fix(sso): keep Vercel install across SSO handoff; harden SSO callback

0ski · 0ski · commit f43222736510 · 2026-06-18T15:18:43.000+01:00
- vercel.onboarding: already-authenticated users whose domain requires SSO were redirected to /login/sso, which bounces authed users home and dropped the single-use Vercel code. Destroy the session first via authenticator.logout so /login/sso accepts them and the resume URL survives the round-trip (addresses PR #3911 review). - auth.sso.callback: sanitize redirectTo at the exit point (IdP-initiated values come from relay-state and never passed the host sanitizer) and attribute the referral source, matching the other auth callbacks. - ssoAuth: extract private early-return helpers (resolveSsoUserId, attachSsoIdentityBestEffort, provisionJitMembershipBestEffort, runPostAuthentication) and fail closed if the user can't be confirmed post-resolution instead of minting a session.
diff --git a/apps/webapp/app/routes/auth.sso.callback.tsx b/apps/webapp/app/routes/auth.sso.callback.tsx
@@ -9,6 +9,8 @@ import { logger } from "~/services/logger.server";
 import { ssoController } from "~/services/sso.server";
 import { commitAuthenticatedSession } from "~/services/sessionDuration.server";
 import { commitSession, getUserSession } from "~/services/sessionStorage.server";
+import { trackAndClearReferralSource } from "~/services/referralSource.server";
+import { sanitizeRedirectPath } from "~/utils";
 
 // Resolve the SSO completion for either the SP-initiated (state present)
 // or IdP-initiated (no state) flow. Throws a redirect to the error page
@@ -44,7 +46,15 @@ export async function loader({ request }: LoaderFunctionArgs) {
   }
   const state = url.searchParams.get("state");
 
-  const { profile, redirectTo, flow } = await resolveSsoCompletion(code, state);
+  const { profile, redirectTo: rawRedirectTo, flow } = await resolveSsoCompletion(code, state);
+  // Sanitize at the exit point regardless of flow. SP-initiated values were
+  // sanitized on the way in (auth.sso.ts) and signed into the state token, but
+  // IdP-initiated `redirectTo` originates from the IdP's relay-state and never
+  // passed through the host — without this an IdP admin could craft an open
+  // redirect. Mirrors every other auth callback. A rejected value falls back
+  // to "/". The Vercel resume URL (`/vercel/onboarding?...`) is navigable and
+  // survives.
+  const redirectTo = sanitizeRedirectPath(rawRedirectTo);
 
   // `throwOnError` makes the SSO strategy's verify-callback failures
   // (resolveSsoIdentity errors, DB failures in findOrCreateSsoUser,
@@ -106,5 +116,9 @@ export async function loader({ request }: LoaderFunctionArgs) {
   headers.append("Set-Cookie", await commitAuthenticatedSession(session, auth.userId));
   headers.append("Set-Cookie", await setLastAuthMethodHeader("sso"));
 
+  // Attribute the referral source on the final session creation, like the
+  // other non-MFA auth callbacks. The MFA path defers this to `completeLogin`.
+  await trackAndClearReferralSource(request, auth.userId, headers);
+
   return redirect(redirectTo, { headers });
 }
diff --git a/apps/webapp/app/routes/vercel.onboarding.tsx b/apps/webapp/app/routes/vercel.onboarding.tsx
@@ -17,6 +17,7 @@ import { Label } from "~/components/primitives/Label";
 import { Select, SelectItem } from "~/components/primitives/Select";
 import { ButtonSpinner } from "~/components/primitives/Spinner";
 import { prisma } from "~/db.server";
+import { authenticator } from "~/services/auth.server";
 import { logger } from "~/services/logger.server";
 import { requireUserId } from "~/services/session.server";
 import { ssoRedirectForEmail } from "~/services/ssoAutoDiscovery.server";
@@ -221,7 +222,17 @@ export async function action({ request }: ActionFunctionArgs) {
       resumeUrl
     );
     if (ssoRedirect) {
-      return redirect(ssoRedirect);
+      // The user is already authenticated via a non-SSO method, so a plain
+      // redirect to `/login/sso` would be bounced straight home by that
+      // route's already-authenticated guard — silently dropping the install.
+      // Destroy the current session first (mirroring the OAuth callbacks,
+      // which never commit a session when SSO is required) so `/login/sso`
+      // accepts them. `authenticator.logout` redirects to `ssoRedirect`
+      // verbatim — unlike the `/logout` route it doesn't run the redirect
+      // sanitizer, which would otherwise reject the non-navigable
+      // `/login/sso` target. The resume URL rides along as `redirectTo` and
+      // survives the SSO round-trip.
+      return authenticator.logout(request, { redirectTo: ssoRedirect });
     }
   }
 
