Commit Graph

40 Commits

Author SHA1 Message Date
Kenneth Wußmann 0b47f92134 fix(oidc): allow string boolean in email_verified userinfo schema (#14609)
## Why

When using AWS Cognito as OIDC provider, AFFiNE returns a zod parsing
error because AWS returns `email_verified` as a string in the userinfo
response.

```json
{
    "sub": "[UUID]",
    "email_verified": "true",
    "custom:mycustom1": "CustomValue",
    "phone_number_verified": "true",
    "phone_number": "+12065551212",
    "email": "bob@example.com",
    "username": "bob"
}
```

Reference:
https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html#get-userinfo-response-sample

Error returned in AFFiNE frontend:
```
Validation error, errors: [ { "code": "invalid_type", "expected": "boolean", "received": "string", "path": [ "email_verified" ], "message": "Expected boolean, received string" } ]
```

## What

I'm adjusting the existing `OIDCUserInfoSchema` to allow `z.boolean()`
and `z.enum(['true', 'false', '0', '1', 'yes', 'no'])`.
This matches with [our `extractBoolean` function in the
`OIDCProvider`](https://github.com/KennethWussmann/AFFiNE/blob/82e6239957db5f3754cde8ad968db62bc4ffad6a/packages/backend/server/src/plugins/oauth/providers/oidc.ts#L269-L285),
which already parses string as booleans in `email_verified`. But because
the userinfo response is parsed with zod first, it's failing before
reaching our `extractBoolean`.

> [!NOTE]
> We are using zod v3. In zod v4 they [added support for
`z.stringbool()`](https://zod.dev/api?id=stringbool) which would make
this easier.


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **Bug Fixes**
* Enhanced OpenID Connect provider authentication to accept flexible
formats for email verification status, including various string
representations alongside boolean values.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-09 02:53:43 +00:00
GyeongSu Han 2e95d91093 fix: restore Accept header and prevent encoded response in GitHub OAuth token request (regression from #14061) (#14538)
## 📝 Summary

This PR fixes a regression that caused the following error during GitHub
OAuth login:

> Unable to parse JSON response from
[https://github.com/login/oauth/access_token](https://github.com/login/oauth/access_token)

Related issue:
[https://github.com/toeverything/AFFiNE/issues/14334](https://github.com/toeverything/AFFiNE/issues/14334)
Regression introduced in:
[https://github.com/toeverything/AFFiNE/pull/14061](https://github.com/toeverything/AFFiNE/pull/14061)

---

## 🎯 Background

GitHub’s OAuth access token endpoint returns different response formats
depending on the request headers.

To receive a JSON response, the request must include:

```
Accept: application/json
```

If the `Accept` header is missing, GitHub responds with:

```
application/x-www-form-urlencoded
```

The current implementation assumes a JSON response and parses it
directly.
When a non-JSON response is returned, JSON parsing fails,
breaking the OAuth login flow.

---

## 🔍 Traffic Analysis (tcpdump)

Network path:

affine-graphql → (HTTPS) → envoy → (HTTP, tcpdump) → envoy → GitHub

### Observed Request

```
POST /login/oauth/access_token HTTP/1.1
host: github-proxy.com
content-type: application/x-www-form-urlencoded
accept: */*
...
```

### Observed Response

```
HTTP/1.1 200 OK
date: Sat, 28 Feb 2026 14:47:43 GMT
content-type: application/x-www-form-urlencoded; charset=utf-8
...
```

The `Accept` header was `*/*` instead of `application/json`,
causing GitHub to return a form-urlencoded response.

---

## 🐛 Root Cause

PR #14061 introduced a side effect in the request configuration.

Although the `Accept` header was initially defined,
the request options were later overwritten by the `init` parameter.

Because `init.headers` replaced the previously defined headers object,
the required header was lost.

Resulting in:

* Missing `Accept: application/json`
* GitHub returning `application/x-www-form-urlencoded`
* JSON parsing failure
* OAuth login failure

---

## 🔧 Changes

### 1️⃣ Fix header overwrite order

* Process the incoming `init` parameter first
* Explicitly overwrite required headers afterward
* Ensure `Accept: application/json` is always enforced

---

## 💥 Breaking Changes

None.

