Merge pull request #3850 from activepieces/fix/auth-fed-url

fix(sso): show correct url for platform on cloud edition

package.json

@@ -1,7 +1,7 @@
 {
   "name": "activepieces",
   "version": "0.19.0",
-  "rcVersion": "0.20.0-rc.1",
+  "rcVersion": "0.20.0-rc.2",
   "scripts": {
     "prepare": "husky install",
     "serve:frontend": "nx serve ui-core",

packages/backend/src/app/ee/authentication/federated-authn/authn-provider/authn-provider.ts

@@ -4,8 +4,8 @@ import { googleAuthnProvider } from './google-authn-provider'
 import { gitHubAuthnProvider } from './github-authn-provider'
 
 export type AuthnProvider = {
-    getLoginUrl: (platform: Platform) => Promise<string>
-    authenticate: (platform: Platform, authorizationCode: string) => Promise<AuthenticationResponse>
+    getLoginUrl: (hostname: string, platform: Platform) => Promise<string>
+    authenticate: (hostname: string, platform: Platform, authorizationCode: string) => Promise<AuthenticationResponse>
 }
 
 

packages/backend/src/app/ee/authentication/federated-authn/authn-provider/github-authn-provider.ts

@@ -16,25 +16,25 @@ function getClientIdAndSecret(platform: Platform): { clientId: string, clientSec
 }
 
 export const gitHubAuthnProvider: AuthnProvider = {
-    async getLoginUrl(platform: Platform): Promise<string> {
+    async getLoginUrl(hostname: string, platform: Platform): Promise<string> {
         const { clientId } = getClientIdAndSecret(platform)
         const loginUrl = new URL('https://github.com/login/oauth/authorize')
         loginUrl.searchParams.set('client_id', clientId)
-        loginUrl.searchParams.set('redirect_uri', flagService.getThirdPartyRedirectUrl())
+        loginUrl.searchParams.set('redirect_uri', flagService.getThirdPartyRedirectUrl(platform.id, hostname))
         loginUrl.searchParams.set('scope', 'user:email')
 
         return loginUrl.href
     },
 
-    async authenticate(platform, authorizationCode): Promise<AuthenticationResponse> {
+    async authenticate(hostname, platform, authorizationCode): Promise<AuthenticationResponse> {
         const { clientId, clientSecret } = getClientIdAndSecret(platform)
-        const githubAccessToken = await getGitHubAccessToken(clientId, clientSecret, authorizationCode)
+        const githubAccessToken = await getGitHubAccessToken(platform, hostname, clientId, clientSecret, authorizationCode)
         const gitHubUserInfo = await getGitHubUserInfo(githubAccessToken)
         return authenticateUser(platform.id, gitHubUserInfo)
     },
 }
 
-const getGitHubAccessToken = async (clientId: string, clientSecret: string, authorizationCode: string): Promise<string> => {
+const getGitHubAccessToken = async (platform: Platform, hostname: string, clientId: string, clientSecret: string, authorizationCode: string): Promise<string> => {
     const response = await fetch('https://github.com/login/oauth/access_token', {
         method: 'POST',
         headers: {
@@ -44,7 +44,7 @@ const getGitHubAccessToken = async (clientId: string, clientSecret: string, auth
             client_id: clientId,
             client_secret: clientSecret,
             code: authorizationCode,
-            redirect_uri: flagService.getThirdPartyRedirectUrl(),
+            redirect_uri: flagService.getThirdPartyRedirectUrl(platform.id, hostname),
         }),
     })
 

packages/backend/src/app/ee/authentication/federated-authn/authn-provider/google-authn-provider.ts

@@ -24,26 +24,26 @@ function getClientIdAndSecret(platform: Platform): { clientId: string, clientSec
 }
 
 export const googleAuthnProvider: AuthnProvider = {
-    async getLoginUrl(platform: Platform): Promise<string> {
+    async getLoginUrl(hostname: string, platform: Platform): Promise<string> {
         const { clientId } = getClientIdAndSecret(platform)
         const loginUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth')
         loginUrl.searchParams.set('client_id', clientId)
-        loginUrl.searchParams.set('redirect_uri', flagService.getThirdPartyRedirectUrl())
+        loginUrl.searchParams.set('redirect_uri', flagService.getThirdPartyRedirectUrl(platform.id, hostname))
         loginUrl.searchParams.set('scope', 'email profile')
         loginUrl.searchParams.set('response_type', 'code')
 
         return loginUrl.href
     },
 
-    async authenticate(platform, authorizationCode): Promise<AuthenticationResponse> {
+    async authenticate(hostname, platform, authorizationCode): Promise<AuthenticationResponse> {
         const { clientId, clientSecret } = getClientIdAndSecret(platform)
-        const idToken = await exchangeCodeForIdToken(clientId, clientSecret, authorizationCode)
+        const idToken = await exchangeCodeForIdToken(platform.id, hostname, clientId, clientSecret, authorizationCode)
         const idTokenPayload = await verifyIdToken(clientId, idToken)
         return generateAuthenticationResponse(platform.id, idTokenPayload)
     },
 }
 
