f536d1040c
* patch applied * patch applied * We shouldn't pollute global css * Build fixes * Updates typings * WIP extracting zoom to package * Revert "Upgrades next to 12.1 (#1895)" (#1903) This reverts commitede0e98e1f. * Tweak/gitignore prisma zod (#1905) * Extracts ignored createEventTypeBaseInput * Adds postinstall script * Revert "Tweak/gitignore prisma zod (#1905)" (#1906) This reverts commit15bfeb30d7. * Eslint fixes (#1898) * Eslint fixes * Docs build fixes * Upgrade to next 12.1 (#1904) * Upgrades next to 12.1 * Fixes build * Updaters e2e test pipelines Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> * Fix URL by removing slash and backslash (#1733) * Fix URl by removing slash and backslash * Implement slugify * Add data type * Fixing folder structure * Solve zod-utils conflict * Build fixes (#1929) * Build fixes * Fixes type error * WIP * Conflict fixes * Removes unused file * TODO * WIP * Type fixes * Linting * WIP * Moved App definition to types * WIP * WIP * WIP * WIP WIP * Renamed zoomvideo app * Import fix * Daily.co app (#2022) * Daily.co app * Update packages/app-store/dailyvideo/lib/VideoApiAdapter.ts Co-authored-by: Omar López <zomars@me.com> * Update packages/app-store/dailyvideo/lib/VideoApiAdapter.ts Co-authored-by: Omar López <zomars@me.com> * Missing deps for newly added contants to lib Co-authored-by: Omar López <zomars@me.com> * WIP * WIP * WIP * Daily fixes * Updated type info * Slack Oauth integration - api route ideas * Adds getLocationOptions * Type fixes * Adds location option for daily video * Revert "Slack Oauth integration - api route ideas" This reverts commit 35ffa78e929339c4badb98cdab4e4b953ecc7cca. * Slack Oauth + verify sig * Revert "Slack Oauth + verify sig" This reverts commit ee95795e0f0ae6d06be4e0a423afb8c315d9af7d. * Huddle01 migration to app store (#2038) * Jitsi Video App migration * Removing uneeded dependencies * Missed unused reference * Missing dependency `@calcom/lib` is needed in the `locationOption.ts` file * Huddle01 migration to app store * Jitsi Video App migration (#2027) * Jitsi Video App migration * Removing uneeded dependencies * Missed unused reference * Missing dependency `@calcom/lib` is needed in the `locationOption.ts` file Co-authored-by: Omar López <zomars@me.com> * Monorepo/app store MS Teams Integration (#2080) * Create teamsvideo package * Remove zoom specific refrences * Add teams video files * Rename to office365_video * Add call back to add crednetial type office365_teams * Rename to office_video to match type * Add MS Teams as a location option * Rename files * Add teams reponse interface and create meeting * Comment out Daily imports * Add check for Teams integration * Add token checking functions * Change template to create event rather than meeting * Add comment to test between create link and event * Add teams URL to booking * Ask for just onlineMeeting permission * Add MS Teams logo * Add message to have an enterprise account * Remove comments * Comment back hasDailyIntegration * Comment back daily credentials * Update link to MS Graph section of README * Move API calls to package Co-authored-by: Omar López <zomars@me.com> * Re-adds missing module for transpiling * Adds email as required field for app store metadata * WIP: migrates tandem to app store * Cleanup * Migrates tandem api routes to app store * Fixes tandem api handlers * Big WIP WIP * Build fixes * WIP * Fixes annoying circular dependency bug I've spent a whole day on this.... * Location option cleanup * Type fixes * Update EventManager.ts * Update CalendarManager.ts * Moves CalendarService back to lib * Moves apple calendar to App Store * Cleanup * More cleanup * Migrates apple calendar * Returns all connected calendars credentials * No tsx needed in calcom/lib * Update auth.ts * Reordering * Update i18n.utils.ts * WIP: Google Meet * Type fixes * Type fixes * Cleanup * Update LinkIconButton.tsx * Update