feat(web): add Idira SSO support#1459
Conversation
This comment has been minimized.
This comment has been minimized.
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
WalkthroughAdds Idira as an OIDC SSO provider across configuration schemas, TypeScript types, web authentication registration, login analytics, provider branding, setup documentation, and the unreleased changelog. ChangesIdira identity provider support
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant IdentityProviderConfig
participant getEEIdentityProviders
participant createIdiraProvider
participant IdiraOIDC
IdentityProviderConfig->>getEEIdentityProviders: provide Idira credentials and issuer
getEEIdentityProviders->>createIdiraProvider: create OIDC provider
createIdiraProvider->>IdiraOIDC: use PKCE, state, and OIDC scopes
Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/web/src/ee/features/sso/sso.ts`:
- Line 175: Update the AUTH_EE_GCP_IAP_ENABLED condition in the SSO flow to
compare explicitly against 'true', matching the booleanSchema string
representation. Leave the existing AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING
comparison unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: c33af8f8-60a4-44f9-801f-b591c8f53b38
⛔ Files ignored due to path filters (1)
packages/web/public/idira.svgis excluded by!**/*.svg
📒 Files selected for processing (13)
CHANGELOG.mddocs/docs/configuration/idp.mdxdocs/snippets/schemas/v3/identityProvider.schema.mdxdocs/snippets/schemas/v3/index.schema.mdxpackages/schemas/src/v3/identityProvider.schema.tspackages/schemas/src/v3/identityProvider.type.tspackages/schemas/src/v3/index.schema.tspackages/schemas/src/v3/index.type.tspackages/web/src/app/login/components/loginForm.tsxpackages/web/src/ee/features/sso/sso.tspackages/web/src/lib/posthogEvents.tspackages/web/src/lib/utils.tsschemas/v3/identityProvider.json
| clientId, | ||
| clientSecret, | ||
| issuer, | ||
| allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true', |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Check the implementation of booleanSchema to understand its runtime type
ast-grep run --pattern 'const booleanSchema = $$$' packages/shared/src/env.server.tsRepository: sourcebot-dev/sourcebot
Length of output: 247
🏁 Script executed:
#!/bin/bash
set -euo pipefail
sed -n '150,220p' packages/web/src/ee/features/sso/sso.ts | cat -nRepository: sourcebot-dev/sourcebot
Length of output: 3526
🏁 Script executed:
#!/bin/bash
set -euo pipefail
sed -n '1,80p' packages/shared/src/env.server.ts | cat -nRepository: sourcebot-dev/sourcebot
Length of output: 3511
🏁 Script executed:
#!/bin/bash
set -euo pipefail
sed -n '160,215p' packages/web/src/ee/features/sso/sso.ts | cat -nRepository: sourcebot-dev/sourcebot
Length of output: 2718
Compare AUTH_EE_GCP_IAP_ENABLED to 'true' explicitly.
booleanSchema stores booleans as 'true' | 'false', so env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true' is fine. The remaining bug is if (env.AUTH_EE_GCP_IAP_ENABLED) in packages/web/src/ee/features/sso/sso.ts:202, which treats 'false' as enabled.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@packages/web/src/ee/features/sso/sso.ts` at line 175, Update the
AUTH_EE_GCP_IAP_ENABLED condition in the SSO flow to compare explicitly against
'true', matching the booleanSchema string representation. Leave the existing
AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING comparison unchanged.
Fixes SOU-1520
Summary
Validation
Notes
Note
High Risk
New authentication provider and OIDC callback path; misconfiguration or IdP-specific behavior could block sign-in, and the flow was not end-to-end tested without an Idira tenant.
Overview
Adds Idira as an enterprise OpenID Connect SSO identity provider (
provider: "idira"), alongside existing issuer-based OIDC providers.Configuration is wired through v3
identityProviderswithclientId,clientSecret, andissuer(env or Google Cloud Secret), plus generated schema/docs and a new setup section in the IdP docs. The EE SSO layer registers an Auth.js OIDC provider at/api/auth/callback/idirawith PKCE/state,openid profile emailscopes, and the same optional email account-linking flag as other providers.The login UI gets Idira branding (
idira.svg), awa_login_with_idiraPostHog event, and a minor newline fix at the end ofutils.ts. Changelog notes the feature as EE.Reviewed by Cursor Bugbot for commit 891f696. Bugbot is set up for automated code reviews on this repo. Configure here.
Summary by CodeRabbit
New Features
Documentation