feat(sso): sso support added #614
Moved SAML audience, recipient, and time condition validation functions from SamlService to a new utils module for better separation of concerns. Added comprehensive unit tests for these utility functions and for SAML service logic. Improved test data isolation by introducing a unique test string generator. Updated existing user and usersFactory tests to use the new generator and ensure test isolation. Also, prevented MongoDB metrics setup in test environments.
Replaces custom SAML assertion validation logic with @node-saml/node-saml for signature, audience, and time validation. Updates error handling to map node-saml errors to SamlValidationError types, adds fallback error type, and removes now-unnecessary utility functions and tests. Extends and improves test coverage for SAML response parsing, error cases, and attribute extraction.
Added logic to generate SAML AuthnRequest using node-saml, extract the request ID from the encoded request, and handle errors. Updated and expanded unit tests to cover successful generation, error cases, and correct invocation of SAML library methods.
Added SAML SSO login and ACS endpoint logic to the controller, including user provisioning and session creation. Updated Jest config to use a dedicated test tsconfig. Added comprehensive tests for SAML controller behavior and created a test tsconfig.json.
Introduces a new @definedOnlyForAdmins directive to restrict certain fields to workspace admins, returning null for non-admins. Adds SSO configuration types, inputs, and resolvers to the workspace schema, including the sso field and updateWorkspaceSso mutation, both protected for admin access. Updates schema wiring to register the new directive and its transformer.
Dockerfiles and GitHub Actions workflow now use a dynamic Node.js version via build args, reading from .nvmrc for consistency. SAML SSO controller adds workspace ID validation, improved error handling, and clearer error responses for SSO initiation and ACS callback. Also documents REDIS_URL in environment types.
Introduces the ssoWorkspace query to fetch public workspace info (id, name, image) for SSO login pages. Updates GraphQL type definitions with WorkspacePreview type and exposes ssoWorkspace query for unauthenticated access.
Added enforcement of SSO login for users in workspaces with enforced SSO. Refactored SSO configuration update logic by introducing setSsoConfig method in WorkspaceModel and updating resolver to use it, ensuring only SSO config is modified.
Refresh token lifetime is now 2 days instead of 30 for users in workspaces with enforced SSO. This change applies to both standard and SAML SSO flows to improve security by requiring more frequent re-authentication.
Pull request overview
This pull request introduces comprehensive Single Sign-On (SSO) support with SAML authentication to the Hawk tracking system. The implementation includes backend authentication flows, user identity management, GraphQL API updates, and integration testing infrastructure.
Changes:
- Added SAML SSO authentication flow with Identity Provider integration, user provisioning, and workspace-based SSO enforcement
- Upgraded Node.js from v22.12.0 to v24.11.1 across all environments and CI/CD pipelines
- Integrated Keycloak IdP for local development and integration testing with automated setup scripts
Reviewed changes
Copilot reviewed 39 out of 42 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| yarn.lock | Updated dependencies for SAML support (@node-saml/node-saml, xml libraries) and @hawk.so/types |
| package.json | Added SAML dependencies and updated @hawk.so/types to v0.4.2 |
| src/sso/* | Complete SAML service implementation with controller, store, service, and utilities |
| src/models/user.ts | Added SAML identity linking methods and shorter token lifetime for SSO users |
| src/models/usersFactory.ts | Added findBySamlIdentity method for SSO user lookup |
| src/models/workspace.ts | Added SSO configuration storage and update methods |
| src/resolvers/*.{js,ts} | Implemented SSO enforcement in login flow and workspace SSO configuration queries/mutations |
| src/directives/definedOnlyForAdmins.ts | New directive to restrict field visibility to workspace admins |
| src/typeDefs/workspace.ts | Added SSO configuration types and WorkspacePreview for public SSO login pages |
| src/index.ts | Integrated SSO routes into Express application |
| test/sso/* | Comprehensive unit tests for SAML utils, store, service, and controller |
| test/models/* | Unit tests for user SAML identity management |
| test/integration/* | End-to-end SSO tests with Keycloak integration |
| docker-compose.test.yml | Added Keycloak service for integration testing |
| .nvmrc, docker/Dockerfile.* | Upgraded Node.js version to v24.11.1 |
| .github/workflows/* | Updated CI/CD to use Node.js version from .nvmrc |
Refactored SAML state management to support both Redis and in-memory stores via a new SamlStateStoreInterface. Added Redis-backed implementation for multi-instance deployments and a factory to select the store type based on the SAML_STORE_TYPE environment variable. Updated controller and router to use the new store abstraction, and extended environment and type definitions accordingly.
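An added example, not code from this PR or from Hawk, of the state store the commit above describes: an in-memory implementation of an assumed SamlStateStoreInterface that records each issued AuthnRequest ID with a TTL and hands it back exactly once, plus a factory keyed on SAML_STORE_TYPE. The interface shape, method names, and the use of the store for one-time InResponseTo checking are assumptions.

```typescript
// Added example (not the PR's or Hawk's code): the state store shape the commit
// describes, with method names and the consume-once semantics assumed.
export interface SamlStateStoreInterface {
  // Remember the ID of an AuthnRequest we issued, scoped to a workspace, for ttlMs.
  save(requestId: string, workspaceId: string, ttlMs: number): Promise<void>;
  // Return the workspace ID for a request ID exactly once, then null (delete-on-read).
  consume(requestId: string): Promise<string | null>;
}

interface StateEntry {
  workspaceId: string;
  expiresAt: number;
}

// Single-process store; a Redis-backed store would use SET ... PX plus GETDEL to keep
// the same consume-once guarantee across instances.
export class InMemorySamlStateStore implements SamlStateStoreInterface {
  private readonly entries: Map<string, StateEntry> = new Map();
  private readonly now: () => number;

  constructor(now: () => number = Date.now) {
    this.now = now; // injectable clock so expiry can be tested deterministically
  }

  async save(requestId: string, workspaceId: string, ttlMs: number): Promise<void> {
    this.entries.set(requestId, { workspaceId, expiresAt: this.now() + ttlMs });
  }

  async consume(requestId: string): Promise<string | null> {
    const entry = this.entries.get(requestId);
    if (entry === undefined) return null;
    this.entries.delete(requestId); // a replayed ACS callback with the same ID gets null
    return entry.expiresAt > this.now() ? entry.workspaceId : null;
  }
}

// Factory keyed on SAML_STORE_TYPE, as the commit describes; the Redis store is
// injected so this file stays dependency-free.
export function createSamlStateStore(
  storeType: string | undefined,
  redisStore?: () => SamlStateStoreInterface,
): SamlStateStoreInterface {
  switch ((storeType ?? 'memory').toLowerCase()) {
    case 'memory':
      return new InMemorySamlStateStore();
    case 'redis':
      if (redisStore === undefined) throw new Error('SAML_STORE_TYPE=redis needs a Redis-backed store');
      return redisStore();
    default:
      throw new Error(`Unsupported SAML_STORE_TYPE: ${storeType}`);
  }
}
```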
Codecov Report ❌ Patch coverage is
Additional details and impacted files: Coverage Diff (master vs #614)

| | master | #614 | +/- |
|---|---|---|---|
| Coverage | 58.30% | 55.13% | -3.17% |
| Files | 19 | 32 | +13 |
| Lines | 518 | 1032 | +514 |
| Branches | 95 | 198 | +103 |
| Hits | 302 | 569 | +267 |
| Misses | 216 | 427 | +211 |
| Partials | 0 | 36 | +36 |
This pull request introduces Single Sign-On (SSO) with SAML support, adds a local Keycloak IdP for integration testing, and updates Node.js and related dependencies. The main changes include new SSO-related models, resolvers, and directives, as well as updates to Docker and CI/CD configurations to support the new authentication flow.
SSO/SAML Support and User Model Enhancements
- SAML identity linking in UserModel, and a method to find users by SAML identity in UsersFactory.
- SSO configuration storage in WorkspaceModel, including a method to update SSO settings.
Testing and Local Development Improvements
- Keycloak IdP in docker-compose.test.yml for integration testing SSO flows, including health checks and setup scripts.
- .env.sample updated with a new SSO_SP_ENTITY_ID variable for SAML configuration.
Node.js and Dependency Upgrades
- Node.js version upgraded in .nvmrc, Dockerfiles, and CI/CD workflows, and made configurable in Docker builds.
- SAML dependencies added to package.json.
GraphQL and Middleware Enhancements
- New definedOnlyForAdmins GraphQL directive to restrict field visibility to workspace admins, returning null for non-admins.
SSO Route Integration
- SSO routes integrated into the Express application.