lint

Author: neSpecc

src/directives/definedOnlyForAdmins.ts

@@ -1,7 +1,6 @@
 import { defaultFieldResolver, GraphQLSchema } from 'graphql';
 import { mapSchema, MapperKind, getDirective } from '@graphql-tools/utils';
 import { ResolverContextWithUser, UnknownGraphQLResolverResult } from '../types/graphql';
-import { ForbiddenError, UserInputError } from 'apollo-server-express';
 import WorkspaceModel from '../models/workspace';
 
 /**
@@ -98,4 +97,3 @@ export default function definedOnlyForAdminsDirective(directiveName = 'definedOn
       }),
   };
 }
-

src/models/user.ts

@@ -473,9 +473,17 @@ export default class UserModel extends AbstractModel<Omit<UserDBScheme, '_id'>>
       this.identities = {};
     }
     if (!this.identities[workspaceId]) {
-      this.identities[workspaceId] = { saml: { id: samlId, email } };
+      this.identities[workspaceId] = {
+        saml: {
+          id: samlId,
+          email,
+        },
+      };
     } else {
-      this.identities[workspaceId].saml = { id: samlId, email };
+      this.identities[workspaceId].saml = {
+        id: samlId,
+        email,
+      };
     }
   }
 

src/resolvers/workspace.js

@@ -49,7 +49,7 @@ module.exports = {
       /**
        * Check if workspace exists and has SSO enabled
        */
-      if (!workspace || !workspace.sso?.enabled) {
+      if (!workspace || !(workspace.sso && workspace.sso.enabled)) {
         return null;
       }
 

src/sso/index.ts

@@ -10,6 +10,6 @@ import { ContextFactories } from '../types/graphql';
  */
 export function appendSsoRoutes(app: express.Application, factories: ContextFactories): void {
   const samlRouter = createSamlRouter(factories);
+
   app.use('/auth/sso/saml', samlRouter);
 }
-

src/sso/saml/controller.ts

@@ -23,54 +23,19 @@ export default class SamlController {
    */
   private factories: ContextFactories;
 
+  /**
+   * SAML controller constructor used for DI
+   * @param factories - for working with models
+   */
   constructor(factories: ContextFactories) {
     this.samlService = new SamlService();
     this.factories = factories;
   }
 
-  /**
-   * Log message with SSO prefix
-   *
-   * @param level - log level ('log', 'warn', 'error', 'info', 'success')
-   * @param args - arguments to log
-   */
-  private log(level: 'log' | 'warn' | 'error' | 'info' | 'success', ...args: unknown[]): void {
-    const colors = {
-      log: Effect.ForegroundGreen,
-      warn: Effect.ForegroundYellow,
-      error: Effect.ForegroundRed,
-      info: Effect.ForegroundBlue,
-      success: [Effect.ForegroundGreen, Effect.Bold],
-    };
-
-    const logger = level === 'error' ? console.error : level === 'warn' ? console.warn : console.log;
-
-    logger(sgr('[SSO]', colors[level]), ...args);
-  }
-
-  /**
-   * Validate workspace ID format
-   *
-   * @param workspaceId - workspace ID to validate
-   * @returns true if valid, false otherwise
-   */
-  private isValidWorkspaceId(workspaceId: string): boolean {
-    return ObjectId.isValid(workspaceId);
-  }
-
-  /**
-   * Compose Assertion Consumer Service URL for workspace
-   *
-   * @param workspaceId - workspace ID
-   * @returns ACS URL
-   */
-  private getAcsUrl(workspaceId: string): string {
-    const apiUrl = process.env.API_URL || 'https://api.hawk.so';
-    return `${apiUrl}/auth/sso/saml/${workspaceId}/acs`;
-  }
-
   /**
    * Initiate SSO login (GET /auth/sso/saml/:workspaceId)
+   * @param req - Express request
+   * @param res - Express response
    */
   public async initiateLogin(req: express.Request, res: express.Response): Promise<void> {
     const { workspaceId } = req.params;
@@ -84,6 +49,7 @@ export default class SamlController {
       if (!this.isValidWorkspaceId(workspaceId)) {
         this.log('warn', 'Invalid workspace ID format:', sgr(workspaceId, Effect.ForegroundRed));
         res.status(400).json({ error: 'Invalid workspace ID' });
+
         return;
       }
 
@@ -95,6 +61,7 @@ export default class SamlController {
       if (!workspace || !workspace.sso?.enabled) {
         this.log('warn', 'SSO not enabled for workspace:', sgr(workspaceId, Effect.ForegroundCyan));
         res.status(400).json({ error: 'SSO is not enabled for this workspace' });
+
         return;
       }
 
