mirror of
https://github.com/stack-auth/stack.git
synced 2026-06-04 21:04:37 +08:00
- Reject duplicate-domain SAML connections in admin POST so /auth/saml/discover stays deterministic; correct the discovery doc comment that claimed a non-existent DB invariant.
- Set SameSite=None+Secure on stack-saml-inner cookie in non-dev so the IdP cross-site POST to ACS doesn't drop it; keep Lax in dev where Secure isn't available over HTTP.
- Pass idpIssuer to node-saml so assertions issued under a different IdP entity (even with a matching signing cert) are rejected.
- Tighten the ACS body schema to { SAMLResponse, RelayState? } and wrap base64/XML decode failures as BadRequest.
- Make ProjectUserSamlAccount.projectUserId NOT NULL — no code path created orphan rows; drop the runtime ?? throwAssertion fallback and the dead getProjectUserIdFromSamlAccount helper.
Top-level directories in this tree:

- backend
- dashboard
- dev-launchpad
- e2e
- hosted-components
- internal-tool
- mock-oauth-server
- mock-saml-idp
- oauth-mock-server