Revert "To revert: in this commit, I added a pretty elaborate system of automatically signing out accounts when oauth scopes change. The system is pretty fragile, so I'm going to take the safer approach and just add document this as a known issue."

This reverts commit 84b1cf4.

Author: brendan-kellam

packages/backend/src/gitlab.ts

@@ -324,6 +324,7 @@ export const getProjectsForAuthenticatedUser = async (visibility: 'private' | 'i
 export const getOAuthScopesForAuthenticatedUser = async (api: InstanceType<typeof Gitlab>) => {
     try {
         const response = await api.requester.get('/oauth/token/info');
+        console.log('response', response);
         if (
             response &&
             typeof response.body === 'object' &&

packages/web/src/app/components/authMethodSelector.tsx

@@ -29,6 +29,7 @@ export const AuthMethodSelector = ({
         // Call the optional analytics callback first
         onProviderClick?.(provider);
 
+        // @nocheckin
         signIn(
             provider,
             {
@@ -39,6 +40,7 @@ export const AuthMethodSelector = ({
             // @see: https://next-auth.js.org/getting-started/client#additional-parameters
             {
                 prompt: 'consent',
+                scope: 'read:user user:email repo'
             }
         );
     }, [callbackUrl, onProviderClick]);

packages/web/src/auth.ts

@@ -19,7 +19,6 @@ import { onCreateUser } from '@/lib/authUtils';
 import { getAuditService } from '@/ee/features/audit/factory';
 import { SINGLE_TENANT_ORG_ID } from './lib/constants';
 import { refreshLinkedAccountTokens } from '@/ee/features/permissionSyncing/tokenRefresh';
-import { getRequiredScopes, normalizeScopes } from './lib/oauthScopes';
 
 const auditService = getAuditService();
 const eeIdentityProviders = hasEntitlement("sso") ? await getEEIdentityProviders() : [];
@@ -53,8 +52,6 @@ declare module 'next-auth' {
 declare module 'next-auth/jwt' {
     interface JWT {
         userId: string;
-        providerAccountId: string;
-        provider: string;
         linkedAccountTokens?: LinkedAccountTokensMap;
     }
 }
@@ -167,7 +164,7 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
             // Explicitly update the Account record with the OAuth token details.
             // This is necessary to update the access token when the user
             // re-authenticates.
-            if (account && account.provider && account.provider !== 'credentials' && account.providerAccountId) {
+            if (account && account.provider && account.providerAccountId) {
                 await prisma.account.update({
                     where: {
                         provider_providerAccountId: {
@@ -220,60 +217,14 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
         }
     },
     callbacks: {
-        async jwt({ token, user: _user, account: _account }) {
+        async jwt({ token, user: _user, account }) {
+            const user = _user as User | undefined;
             // @note: `user` will be available on signUp or signIn triggers.
             // Cache the userId in the JWT for later use.
-            if (_user) {
-                const user = _user as User;
+            if (user) {
                 token.userId = user.id;
             }
 
-            if (_account) {
-                token.providerAccountId = _account.providerAccountId;
-                token.provider = _account.provider;
-            }
-
-            const account = await prisma.account.findUnique({
-                where: {
-                    provider_providerAccountId: {
-                        provider: token.provider,
-                        providerAccountId: token.providerAccountId,
-                    },
-                },
-            });
-
-            if (!account) {
-                return null;
-            }
-
-            const currentScopes = normalizeScopes(account.scope);
-            const requiredScopes = getRequiredScopes(account.provider);
-
-            if (currentScopes !== requiredScopes) {
-                const doesAccountExist = await prisma.account.findUnique({
-                    where: {
-                        provider_providerAccountId: {
-                            provider: account.provider,
-                            providerAccountId: account.providerAccountId,
-                        },
-                    },
-                });
-
-                if (doesAccountExist) {
-                    await prisma.account.delete({
-                        where: {
-                            provider_providerAccountId: {
-                                provider: account.provider,
-                                providerAccountId: account.providerAccountId,
-                            },
-                        },
-                    });
-                    console.log(`Deleted account ${account.providerAccountId} for provider ${account.provider} because it did not have the required scopes.`);
-                }
-
-                return null;
-            }
-
             if (hasEntitlement('permission-syncing')) {
                 if (account && account.access_token && account.refresh_token && account.expires_at) {
                     token.linkedAccountTokens = token.linkedAccountTokens || {};
@@ -322,4 +273,4 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
         // We set redirect to false in signInOptions so we can pass the email is as a param
         // verifyRequest: "/login/verify",
     }
-});
+});