@@ -107,7 +74,10 @@ export default class SamlController {
       /**
        * 3. Save RelayState to temporary storage
        */
-      samlStore.saveRelayState(relayStateId, { returnUrl, workspaceId });
+      samlStore.saveRelayState(relayStateId, {
+        returnUrl,
+        workspaceId,
+      });
 
       /**
        * 4. Generate AuthnRequest
@@ -141,6 +111,7 @@ export default class SamlController {
        * 6. Redirect to IdP
        */
       const redirectUrl = new URL(workspace.sso.saml.ssoUrl);
+
       redirectUrl.searchParams.set('SAMLRequest', encodedRequest);
       redirectUrl.searchParams.set('RelayState', relayStateId);
 
@@ -167,6 +138,9 @@ export default class SamlController {
 
   /**
    * Handle ACS callback (POST /auth/sso/saml/:workspaceId/acs)
+   * @param req - Express request object
+   * @param res - Express response object
+   * @returns void
    */
   public async handleAcs(req: express.Request, res: express.Response): Promise<void> {
     const { workspaceId } = req.params;
@@ -181,6 +155,7 @@ export default class SamlController {
       if (!this.isValidWorkspaceId(workspaceId)) {
         this.log('warn', '[ACS] Invalid workspace ID format:', sgr(workspaceId, Effect.ForegroundRed));
         res.status(400).json({ error: 'Invalid workspace ID' });
+
         return;
       }
 
@@ -190,6 +165,7 @@ export default class SamlController {
       if (!samlResponse) {
         this.log('warn', '[ACS] Missing SAML response for workspace:', sgr(workspaceId, Effect.ForegroundCyan));
         res.status(400).json({ error: 'SAML response is required' });
+
         return;
       }
 
@@ -201,6 +177,7 @@ export default class SamlController {
       if (!workspace || !workspace.sso?.enabled) {
         this.log('warn', '[ACS] SSO not enabled for workspace:', sgr(workspaceId, Effect.ForegroundCyan));
         res.status(400).json({ error: 'SSO is not enabled for this workspace' });
+
         return;
       }
 
@@ -249,6 +226,7 @@ export default class SamlController {
               sgr(samlData.inResponseTo.slice(0, 8), Effect.ForegroundGray)
             );
             res.status(400).json({ error: 'Invalid SAML response: InResponseTo validation failed' });
+
             return;
           }
         }
@@ -261,6 +239,7 @@ export default class SamlController {
           sgr(error instanceof Error ? error.message : 'Unknown error', Effect.ForegroundRed)
         );
         res.status(400).json({ error: 'Invalid SAML response' });
+
         return;
       }
 
@@ -310,6 +289,7 @@ export default class SamlController {
        */
       const callbackPath = `/login/sso/${workspaceId}`;
       const frontendUrl = new URL(callbackPath, process.env.GARAGE_URL || 'http://localhost:3000');
+
       frontendUrl.searchParams.set('access_token', tokens.accessToken);
       frontendUrl.searchParams.set('refresh_token', tokens.refreshToken);
       frontendUrl.searchParams.set('returnUrl', finalReturnUrl);
@@ -340,6 +320,7 @@ export default class SamlController {
           sgr(error.message, Effect.ForegroundRed)
         );
         res.status(400).json({ error: 'Invalid SAML response' });
+
         return;
       }
 
@@ -354,6 +335,56 @@ export default class SamlController {
     }
   }
 
+  /**
+   * Log message with SSO prefix
+   *
+   * @param level - log level ('log', 'warn', 'error', 'info', 'success')
+   * @param args - arguments to log
+   */
+  private log(level: 'log' | 'warn' | 'error' | 'info' | 'success', ...args: unknown[]): void {
+    const colors = {
+      log: Effect.ForegroundGreen,
+      warn: Effect.ForegroundYellow,
+      error: Effect.ForegroundRed,
+      info: Effect.ForegroundBlue,
+      success: [Effect.ForegroundGreen, Effect.Bold],
+    };
+
+    let logger: typeof console.log;
+
+    if (level === 'error') {
+      logger = console.error;
+    } else if (level === 'warn') {
+      logger = console.warn;
+    } else {
+      logger = console.log;
+    }
+
+    logger(sgr('[SSO]', colors[level]), ...args);
+  }
+
+  /**
+   * Validate workspace ID format
+   *
+   * @param workspaceId - workspace ID to validate
+   * @returns true if valid, false otherwise
+   */
+  private isValidWorkspaceId(workspaceId: string): boolean {
+    return ObjectId.isValid(workspaceId);
+  }
+
+  /**
+   * Compose Assertion Consumer Service URL for workspace
+   *
+   * @param workspaceId - workspace ID
+   * @returns ACS URL
+   */
+  private getAcsUrl(workspaceId: string): string {
+    const apiUrl = process.env.API_URL || 'https://api.hawk.so';
+
+    return `${apiUrl}/auth/sso/saml/${workspaceId}/acs`;
+  }
+
   /**
    * Handle user provisioning (JIT or invite-only)
    *
@@ -462,4 +493,3 @@ export default class SamlController {
     }
   }
 }
-

