feat: allow SP initiated SAML (#12447)

Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
2025-09-23 18:29:16 +05:30
parent 5c5abc24e3
commit 2e108653ae
11 changed files with 337 additions and 4 deletions
--- a/spec/enterprise/controllers/api/v1/auth_controller_spec.rb
+++ b/spec/enterprise/controllers/api/v1/auth_controller_spec.rb
@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Api::V1::Auth', type: :request do
+  let(:account) { create(:account) }
+  let(:user) { create(:user, email: 'user@example.com') }
+
+  before do
+    account.enable_features('saml')
+    account.save!
+  end
+
+  def json_response
+    JSON.parse(response.body, symbolize_names: true)
+  end
+
+  describe 'POST /api/v1/auth/saml_login' do
+    context 'when email is blank' do
+      it 'returns bad request' do
+        post '/api/v1/auth/saml_login', params: { email: '' }
+
+        expect(response).to have_http_status(:bad_request)
+      end
+    end
+
+    context 'when email is nil' do
+      it 'returns bad request' do
+        post '/api/v1/auth/saml_login', params: {}
+
+        expect(response).to have_http_status(:bad_request)
+      end
+    end
+
+    context 'when user does not exist' do
+      it 'returns unauthorized with generic message' do
+        post '/api/v1/auth/saml_login', params: { email: 'nonexistent@example.com' }
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+
+    context 'when user exists but has no SAML enabled accounts' do
+      before do
+        create(:account_user, user: user, account: account)
+      end
+
+      it 'returns unauthorized' do
+        post '/api/v1/auth/saml_login', params: { email: user.email }
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+
+    context 'when user has account without SAML feature enabled' do
+      let(:saml_settings) { create(:account_saml_settings, account: account) }
+
+      before do
+        saml_settings
+        create(:account_user, user: user, account: account)
+        account.disable_features('saml')
+        account.save!
+      end
+
+      it 'returns unauthorized' do
+        post '/api/v1/auth/saml_login', params: { email: user.email }
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+
+    context 'when user has valid SAML configuration' do
+      let(:saml_settings) do
+        create(:account_saml_settings, account: account)
+      end
+
+      before do
+        saml_settings
+        create(:account_user, user: user, account: account)
+      end
+
+      it 'redirects to SAML initiation URL' do
+        post '/api/v1/auth/saml_login', params: { email: user.email }
+
+        expect(response).to have_http_status(:temporary_redirect)
+        expect(response.location).to include("/auth/saml?account_id=#{account.id}")
+      end
+
+      it 'handles email case insensitivity' do
+        post '/api/v1/auth/saml_login', params: { email: user.email.upcase }
+
+        expect(response).to have_http_status(:temporary_redirect)
+        expect(response.location).to include("/auth/saml?account_id=#{account.id}")
+      end
+
+      it 'strips whitespace from email' do
+        post '/api/v1/auth/saml_login', params: { email: "  #{user.email}  " }
+
+        expect(response).to have_http_status(:temporary_redirect)
+        expect(response.location).to include("/auth/saml?account_id=#{account.id}")
+      end
+    end
+
+    context 'when user has multiple accounts with SAML' do
+      let(:account2) { create(:account) }
+      let(:saml_settings1) do
+        create(:account_saml_settings, account: account)
+      end
+      let(:saml_settings2) do
+        create(:account_saml_settings, account: account2)
+      end
+
+      before do
+        account2.enable_features('saml')
+        account2.save!
+        saml_settings1
+        saml_settings2
+        create(:account_user, user: user, account: account)
+        create(:account_user, user: user, account: account2)
+      end
+
+      it 'redirects to the first SAML enabled account' do
+        post '/api/v1/auth/saml_login', params: { email: user.email }
+
+        expect(response).to have_http_status(:temporary_redirect)
+        returned_account_id = response.location.match(/account_id=(\d+)/)[1].to_i
+        expect([account.id, account2.id]).to include(returned_account_id)
+      end
+    end
+  end
+end