---

## 🧪 How to Test

1. Configure GitHub OAuth.
2. Attempt login via GitHub.
3. Verify that:

   * The request contains `Accept: application/json`
   * The response content-type is `application/json`
   * No JSON parsing error occurs
   * OAuth login completes successfully

---

## 📌 Notes

This change restores correct OAuth behavior and prevents regression
caused by header overwriting introduced in #14061.

The same header overwrite pattern identified in this issue
was also found in the calendar module and has been corrected there as
well.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Refactor**
* Improved backend HTTP header handling for external integrations to
avoid unintended header overrides, ensuring content-type and encoding
hints are applied consistently and improving reliability of service
requests.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2026-03-01 14:32:28 +00:00
DarkSky 728e02cab7 feat: bump eslint & oxlint (#14452)
#### PR Dependency Tree


* **PR #14452** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved null-safety, dependency tracking, upload validation, and
error logging for more reliable uploads, clipboard, calendar linking,
telemetry, PDF/theme printing, and preview/zoom behavior.
* Tightened handling of all-day calendar events (missing date now
reported).

* **Deprecations**
  * Removed deprecated RadioButton and RadioButtonGroup; use RadioGroup.

* **Chores**
* Unified and upgraded linting/config, reorganized imports, and
standardized binary handling for more consistent builds and tooling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-16 13:52:08 +08:00
DarkSky 944fab36ac feat: drop outdated session (#14373)
#### PR Dependency Tree


* **PR #14373** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added client version tracking and validation to ensure application
compatibility across authentication flows and sessions.
* Enhanced OAuth authentication with improved version handling during
sign-in and refresh operations.

* **Bug Fixes**
* Improved payment callback URL handling with safer defaults for
redirect links.

* **Tests**
* Expanded test coverage for client version enforcement and session
management.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-05 21:35:36 +08:00
DarkSky 403f16b404 chore: drop old client support (#14369) 2026-02-05 02:49:33 +08:00
DarkSky f29e47e9d2 feat: improve oauth (#14061)
fix #13730
fix #12901
fix #14025
2025-12-08 10:44:41 +08:00
DarkSky 5cac8971eb fix: apple sign (#14053) 2025-12-06 15:36:50 +08:00
DarkSky 05d373081a fix(server): update email verified at oauth (#13714)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Automatic email verification when signing in or reconnecting with a
linked OAuth provider: if the provider confirms the same email and your
account was unverified, your email will be marked as verified
automatically.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-10-09 09:46:05 +00:00
Finn Weigand 363f64ebfa feat: add dedicated sign-up config for oauth (#13610)
Currently, it is only possible to disable all registrations. However, it
would be helpful if you could disable normal registration but enable
OAuth registration.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added a setting to enable/disable new user signups via OAuth (default:
enabled).
* Admin Settings (Authentication) now includes a toggle for OAuth
signups.
* OAuth signup flow now respects this setting, preventing new
registrations via OAuth when disabled.
  * Self-hosted configuration schema updated to include the new option.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Hudint Finn Weigand <dev@hudint.de>
Co-authored-by: DarkSky <darksky2048@gmail.com>
Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com>
2025-09-21 15:38:25 +00:00
Jakob eb73c90b2e fix(server): allow MS Office365 / Azure compatibility by making OIDC.preferred_username optional (#13027)
> [!NOTE]
> **This is a reopened (already approved) PR**
> Needed to reopen https://github.com/toeverything/AFFiNE/pull/13011
because commit email was wrong and I could not sign the CLA

Make Office365 / Azure login possible by making preferred_username
optional.
This is NOT send in the token of MS.

