calvin.erfmann/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-05-28 11:43:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

move idp mode check to a middleware

Browse Source
This commit is contained in:
miloschwartz
2026-04-16 21:00:48 -07:00
parent 93400ace27
commit 707cc4b275
8 changed files with 40 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
server/private/routers/external.ts
View File

@@ -89,6 +89,7 @@ authenticated.put(
"/org/:orgId/idp/oidc", "/org/:orgId/idp/oidc",
verifyValidLicense, verifyValidLicense,
verifyValidSubscription(tierMatrix.orgOidc), verifyValidSubscription(tierMatrix.orgOidc),
orgIdp.requireOrgIdentityProviderMode,
verifyOrgAccess, verifyOrgAccess,
verifyLimits, verifyLimits,
verifyUserHasAction(ActionsEnum.createIdp), verifyUserHasAction(ActionsEnum.createIdp),
@@ -100,6 +101,7 @@ authenticated.post(
"/org/:orgId/idp/:idpId/import", "/org/:orgId/idp/:idpId/import",
verifyValidLicense, verifyValidLicense,
verifyValidSubscription(tierMatrix.orgOidc), verifyValidSubscription(tierMatrix.orgOidc),
orgIdp.requireOrgIdentityProviderMode,
verifyOrgAccess, verifyOrgAccess,
verifyLimits, verifyLimits,
verifyAdmin, verifyAdmin,
@@ -111,6 +113,7 @@ authenticated.post(
"/org/:orgId/idp/:idpId/oidc", "/org/:orgId/idp/:idpId/oidc",
verifyValidLicense, verifyValidLicense,
verifyValidSubscription(tierMatrix.orgOidc), verifyValidSubscription(tierMatrix.orgOidc),
orgIdp.requireOrgIdentityProviderMode,
verifyOrgAccess, verifyOrgAccess,
verifyIdpAccess, verifyIdpAccess,
verifyLimits, verifyLimits,
@@ -122,6 +125,7 @@ authenticated.post(
authenticated.delete( authenticated.delete(
"/org/:orgId/idp/:idpId", "/org/:orgId/idp/:idpId",
verifyValidLicense, verifyValidLicense,
orgIdp.requireOrgIdentityProviderMode,
verifyOrgAccess, verifyOrgAccess,
verifyIdpAccess, verifyIdpAccess,
verifyUserHasAction(ActionsEnum.deleteIdp), verifyUserHasAction(ActionsEnum.deleteIdp),
@@ -132,6 +136,7 @@ authenticated.delete(
authenticated.delete( authenticated.delete(
"/org/:orgId/idp/:idpId/association", "/org/:orgId/idp/:idpId/association",
verifyValidLicense, verifyValidLicense,
orgIdp.requireOrgIdentityProviderMode,
verifyOrgAccess, verifyOrgAccess,
verifyIdpAccess, verifyIdpAccess,
verifyUserHasAction(ActionsEnum.deleteIdp), verifyUserHasAction(ActionsEnum.deleteIdp),

13
server/private/routers/orgIdp/createOrgOidcIdp.ts
View File

@@ -27,7 +27,6 @@ import config from "@server/lib/config";
import { CreateOrgIdpResponse } from "@server/routers/orgIdp/types"; import { CreateOrgIdpResponse } from "@server/routers/orgIdp/types";
import { isSubscribed } from "#private/lib/isSubscribed"; import { isSubscribed } from "#private/lib/isSubscribed";
import { tierMatrix } from "@server/lib/billing/tierMatrix"; import { tierMatrix } from "@server/lib/billing/tierMatrix";
import privateConfig from "#private/lib/config";
import { build } from "@server/build"; import { build } from "@server/build";
const paramsSchema = z.strictObject({ orgId: z.string().nonempty() }); const paramsSchema = z.strictObject({ orgId: z.string().nonempty() });
@@ -94,18 +93,6 @@ export async function createOrgOidcIdp(
); );
} }
if (
privateConfig.getRawPrivateConfig().app.identity_provider_mode !==
"org"
) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Organization-specific IdP creation is not allowed in the current identity provider mode. Set app.identity_provider_mode to 'org' in the private configuration to enable this feature."
)
);
}
const { const {
clientId, clientId,
clientSecret, clientSecret,

13
server/private/routers/orgIdp/deleteOrgIdp.ts
View File

@@ -22,7 +22,6 @@ import { fromError } from "zod-validation-error";
import { idp, idpOidcConfig, idpOrg } from "@server/db"; import { idp, idpOidcConfig, idpOrg } from "@server/db";
import { eq } from "drizzle-orm"; import { eq } from "drizzle-orm";
import { OpenAPITags, registry } from "@server/openApi"; import { OpenAPITags, registry } from "@server/openApi";
import privateConfig from "#private/lib/config";
const paramsSchema = z const paramsSchema = z
.object({ .object({
@@ -60,18 +59,6 @@ export async function deleteOrgIdp(
const { idpId } = parsedParams.data; const { idpId } = parsedParams.data;
if (
privateConfig.getRawPrivateConfig().app.identity_provider_mode !==
"org"
) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Organization-specific IdP creation is not allowed in the current identity provider mode. Set app.identity_provider_mode to 'org' in the private configuration to enable this feature."
)
);
}
// Check if IDP exists // Check if IDP exists
const [existingIdp] = await db const [existingIdp] = await db
.select() .select()