diff --git a/apps/webapp/app/services/ssoAuth.server.ts b/apps/webapp/app/services/ssoAuth.server.ts
@@ -54,93 +54,114 @@ class SsoStrategy extends Strategy<AuthUser, SsoVerifyParams> {
   }
 }
 
-export function addSsoStrategy(authenticator: Authenticator<AuthUser>) {
-  authenticator.use(
-    new SsoStrategy(async ({ profile, flow }) => {
-      const decision = await ssoController.resolveSsoIdentity({ profile });
-      if (decision.isErr()) {
-        // Surfaces "feature_disabled" in OSS deployments. The callback
-        // route's error path translates this into a generic
-        // sign-in-failed user-facing message.
-        throw new Error(`SSO resolve failed: ${decision.error}`);
-      }
+// Resolve the host User for a verified SSO profile, creating one on the
+// `create_new_user` decision. Throws on an errored decision — this surfaces
+// "feature_disabled" in OSS deployments, which the callback route's error
+// path translates into a generic sign-in-failed user-facing message.
+async function resolveSsoUserId(
+  profile: SsoProfile
+): Promise<{ userId: string; isNewUser: boolean }> {
+  const decision = await ssoController.resolveSsoIdentity({ profile });
+  if (decision.isErr()) {
+    throw new Error(`SSO resolve failed: ${decision.error}`);
+  }
+
+  if (decision.value.kind === "create_new_user") {
+    const created = await findOrCreateSsoUser({
+      authenticationMethod: "SSO",
+      email: profile.email,
+      firstName: profile.firstName,
+      lastName: profile.lastName,
+    });
+    return { userId: created.user.id, isNewUser: created.isNewUser };
+  }
 
-      const value = decision.value;
+  return { userId: decision.value.userId, isNewUser: false };
+}
 
-      let userId: string;
-      let isNewUser = false;
+// Best-effort: attaching the IdP identity row is an optimisation for the
+// next login (it lets resolveSsoIdentity take the existing_user_by_idp fast
+// path instead of falling back to linked_by_email). The user is already
+// authenticated by this point, so we log and continue rather than failing
+// the sign-in; a later successful login will write the row.
+async function attachSsoIdentityBestEffort(
+  userId: string,
+  profile: SsoProfile,
+  flow: SsoFlow
+): Promise<void> {
+  const attach = await ssoController.attachSsoIdentity({ userId, profile });
+  if (attach.isErr()) {
+    logger.warn("SSO attachSsoIdentity failed", { reason: attach.error, userId, flow });
+  }
+}
 
-      if (value.kind === "create_new_user") {
-        const created = await findOrCreateSsoUser({
-          authenticationMethod: "SSO",
-          email: profile.email,
-          firstName: profile.firstName,
-          lastName: profile.lastName,
-        });
-        userId = created.user.id;
-        isNewUser = created.isNewUser;
-      } else {
-        userId = value.userId;
-      }
+// Best-effort JIT org provisioning. Like attachSsoIdentity above, a failure
+// must not block an otherwise-valid sign-in: the user simply isn't
+// provisioned this time and a later login retries. "feature_disabled" is the
+// expected OSS-fallback result, so it's swallowed silently.
+async function provisionJitMembershipBestEffort(
+  userId: string,
+  profile: SsoProfile,
+  flow: SsoFlow
+): Promise<void> {
+  const jit = await ssoController.evaluateJit({ userId, idpOrgId: profile.idpOrgId });
+  if (jit.isErr()) {
+    if (jit.error !== "feature_disabled") {
+      logger.warn("SSO evaluateJit failed", { reason: jit.error, userId, flow });
+    }
+    return;
+  }
 
