db/account: refactor checkRequiredSSO and use it to check, if modifying the email_address is allowed or if update_on_login is set, additionally prohibit changing first or last name

Author: haraldschilly

src/packages/database/postgres-server-queries.coffee

@@ -61,6 +61,7 @@ read = require('read')
 {pii_expire} = require("./postgres/pii")
 passwordHash = require("@cocalc/backend/auth/password-hash").default;
 registrationTokens = require('./postgres/registration-tokens').default;
+getStrategiesSSO = require("@cocalc/database/settings/get-sso-strategies").default;
 
 stripe_name = require('@cocalc/util/stripe/name').default;
 
@@ -2647,6 +2648,19 @@ exports.extend_PostgreSQL = (ext) -> class PostgreSQL extends ext
             return result.rows[0].organization_id
         return undefined
 
+    getStrategiesSSO: () =>
+        return await getStrategiesSSO()
+
+    get_email_address_for_account_id: (account_id) =>
+        result = await @async_query
+            query       : 'SELECT email_address FROM accounts'
+            where       : [ 'account_id :: UUID = $1' ]
+            params      : [ account_id ]
+        if result.rows.length > 0
+            result.rows[0].email_address
+        else
+            return undefined
+
     # async
     registrationTokens: (options, query) =>
         return await registrationTokens(@, options, query)

src/packages/database/postgres/types.ts

@@ -14,6 +14,7 @@ import {
   QueryRows,
   UntypedQueryResult,
 } from "@cocalc/util/types/database";
+import type { Strategy } from "@cocalc/util/types/sso";
 import { Changes } from "./changefeed";
 
 export type { QueryResult };
@@ -317,6 +318,8 @@ export interface PostgreSQL extends EventEmitter {
       email_address: string;
     }>;
   }): Promise<void>;
+
+  getStrategiesSSO(): Promise<Strategy[]>;
 }
 
 export interface SetAccountFields {

src/packages/database/settings/get-sso-strategies.ts

@@ -19,7 +19,8 @@ export default async function getStrategies(): Promise<Strategy[]> {
            COALESCE(info -> 'display',           conf -> 'display')           as display,
            COALESCE(info -> 'public',            conf -> 'public')            as public,
            COALESCE(info -> 'exclusive_domains', conf -> 'exclusive_domains') as exclusive_domains,
-           COALESCE(info -> 'do_not_hide',      'false'::JSONB)               as do_not_hide
+           COALESCE(info -> 'do_not_hide',      'false'::JSONB)               as do_not_hide,
+           COALESCE(info -> 'update_on_login',  'false'::JSONB)               as update_on_login
 
     FROM passport_settings
     WHERE strategy != 'site_conf'
@@ -39,6 +40,7 @@ export default async function getStrategies(): Promise<Strategy[]> {
       public: row.public ?? true,
       exclusiveDomains: row.exclusive_domains ?? [],
       doNotHide: row.do_not_hide ?? false,
+      updateOnLogin: row.update_on_login ?? false,
     };
   });
 }

src/packages/next/components/auth/sso.tsx

@@ -9,7 +9,7 @@ import { join } from "path";
 import { CSSProperties, ReactNode, useMemo } from "react";
 
 import { Icon } from "@cocalc/frontend/components/icon";
-import { checkRequiredSSO } from "@cocalc/server/auth/sso/check-required-sso";
+import { checkRequiredSSO } from "@cocalc/util/auth-check-required-sso";
 import { PRIMARY_SSO } from "@cocalc/util/types/passport-types";
 import { Strategy } from "@cocalc/util/types/sso";
 import Loading from "components/share/loading";
@@ -67,6 +67,7 @@ export default function SSO(props: SSOProps) {
       public: true,
       exclusiveDomains: [],
       doNotHide: true,
+      updateOnLogin: false,
     };
 
     return (

src/packages/server/accounts/set-email-address.ts

@@ -21,7 +21,7 @@ import passwordHash, {
   verifyPassword,
 } from "@cocalc/backend/auth/password-hash";
 import getPool from "@cocalc/database/pool";
-import { checkRequiredSSO } from "@cocalc/server/auth/sso/check-required-sso";
+import { checkRequiredSSO } from "@cocalc/util/auth-check-required-sso";
 import getStrategies from "@cocalc/database/settings/get-sso-strategies";
 import {
   isValidUUID,

