mirror of
https://github.com/docmost/docmost.git
synced 2026-06-11 02:36:56 +08:00
fix: auto redirect if there is only one SSO provider.
- fix tighten sso redirect - fix share tree margin
This commit is contained in:
Philipinho
@@ -1,4 +1,4 @@
|
||||
import { useState } from "react";
|
||||
import { useEffect, useRef, useState } from "react";
|
||||
import { useWorkspacePublicDataQuery } from "@/features/workspace/queries/workspace-query.ts";
|
||||
import { Button, Divider, Stack } from "@mantine/core";
|
||||
import { IconLock, IconServer } from "@tabler/icons-react";
|
||||
@@ -7,15 +7,37 @@ import { buildSsoLoginUrl } from "@/ee/security/sso.utils.ts";
|
||||
import { SSO_PROVIDER } from "@/ee/security/contants.ts";
|
||||
import { GoogleIcon } from "@/components/icons/google-icon.tsx";
|
||||
import { LdapLoginModal } from "@/ee/components/ldap-login-modal.tsx";
|
||||
import { getRedirectParam } from "@/lib/app-route.ts";
|
||||
import useCurrentUser from "@/features/user/hooks/use-current-user.ts";
|
||||
|
||||
const SSO_AUTO_ATTEMPT_KEY = "docmost:ssoAutoAttempt";
|
||||
const SSO_AUTO_ATTEMPT_TTL_MS = 5 * 60_000;
|
||||
|
||||
function recentAutoAttempt(): boolean {
|
||||
try {
|
||||
const raw = window.sessionStorage.getItem(SSO_AUTO_ATTEMPT_KEY);
|
||||
if (!raw) return false;
|
||||
const ts = Number(raw);
|
||||
return Number.isFinite(ts) && Date.now() - ts < SSO_AUTO_ATTEMPT_TTL_MS;
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
function markAutoAttempt(): void {
|
||||
try {
|
||||
window.sessionStorage.setItem(SSO_AUTO_ATTEMPT_KEY, String(Date.now()));
|
||||
} catch {
|
||||
/* sessionStorage unavailable (private mode, etc.) — best effort */
|
||||
}
|
||||
}
|
||||
|
||||
export default function SsoLogin() {
|
||||
const { data, isLoading } = useWorkspacePublicDataQuery();
|
||||
const { data: currentUser } = useCurrentUser();
|
||||
const [ldapModalOpened, setLdapModalOpened] = useState(false);
|
||||
const [selectedLdapProvider, setSelectedLdapProvider] = useState<IAuthProvider | null>(null);
|
||||
|
||||
if (!data?.authProviders || data?.authProviders?.length === 0) {
|
||||
return null;
|
||||
}
|
||||
const autoRedirectedRef = useRef(false);
|
||||
|
||||
const handleSsoLogin = (provider: IAuthProvider) => {
|
||||
if (provider.type === SSO_PROVIDER.LDAP) {
|
||||
@@ -28,10 +50,47 @@ export default function SsoLogin() {
|
||||
providerId: provider.id,
|
||||
type: provider.type,
|
||||
workspaceId: data.id,
|
||||
redirect: getRedirectParam() ?? undefined,
|
||||
});
|
||||
}
|
||||
};
|
||||
|
||||
// Auto-redirect when SSO is enforced and there is exactly one non-LDAP
|
||||
// provider. The user has no other option, so skip the extra click.
|
||||
useEffect(() => {
|
||||
if (autoRedirectedRef.current) return;
|
||||
if (!data?.enforceSso) return;
|
||||
if (!data.authProviders || data.authProviders.length !== 1) return;
|
||||
const onlyProvider = data.authProviders[0];
|
||||
if (onlyProvider.type === SSO_PROVIDER.LDAP) return;
|
||||
|
||||
// Already signed in: let useRedirectIfAuthenticated handle navigation
|
||||
// instead of racing it through the IdP.
|
||||
if (currentUser?.user) return;
|
||||
|
||||
// Explicit logout: don't immediately bounce them back to the IdP.
|
||||
const params = new URLSearchParams(window.location.search);
|
||||
if (params.has("logout")) return;
|
||||
|
||||
// Circuit-breaker: if we already auto-redirected within the TTL, the
|
||||
// user came back (likely from an IdP failure). Show the page so they
|
||||
// can read errors or pick a different account.