To make this work you ALSO need to set the oidc.config.args.id to
"email" (there preferred_username is used as default)
Source:
https://github.com/toeverything/AFFiNE/blob/canary/packages/backend/server/src/plugins/oauth/providers/oidc.ts#L152

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved compatibility with OIDC providers by allowing the preferred
username field to be optional during user info validation.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-07-04 06:36:28 +00:00
fengmk2 facf6ee28b fix(server): disable Apple oauth on client version < 0.22.0 (#12984)
close AF-2705



#### PR Dependency Tree


* **PR #12984** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* The Apple OAuth provider is now available only for clients version
0.22.0 or higher.
* Client version detection has been improved by extracting version
information from request headers.

* **Bug Fixes**
* Ensured that the Apple OAuth provider is hidden for clients below
version 0.22.0.

* **Tests**
* Added comprehensive end-to-end and utility tests for OAuth provider
selection and client version extraction.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-07-02 08:07:34 +00:00
fengmk2 dc55518c5b feat(server): support multiple hosts in one deployment (#12950)
close CLOUD-233



#### PR Dependency Tree


* **PR #12950** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added support for configuring multiple server hosts across backend and
frontend settings.
* Enhanced deployment and Helm chart configuration to allow specifying
multiple ingress hosts.
* Updated admin and configuration interfaces to display and manage
multiple server hosts.

* **Improvements**
* Improved URL generation, OAuth, and worker service logic to
dynamically handle requests from multiple hosts.
  * Enhanced captcha verification to support multiple allowed hostnames.
* Updated frontend logic for platform-specific server base URLs and
allowed origins, including Apple app domains.
  * Expanded test coverage for multi-host scenarios.

* **Bug Fixes**
* Corrected backend logic to consistently use dynamic base URLs and
origins based on request host context.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-06-27 09:41:37 +00:00
liuyi 71be1d424a fix(server): oidc registration (#12723) 2025-06-05 09:16:21 +00:00
forehalo ee931d546e fix(server): oauth should follow sign up restriction (#12683)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

- **New Features**
	- Enforced signup restrictions for OAuth login based on configuration settings. Users will not be able to sign up via OAuth if signup is disabled by the administrator.
- **Bug Fixes**
	- Improved error handling during OAuth login when signup is not permitted.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-06-03 08:53:00 +00:00
forehalo 88eec2cdfb chore(server): disable version check for oauth callback (#12640)
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

- **Bug Fixes**
  - Improved Apple OAuth login reliability by ensuring client version checks do not block the callback process.

- **New Features**
  - Enhanced OAuth account information by including an optional display name field.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-05-30 03:05:38 +00:00
liuyi 41781902f6 feat(core): support apple sign in (#12424) 2025-05-23 15:27:27 +08:00
forehalo 0ea38680fa refactor(server): config system (#11081) 2025-03-27 12:32:28 +00:00
fengmk2 867ae7933f refactor(server): improve oauth login flow (#10648)
close CLOUD-145
2025-03-12 15:27:36 +08:00
fengmk2 b88113a2d1 feat(server): add invalid oauth callback code error handling (#10603)
close CLOUD-130
2025-03-05 06:16:59 +00:00
DarkSky fa86f71853 feat(server): client version check (#9205)
Co-authored-by: forehalo <forehalo@gmail.com>
2025-02-20 15:50:22 +08:00
fengmk2 67b6c28d67 refactor(server): use user model on oauth plugin (#10031)
close CLOUD-117
2025-02-10 20:26:34 +08:00
forehalo 44de4474c3 feat(server): use user model (#9710) 2025-01-17 07:06:12 +00:00
liuyi 64827f771c fix(server): end_session_endpoint is not required for oidc (#9381) 2024-12-27 19:11:54 +08:00
Brooooooklyn aaaea8918f chore: upgrade to eslint9 (#9163) 2024-12-14 10:29:04 +00:00
forehalo 4c23991047 chore: rename fundamentals to base (#9119) 2024-12-13 06:27:13 +00:00
js os e2f281ac18 fix(server): make scope field optional in access token response (#8753)
Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com>
2024-11-09 20:01:33 +08:00
pengx17 8f694aceb7 fix(core): redirect to old page after login via 404 page (#8588)
fix AF-1487

When visit a cloud worskapce page without login, we should allow the user to redirect back to that page after login.