-      // Best-effort: attaching the IdP identity row is an optimisation
-      // for the next login (it lets resolveSsoIdentity take the
-      // existing_user_by_idp fast path instead of falling back to
-      // linked_by_email). The user is already authenticated by this
-      // point, so we log and continue rather than failing the sign-in;
-      // a later successful login will write the row.
-      const attach = await ssoController.attachSsoIdentity({ userId, profile });
-      if (attach.isErr()) {
-        logger.warn("SSO attachSsoIdentity failed", {
-          reason: attach.error,
-          userId,
-          flow,
-        });
-      }
+  if (!jit.value.shouldProvision) return;
 
-      const jit = await ssoController.evaluateJit({
-        userId,
-        idpOrgId: profile.idpOrgId,
-      });
-      if (jit.isOk() && jit.value.shouldProvision) {
-        const [provisionError, result] = await tryCatch(
-          ensureOrgMember({
-            userId,
-            organizationId: jit.value.organizationId,
-            roleId: jit.value.roleId,
-            source: "sso_jit",
-          })
-        );
-        if (provisionError) {
-          // Best-effort, like attachSsoIdentity above: a provisioning failure
-          // (e.g. the RBAC role couldn't be applied, so ensureOrgMember rolled
-          // back the membership) must not block an otherwise-valid sign-in.
-          // The user simply isn't provisioned this time; a later login retries.
-          logger.warn("SSO JIT provisioning failed", {
-            reason:
-              provisionError instanceof Error ? provisionError.message : String(provisionError),
-            userId,
-            organizationId: jit.value.organizationId,
-            flow,
-          });
-        } else if (!result.created) {
-          logger.info("SSO JIT skipped — membership already exists", {
-            userId,
-            organizationId: jit.value.organizationId,
-          });
-        }
-      } else if (jit.isErr() && jit.error !== "feature_disabled") {
-        logger.warn("SSO evaluateJit failed", { reason: jit.error, userId, flow });
-      }
+  const [provisionError, result] = await tryCatch(
+    ensureOrgMember({
+      userId,
+      organizationId: jit.value.organizationId,
+      roleId: jit.value.roleId,
+      source: "sso_jit",
+    })
+  );
+  if (provisionError) {
+    // e.g. the RBAC role couldn't be applied, so ensureOrgMember rolled back
+    // the membership.
+    logger.warn("SSO JIT provisioning failed", {
+      reason: provisionError instanceof Error ? provisionError.message : String(provisionError),
+      userId,
+      organizationId: jit.value.organizationId,
+      flow,
+    });
+    return;
+  }
+
+  if (!result.created) {
+    logger.info("SSO JIT skipped — membership already exists", {
+      userId,
+      organizationId: jit.value.organizationId,
+    });
+  }
+}
+
+async function runPostAuthentication(userId: string, isNewUser: boolean): Promise<void> {
+  const user = await prisma.user.findFirst({ where: { id: userId } });
+  if (!user) {
+    // The user was just resolved or created above, so a null here means it
+    // was hard-deleted mid-flow (or a DB inconsistency). Fail closed — throw
+    // rather than skipping postAuthentication and still returning a valid
+    // AuthUser, which would mint a session for a user we can't confirm.
+    throw new Error(`SSO user not found after resolution: ${userId}`);
+  }
+  await postAuthentication({ user, isNewUser, loginMethod: "SSO" });
+}
+
+export function addSsoStrategy(authenticator: Authenticator<AuthUser>) {
+  authenticator.use(
+    new SsoStrategy(async ({ profile, flow }) => {
+      const { userId, isNewUser } = await resolveSsoUserId(profile);
 
-      const user = await prisma.user.findFirst({ where: { id: userId } });
-      if (user) {
-        await postAuthentication({
-          user,
-          isNewUser,
-          loginMethod: "SSO",
-        });
-      }
+      await attachSsoIdentityBestEffort(userId, profile, flow);
+      await provisionJitMembershipBestEffort(userId, profile, flow);
+      await runPostAuthentication(userId, isNewUser);
 
       // Carry the SSO marker on the returned AuthUser so the session is
       // self-describing — `revalidateSsoSession()` keys off `AuthUser.sso`,
