Merge pull request #62 from codex-team/sso

chore(sso): sso types added

Author: neSpecc

build/index.d.ts

@@ -23,6 +23,7 @@ export * from "./src/dbScheme/user";
 export * from "./src/dbScheme/userNotifications";
 export * from "./src/dbScheme/workspace";
 export * from "./src/dbScheme/bankCard";
+export * from "./src/dbScheme/sso";
 export * from "./src/dbScheme/projectEventGroupingPattern";
 export * from "./src/notifications/createProjectNotifications";
 export * from "./src/notifications/receiveTypes";

build/index.js

@@ -39,6 +39,7 @@ __exportStar(require("./src/dbScheme/user"), exports);
 __exportStar(require("./src/dbScheme/userNotifications"), exports);
 __exportStar(require("./src/dbScheme/workspace"), exports);
 __exportStar(require("./src/dbScheme/bankCard"), exports);
+__exportStar(require("./src/dbScheme/sso"), exports);
 __exportStar(require("./src/dbScheme/projectEventGroupingPattern"), exports);
 __exportStar(require("./src/notifications/createProjectNotifications"), exports);
 __exportStar(require("./src/notifications/receiveTypes"), exports);

build/src/dbScheme/sso.d.ts

@@ -0,0 +1,77 @@
+/**
+ * SSO configuration types for database schema
+ */
+/**
+ * SAML attribute mapping configuration
+ */
+export interface SamlAttributeMapping {
+    /**
+     * Attribute name for email in SAML Assertion
+     * @example "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+     * to get email from XML like this:
+     *  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
+     *    <AttributeValue>[email protected]</AttributeValue>
+     *  </Attribute>
+     */
+    email: string;
+    /**
+     * Attribute name for user name in SAML Assertion
+     */
+    name?: string;
+}
+/**
+ * SAML SSO configuration
+ */
+export interface SamlConfig {
+    /**
+     * IdP Entity ID.
+     * Used to validate "this response is intended for Hawk"
+     * @example "urn:hawk:tracker:saml"
+     */
+    idpEntityId: string;
+    /**
+     * SSO URL for redirecting user to IdP
+     * Used to redirect user to IdP for authentication
+     * @example "https://idp.example.com/sso"
+     */
+    ssoUrl: string;
+    /**
+     * X.509 certificate for signature verification
+     * @example "-----BEGIN CERTIFICATE-----\nMIIDYjCCAkqgAwIBAgI...END CERTIFICATE-----"
+     */
+    x509Cert: string;
+    /**
+     * Desired NameID format
+     * @example "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+     */
+    nameIdFormat?: string;
+    /**
+     * Attribute mapping configuration
+     * Used to extract user attributes from SAML Response
+     */
+    attributeMapping: SamlAttributeMapping;
+}
+/**
+ * SSO configuration for workspace
+ */
+export interface WorkspaceSsoConfig {
+    /**
+     * Is SSO enabled
+     */
+    enabled: boolean;
+    /**
+     * Is SSO enforced (only SSO login allowed)
+     * If true, login via email/password is not allowed
+     */
+    enforced: boolean;
+    /**
+     * SSO provider type
+     * Currently only SAML is supported. In future we can add other providers (OAuth 2, etc.)
+     */
+    type: 'saml';
+    /**
+     * SAML-specific configuration.
+     * Got from IdP metadata.
+     */
+    saml: SamlConfig;
+}

build/src/dbScheme/sso.js

@@ -0,0 +1,5 @@
+"use strict";
+/**
+ * SSO configuration types for database schema
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

build/src/dbScheme/user.d.ts

@@ -67,4 +67,24 @@ export interface UserDBScheme {
          */
         term?: string;
     };
+    /**
+     * External identities for SSO (keyed by workspaceId)
+     */
+    identities?: {
+        [workspaceId: string]: {
+            /**
+             * SAML-mode params
+             */
+            saml: {
+                /**
+                 * NameID value from IdP (stable identifier)
+                 */
+                id: string;
+                /**
+                 * Email at the time of linking (for audit)
+                 */
+                email: string;
+            };
+        };
+    };
 }

