CodeCow/stack
1
0
Fork 0
mirror of https://github.com/stack-auth/stack.git synced 2026-06-13 21:01:21 +08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
191ad700bd
stack/apps/backend
History
Bilal Godil 191ad700bd feat(backend): add SAML login + ACS routes with OAuth2 integration 
Two routes that complete the SAML SP-initiated round trip:

- GET /api/v1/auth/saml/login/[connection_id]
  Receives the same Stack Auth OAuth client params as
  /auth/oauth/authorize (client_id, redirect_uri, scope, state, etc.),
  builds an AuthnRequest, persists the OAuth context + AuthnRequest ID
  in SamlOuterInfo, sets a CSRF cookie keyed to the request ID, and
  redirects to the IdP. Honors stack_response_mode=json so the SDK
  can intercept programmatically. V1 scope: SP-initiated only, no
  signed AuthnRequests, no link/upgrade flow.

- POST /api/v1/auth/saml/acs/[connection_id]
  Receives the IdP's POST. Parses InResponseTo from the response
  WITHOUT verifying the signature, looks up SamlOuterInfo to recover
  tenancy/connection (this is necessary because the connection ID
  alone doesn't index a tenancy in the JSON-config storage model).
  Validates CSRF cookie, then runs node-saml's full
  validatePostResponseAsync (signature + audience + clock skew +
  InResponseTo). Defense-in-depth re-checks InResponseTo and
  cross-connection mismatch (the latter handles 'assertion sent to
  the wrong ACS endpoint' forgery, e2e test #10).

  On success, runs find-existing / link / create via the
  saml-account.tsx helpers, then hands off to oauthServer.authorize
  so Stack Auth issues a customer-facing OAuth code (mirrors the
  oauth/callback pattern). Deletes SamlOuterInfo at the end for
  replay protection.

Adds extractInResponseTo helper to saml/saml.tsx for the pre-validation
parse described above.

Routes typecheck and lint clean. Runtime untested — needs the e2e test
matrix (task #15) to exercise the round-trip end-to-end against the
mock IdP.
2026-04-29 16:46:22 -07:00
..
prisma feat(backend): add SAML SSO Prisma models + migration 2026-04-29 16:46:22 -07:00
scripts Fix ClickHouse OOM in MAU query + optimize /internal/metrics route (#1344) 2026-04-19 22:57:46 -07:00
src feat(backend): add SAML login + ACS routes with OAuth2 integration 2026-04-29 16:46:22 -07:00
.env Move internal MCP server to backend, use Mintlify MCP for docs tools (#1389) 2026-04-29 09:45:52 -07:00
.env.development Move internal MCP server to backend, use Mintlify MCP for docs tools (#1389) 2026-04-29 09:45:52 -07:00
.eslintrc.cjs tsup for stack-shared (#647) 2025-04-28 21:26:52 -07:00
.gitignore private files n sm build shit (#1276) 2026-03-23 12:31:36 -07:00
instrumentation-client.ts Upgrade backend to Next.js 16 2025-12-12 16:59:07 -08:00
LICENSE Split backend and dashboard (#83) 2024-06-18 15:49:31 +02:00
next.config.mjs private files n sm build shit (#1276) 2026-03-23 12:31:36 -07:00
package.json feat(backend): extract email-merge helper and add SAML account helpers 2026-04-29 16:46:22 -07:00
prisma.config.ts [Fix]: Assortment of Bugs with Timefold Table and Payments (#1348) 2026-04-18 14:17:24 -07:00
tsconfig.json Fix lint 2026-02-27 09:59:26 -08:00
vercel.json External db sync (#1036) 2026-02-05 12:04:31 -08:00
vitest.config.ts Customizable ports (#962) 2025-10-20 15:24:47 -07:00
vitest.setup.ts Customizable ports (#962) 2025-10-20 15:24:47 -07:00