Add pluggable SAML state store with Redis and memory support

Refactored SAML state management to support both Redis and in-memory stores via a new SamlStateStoreInterface. Added Redis-backed implementation for multi-instance deployments and a factory to select the store type based on the SAML_STORE_TYPE environment variable. Updated controller and router to use the new store abstraction, and extended environment and type definitions accordingly.

Author: neSpecc

.env.sample

@@ -90,3 +90,6 @@ AWS_S3_BUCKET_ENDPOINT=
 # SSO Service Provider Entity ID
 # Unique identifier for Hawk in SAML IdP configuration
 SSO_SP_ENTITY_ID=urn:hawk:tracker:saml
+
+## SAML state store type (memory or redis, default: redis)
+SAML_STORE_TYPE=redis

.env.test

@@ -97,3 +97,6 @@ AWS_S3_SECRET_ACCESS_KEY=
 AWS_S3_BUCKET_NAME=
 AWS_S3_BUCKET_BASE_URL=
 AWS_S3_BUCKET_ENDPOINT=
+
+## SAML state store type (memory or redis, default: redis)
+SAML_STORE_TYPE=memory

src/redisHelper.ts

@@ -139,6 +139,15 @@ export default class RedisHelper {
     return Boolean(this.redisClient?.isOpen);
   }
 
+  /**
+   * Get Redis client instance
+   *
+   * @returns Redis client or null if not initialized
+   */
+  public getClient(): RedisClientType | null {
+    return this.redisClient;
+  }
+
   /**
    * Execute TS.RANGE command with aggregation
    *

src/sso/saml/controller.ts

@@ -2,7 +2,7 @@ import express from 'express';
 import { v4 as uuid } from 'uuid';
 import { ObjectId } from 'mongodb';
 import SamlService from './service';
-import samlStore from './store';
+import { SamlStateStoreInterface } from './store/SamlStateStoreInterface';
 import { ContextFactories } from '../../types/graphql';
 import { SamlResponseData } from '../types';
 import WorkspaceModel from '../../models/workspace';
@@ -23,13 +23,21 @@ export default class SamlController {
    */
   private factories: ContextFactories;
 
+  /**
+   * SAML state store instance
+   */
+  private store: SamlStateStoreInterface;
+
   /**
    * SAML controller constructor used for DI
+   *
    * @param factories - for working with models
+   * @param store - SAML state store instance
    */
-  constructor(factories: ContextFactories) {
+  constructor(factories: ContextFactories, store: SamlStateStoreInterface) {
     this.samlService = new SamlService();
     this.factories = factories;
+    this.store = store;
   }
 
   /**
@@ -74,10 +82,20 @@ export default class SamlController {
       /**
        * 3. Save RelayState to temporary storage
        */
-      samlStore.saveRelayState(relayStateId, {
+      this.log(
+        'info',
+        '[Store] Saving RelayState:',
+        sgr(relayStateId.slice(0, 8), Effect.ForegroundGray),
+        '| Store:',
+        sgr(this.store.type, Effect.ForegroundBlue),
+        '| Workspace:',
+        sgr(workspaceId, Effect.ForegroundCyan)
+      );
+      await this.store.saveRelayState(relayStateId, {
         returnUrl,
         workspaceId,
       });
+      this.log('log', '[Store] RelayState saved:', sgr(relayStateId.slice(0, 8), Effect.ForegroundGray));
 
       /**
        * 4. Generate AuthnRequest
@@ -105,7 +123,17 @@ export default class SamlController {
       /**
        * 5. Save AuthnRequest ID for InResponseTo validation
        */
-      samlStore.saveAuthnRequest(requestId, workspaceId);
+      this.log(
+        'info',
+        '[Store] Saving AuthnRequest:',
+        sgr(requestId.slice(0, 8), Effect.ForegroundGray),
+        '| Store:',
+        sgr(this.store.type, Effect.ForegroundBlue),
+        '| Workspace:',
+        sgr(workspaceId, Effect.ForegroundCyan)
+      );
+      await this.store.saveAuthnRequest(requestId, workspaceId);
+      this.log('log', '[Store] AuthnRequest saved:', sgr(requestId.slice(0, 8), Effect.ForegroundGray));
 
