Add middleware to require SSO for login if the flag is require_sso_flag is set (#42410)

atrakh · Convex, Inc. · commit 17413b3500b6 · 2025-10-25T00:42:15.000Z
GitOrigin-RevId: 7140fc94419df99ba2db4de3dc70b0e72f6d3113
diff --git a/crates/authentication/src/lib.rs b/crates/authentication/src/lib.rs
@@ -15,7 +15,10 @@ use biscuit::{
     JWT,
 };
 use chrono::TimeZone;
-use common::auth::AuthInfo;
+use common::{
+    auth::AuthInfo,
+    types::TeamId,
+};
 use data_url::DataUrl;
 use errors::ErrorMetadata;
 use futures::Future;
@@ -492,6 +495,8 @@ pub struct WorkOSClaims {
 
     #[serde(flatten)]
     vercel: Option<VercelClaims>,
+
+    sso_team_id: Option<String>,
 }
 
 #[derive(Clone, Debug, Serialize, Deserialize, PartialEq)]
@@ -536,6 +541,7 @@ pub struct ConsoleAccessToken {
     sub: String,
     name: Option<String>,
     vercel: Option<VercelClaims>,
+    sso_team_id: Option<TeamId>,
 }
 
 impl ConsoleAccessToken {
@@ -546,6 +552,7 @@ impl ConsoleAccessToken {
             sub,
             name: None,
             vercel: None,
+            sso_team_id: None,
         }
     }
 
@@ -596,6 +603,7 @@ pub struct AuthenticatedLogin {
     email: Option<String>,
     sub: String,
     user_info: Option<UserInfo>,
+    sso_team_id: Option<TeamId>,
 }
 
 impl AuthenticatedLogin {
@@ -604,6 +612,7 @@ impl AuthenticatedLogin {
             email: token.email,
             sub: token.sub,
             user_info,
+            sso_team_id: token.sso_team_id,
         }
     }
 
@@ -622,6 +631,10 @@ impl AuthenticatedLogin {
     pub fn vercel_info(&self) -> Option<&VercelClaims> {
         self.user_info.as_ref().and_then(|ui| ui.vercel_info())
     }
+
+    pub fn sso_team_id(&self) -> Option<TeamId> {
+        self.sso_team_id
+    }
 }
 
