Include cloud auth provider

services/platform/db/migrations/1760123845_postgresql_migration.js

@@ -1,5 +1,5 @@
 exports.up = async function (knex) {
-    await knex.raw(`
+  await knex.raw(`
 CREATE OR REPLACE FUNCTION set_updated_at () RETURNS trigger LANGUAGE plpgsql AS $$
 BEGIN
   NEW.updated_at := current_timestamp;

services/platform/db/migrations/1760294845_organizations.js

@@ -0,0 +1,15 @@
+exports.up = async function (knex) {
+    await knex.schema.alterTable('organizations', table => {
+        table.dropColumn('domain');
+        table.dropColumn('username');
+        table.string('name').notNullable().defaultTo('');
+    })
+}
+
+exports.down = async function (knex) {
+    await knex.schema.alterTable('organizations', table => {
+        table.dropColumn('name');
+        table.string('domain').notNullable().defaultTo('');
+        table.string('username').notNullable().defaultTo('');
+    })
+}

services/platform/db/migrations/1760303889_admins_external_id.js

@@ -0,0 +1,11 @@
+exports.up = async function (knex) {
+    await knex.schema.alterTable('admins', table => {
+        table.string('external_id');
+    })
+}
+
+exports.down = async function (knex) {
+    await knex.schema.alterTable('admins', table => {
+        table.dropColumn('external_id');
+    })
+}

services/platform/package.json

@@ -11,6 +11,7 @@
     "@aws-sdk/lib-storage": "^3.908.0",
     "@bugsnag/js": "^8.6.0",
     "@bugsnag/plugin-koa": "^8.6.0",
+    "@clerk/backend": "^2.17.2",
     "@koa/cors": "^5.0.0",
     "@koa/router": "^11.0.2",
     "@ladjs/country-language": "^1.0.3",
@@ -23,6 +24,7 @@
     "ajv-formats": "^2.1.1",
     "bullmq": "^5.61.0",
     "busboy": "^1.6.0",
+    "cookies": "^0.9.1",
     "csv-parse": "^5.6.0",
     "date-fns": "^2.30.0",
     "date-fns-tz": "^1.3.8",
@@ -35,6 +37,7 @@
     "ioredis": "^5.8.1",
     "jsonpath": "^1.1.1",
     "jsonwebtoken": "^9.0.2",
+    "jwks-rsa": "^3.2.0",
     "knex": "^2.5.1",
     "koa": "^2.16.2",
     "koa-body": "5.0.0",
@@ -53,6 +56,7 @@
     "pino-pretty": "^8.1.0",
     "posthog-node": "^3.6.3",
     "rrule": "2.7.2",
+    "svix": "^1.77.0",
     "uuid": "^9.0.1"
   },
   "scripts": {

services/platform/src/auth/Admin.ts

@@ -3,6 +3,7 @@ import Model, { ModelParams } from '../core/Model'
 import { UUID } from 'crypto'
 
 export default class Admin extends Model {
+    external_id?: string
     organization_id!: UUID
     email!: string
     first_name?: string
@@ -11,6 +12,6 @@ export default class Admin extends Model {
     role!: OrganizationRole
 }
 
-export type AdminParams = Omit<Admin, ModelParams> & { domain?: string }
+export type AdminParams = Omit<Admin, ModelParams>
 
-export type AuthAdminParams = Omit<AdminParams, 'organization_id' | 'role'> & { domain?: string }
+export type AuthAdminParams = Omit<AdminParams, 'organization_id' | 'role'>

services/platform/src/auth/AdminController.ts

@@ -96,7 +96,6 @@ router.patch('/:adminId', async ctx => {
 })
 
 router.delete('/:adminId', async ctx => {
-
     requireOrganizationRole(ctx.state.admin!, ctx.state.modelAdmin!.role)
     await Admin.deleteById(ctx.state.modelAdmin!.id)
 

services/platform/src/auth/AdminRepository.ts

@@ -13,6 +13,14 @@ export const getAdmin = async (id: UUID, organizationId: UUID): Promise<Admin |
     return await Admin.find(id, qb => qb.where('organization_id', organizationId))
 }
 
+export const getAdminById = async (id: UUID): Promise<Admin | undefined> => {
+    return await Admin.find(id)
+}
+
+export const getAdminByExternalId = async (id: string): Promise<Admin | undefined> => {
+    return await Admin.first(qb => qb.where('external_id', id))
+}
+
 export const getAdminByEmail = async (email: string): Promise<Admin | undefined> => {
     return await Admin.first(qb => qb.where('email', email))
 }
@@ -29,3 +37,7 @@ export const createOrUpdateAdmin = async ({ organization_id, ...params }: AdminP
         })
     }
 }
+
+export const deleteAdmin = async (id: UUID): Promise<void> => {
+    await Admin.delete(qb => qb.where('id', id))
+}

services/platform/src/auth/Auth.ts

@@ -2,27 +2,32 @@ import { Context } from 'koa'
 import AuthProvider from './AuthProvider'
 import OpenIDProvider, { OpenIDConfig } from './OpenIDAuthProvider'
 import GoogleProvider, { GoogleConfig } from './GoogleAuthProvider'
+import CloudProvider, { CloudConfig } from './CloudAuthProvider'
 import SAMLProvider, { SAMLConfig } from './SAMLAuthProvider'
 import { DriverConfig } from '../config/env'
 import BasicAuthProvider, { BasicAuthConfig } from './BasicAuthProvider'
 import Organization from '../organizations/Organization'
 import App from '../app'
-import MultiAuthProvider, { MultiAuthConfig } from './MultiAuthProvider'
 import EmailAuthProvider, { EmailAuthConfig } from './EmailAuthProvider'
 