|
||||
if (recentAutoAttempt()) return;
|
||||
|
||||
autoRedirectedRef.current = true;
|
||||
markAutoAttempt();
|
||||
window.location.href = buildSsoLoginUrl({
|
||||
providerId: onlyProvider.id,
|
||||
type: onlyProvider.type,
|
||||
workspaceId: data.id,
|
||||
redirect: getRedirectParam() ?? undefined,
|
||||
});
|
||||
}, [data, currentUser]);
|
||||
|
||||
if (!data?.authProviders || data?.authProviders?.length === 0) {
|
||||
return null;
|
||||
}
|
||||
|
||||
const getProviderIcon = (provider: IAuthProvider) => {
|
||||
if (provider.type === SSO_PROVIDER.GOOGLE) {
|
||||
return <GoogleIcon size={16} />;
|
||||
|
||||
@@ -18,14 +18,21 @@ export function buildSsoLoginUrl(opts: {
|
||||
providerId: string;
|
||||
type: SSO_PROVIDER;
|
||||
workspaceId?: string;
|
||||
redirect?: string;
|
||||
}): string {
|
||||
const { providerId, type, workspaceId } = opts;
|
||||
const { providerId, type, workspaceId, redirect } = opts;
|
||||
const domain = getAppUrl();
|
||||
|
||||
const params = new URLSearchParams();
|
||||
if (redirect) params.set("redirect", redirect);
|
||||
|
||||
if (type === SSO_PROVIDER.GOOGLE) {
|
||||
return `${getServerAppUrl()}/api/sso/${type}/login?workspaceId=${workspaceId}`;
|
||||
if (workspaceId) params.set("workspaceId", workspaceId);
|
||||
return `${getServerAppUrl()}/api/sso/${type}/login?${params.toString()}`;
|
||||
}
|
||||
return `${domain}/api/sso/${type}/${providerId}/login`;
|
||||
const query = params.toString();
|
||||
const base = `${domain}/api/sso/${type}/${providerId}/login`;
|
||||
return query ? `${base}?${query}` : base;
|
||||
}
|
||||
|
||||
export function getGoogleSignupUrl(): string {
|
||||
|
||||
@@ -166,7 +166,7 @@ export default function useAuth() {
|
||||
const handleLogout = async () => {
|
||||
setCurrentUser(RESET);
|
||||
await logout();
|
||||
window.location.replace(APP_ROUTE.AUTH.LOGIN);
|
||||
window.location.replace(`${APP_ROUTE.AUTH.LOGIN}?logout=1`);
|
||||
};
|
||||
|
||||
const handleForgotPassword = async (data: IForgotPassword) => {
|
||||
|
||||
@@ -10,6 +10,7 @@
|
||||
.treeNode {
|
||||
text-decoration: none;
|
||||
user-select: none;
|
||||
padding-bottom: 0;
|
||||
}
|
||||
|
||||
.navbar,
|
||||
|
||||
@@ -31,20 +31,38 @@ const APP_ROUTE = {
|
||||
},
|
||||
};
|
||||
|
||||
export function safeRedirectPath(input: unknown): string | null {
|
||||
if (typeof input !== "string") return null;
|
||||
if (input.length === 0 || input.length > 2048) return null;
|
||||
// Reject whitespace, backslash, and any Unicode "Other" category char
|
||||
// (ASCII controls, zero-width space, BOM, bidi marks, etc).
|
||||
if (/[\s\\]|\p{C}/u.test(input)) return null;
|
||||
if (!input.startsWith("/") || input.startsWith("//")) return null;
|
||||
if (input.toLowerCase().includes("://")) return null;
|
||||
if (/^\/[a-z][a-z0-9+\-.]*:/i.test(input)) return null;
|
||||
try {
|
||||
const resolved = new URL(input, window.location.origin);
|
||||
if (resolved.origin !== window.location.origin) return null;
|
||||
return resolved.pathname + resolved.search + resolved.hash;
|
||||
} catch {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
export function getPostLoginRedirect(): string {
|
||||
const params = new URLSearchParams(window.location.search);
|
||||
const redirect = params.get("redirect");
|
||||
if (redirect) {
|
||||
try {
|
||||
const resolved = new URL(redirect, window.location.origin);
|
||||
if (resolved.origin === window.location.origin) {
|
||||
return resolved.pathname + resolved.search + resolved.hash;
|
||||
}
|
||||
} catch {
|
||||
// malformed URL, fall through to default
|
||||
}
|
||||
}
|
||||
return APP_ROUTE.HOME;
|
||||
return safeRedirectPath(params.get("redirect")) ?? APP_ROUTE.HOME;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the `?redirect=` value from the current URL only when it is a safe
|
||||
* same-origin path. Unlike {@link getPostLoginRedirect} this returns `null`
|
||||
* (not `/home`) when no redirect is present, so callers can distinguish
|
||||
* "user came here directly" from "user was bounced from a deep link".
|
||||
*/
|
||||
export function getRedirectParam(): string | null {
|
||||
const params = new URLSearchParams(window.location.search);
|
||||
return safeRedirectPath(params.get("redirect"));
|
||||
}
|
||||
|
||||
export default APP_ROUTE;
|
||||
|
||||
Reference in New Issue
Block a user