 pub fn names_to_full_name(first_name: Option<String>, last_name: Option<String>) -> Option<String> {
@@ -766,6 +779,12 @@ where
         email: claims.private.email.clone(),
         sub,
         vercel: claims.private.vercel.clone(),
+        sso_team_id: claims
+            .private
+            .sso_team_id
+            .as_ref()
+            .map(|id| id.parse().map(TeamId))
+            .transpose()?,
         name: full_name,
     })
 }
@@ -1019,6 +1038,7 @@ mod tests {
                     first_name: Some("Test".to_string()),
                     last_name: Some("User".to_string()),
                     vercel: None,
+                    sso_team_id: None,
                 },
             ),
             &*TEST_SIGNING_KEY,
@@ -1071,6 +1091,7 @@ mod tests {
                     first_name: Some("Test".to_string()),
                     last_name: Some("User2".to_string()),
                     vercel: None,
+                    sso_team_id: None,
                 },
             ),
             &*TEST_SIGNING_KEY,
diff --git a/npm-packages/convex/management-openapi.json b/npm-packages/convex/management-openapi.json
@@ -21,7 +21,7 @@
                 "schema": {
                   "type": "array",
                   "items": {
-                    "$ref": "#/components/schemas/Team"
+                    "$ref": "#/components/schemas/TeamResponse"
                   }
                 }
               }
@@ -397,7 +397,15 @@
       "ReferralCode": {
         "type": "string"
       },
-      "Team": {
+      "TeamId": {
+        "type": "integer",
+        "format": "int64",
+        "minimum": 0
+      },
+      "TeamName": {
+        "type": "string"
+      },
+      "TeamResponse": {
         "type": "object",
         "required": [
           "id",
@@ -445,19 +453,17 @@
           "slug": {
             "$ref": "#/components/schemas/TeamSlug"
           },
+          "ssoLoginId": {
+            "type": [
+              "string",
+              "null"
+            ]
+          },
           "suspended": {
             "type": "boolean"
           }
         }
       },
-      "TeamId": {
-        "type": "integer",
-        "format": "int64",
-        "minimum": 0
-      },
-      "TeamName": {
-        "type": "string"
-      },
       "TeamSlug": {
         "type": "string"
       }
diff --git a/npm-packages/dashboard/dashboard-management-openapi.json b/npm-packages/dashboard/dashboard-management-openapi.json
@@ -244,7 +244,7 @@
                 "schema": {
                   "type": "array",
                   "items": {
-                    "$ref": "#/components/schemas/Team"
+                    "$ref": "#/components/schemas/TeamResponse"
                   }
                 }
               }
@@ -5531,6 +5531,65 @@
       "TeamName": {
         "type": "string"
       },
+      "TeamResponse": {
+        "type": "object",
+        "required": [
+          "id",
+          "name",
+          "slug",
+          "suspended",
+          "referralCode"
+        ],
+        "properties": {
+          "creator": {
+            "oneOf": [
+              {
+                "type": "null"
+              },
+              {
+                "$ref": "#/components/schemas/MemberId"
+              }
+            ]
+          },
+          "id": {
+            "$ref": "#/components/schemas/TeamId"
+          },
+          "managedBy": {
+            "type": [
+              "string",
+              "null"
+            ]
+          },
+          "name": {
+            "$ref": "#/components/schemas/TeamName"
+          },
+          "referralCode": {
+            "$ref": "#/components/schemas/ReferralCode"
+          },
+          "referredBy": {
+            "oneOf": [
+              {
+                "type": "null"
+              },
+              {
+                "$ref": "#/components/schemas/TeamId"
+              }
+            ]
+          },
+          "slug": {
+            "$ref": "#/components/schemas/TeamSlug"
+          },
+          "ssoLoginId": {
+            "type": [
+              "string",
+              "null"
+            ]
+          },
+          "suspended": {
+            "type": "boolean"
+          }
+        }
+      },
       "TeamSlug": {
         "type": "string"
       },
diff --git a/npm-packages/dashboard/src/generatedApi.ts b/npm-packages/dashboard/src/generatedApi.ts
@@ -2370,6 +2370,17 @@ export interface components {
             role: components["schemas"]["Role"];
         };
         TeamName: string;
+        TeamResponse: {
+            creator?: null | components["schemas"]["MemberId"];
+            id: components["schemas"]["TeamId"];
+            managedBy?: string | null;
+            name: components["schemas"]["TeamName"];
+            referralCode: components["schemas"]["ReferralCode"];
+            referredBy?: null | components["schemas"]["TeamId"];
+            slug: components["schemas"]["TeamSlug"];
+            ssoLoginId?: string | null;
+            suspended: boolean;
+        };
         TeamSlug: string;
         TeamUsageStateResponse: {
             teamId: components["schemas"]["TeamId"];
@@ -2594,6 +2605,7 @@ export type TeamEntitlementsResponse = components['schemas']['TeamEntitlementsRe
 export type TeamId = components['schemas']['TeamId'];
 export type TeamMemberResponse = components['schemas']['TeamMemberResponse'];
 export type TeamName = components['schemas']['TeamName'];
+export type TeamResponse = components['schemas']['TeamResponse'];
 export type TeamSlug = components['schemas']['TeamSlug'];
 export type TeamUsageStateResponse = components['schemas']['TeamUsageStateResponse'];
 export type TransferProjectArgs = components['schemas']['TransferProjectArgs'];
@@ -2873,7 +2885,7 @@ export interface operations {
                     [name: string]: unknown;
                 };
                 content: {
-                    "application/json": components["schemas"]["Team"][];
+                    "application/json": components["schemas"]["TeamResponse"][];
                 };
             };
         };