src/packages/server/auth/check-email-exclusive-sso.ts

@@ -5,7 +5,7 @@
 
 import { PostgreSQL } from "@cocalc/database/postgres/types";
 import getStrategies from "@cocalc/database/settings/get-sso-strategies";
-import { checkRequiredSSO } from "@cocalc/server/auth/sso/check-required-sso";
+import { checkRequiredSSO } from "@cocalc/util/auth-check-required-sso";
 
 export async function checkEmailExclusiveSSO(
   db: PostgreSQL,

src/packages/server/auth/sso/passport-login.ts

@@ -45,8 +45,9 @@ import { sanitizeProfile } from "@cocalc/server/auth/sso/sanitize-profile";
 import { callback2 as cb2 } from "@cocalc/util/async-utils";
 import { is_valid_email_address } from "@cocalc/util/misc";
 import { HELP_EMAIL } from "@cocalc/util/theme";
-import { emailBelongsToDomain, getEmailDomain } from "./check-required-sso";
+import { emailBelongsToDomain } from "@cocalc/util/auth-check-required-sso";
 import { SSO_API_KEY_COOKIE_NAME } from "./consts";
+import { getEmailDomain } from "@cocalc/util/auth-check-required-sso";
 
 const logger = getLogger("server:auth:sso:passport-login");
 
@@ -240,7 +241,7 @@ export class PassportLogin {
     const exclusiveDomains = strategy.info?.exclusive_domains ?? [];
     if (!isEmpty(exclusiveDomains)) {
       for (const email of opts.emails ?? []) {
-        const emailDomain = getEmailDomain(email.toLocaleLowerCase());
+        const emailDomain = getEmailDomain(email.toLowerCase());
         for (const ssoDomain of exclusiveDomains) {
           if (emailBelongsToDomain(emailDomain, ssoDomain)) {
             return true;
@@ -253,7 +254,7 @@ export class PassportLogin {
 
   // similar to the above, for a specific email address
   private checkEmailExclusiveSSO(email_address: string): boolean {
-    const emailDomain = getEmailDomain(email_address.toLocaleLowerCase());
+    const emailDomain = getEmailDomain(email_address.toLowerCase());
     for (const strategyName in this.opts.passports) {
       const strategy = this.opts.passports[strategyName];
       for (const ssoDomain of strategy.info?.exclusive_domains ?? []) {
@@ -510,7 +511,7 @@ export class PassportLogin {
     }
 
     // We update the email address, if it does not belong to another account.
-  
+
     if (is_valid_email_address(locals.email_address)) {
       upd.email_address = locals.email_address;
     }

src/packages/server/auth/sso/unlink-strategy.ts

@@ -12,7 +12,7 @@ upstream SSO provider.
 import getPool from "@cocalc/database/pool";
 import getStrategies from "@cocalc/database/settings/get-sso-strategies";
 import { is_valid_uuid_string } from "@cocalc/util/misc";
-import { checkRequiredSSO } from "./check-required-sso";
+import { checkRequiredSSO } from "@cocalc/util/auth-check-required-sso";
 
 // The name should be something like "google-9999601658192", i.e., a key
 // of the passports field.

src/packages/server/auth/throttle.ts

@@ -7,7 +7,7 @@ the database.
 import LRU from "lru-cache";
 
 import getStrategies from "@cocalc/database/settings/get-sso-strategies";
-import { checkRequiredSSO } from "./sso/check-required-sso";
+import { checkRequiredSSO } from "@cocalc/util/auth-check-required-sso";
 
 const emailShortCache = new LRU<string, number>({
   max: 10000, // avoid memory issues

src/packages/server/auth/sso/check-required-sso.ts renamed to src/packages/util/auth-check-required-sso.ts

@@ -5,18 +5,19 @@
 
 import { Strategy } from "@cocalc/util/types/sso";
 
-/**
- * If the domain of a given email address belongs to an SSO strategy,
- * which is configured to be an "exclusive" domain, then return the Strategy.
- * This also matches subdomains, i.e. "foo@bar.baz.edu" is goverend by "baz.edu".
- */
-
 interface Opts {
   email: string | undefined;
   strategies: Strategy[] | undefined;
   specificStrategy?: string;
 }
 
+/**
+ * If the domain of a given email address belongs to an SSO strategy,
+ * which is configured to be an "exclusive" domain, then return the Strategy.
+ * This also matches subdomains, i.e. "foo@bar.baz.edu" is goverend by "baz.edu".
+ *
+ * Optionally, if @specificStrategy is set, only that strategy is checked!
+ */
 export function checkRequiredSSO(opts: Opts): Strategy | undefined {
   const { email, strategies, specificStrategy } = opts;
   // if the domain of email is contained in any of the strategie's exclusiveDomain array, return that strategy's name