feedback

Author: brendan-kellam

packages/backend/src/ee/accountPermissionSyncer.ts

@@ -1,6 +1,6 @@
 import * as Sentry from "@sentry/node";
 import { PrismaClient, AccountPermissionSyncJobStatus, Account, PermissionSyncSource} from "@sourcebot/db";
-import { env, createLogger, loadConfig, PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from "@sourcebot/shared";
+import { env, createLogger, getIdentityProviderConfig, PERMISSION_SYNC_SUPPORTED_IDENTITY_PROVIDERS } from "@sourcebot/shared";
 import { hasEntitlement } from "../entitlements.js";
 import { ensureFreshAccountToken } from "./tokenRefresh.js";
 import { Job, Queue, Worker } from "bullmq";
@@ -218,8 +218,6 @@ export class AccountPermissionSyncer {
         account: Account & { user: { email: string | null } },
         logger: ReturnType<typeof createJobLogger>,
     ) {
-        const config = await loadConfig(env.CONFIG_PATH);
-
         logger.debug(`Syncing permissions for ${account.providerId} account (id: ${account.id}) for user ${account.user.email}...`);
 
         // Ensure the OAuth token is fresh, refreshing it if it is expired or near expiry.
@@ -242,9 +240,7 @@ export class AccountPermissionSyncer {
         const repoIds = await (async () => {
             const aggregatedRepoIds: Set<number> = new Set();
 
-            const idpConfig = config.identityProviders ?
-                config.identityProviders[account.providerId] :
-                undefined;
+            const idpConfig = await getIdentityProviderConfig(account.providerId);
 
             if (!idpConfig) {
                 throw new Error(`Unable to find IDP config in config.json.`);

packages/backend/src/ee/tokenRefresh.ts

@@ -10,9 +10,9 @@ import {
     decryptOAuthToken,
     encryptOAuthToken,
     env,
+    getIdentityProviderConfig,
     getTokenFromConfig,
     IdentityProviderType,
-    loadConfig,
 } from '@sourcebot/shared';
 import { z } from 'zod';
 
@@ -157,10 +157,7 @@ const refreshOAuthToken = async (
     refreshToken: string,
 ): Promise<OAuthTokenResponse | null> => {
     try {
-        const config = await loadConfig(env.CONFIG_PATH);
-        const idpConfig = config.identityProviders ?
-                config.identityProviders[providerId] :
-                undefined;
+        const idpConfig = await getIdentityProviderConfig(providerId);
 
         if (!idpConfig) {
             logger.error(`No provider config found for: ${providerId}`);

packages/shared/src/env.server.ts

@@ -7,11 +7,6 @@ import stripJsonComments from "strip-json-comments";
 import { z } from "zod";
 import { getTokenFromConfig } from "./crypto.js";
 
-export type NormalizedIdentityProviders = Record<string, IdentityProviderConfig>;
-export type NormalizedSourcebotConfig = Omit<SourcebotConfig, "identityProviders"> & {
-    identityProviders?: NormalizedIdentityProviders;
-};
-
 // Booleans are specified as 'true' or 'false' strings.
 const booleanSchema = z.enum(["true", "false"]);
 
@@ -25,7 +20,7 @@ const ajv = new Ajv({
     validateFormats: false,
 });
 
-export const resolveEnvironmentVariableOverridesFromConfig = async (config: NormalizedSourcebotConfig): Promise<Record<string, string>> => {
+export const resolveEnvironmentVariableOverridesFromConfig = async (config: SourcebotConfig): Promise<Record<string, string>> => {
     if (!config.environmentOverrides) {
         return {};
     }
@@ -61,39 +56,8 @@ export const isRemotePath = (path: string) => {
     return path.startsWith('https://') || path.startsWith('http://');
 }
 
-/**
- * Collapses the dual-form `identityProviders` field into the canonical object
- * form keyed by id. The array form is deprecated and only supports a single
- * instance per provider type - its synthesized id is `entry.provider`, which
- * matches the value historically stored in `Account.provider` for those users,
- * so existing single-instance deployments don't need a data migration.
- */
-const normalizeIdentityProviders = (
-    raw: SourcebotConfig["identityProviders"],
-): NormalizedIdentityProviders | undefined => {
-    if (!raw) {
-        return undefined;
-    }
-    if (!Array.isArray(raw)) {
-        return raw;
-    }
-
-    const result: NormalizedIdentityProviders = {};
-    for (const entry of raw) {
-        const id = entry.provider;
-        if (result[id]) {
-            throw new Error(
-                `Duplicate identity provider id "${id}" in array-form \`identityProviders\`. ` +
-                `The array form is deprecated and only supports one instance per provider type. ` +
-                `Migrate to the object form (keyed by id) to configure multiple instances.`,
-            );
-        }
-        result[id] = entry;
-    }
-    return result;
-};
 