build/src/dbScheme/workspace.d.ts

@@ -1,4 +1,5 @@
 import type { ObjectId } from 'bson';
+import type { WorkspaceSsoConfig } from './sso.ts';
 /**
  * Workspace representation in DataBase
  */
@@ -68,4 +69,8 @@ export interface WorkspaceDBScheme {
     lastNotificationDate?: {
         [key: string]: Date;
     };
+    /**
+     * SSO configuration (optional, only for workspaces with SSO enabled)
+     */
+    sso?: WorkspaceSsoConfig;
 }

index.ts

@@ -28,6 +28,7 @@ export * from "./src/dbScheme/user";
 export * from "./src/dbScheme/userNotifications";
 export * from "./src/dbScheme/workspace";
 export * from "./src/dbScheme/bankCard";
+export * from "./src/dbScheme/sso";
 export * from "./src/dbScheme/projectEventGroupingPattern";
 
 export * from "./src/notifications/createProjectNotifications";

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hawk.so/types",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "TypeScript definitions for Hawk",
   "types": "build/index.d.ts",
   "main": "build/index.js",

src/dbScheme/sso.ts

@@ -0,0 +1,88 @@
+/**
+ * SSO configuration types for database schema
+ */
+
+/**
+ * SAML attribute mapping configuration
+ */
+export interface SamlAttributeMapping {
+  /**
+   * Attribute name for email in SAML Assertion
+   * @example "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+   * to get email from XML like this:
+   *  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
+   *    <AttributeValue>[email protected]</AttributeValue>
+   *  </Attribute>
+   */
+  email: string;
+
+  /**
+   * Attribute name for user name in SAML Assertion
+   */
+  name?: string;
+}
+
+/**
+ * SAML SSO configuration
+ */
+export interface SamlConfig {
+  /**
+   * IdP Entity ID.
+   * Used to validate "this response is intended for Hawk"
+   * @example "urn:hawk:tracker:saml"
+   */
+  idpEntityId: string;
+
+  /**
+   * SSO URL for redirecting user to IdP
+   * Used to redirect user to IdP for authentication
+   * @example "https://idp.example.com/sso"
+   */
+  ssoUrl: string;
+
+  /**
+   * X.509 certificate for signature verification
+   * @example "-----BEGIN CERTIFICATE-----\nMIIDYjCCAkqgAwIBAgI...END CERTIFICATE-----"
+   */
+  x509Cert: string;
+
+  /**
+   * Desired NameID format
+   * @example "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+   */
+  nameIdFormat?: string;
+
+  /**
+   * Attribute mapping configuration
+   * Used to extract user attributes from SAML Response
+   */
+  attributeMapping: SamlAttributeMapping;
+}
+
+/**
+ * SSO configuration for workspace
+ */
+export interface WorkspaceSsoConfig {
+  /**
+   * Is SSO enabled
+   */
+  enabled: boolean;
+
+  /**
+   * Is SSO enforced (only SSO login allowed)
+   * If true, login via email/password is not allowed
+   */
+  enforced: boolean;
+
+  /**
+   * SSO provider type
+   * Currently only SAML is supported. In future we can add other providers (OAuth 2, etc.)
+   */
+  type: 'saml';
+
+  /**
+   * SAML-specific configuration.
+   * Got from IdP metadata.
+   */
+  saml: SamlConfig;
+}

src/dbScheme/user.ts

@@ -81,4 +81,26 @@ export interface UserDBScheme {
      */
     term?: string;
   };
+
+  /**
+   * External identities for SSO (keyed by workspaceId)
+   */
+  identities?: {
+    [workspaceId: string]: {
+      /**
+       * SAML-mode params
+       */
+      saml: {
+        /**
+         * NameID value from IdP (stable identifier)
+         */
+        id: string;
+
+        /**
+         * Email at the time of linking (for audit)
+         */
+        email: string;
+      };
+    };
+  };
 }