Skip to content

feat(users): Add email domain based restriction for dashboard entry APIs#6940

Merged
Gnanasundari24 merged 8 commits intomainfrom
sso-domain-restriction
Dec 30, 2024
Merged

feat(users): Add email domain based restriction for dashboard entry APIs#6940
Gnanasundari24 merged 8 commits intomainfrom
sso-domain-restriction

Conversation

@ThisIsMani
Copy link
Contributor

@ThisIsMani ThisIsMani commented Dec 26, 2024
edited
Loading

Type of Change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring
  • Dependency updates
  • Documentation
  • CI/CD

Description

There will be a mapping of email domain and auth methods.
This PR will restrict users to enter into the dashboard based on the email domain.

Additional Changes

  • This PR modifies the API contract
  • This PR modifies the database schema
  • This PR modifies application configuration/environment variables

Motivation and Context

Closes #6939.

How did you test it?

  1. Create user auth method with email domain

    curl --location 'http://localhost:8080/user/auth' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiMjAxYTJlZWQtNGE0ZC00MjZlLTg1N2ItMjNhM2ZjZTk5NTMzIiwibWVyY2hhbnRfaWQiOiJtZXJjaGFudF8xNjk3NjIzMjI0Iiwicm9sZV9pZCI6Im1lcmNoYW50X2FkbWluIiwiZXhwIjoxNjk3Nzk2MDI3LCJvcmdfaWQiOiJvcmdfVzJ2NmtPZ2lMSWx3YnFoaVh4VUIifQ.HnkHHWboPt82-VlvE5GVCjTJ1sA82-dMbUxeYNl-mxk' \
--header 'Content-Type: application/json' \
--header 'api-key: ••••••' \
--data '{
    "owner_id": "test",
    "owner_type": "organization",
    "auth_method": {
        "auth_type": "password",
        "private_config": {
            "base_url": "url",
            "client_id": "client_id",
            "client_secret": "client_secret"
        },
        "public_config": {
            "name": "okta"
        }
    },
    "allow_signup": true,
    "email_domain": "gmail.com" 
}'

    Response will be 200 OK.

  2. Update user auth method

    1. Auth Method 
      curl --location --request PUT 'http://localhost:8080/user/auth' \
--header 'Content-Type: application/json' \
--header 'api-key: test_admin' \
--header 'Cookie: Cookie_1=value' \
--data '{
    "auth_method": {
        "id": "799596e6-e6ba-405c-b5cf-70fd510409dc",
        "auth_method": {
            "auth_type": "open_id_connect",
            "private_config": {
                "base_url": "base url",
                "client_id": "client id",
                "client_secret": "client secret"
            },
            "public_config": {
                "name": "okta"
            }
        }
    }
}
'
      Response will be 200 OK.
    2. Email Domain 
       curl --location --request PUT 'http://localhost:8080/user/auth' \
 --header 'Content-Type: application/json' \
 --header 'api-key: test_admin' \
 --header 'Cookie: Cookie_1=value' \
 --data '{
     "email_domain": {
         "owner_id": "test",
         "email_domain": "juspay.com"
     }
 }'
      Response will be 200 OK.

All the following APIs will restrict the users based on the email domain and the corresponding auth method

  1. Signin - Password
  2. Signup - Password
  3. Connect Account - MagicLink
  4. Forgot Password - Password
  5. Send Verification Email - MagicLink
  6. SSO Signin - OpenIdConnect
  7. Terminate Auth Select - Selected auth method

If the auth method list for email domain is empty of consists of the above auth method, the request will be continued, or else the api will be stopped.

Checklist

  • I formatted the code cargo +nightly fmt --all
  • I addressed lints thrown by cargo clippy
  • I reviewed the submitted code
  • I added unit tests for my changes where possible

@ThisIsMani ThisIsMani added C-feature Category: Feature request or enhancement M-database-changes Metadata: This PR involves database schema changes M-api-contract-changes Metadata: This PR involves API contract changes A-users Area: Users labels Dec 26, 2024
@ThisIsMani ThisIsMani self-assigned this Dec 26, 2024
@ThisIsMani ThisIsMani requested review from a team as code owners December 26, 2024 07:59
@semanticdiff-com
Copy link