-const exchangeCodeForIdToken = async (clientId: string, clientSecret: string, code: string): Promise<string> => {
+const exchangeCodeForIdToken = async (platformId: string, hostName: string, clientId: string, clientSecret: string, code: string): Promise<string> => {
     const response = await fetch('https://oauth2.googleapis.com/token', {
         method: 'POST',
         headers: {
@@ -53,7 +53,7 @@ const exchangeCodeForIdToken = async (clientId: string, clientSecret: string, co
             code,
             client_id: clientId,
             client_secret: clientSecret,
-            redirect_uri: flagService.getThirdPartyRedirectUrl(),
+            redirect_uri: flagService.getThirdPartyRedirectUrl(platformId, hostName),
             grant_type: 'authorization_code',
         }),
     })

packages/backend/src/app/ee/authentication/federated-authn/federated-authn-controller.ts

@@ -11,6 +11,7 @@ export const federatedAuthnController: FastifyPluginAsyncTypebox = async (app) =
         return federatedAuthnService.login({
             providerName: req.query.providerName,
             platformId,
+            hostname: req.hostname,
         })
     })
 
@@ -19,6 +20,7 @@ export const federatedAuthnController: FastifyPluginAsyncTypebox = async (app) =
         assertNotNullOrUndefined(platformId, 'Platform id is not defined')
         return federatedAuthnService.claim({
             platformId,
+            hostname: req.hostname,
             providerName: req.body.providerName,
             code: req.body.code,
         })

packages/backend/src/app/ee/authentication/federated-authn/federated-authn-service.ts

@@ -5,31 +5,33 @@ import { platformService } from '../../platform/platform.service'
 
 
 export const federatedAuthnService = {
-    async login({ providerName, platformId }: LoginParams): Promise<FederatedAuthnLoginResponse> {
+    async login({ providerName, platformId, hostname }: LoginParams): Promise<FederatedAuthnLoginResponse> {
         const provider = providers[providerName]
         const platform = await platformService.getOneOrThrow(platformId)
-        const loginUrl = await provider.getLoginUrl(platform)
+        const loginUrl = await provider.getLoginUrl(hostname, platform)
 
         return {
             loginUrl,
         }
     },
 
-    async claim({ platformId, providerName, code }: ClaimParams): Promise<AuthenticationResponse> {
+    async claim({ hostname, platformId, providerName, code }: ClaimParams): Promise<AuthenticationResponse> {
         const provider = providers[providerName]
         const platform = await platformService.getOneOrThrow(platformId)
-        return provider.authenticate(platform, code)
+        return provider.authenticate(hostname, platform, code)
     },
 }
 
 type LoginParams = {
     platformId: string
+    hostname: string
     providerName: ThirdPartyAuthnProviderEnum
 }
 
 
 type ClaimParams = {
     platformId: string
+    hostname: string
     providerName: ThirdPartyAuthnProviderEnum
     code: string
 }

packages/backend/src/app/ee/flags/enterprise-flags.hooks.ts

@@ -36,7 +36,7 @@ export const enterpriseFlagsHooks: FlagsServiceHooks = {
             modifiedFlags[ApFlagId.SHOW_GIT_SYNC] = platform.gitSyncEnabled
             modifiedFlags[ApFlagId.FRONTEND_URL] = `https://${hostname}`
             modifiedFlags[ApFlagId.WEBHOOK_URL_PREFIX] = `https://${hostname}/api/v1/webhooks`
-            modifiedFlags[ApFlagId.THIRD_PARTY_AUTH_PROVIDER_REDIRECT_URL] = `https://${hostname}/redirect`
+            modifiedFlags[ApFlagId.THIRD_PARTY_AUTH_PROVIDER_REDIRECT_URL] = flagService.getThirdPartyRedirectUrl(platform.id, hostname)
             modifiedFlags[ApFlagId.PRIVACY_POLICY_URL] = platform.privacyPolicyUrl
             modifiedFlags[ApFlagId.TERMS_OF_SERVICE_URL] = platform.termsOfServiceUrl
             modifiedFlags[ApFlagId.OWN_AUTH2_ENABLED] = false

packages/backend/src/app/flags/flag.service.ts

@@ -104,7 +104,7 @@ export const flagService = {
             },
             {
                 id: ApFlagId.THIRD_PARTY_AUTH_PROVIDER_REDIRECT_URL,
-                value: [ApEdition.CLOUD, ApEdition.ENTERPRISE].includes(getEdition()) ? this.getThirdPartyRedirectUrl() : undefined,
+                value: [ApEdition.CLOUD, ApEdition.ENTERPRISE].includes(getEdition()) ? this.getThirdPartyRedirectUrl(undefined, undefined) : undefined,
                 created,
                 updated,
             },
@@ -214,7 +214,11 @@ export const flagService = {
 
         return flags
     },
-    getThirdPartyRedirectUrl(): string {
+    getThirdPartyRedirectUrl(platformId: string | undefined, hostname: string | undefined): string {
+        const isCustomerPlatform = platformId &&  !flagService.isCloudPlatform(platformId)
+        if (isCustomerPlatform) {
+            return `https://${hostname}/redirect`
+        }
         const frontendUrl = system.get(SystemProp.FRONTEND_URL)
         const trimmedFrontendUrl = frontendUrl?.endsWith('/') ? frontendUrl.slice(0, -1) : frontendUrl
         return `${trimmedFrontendUrl}/redirect`