TrialBanner.tsx * Cleanup * Cleanup * Type fixes * Update _appRegistry.ts * Update fonts.css * Update CalEventParser.ts * Delete yarn.lock.rej * Update eslint-preset.js * Delete zoom.tsx * Type fixes * Migrates caldav to app store * Cleanup * Type fixes * Adds caldav to app store * Test fixes * Updates integration tests * Moar test fixes * Redirection fixes * Redirection fixes * Update timeFormat.ts * Update booking-pages.test.ts * Connect button fixes * Fix empty item * Cal fixes andrea (#2234) * Fixes #2178 * Fixes #2178 * Update apps/web/components/availability/Schedule.tsx * Update apps/web/components/availability/Schedule.tsx Co-authored-by: Peer Richelsen <peeroke@gmail.com> Co-authored-by: Peer Richelsen <peer@cal.com> * added meta viewport to disable zoom on input focus on mobile (#2238) * Update lint.yml (#2211) Co-authored-by: Peer Richelsen <peeroke@gmail.com> * Fix prisma client bundle makes app slow (#2237) Co-authored-by: Omar López <zomars@me.com> * Slider fixes * Removed unused code * Full Shell when unauthed * App sidebar responsive fixes * Adds dynamic install button * Fix for duplicate connected calendars * Various fixes * Display notification on app delete * Reuse connect button * Adds CalDav button * Deprecates ConnectIntegration * Simplify install button * Adds Google Calendar connect button * Adds Office 365 Install button * Migrates Stripe to App Store * Zoom Install Button (#2244) * Fix minor css, app image load from static path * Fix app logos remote img src (#2252) * Adds missing exports * Cleanup * Disables install button for globally enabled apps * Update EventManager.ts * Stripe fixes * Disables example app Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> Co-authored-by: Juan Esteban Nieto Cifuentes <89233604+Jenietoc@users.noreply.github.com> Co-authored-by: Leo Giovanetti <hello@leog.me> Co-authored-by: Sean Brydon <seanbrydon.me@gmail.com> Co-authored-by: Joe Au-Yeung <65426560+joeauyeung@users.noreply.github.com> Co-authored-by: Peer Richelsen <peeroke@gmail.com> Co-authored-by: Bailey Pumfleet <pumfleet@hey.com> Co-authored-by: Syed Ali Shahbaz <52925846+alishaz-polymath@users.noreply.github.com> Co-authored-by: andreaestefania12 <andreaestefania12@hotmail.com> Co-authored-by: Peer Richelsen <peer@cal.com> Co-authored-by: Demian Caldelas <denik.works@protonmail.com> Co-authored-by: Alan <alannnc@gmail.com>
357 lines
10 KiB
TypeScript
357 lines
10 KiB
TypeScript
import { IdentityProvider } from "@prisma/client";
|
|
import NextAuth, { Session } from "next-auth";
|
|
import { Provider } from "next-auth/providers";
|
|
import CredentialsProvider from "next-auth/providers/credentials";
|
|
import GoogleProvider from "next-auth/providers/google";
|
|
import { authenticator } from "otplib";
|
|
|
|
import { symmetricDecrypt } from "@calcom/lib/crypto";
|
|
|
|
import { ErrorCode, verifyPassword } from "@lib/auth";
|
|
import prisma from "@lib/prisma";
|
|
import { randomString } from "@lib/random";
|
|
import { isSAMLLoginEnabled, samlLoginUrl, hostedCal } from "@lib/saml";
|
|
import slugify from "@lib/slugify";
|
|
|
|
import { GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, IS_GOOGLE_LOGIN_ENABLED } from "@server/lib/constants";
|
|
|
|
const usernameSlug = (username: string) => slugify(username) + "-" + randomString(6).toLowerCase();
|
|
|
|
const providers: Provider[] = [
|
|
CredentialsProvider({
|
|
id: "credentials",
|
|
name: "Cal.com",
|
|
type: "credentials",
|
|
credentials: {
|
|
email: { label: "Email Address", type: "email", placeholder: "john.doe@example.com" },
|
|
password: { label: "Password", type: "password", placeholder: "Your super secure password" },
|
|
totpCode: { label: "Two-factor Code", type: "input", placeholder: "Code from authenticator app" },
|
|
},
|
|
async authorize(credentials) {
|
|
if (!credentials) {
|
|
console.error(`For some reason credentials are missing`);
|
|