13
server/private/routers/orgIdp/importOrgIdp.ts
View File

@@ -24,7 +24,6 @@ import { idp, idpOrg, orgs, roles, userOrgs } from "@server/db";
import { and, eq, inArray } from "drizzle-orm"; import { and, eq, inArray } from "drizzle-orm";
import { CreateOrgIdpResponse } from "@server/routers/orgIdp/types"; import { CreateOrgIdpResponse } from "@server/routers/orgIdp/types";
import { generateOidcRedirectUrl } from "@server/lib/idp/generateRedirectUrl"; import { generateOidcRedirectUrl } from "@server/lib/idp/generateRedirectUrl";
import privateConfig from "#private/lib/config";
import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy"; import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
import { getUserOrgRoleIds } from "@server/lib/userOrgRoles"; import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
@@ -105,18 +104,6 @@ export async function importOrgIdp(
const { sourceOrgId } = parsedBody.data; const { sourceOrgId } = parsedBody.data;
if (
privateConfig.getRawPrivateConfig().app.identity_provider_mode !==
"org"
) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Organization-specific IdP creation is not allowed in the current identity provider mode. Set app.identity_provider_mode to 'org' in the private configuration to enable this feature."
)
);
}
if (sourceOrgId === targetOrgId) { if (sourceOrgId === targetOrgId) {
return next( return next(
createHttpError( createHttpError(

1
server/private/routers/orgIdp/index.ts
View File

@@ -19,3 +19,4 @@ export * from "./listUserAdminOrgIdps";
export * from "./updateOrgOidcIdp"; export * from "./updateOrgOidcIdp";
export * from "./deleteOrgIdp"; export * from "./deleteOrgIdp";
export * from "./unassociateOrgIdp"; export * from "./unassociateOrgIdp";
export * from "./requireOrgIdentityProviderMode";

34
server/private/routers/orgIdp/requireOrgIdentityProviderMode.ts Normal file
View File

@@ -0,0 +1,34 @@
/*
* This file is part of a proprietary work.
*
* Copyright (c) 2025-2026 Fossorial, Inc.
* All rights reserved.
*
* This file is licensed under the Fossorial Commercial License.
* You may not use this file except in compliance with the License.
* Unauthorized use, copying, modification, or distribution is strictly prohibited.
*
* This file is not licensed under the AGPLv3.
*/
import { NextFunction, Request, Response } from "express";
import createHttpError from "http-errors";
import privateConfig from "#private/lib/config";
import HttpCode from "@server/types/HttpCode";
export function requireOrgIdentityProviderMode(
_req: Request,
_res: Response,
next: NextFunction
): void {
if (privateConfig.getRawPrivateConfig().app.identity_provider_mode !== "org") {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Organization-specific IdP creation is not allowed in the current identity provider mode. Set app.identity_provider_mode to 'org' in the private configuration to enable this feature."
)
);
}
return next();
}

13
server/private/routers/orgIdp/unassociateOrgIdp.ts
View File

@@ -21,7 +21,6 @@ import logger from "@server/logger";
import { fromError } from "zod-validation-error"; import { fromError } from "zod-validation-error";
import { and, eq, sql } from "drizzle-orm"; import { and, eq, sql } from "drizzle-orm";
import { OpenAPITags, registry } from "@server/openApi"; import { OpenAPITags, registry } from "@server/openApi";
import privateConfig from "#private/lib/config";
const paramsSchema = z const paramsSchema = z
.object({ .object({
@@ -48,18 +47,6 @@ export async function unassociateOrgIdp(
const { orgId, idpId } = parsedParams.data; const { orgId, idpId } = parsedParams.data;
if (
privateConfig.getRawPrivateConfig().app.identity_provider_mode !==
"org"
) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Organization-specific IdP creation is not allowed in the current identity provider mode. Set app.identity_provider_mode to 'org' in the private configuration to enable this feature."
)
);
}
const [association] = await db const [association] = await db
.select() .select()
.from(idpOrg) .from(idpOrg)

13
server/private/routers/orgIdp/updateOrgOidcIdp.ts
View File

@@ -26,7 +26,6 @@ import { encrypt } from "@server/lib/crypto";
import config from "@server/lib/config"; import config from "@server/lib/config";
import { isSubscribed } from "#private/lib/isSubscribed"; import { isSubscribed } from "#private/lib/isSubscribed";
import { tierMatrix } from "@server/lib/billing/tierMatrix"; import { tierMatrix } from "@server/lib/billing/tierMatrix";
import privateConfig from "#private/lib/config";
import { build } from "@server/build"; import { build } from "@server/build";
const paramsSchema = z const paramsSchema = z
@@ -99,18 +98,6 @@ export async function updateOrgOidcIdp(
); );
} }
if (
privateConfig.getRawPrivateConfig().app.identity_provider_mode !==
"org"
) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Organization-specific IdP creation is not allowed in the current identity provider mode. Set app.identity_provider_mode to 'org' in the private configuration to enable this feature."
)
);
}
const { idpId, orgId } = parsedParams.data; const { idpId, orgId } = parsedParams.data;
const { const {
clientId, clientId,