-export type AuthProviderName = 'basic' | 'email' | 'saml' | 'openid' | 'google' | 'multi'
+export type AuthProviderName = 'basic' | 'email' | 'saml' | 'openid' | 'google' | 'cloud'
 
-export type AuthProviderConfig = BasicAuthConfig | EmailAuthConfig | SAMLConfig | OpenIDConfig | GoogleConfig | MultiAuthConfig
+export type AuthProviderConfig = BasicAuthConfig | EmailAuthConfig | SAMLConfig | OpenIDConfig | GoogleConfig | CloudConfig
 
 export interface AuthConfig {
     driver: AuthProviderName[]
     tokenLife: number
+    jwt: JWTConfig
     basic: BasicAuthConfig
     email: EmailAuthConfig
     saml: SAMLConfig
     openid: OpenIDConfig
     google: GoogleConfig
-    multi: MultiAuthConfig
+    cloud: CloudConfig
+}
+
+export interface JWTConfig {
+    jwksUrl?: string
 }
 
 export { BasicAuthConfig, SAMLConfig, OpenIDConfig }
@@ -35,36 +40,30 @@ export interface AuthTypeConfig extends DriverConfig {
 interface AuthMethod {
     driver: AuthProviderName
     name: string
+    publicConfig?: { [key: string]: string }
 }
 
 export const initProvider = (config?: AuthProviderConfig): AuthProvider => {
-    if (config?.driver === 'basic') {
+    switch (config?.driver) {
+    case 'basic':
         return new BasicAuthProvider(config)
-    } else if (config?.driver === 'email') {
+    case 'email':
         return new EmailAuthProvider(config)
-    } else if (config?.driver === 'saml') {
+    case 'saml':
         return new SAMLProvider(config)
-    } else if (config?.driver === 'openid') {
+    case 'openid':
         return new OpenIDProvider(config)
-    } else if (config?.driver === 'google') {
+    case 'google':
         return new GoogleProvider(config)
-    } else if (config?.driver === 'multi') {
-        return new MultiAuthProvider()
-    } else {
+    case 'cloud':
+        return new CloudProvider(config)
+    default:
         throw new Error('A valid auth driver must be set!')
     }
 }
 
-export const authMethods = async (organization?: Organization): Promise<AuthMethod[]> => {
-
-    if (!App.main.env.config.multiOrg) return mapMethods(App.main.env.auth)
-
-    // If we know the org, don't require any extra steps like
-    // providing email since we know where to route you. Otherwise
-    // we need context to properly fetch SSO and such.
-    return organization
-        ? [mapMethod(organization.auth)]
-        : mapMethods(App.main.env.auth)
+export const authMethods = async (): Promise<AuthMethod[]> => {
+    return mapMethods(App.main.env.auth)
 }
 
 export const checkAuth = (organization?: Organization): boolean => {
@@ -81,13 +80,17 @@ export const validateAuth = async (ctx: Context): Promise<void> => {
     return await provider.validate(ctx)
 }
 
-const loadProvider = async (ctx: Context): Promise<AuthProvider> => {
-    const driver = ctx.params.driver as AuthProviderName
-    const organization = ctx.state.organization
-    if (organization && App.main.env.config.multiOrg) {
-        return initProvider(organization.auth)
+export const authWebhook = async (ctx: Context): Promise<void> => {
+    const provider = await loadProvider(ctx)
+    if (!provider.webhook) {
+        return ctx.throw(404)
     }
 
+    return await provider.webhook(ctx)
+}
+
+const loadProvider = async (ctx: Context): Promise<AuthProvider> => {
+    const driver = ctx.params.driver as AuthProviderName
     return initProvider(App.main.env.auth[driver])
 }
 

services/platform/src/auth/AuthController.ts

@@ -1,8 +1,7 @@
 import Router from '@koa/router'
-import { getTokenCookies, revokeAccessToken } from './TokenRepository'
 import { getOrganizationByEmail } from '../organizations/OrganizationService'
 import Organization from '../organizations/Organization'
-import { authMethods, checkAuth, startAuth, validateAuth } from './Auth'
+import { authMethods, authWebhook, checkAuth, startAuth, validateAuth } from './Auth'
 
 const router = new Router<{
     organization?: Organization
@@ -11,7 +10,7 @@ const router = new Router<{
 })
 
 router.get('/methods', async ctx => {
-    ctx.body = await authMethods(ctx.state.organization)
+    ctx.body = await authMethods()
 })
 
 router.post('/check', async ctx => {
@@ -40,20 +39,8 @@ router.post('/login/:driver/callback', async ctx => {
     await validateAuth(ctx)
 })
 
-router.post('/logout', async ctx => {
-    const oauth = getTokenCookies(ctx)
-    if (oauth) {
-        await revokeAccessToken(oauth.access_token, ctx)
-    }
-    ctx.redirect('/')
-})
-
-router.get('/logout', async ctx => {
-    const oauth = getTokenCookies(ctx)
-    if (oauth) {
-        await revokeAccessToken(oauth.access_token, ctx)
-    }
-    ctx.redirect('/')
+router.post('/login/:driver/webhook', async ctx => {
+    await authWebhook(ctx)
 })
 
 export default router