packages/web/src/ee/features/permissionSyncing/components/linkButton.tsx

@@ -12,7 +12,7 @@ interface LinkButtonProps {
 export const LinkButton = ({ provider, callbackUrl }: LinkButtonProps) => {
     const handleLink = () => {
         signIn(provider, {
-            redirectTo: callbackUrl,
+            redirectTo: callbackUrl
         });
     };
 

packages/web/src/ee/features/sso/sso.ts

@@ -1,9 +1,8 @@
 import type { IdentityProvider } from "@/auth";
 import { onCreateUser } from "@/lib/authUtils";
-import { getRequiredScopes } from "@/lib/oauthScopes";
 import { prisma } from "@/prisma";
 import { AuthentikIdentityProviderConfig, GCPIAPIdentityProviderConfig, GitHubIdentityProviderConfig, GitLabIdentityProviderConfig, GoogleIdentityProviderConfig, KeycloakIdentityProviderConfig, MicrosoftEntraIDIdentityProviderConfig, OktaIdentityProviderConfig } from "@sourcebot/schemas/v3/index.type";
-import { createLogger, env, getTokenFromConfig, loadConfig } from "@sourcebot/shared";
+import { createLogger, env, getTokenFromConfig, hasEntitlement, loadConfig } from "@sourcebot/shared";
 import { OAuth2Client } from "google-auth-library";
 import type { User as AuthJsUser } from "next-auth";
 import type { Provider } from "next-auth/providers";
@@ -127,10 +126,19 @@ const createGitHubProvider = (clientId: string, clientSecret: string, baseUrl?:
         ...(hostname === GITHUB_CLOUD_HOSTNAME ? { enterprise: { baseUrl: baseUrl } } : {}), // if this is set the provider expects GHE so we need this check
         authorization: {
             params: {
-                scope: getRequiredScopes('github'),
+                scope: [
+                    'read:user',
+                    'user:email',
+                    // Permission syncing requires the `repo` scope in order to fetch repositories
+                    // for the authenticated user.
+                    // @see: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#list-repositories-for-the-authenticated-user
+                    ...(env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing') ?
+                        ['repo'] :
+                        []
+                    ),
+                ].join(' '),
             },
         },
-        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -142,7 +150,16 @@ const createGitLabProvider = (clientId: string, clientSecret: string, baseUrl?:
         authorization: {
             url: `${url}/oauth/authorize`,
             params: {
-                scope: getRequiredScopes('gitlab'),
+                scope: [
+                    "read_user",
+                    // Permission syncing requires the `read_api` scope in order to fetch projects
+                    // for the authenticated user and project members.
+                    // @see: https://docs.gitlab.com/ee/api/projects.html#list-all-projects
+                    ...(env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing') ?
+                        ['read_api'] :
+                        []
+                    ),
+                ].join(' '),
             },
         },
         token: {
@@ -151,15 +168,13 @@ const createGitLabProvider = (clientId: string, clientSecret: string, baseUrl?:
         userinfo: {
             url: `${url}/api/v4/user`,
         },
-        allowDangerousEmailAccountLinking: true,
     });
 }
 
 const createGoogleProvider = (clientId: string, clientSecret: string): Provider => {
     return Google({
         clientId: clientId,
         clientSecret: clientSecret,
-        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -168,7 +183,6 @@ const createOktaProvider = (clientId: string, clientSecret: string, issuer: stri
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
-        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -177,7 +191,6 @@ const createKeycloakProvider = (clientId: string, clientSecret: string, issuer:
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
-        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -186,7 +199,6 @@ const createMicrosoftEntraIDProvider = (clientId: string, clientSecret: string,
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
-        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -271,6 +283,5 @@ export const createAuthentikProvider = (clientId: string, clientSecret: string,
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
-        allowDangerousEmailAccountLinking: true,
     });
 }