mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

fix(auth): throw on partial SSO provider config (Keycloak, Authentik, WorkOS)
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/push/ci Pipeline was successful
Details

Browse Source
This commit is contained in:
Jason Woltje
2026-03-21 07:44:51 -05:00
parent cecc90afa7
commit 8b261710dd
1 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
packages/auth/src/sso.ts
View File

@@ -62,6 +62,13 @@ function buildAuthentikConfig(env: EnvMap): GenericOidcProviderConfig | null {
const clientId = readEnv(env, 'AUTHENTIK_CLIENT_ID'); const clientId = readEnv(env, 'AUTHENTIK_CLIENT_ID');
const clientSecret = readEnv(env, 'AUTHENTIK_CLIENT_SECRET'); const clientSecret = readEnv(env, 'AUTHENTIK_CLIENT_SECRET');
const fields = [issuer, clientId, clientSecret];
const presentCount = fields.filter(Boolean).length;
if (presentCount > 0 && presentCount < fields.length) {
throw new Error(
'@mosaic/auth: Authentik SSO requires AUTHENTIK_ISSUER, AUTHENTIK_CLIENT_ID, AUTHENTIK_CLIENT_SECRET.',
);
}
if (!issuer || !clientId || !clientSecret) { if (!issuer || !clientId || !clientSecret) {
return null; return null;
} }
@@ -86,6 +93,13 @@ function buildWorkosConfig(env: EnvMap): GenericOidcProviderConfig | null {
const clientId = readEnv(env, 'WORKOS_CLIENT_ID'); const clientId = readEnv(env, 'WORKOS_CLIENT_ID');
const clientSecret = readEnv(env, 'WORKOS_CLIENT_SECRET'); const clientSecret = readEnv(env, 'WORKOS_CLIENT_SECRET');
const fields = [issuer, clientId, clientSecret];
const presentCount = fields.filter(Boolean).length;
if (presentCount > 0 && presentCount < fields.length) {
throw new Error(
'@mosaic/auth: WorkOS SSO requires WORKOS_ISSUER, WORKOS_CLIENT_ID, WORKOS_CLIENT_SECRET.',
);
}
if (!issuer || !clientId || !clientSecret) { if (!issuer || !clientId || !clientSecret) {
return null; return null;
} }
@@ -105,10 +119,25 @@ function buildWorkosConfig(env: EnvMap): GenericOidcProviderConfig | null {
} }
function buildKeycloakConfig(env: EnvMap): GenericOidcProviderConfig | null { function buildKeycloakConfig(env: EnvMap): GenericOidcProviderConfig | null {
const issuer = readEnv(env, 'KEYCLOAK_ISSUER'); const explicitIssuer = readEnv(env, 'KEYCLOAK_ISSUER');
const keycloakUrl = readEnv(env, 'KEYCLOAK_URL');
const keycloakRealm = readEnv(env, 'KEYCLOAK_REALM');
const clientId = readEnv(env, 'KEYCLOAK_CLIENT_ID'); const clientId = readEnv(env, 'KEYCLOAK_CLIENT_ID');
const clientSecret = readEnv(env, 'KEYCLOAK_CLIENT_SECRET'); const clientSecret = readEnv(env, 'KEYCLOAK_CLIENT_SECRET');
// Derive issuer from KEYCLOAK_URL + KEYCLOAK_REALM if KEYCLOAK_ISSUER not set
const issuer =
explicitIssuer ??
(keycloakUrl && keycloakRealm
? `${keycloakUrl.replace(/\/$/, '')}/realms/${keycloakRealm}`
: undefined);
const anySet = !!(issuer || clientId || clientSecret);
if (anySet && (!issuer || !clientId || !clientSecret)) {
throw new Error(
'@mosaic/auth: Keycloak SSO requires KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET, KEYCLOAK_ISSUER.',
);
}
if (!issuer || !clientId || !clientSecret) { if (!issuer || !clientId || !clientSecret) {
return null; return null;
} }