,11 @@ bson@^1.1.4:
   resolved "https://registry.yarnpkg.com/bson/-/bson-1.1.6.tgz#fb819be9a60cd677e0853aee4ca712a785d6618a"
   integrity sha512-EvVNVeGo4tHxwi8L6bPj3y3itEvStdwvvlojVxxbyYfoaxJ6keLgrTuKdyfEAszFK+H3olzBuafE0yoh0D1gdg==
 
+bson@^7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/bson/-/bson-7.0.0.tgz#2ee7ac8296d61739a8d3d1799724a10d9f8afa8d"
+  integrity sha512-Kwc6Wh4lQ5OmkqqKhYGKIuELXl+EPYSCObVE6bWsp1T/cGkOCBN0I8wF/T44BiuhHyNi1mmKVPXk60d41xZ7kw==
+
 buffer-crc32@~0.2.3:
   version "0.2.13"
   resolved "https://registry.yarnpkg.com/buffer-crc32/-/buffer-crc32-0.2.13.tgz#0d333e3f00eac50aa1454abd30ef8c2a5d9a7242"