       /**
        * 6. Redirect to IdP
@@ -212,11 +240,34 @@ export default class SamlController {
          * Validate InResponseTo against stored AuthnRequest
          */
         if (samlData.inResponseTo) {
-          const isValidRequest = samlStore.validateAndConsumeAuthnRequest(
+          this.log(
+            'info',
+            '[Store] Validating AuthnRequest:',
+            sgr(samlData.inResponseTo.slice(0, 8), Effect.ForegroundGray),
+            '| Store:',
+            sgr(this.store.type, Effect.ForegroundBlue),
+            '| Workspace:',
+            sgr(workspaceId, Effect.ForegroundCyan)
+          );
+          const isValidRequest = await this.store.validateAndConsumeAuthnRequest(
             samlData.inResponseTo,
             workspaceId
           );
 
+          if (isValidRequest) {
+            this.log(
+              'log',
+              '[Store] AuthnRequest validated and consumed:',
+              sgr(samlData.inResponseTo.slice(0, 8), Effect.ForegroundGray)
+            );
+          } else {
+            this.log(
+              'warn',
+              '[Store] AuthnRequest validation failed:',
+              sgr(samlData.inResponseTo.slice(0, 8), Effect.ForegroundRed)
+            );
+          }
+
           if (!isValidRequest) {
             this.log(
               'error',
@@ -274,7 +325,27 @@ export default class SamlController {
        * 4. Get RelayState for return URL (before consuming)
        * Note: RelayState is consumed after first use, so we need to get it before validation
        */
-      const relayState = samlStore.getRelayState(relayStateId);
+      this.log(
+        'info',
+        '[Store] Getting RelayState:',
+        sgr(relayStateId.slice(0, 8), Effect.ForegroundGray),
+        '| Store:',
+        sgr(this.store.type, Effect.ForegroundBlue)
+      );
+      const relayState = await this.store.getRelayState(relayStateId);
+
+      if (relayState) {
+        this.log(
+          'log',
+          '[Store] RelayState retrieved and consumed:',
+          sgr(relayStateId.slice(0, 8), Effect.ForegroundGray),
+          '| Return URL:',
+          sgr(relayState.returnUrl, Effect.ForegroundGray)
+        );
+      } else {
+        this.log('warn', '[Store] RelayState not found or expired:', sgr(relayStateId.slice(0, 8), Effect.ForegroundRed));
+      }
+
       const finalReturnUrl = relayState?.returnUrl || `/workspace/${workspaceId}`;
 
       /**

src/sso/saml/index.ts

@@ -1,5 +1,6 @@
 import express from 'express';
 import SamlController from './controller';
+import { createSamlStateStore } from './storeFactory';
 import { ContextFactories } from '../../types/graphql';
 
 /**
@@ -10,7 +11,8 @@ import { ContextFactories } from '../../types/graphql';
  */
 export function createSamlRouter(factories: ContextFactories): express.Router {
   const router = express.Router();
-  const controller = new SamlController(factories);
+  const store = createSamlStateStore();
+  const controller = new SamlController(factories, store);
 
   /**
    * SSO login initiation

src/sso/saml/store/SamlStateStoreInterface.ts

@@ -0,0 +1,61 @@
+/**
+ * Interface for SAML state store implementations
+ *
+ * Defines contract for storing temporary SAML authentication state:
+ * - RelayState: maps state ID to return URL and workspace ID
+ * - AuthnRequests: maps request ID to workspace ID for InResponseTo validation
+ */
+export interface SamlStateStoreInterface {
+  /**
+   * Store type identifier
+   * Used for logging and debugging purposes
+   *
+   * @example "redis" or "memory"
+   */
+  readonly type: string;
+
+  /**
+   * Save RelayState data
+   *
+   * @param stateId - unique state identifier (usually UUID)
+   * @param data - relay state data (returnUrl, workspaceId)
+   */
+  saveRelayState(stateId: string, data: { returnUrl: string; workspaceId: string }): Promise<void>;
+
+  /**
+   * Get and consume RelayState data
+   *
+   * @param stateId - state identifier
+   * @returns relay state data or null if not found/expired
+   */
+  getRelayState(stateId: string): Promise<{ returnUrl: string; workspaceId: string } | null>;
+
+  /**
+   * Save AuthnRequest for InResponseTo validation
+   *
+   * @param requestId - SAML AuthnRequest ID
+   * @param workspaceId - workspace ID
+   */
+  saveAuthnRequest(requestId: string, workspaceId: string): Promise<void>;
+
+  /**
+   * Validate and consume AuthnRequest
+   *
+   * @param requestId - SAML AuthnRequest ID (from InResponseTo)
+   * @param workspaceId - expected workspace ID
+   * @returns true if request is valid and matches workspace
+   */
+  validateAndConsumeAuthnRequest(requestId: string, workspaceId: string): Promise<boolean>;
+
+  /**
+   * Stop cleanup timer (for testing)
+   * Optional method - only needed for in-memory store
+   */
+  stopCleanupTimer?(): void;
+
+  /**
+   * Clear all stored state (for testing)
+   * Optional method - only needed for in-memory store
+   */
+  clear?(): void;
+}