src/sso/saml/index.ts

@@ -38,4 +38,3 @@ export function createSamlRouter(factories: ContextFactories): express.Router {
 
   return router;
 }
-

src/sso/saml/service.ts

@@ -1,4 +1,5 @@
 import { SAML, SamlConfig as NodeSamlConfig, Profile } from '@node-saml/node-saml';
+import { inflateRawSync } from 'zlib';
 import { SamlConfig, SamlResponseData } from '../types';
 import { SamlValidationError, SamlValidationErrorType } from './types';
 import { extractAttribute } from './utils';
@@ -51,34 +52,6 @@ export default class SamlService {
     };
   }
 
-  /**
-   * Extract request ID from encoded SAML AuthnRequest
-   *
-   * @param encodedRequest - deflated and base64 encoded SAML request
-   * @returns request ID
-   */
-  private extractRequestIdFromEncodedRequest(encodedRequest: string): string {
-    const zlib = require('zlib');
-
-    /**
-     * Decode base64 and inflate
-     */
-    const decoded = Buffer.from(encodedRequest, 'base64');
-    const inflated = zlib.inflateRawSync(decoded).toString('utf-8');
-
-    /**
-     * Extract ID attribute from AuthnRequest XML
-     * Format: <samlp:AuthnRequest ... ID="_abc123" ...>
-     */
-    const idMatch = inflated.match(/ID="([^"]+)"/);
-
-    if (!idMatch || !idMatch[1]) {
-      throw new Error('Failed to extract request ID from AuthnRequest');
-    }
-
-    return idMatch[1];
-  }
-
   /**
    * Validate and parse SAML Response
    *
@@ -179,7 +152,10 @@ export default class SamlService {
       throw new SamlValidationError(
         SamlValidationErrorType.INVALID_IN_RESPONSE_TO,
         `InResponseTo mismatch: expected ${expectedRequestId}, got ${inResponseTo}`,
-        { expected: expectedRequestId, received: inResponseTo }
+        {
+          expected: expectedRequestId,
+          received: inResponseTo,
+        }
       );
     }
 
@@ -219,14 +195,40 @@ export default class SamlService {
     };
   }
 
+  /**
+   * Extract request ID from encoded SAML AuthnRequest
+   *
+   * @param encodedRequest - deflated and base64 encoded SAML request
+   * @returns request ID
+   */
+  private extractRequestIdFromEncodedRequest(encodedRequest: string): string {
+    /**
+     * Decode base64 and inflate
+     */
+    const decoded = Buffer.from(encodedRequest, 'base64');
+    const inflated = inflateRawSync(decoded as unknown as Uint8Array).toString('utf-8');
+
+    /**
+     * Extract ID attribute from AuthnRequest XML
+     * Format: <samlp:AuthnRequest ... ID="_abc123" ...>
+     */
+    const idMatch = inflated.match(/ID="([^"]+)"/);
+
+    if (!idMatch || !idMatch[1]) {
+      throw new Error('Failed to extract request ID from AuthnRequest');
+    }
+
+    return idMatch[1];
+  }
+
   /**
    * Create node-saml SAML instance with given configuration
    *
    * @param acsUrl - Assertion Consumer Service URL
    * @param samlConfig - SAML configuration from workspace
    * @returns configured SAML instance
    */
-   private createSamlInstance(acsUrl: string, samlConfig: SamlConfig): SAML {
+  private createSamlInstance(acsUrl: string, samlConfig: SamlConfig): SAML {
     const spEntityId = process.env.SSO_SP_ENTITY_ID;
 
     if (!spEntityId) {
@@ -254,4 +256,3 @@ export default class SamlService {
     return new SAML(options);
   }
 }
-