semanticdiff-com bot commented Dec 26, 2024
edited
Loading

Review changes with  SemanticDiff

Changed Files
File Status
  crates/api_models/src/user.rs  40% smaller
  crates/router/src/core/user.rs  34% smaller
  crates/diesel_models/src/query/user_authentication_method.rs  0% smaller
  crates/diesel_models/src/schema.rs  0% smaller
  crates/diesel_models/src/schema_v2.rs  0% smaller
  crates/diesel_models/src/user_authentication_method.rs  0% smaller
  crates/router/src/core/errors/user.rs  0% smaller
  crates/router/src/db/kafka_store.rs  0% smaller
  crates/router/src/db/user_authentication_method.rs  0% smaller
  crates/router/src/types/domain/user.rs  0% smaller
  crates/router/src/types/domain/user/user_authentication_method.rs  0% smaller
  crates/router/src/utils/user.rs  0% smaller
  migrations/2024-12-11-092624_add-email-domain-in-auth-methods/down.sql Unsupported file format
  migrations/2024-12-11-092624_add-email-domain-in-auth-methods/up.sql Unsupported file format

@hyperswitch-bot hyperswitch-bot bot removed the M-api-contract-changes Metadata: This PR involves API contract changes label Dec 26, 2024
@ThisIsMani ThisIsMani changed the title feat(users): Add email domain based restriction for dashboard enttry APIs feat(users): Add email domain based restriction for dashboard entry APIs Dec 26, 2024
apoorvdixit88
apoorvdixit88 reviewed Dec 26, 2024
View reviewed changes
racnan
racnan approved these changes Dec 26, 2024
View reviewed changes
Copy link
Contributor

@racnan racnan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be later changed to have email domain as a nullable column instead.
We shouldn't force users to always add a domain based restriction.

crates/api_models/src/user.rs
Comment on lines +326 to +327
pub auth_id: Option<String>,
pub email_domain: Option<String>,
Copy link
Contributor

@racnan racnan Dec 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could have been an enum.

crates/router/src/core/user.rs
Comment on lines +2350 to +2362
let (auth_id, email_domain) = if let Some(auth_method) = auth_methods.first() {
let email_domain = match req.email_domain {
Some(email_domain) => {
if email_domain != auth_method.email_domain {
return Err(report!(UserErrors::InvalidAuthMethodOperationWithMessage(
"Email domain mismatch".to_string()
)));
}

email_domain
}
None => auth_method.email_domain.clone(),
};
Copy link
Contributor

@racnan racnan Dec 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nesting can be avoided.

crates/router/src/core/user.rs
Comment on lines +2486 to +2496
futures::future::try_join_all(auth_methods.iter().map(|auth_method| async {
state
.store
.update_user_authentication_method(
&auth_method.id,
UserAuthenticationMethodUpdate::EmailDomain {
email_domain: email_domain.clone(),
},
)
.await
.to_duplicate_response(UserErrors::UserAuthMethodAlreadyExists)
Copy link
Contributor

@racnan racnan Dec 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we make in query for this ?

crates/router/src/core/user.rs
Comment on lines +2520 to +2521
(Some(_), Some(_)) | (None, None) => {
return Err(UserErrors::InvalidUserAuthMethodOperation.into());
Copy link
Contributor

@racnan racnan Dec 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as mentioned above, if api model is enum we can avoid such cases here.

SanchithHegde
SanchithHegde reviewed Dec 27, 2024
View reviewed changes
crates/router/src/core/user.rs
StorageError::DuplicateValue { .. } => {
UserErrors::UserAuthMethodAlreadyExists
}
_ => UserErrors::InternalServerError,
Copy link
Member

@SanchithHegde SanchithHegde Dec 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we have some context message included wherever we're raising internal server errors (here and elsewhere in the file)?

@Gnanasundari24 Gnanasundari24 added this pull request to the merge queue Dec 30, 2024
Merged via the queue into main with commit 227c274 Dec 30, 2024
@Gnanasundari24 Gnanasundari24 deleted the sso-domain-restriction branch December 30, 2024 07:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SanchithHegde SanchithHegde SanchithHegde left review comments

@inventvenkat inventvenkat inventvenkat approved these changes

@apoorvdixit88 apoorvdixit88 apoorvdixit88 approved these changes

@racnan racnan racnan approved these changes

@Riddhiagrawal001 Riddhiagrawal001 Awaiting requested review from Riddhiagrawal001

Assignees

@ThisIsMani ThisIsMani

Labels

A-users Area: Users C-feature Category: Feature request or enhancement M-database-changes Metadata: This PR involves database schema changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat(users): Add email domain based restriction for dashboard entry APIs

6 participants

@ThisIsMani @inventvenkat @SanchithHegde @apoorvdixit88 @racnan @Gnanasundari24