-export const loadConfig = async (configPath?: string): Promise<NormalizedSourcebotConfig> => {
+export const loadConfig = async (configPath?: string): Promise<SourcebotConfig> => {
     if (!configPath) {
         throw new Error('CONFIG_PATH is required but not provided');
     }
@@ -147,10 +111,45 @@ export const loadConfig = async (configPath?: string): Promise<NormalizedSourceb
         throw new Error(`Config file '${configPath}' is invalid: ${ajv.errorsText(ajv.errors)}`);
     }
 
-    return {
-        ...config,
-        identityProviders: normalizeIdentityProviders(config.identityProviders),
-    };
+    return config;
+}
+
+
+export const getIdentityProviderConfigs = async (): Promise<Record<string, IdentityProviderConfig>> => {
+    const config = await loadConfig(env.CONFIG_PATH);
+
+    // Collapses the dual-form `identityProviders` field into the canonical object
+    // form keyed by id.
+    const idpConfigs = (() => {
+        if (!config.identityProviders) {
+            return undefined;
+        }
+        if (!Array.isArray(config.identityProviders)) {
+            return config.identityProviders;
+        }
+
+        const result: Record<string, IdentityProviderConfig> = {};
+        for (const entry of config.identityProviders) {
+            const id = entry.provider;
+            if (result[id]) {
+                throw new Error(
+                    `Duplicate identity provider id "${id}" in array-form \`identityProviders\`. ` +
+                    `The array form is deprecated and only supports one instance per provider type. ` +
+                    `Migrate to the object form (keyed by id) to configure multiple instances.`,
+                );
+            }
+            result[id] = entry;
+        }
+        return result;
+    })();
+
+    return idpConfigs ?? {};
+}
+
+export const getIdentityProviderConfig = async (id: string): Promise<IdentityProviderConfig | undefined> => {
+    const idps = await getIdentityProviderConfigs();
+    const idp = idps[id] as IdentityProviderConfig | undefined;
+    return idp;
 }
 
 // Merge process.env with environment variables resolved from config.json

packages/shared/src/index.server.ts

@@ -36,11 +36,10 @@ export * from "./constants.js";
 export {
     resolveEnvironmentVariableOverridesFromConfig,
     loadConfig,
+    getIdentityProviderConfigs,
+    getIdentityProviderConfig,
     isRemotePath,
 } from "./env.server.js";
-export type {
-    NormalizedSourcebotConfig,
-} from "./env.server.js";
 export { env } from "./env.server.js"
 export {
     createLogger,

packages/web/src/ee/features/sso/actions.ts

@@ -6,7 +6,7 @@ import { withAuth } from "@/middleware/withAuth";
 import { withMinimumOrgRole } from "@/middleware/withMinimumOrgRole";
 import { OrgRole } from "@sourcebot/db";
 import { hasEntitlement } from "@/lib/entitlements";
-import { createLogger, doesIdpSupportPermissionSyncing, env, loadConfig } from "@sourcebot/shared";
+import { createLogger, doesIdpSupportPermissionSyncing, env, getIdentityProviderConfig, getIdentityProviderConfigs } from "@sourcebot/shared";
 import { cookies } from "next/headers";
 
 const logger = createLogger('web-ee-sso-actions');
@@ -44,8 +44,6 @@ export const getLinkedAccounts = async () => sew(() =>
                 },
             });
 
-            const config = await loadConfig(env.CONFIG_PATH);
-
             const permissionSyncEnabled =
                 env.PERMISSION_SYNC_ENABLED === 'true' &&
                 await hasEntitlement('permission-syncing');
@@ -54,9 +52,7 @@ export const getLinkedAccounts = async () => sew(() =>
 
             // All connected accounts (from DB), enriched with config data where available
             for (const account of accounts) {
-                const providerConfig = config.identityProviders ?
-                    config.identityProviders[account.providerId] :
-                    undefined;
+                const providerConfig = await getIdentityProviderConfig(account.providerId);
                 const isAccountLinking = providerConfig?.purpose === 'account_linking';
 
                 result.push({
@@ -74,7 +70,8 @@ export const getLinkedAccounts = async () => sew(() =>
             }
 
             // Unlinked account_linking providers from config (not yet connected)
-            for (const [id, providerConfig] of Object.entries(config.identityProviders ?? {})) {
+            const identityProviders = await getIdentityProviderConfigs();
+            for (const [id, providerConfig] of Object.entries(identityProviders)) {
                 const account = accounts.find((account) => account.providerId === id);
                 if (!account) {
                     result.push({