src/sso/saml/store.ts src/sso/saml/store/memory.store.tssrc/sso/saml/store.ts renamed to src/sso/saml/store/memory.store.ts

@@ -1,4 +1,5 @@
-import { AuthnRequestState, RelayStateData } from './types';
+import { AuthnRequestState, RelayStateData } from '../types';
+import { SamlStateStoreInterface } from './SamlStateStoreInterface';
 
 /**
  * In-memory store for SAML state
@@ -7,9 +8,15 @@ import { AuthnRequestState, RelayStateData } from './types';
  * - RelayState: maps state ID to return URL and workspace ID
  * - AuthnRequests: maps request ID to workspace ID for InResponseTo validation
  *
- * @todo Replace with Redis for production (multi-instance support)
+ * Note: This implementation is not suitable for multi-instance deployments.
+ * Use Redis store for production environments with multiple API instances.
  */
-class SamlStateStore {
+export class MemorySamlStateStore implements SamlStateStoreInterface {
+  /**
+   * Store type identifier
+   */
+  public readonly type = 'memory';
+
   private relayStates: Map<string, RelayStateData> = new Map();
   private authnRequests: Map<string, AuthnRequestState> = new Map();
 
@@ -41,7 +48,7 @@ class SamlStateStore {
    * @param stateId - unique state identifier (usually UUID)
    * @param data - relay state data (returnUrl, workspaceId)
    */
-  public saveRelayState(stateId: string, data: { returnUrl: string; workspaceId: string }): void {
+  public async saveRelayState(stateId: string, data: { returnUrl: string; workspaceId: string }): Promise<void> {
     this.relayStates.set(stateId, {
       ...data,
       expiresAt: Date.now() + this.TTL,
@@ -54,7 +61,7 @@ class SamlStateStore {
    * @param stateId - state identifier
    * @returns relay state data or null if not found/expired
    */
-  public getRelayState(stateId: string): { returnUrl: string; workspaceId: string } | null {
+  public async getRelayState(stateId: string): Promise<{ returnUrl: string; workspaceId: string } | null> {
     const state = this.relayStates.get(stateId);
 
     if (!state) {
@@ -87,7 +94,7 @@ class SamlStateStore {
    * @param requestId - SAML AuthnRequest ID
    * @param workspaceId - workspace ID
    */
-  public saveAuthnRequest(requestId: string, workspaceId: string): void {
+  public async saveAuthnRequest(requestId: string, workspaceId: string): Promise<void> {
     this.authnRequests.set(requestId, {
       workspaceId,
       expiresAt: Date.now() + this.TTL,
@@ -101,7 +108,7 @@ class SamlStateStore {
    * @param workspaceId - expected workspace ID
    * @returns true if request is valid and matches workspace
    */
-  public validateAndConsumeAuthnRequest(requestId: string, workspaceId: string): boolean {
+  public async validateAndConsumeAuthnRequest(requestId: string, workspaceId: string): Promise<boolean> {
     const request = this.authnRequests.get(requestId);
 
     if (!request) {
@@ -190,8 +197,3 @@ class SamlStateStore {
     }
   }
 }
-
-/**
- * Singleton instance
- */
-export default new SamlStateStore();