throw new Error(ErrorCode.InternalServerError);
|
|
}
|
|
|
|
const user = await prisma.user.findUnique({
|
|
where: {
|
|
email: credentials.email.toLowerCase(),
|
|
},
|
|
});
|
|
|
|
if (!user) {
|
|
throw new Error(ErrorCode.UserNotFound);
|
|
}
|
|
|
|
if (user.identityProvider !== IdentityProvider.CAL) {
|
|
throw new Error(ErrorCode.ThirdPartyIdentityProviderEnabled);
|
|
}
|
|
|
|
if (!user.password) {
|
|
throw new Error(ErrorCode.UserMissingPassword);
|
|
}
|
|
|
|
const isCorrectPassword = await verifyPassword(credentials.password, user.password);
|
|
if (!isCorrectPassword) {
|
|
throw new Error(ErrorCode.IncorrectPassword);
|
|
}
|
|
|
|
if (user.twoFactorEnabled) {
|
|
if (!credentials.totpCode) {
|
|
throw new Error(ErrorCode.SecondFactorRequired);
|
|
}
|
|
|
|
if (!user.twoFactorSecret) {
|
|
console.error(`Two factor is enabled for user ${user.id} but they have no secret`);
|
|
throw new Error(ErrorCode.InternalServerError);
|
|
}
|
|
|
|
if (!process.env.CALENDSO_ENCRYPTION_KEY) {
|
|
console.error(`"Missing encryption key; cannot proceed with two factor login."`);
|
|
throw new Error(ErrorCode.InternalServerError);
|
|
}
|
|
|
|
const secret = symmetricDecrypt(user.twoFactorSecret, process.env.CALENDSO_ENCRYPTION_KEY);
|
|
if (secret.length !== 32) {
|
|
console.error(
|
|
`Two factor secret decryption failed. Expected key with length 32 but got ${secret.length}`
|
|
);
|
|
throw new Error(ErrorCode.InternalServerError);
|
|
}
|
|
|
|
const isValidToken = authenticator.check(credentials.totpCode, secret);
|
|
if (!isValidToken) {
|
|
throw new Error(ErrorCode.IncorrectTwoFactorCode);
|
|
}
|
|
}
|
|
|
|
return {
|
|
id: user.id,
|
|
username: user.username,
|
|
email: user.email,
|
|
name: user.name,
|
|
};
|
|
},
|
|
}),
|
|
];
|
|
|
|
if (IS_GOOGLE_LOGIN_ENABLED) {
|
|
providers.push(
|
|
GoogleProvider({
|
|
clientId: GOOGLE_CLIENT_ID,
|
|
clientSecret: GOOGLE_CLIENT_SECRET,
|
|
})
|
|
);
|
|
}
|
|
|
|
if (isSAMLLoginEnabled) {
|
|
providers.push({
|
|
id: "saml",
|
|
name: "BoxyHQ",
|
|
type: "oauth",
|
|
version: "2.0",
|
|
checks: ["pkce", "state"],
|
|
authorization: {
|
|
url: `${samlLoginUrl}/api/auth/saml/authorize`,
|
|
params: {
|
|
scope: "",
|
|
response_type: "code",
|
|
provider: "saml",
|
|
},
|
|
},
|
|
token: {
|
|
url: `${samlLoginUrl}/api/auth/saml/token`,
|
|
params: { grant_type: "authorization_code" },
|
|
},
|
|
userinfo: `${samlLoginUrl}/api/auth/saml/userinfo`,
|
|
profile: (profile) => {
|
|
return {
|
|
id: profile.id || "",
|
|
firstName: profile.firstName || "",
|
|
lastName: profile.lastName || "",
|
|
email: profile.email || "",
|
|
name: `${profile.firstName || ""} ${profile.lastName || ""}`.trim(),
|
|
email_verified: true,
|
|
};
|
|
},
|
|
options: {
|
|
clientId: "dummy",
|
|
clientSecret: "dummy",
|
|
},
|
|
});
|
|
}
|
|
|
|
export default NextAuth({
|
|
session: {
|
|
strategy: "jwt",
|
|
},
|
|
secret: process.env.JWT_SECRET,
|
|
pages: {
|
|
signIn: "/auth/login",
|
|
signOut: "/auth/logout",
|
|
error: "/auth/error", // Error code passed in query string as ?error=
|
|
},
|
|
providers,
|
|
callbacks: {
|
|
async jwt({ token, user, account }) {
|
|
const autoMergeIdentities = async () => {
|
|
if (!hostedCal) {
|
|
const existingUser = await prisma.user.findFirst({
|
|
where: { email: token.email! },
|
|
});
|
|
|
|
if (!existingUser) {
|
|
return token;
|
|
}
|
|
|
|
return {
|
|
id: existingUser.id,
|
|
username: existingUser.username,
|
|
name: existingUser.name,
|
|
email: existingUser.email,
|
|
};
|
|
}
|
|
|
|
return token;
|
|
};
|
|
|
|
if (!user) {
|
|
return await autoMergeIdentities();
|
|
}
|
|
|
|
if (account && account.type === "credentials") {
|
|
return {
|
|
id: user.id,
|
|
name: user.name,
|
|
username: user.username,
|
|
email: user.email,
|
|
};
|
|
}
|
|
|
|
// The arguments above are from the provider so we need to look up the
|
|
// user based on those values in order to construct a JWT.