The logic is only added for this case, including login with email magin link + google login. Login with password is already working without changes.
2024-10-25 03:43:00 +00:00
forehalo 64d2b926a2 fix(server): remove default auth redirect url (#8140) 2024-09-06 06:26:59 +00:00
forehalo 8b0afd6eeb refactor(server): auth (#7994) 2024-09-03 09:03:39 +00:00
forehalo 624f3514fc feat(server): make permission a standalone module (#7880) 2024-08-15 10:01:52 +00:00
forehalo 0ec1995add fix(admin): organize admin panel (#7840) 2024-08-13 14:51:54 +08:00
liuyi 54fc1197ad feat(server): introduce user friendly server errors (#7111) 2024-06-17 11:30:58 +08:00
Tao Chen e417c4cd44 fix(server): OIDC bug (#7061) 2024-05-28 18:19:37 +08:00
forehalo 638fc62601 feat(server): runtime setting support (#5602)
---

<details open="true"><summary>Generated summary (powered by <a href="https://app.graphite.dev">Graphite</a>)</summary>

> ## TL;DR
> This pull request adds a new migration file, a new model, and new modules related to runtime settings. It also introduces a new `Runtime` service that allows getting, setting, and updating runtime configurations.
>
> ## What changed
> - Added a new migration file `migration.sql` that creates a table called `application_settings` with columns `key` and `value`.
> - Added a new model `ApplicationSetting` with properties `key` and `value`.
> - Added a new module `RuntimeSettingModule` that exports the `Runtime` service.
> - Added a new service `Runtime` that provides methods for getting, setting, and updating runtime configurations.
> - Modified the `app.module.ts` file to import the `RuntimeSettingModule`.
> - Modified the `index.ts` file in the `fundamentals` directory to export the `Runtime` service.
> - Added a new file `def.ts` in the `runtime` directory that defines the runtime configurations and provides a default implementation.
> - Added a new file `service.ts` in the `runtime` directory that implements the `Runtime` service.
>
> ## How to test
> 1. Run the migration script to create the `application_settings` table.
> 2. Use the `Runtime` service to get, set, and update runtime configurations.
> 3. Verify that the runtime configurations are stored correctly in the database and can be retrieved and modified using the `Runtime` service.
>
> ## Why make this change
> This change introduces a new feature related to runtime settings. The `Runtime` service allows the application to dynamically manage and modify runtime configurations without requiring a restart. This provides flexibility and allows for easier customization and configuration of the application.
</details>
2024-05-28 06:43:53 +00:00
Tao Chen 22a8a2663e feat(server): add OIDC for AFFiNE (#6991)
Co-authored-by: LongYinan <lynweklm@gmail.com>
Co-authored-by: DarkSky <darksky2048@gmail.com>
2024-05-24 00:35:30 +08:00
forehalo 1a1af83375 test(server): auth tests (#6135) 2024-03-26 02:24:17 +00:00
liuyi 06a5b2e5a5 fix(server): wrong google oauth param (#6227) 2024-03-20 17:45:22 +08:00
liuyi f2ec81b2d0 feat(server): user connected accounts migration (#6103) 2024-03-13 09:28:52 +00:00
liuyi 573528be41 fix(server): user can not signup through oauth if ever invited (#6101) 2024-03-13 07:50:11 +00:00
liuyi fb3a0e7b8f refactor(server): auth (#5895)
Remove `next-auth` and implement our own Authorization/Authentication system from scratch.

## Server

- [x] tokens
  - [x] function
  - [x] encryption

- [x] AuthController
  - [x] /api/auth/sign-in
  - [x] /api/auth/sign-out
  - [x] /api/auth/session
  - [x] /api/auth/session (WE SUPPORT MULTI-ACCOUNT!)

- [x] OAuthPlugin
  - [x] OAuthController
  - [x] /oauth/login
  - [x] /oauth/callback
  - [x] Providers
    - [x] Google
    - [x] GitHub

## Client

- [x] useSession
- [x] cloudSignIn
- [x] cloudSignOut

## NOTE:

Tests will be adding in the future
2024-03-12 10:00:09 +00:00