|
|
if (account && account.type === "oauth" && account.provider && account.providerAccountId) {
|
|
let idP: IdentityProvider = IdentityProvider.GOOGLE;
|
|
if (account.provider === "saml") {
|
|
idP = IdentityProvider.SAML;
|
|
}
|
|
|
|
const existingUser = await prisma.user.findFirst({
|
|
where: {
|
|
AND: [
|
|
{
|
|
identityProvider: idP,
|
|
},
|
|
{
|
|
identityProviderId: account.providerAccountId as string,
|
|
},
|
|
],
|
|
},
|
|
});
|
|
|
|
if (!existingUser) {
|
|
return await autoMergeIdentities();
|
|
}
|
|
|
|
return {
|
|
id: existingUser.id,
|
|
name: existingUser.name,
|
|
username: existingUser.username,
|
|
email: existingUser.email,
|
|
};
|
|
}
|
|
|
|
return token;
|
|
},
|
|
async session({ session, token }) {
|
|
const calendsoSession: Session = {
|
|
...session,
|
|
user: {
|
|
...session.user,
|
|
id: token.id as number,
|
|
name: token.name,
|
|
username: token.username as string,
|
|
},
|
|
};
|
|
return calendsoSession;
|
|
},
|
|
async signIn({ user, account, profile }) {
|
|
// In this case we've already verified the credentials in the authorize
|
|
// callback so we can sign the user in.
|
|
if (account.type === "credentials") {
|
|
return true;
|
|
}
|
|
|
|
if (account.type !== "oauth") {
|
|
return false;
|
|
}
|
|
|
|
if (!user.email) {
|
|
return false;
|
|
}
|
|
|
|
if (!user.name) {
|
|
return false;
|
|
}
|
|
|
|
if (account.provider) {
|
|
let idP: IdentityProvider = IdentityProvider.GOOGLE;
|
|
if (account.provider === "saml") {
|
|
idP = IdentityProvider.SAML;
|
|
}
|
|
user.email_verified = user.email_verified || profile.email_verified;
|
|
|
|
if (!user.email_verified) {
|
|
return "/auth/error?error=unverified-email";
|
|
}
|
|
|
|
const existingUser = await prisma.user.findFirst({
|
|
where: {
|
|
AND: [{ identityProvider: idP }, { identityProviderId: user.id as string }],
|
|
},
|
|
});
|
|
|
|
if (existingUser) {
|
|
// In this case there's an existing user and their email address
|
|
// hasn't changed since they last logged in.
|
|
if (existingUser.email === user.email) {
|
|
return true;
|
|
}
|
|
|
|
// If the email address doesn't match, check if an account already exists
|
|
// with the new email address. If it does, for now we return an error. If
|
|
// not, update the email of their account and log them in.
|
|
const userWithNewEmail = await prisma.user.findFirst({
|
|
where: { email: user.email },
|
|
});
|
|
|
|
if (!userWithNewEmail) {
|
|
await prisma.user.update({ where: { id: existingUser.id }, data: { email: user.email } });
|
|
return true;
|
|
} else {
|
|
return "/auth/error?error=new-email-conflict";
|
|
}
|
|
}
|
|
|
|
// If there's no existing user for this identity provider and id, create
|
|
// a new account. If an account already exists with the incoming email
|
|
// address return an error for now.
|
|
const existingUserWithEmail = await prisma.user.findFirst({
|
|
where: { email: user.email },
|
|
});
|
|
|
|
if (existingUserWithEmail) {
|
|
// if self-hosted then we can allow auto-merge of identity providers if email is verified
|
|
if (!hostedCal && existingUserWithEmail.emailVerified) {
|
|
return true;
|
|
}
|
|
|
|
// check if user was invited
|
|
if (
|
|
!existingUserWithEmail.password &&
|
|
!existingUserWithEmail.emailVerified &&
|
|
!existingUserWithEmail.username
|
|
) {
|
|
await prisma.user.update({
|
|
where: { email: user.email },
|
|
data: {
|
|
// Slugify the incoming name and append a few random characters to
|
|
// prevent conflicts for users with the same name.
|
|
username: usernameSlug(user.name),
|
|
emailVerified: new Date(Date.now()),
|
|
name: user.name,
|
|
identityProvider: idP,
|
|
identityProviderId: user.id as string,
|
|
},
|
|
});
|
|
|
|
return true;
|
|
}
|
|
|
|
if (existingUserWithEmail.identityProvider === IdentityProvider.CAL) {
|
|
return "/auth/error?error=use-password-login";
|
|
}
|
|
|
|
return "/auth/error?error=use-identity-login";
|
|
}
|
|
|
|
await prisma.user.create({
|
|
data: {
|
|
// Slugify the incoming name and append a few random characters to
|
|
// prevent conflicts for users with the same name.
|
|
username: usernameSlug(user.name),
|
|
emailVerified: new Date(Date.now()),
|
|
name: user.name,
|
|
email: user.email,
|
|
identityProvider: idP,
|
|
identityProviderId: user.id as string,
|
|
},
|
|
});
|
|
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
},
|
|
},
|
|
});
|