refactor: use state-based authentication (#11690)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>

spec/controllers/api/v1/accounts/google/authorization_controller_spec.rb

@@ -32,19 +32,20 @@ RSpec.describe 'Google Authorization API', type: :request do
              as: :json
 
         expect(response).to have_http_status(:success)
-        google_service = Class.new { extend GoogleConcern }
-        response_url = google_service.google_client.auth_code.authorize_url(
-          {
-            redirect_uri: "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/google/callback",
-            scope: 'email profile https://mail.google.com/',
-            response_type: 'code',
-            prompt: 'consent',
-            access_type: 'offline',
-            client_id: GlobalConfigService.load('GOOGLE_OAUTH_CLIENT_ID', nil)
-          }
-        )
-        expect(response.parsed_body['url']).to eq response_url
-        expect(Redis::Alfred.get("google::#{administrator.email}")).to eq(account.id.to_s)
+
+        # Validate URL components
+        url = response.parsed_body['url']
+        uri = URI.parse(url)
+        params = CGI.parse(uri.query)
+
+        expect(url).to start_with('https://accounts.google.com/o/oauth2/auth')
+        expect(params['scope']).to eq(['email profile https://mail.google.com/'])
+        expect(params['redirect_uri']).to eq(["#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/google/callback"])
+
+        # Validate state parameter exists and can be decoded back to the account
+        expect(params['state']).to be_present
+        decoded_account = GlobalID::Locator.locate_signed(params['state'].first, for: 'default')
+        expect(decoded_account).to eq(account)
       end
     end
   end

spec/controllers/api/v1/accounts/microsoft/authorization_controller_spec.rb

@@ -19,7 +19,6 @@ RSpec.describe 'Microsoft Authorization API', type: :request do
       it 'returns unathorized for agent' do
         post "/api/v1/accounts/#{account.id}/microsoft/authorization",
              headers: agent.create_new_auth_token,
-             params: { email: administrator.email },
              as: :json
 
         expect(response).to have_http_status(:unauthorized)
@@ -28,20 +27,27 @@ RSpec.describe 'Microsoft Authorization API', type: :request do
       it 'creates a new authorization and returns the redirect url' do
         post "/api/v1/accounts/#{account.id}/microsoft/authorization",
              headers: administrator.create_new_auth_token,
-             params: { email: administrator.email },
              as: :json
 
         expect(response).to have_http_status(:success)
-        microsoft_service = Class.new { extend MicrosoftConcern }
-        response_url = microsoft_service.microsoft_client.auth_code.authorize_url(
-          {
-            redirect_uri: "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/microsoft/callback",
-            scope: 'offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send openid profile',
-            prompt: 'consent'
-          }
-        )
-        expect(response.parsed_body['url']).to eq response_url
-        expect(Redis::Alfred.get("microsoft::#{administrator.email}")).to eq(account.id.to_s)
+
+        # Validate URL components
+        url = response.parsed_body['url']
+        uri = URI.parse(url)
+        params = CGI.parse(uri.query)
+
+        expect(url).to start_with('https://login.microsoftonline.com/common/oauth2/v2.0/authorize')
+        expected_scope = [
+          'offline_access https://outlook.office.com/IMAP.AccessAsUser.All ' \
+          'https://outlook.office.com/SMTP.Send openid profile email'
+        ]
+        expect(params['scope']).to eq(expected_scope)
+        expect(params['redirect_uri']).to eq(["#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/microsoft/callback"])
+
+        # Validate state parameter exists and can be decoded back to the account
+        expect(params['state']).to be_present
+        decoded_account = GlobalID::Locator.locate_signed(params['state'].first, for: 'default')
+        expect(decoded_account).to eq(account)
       end
     end
   end

spec/controllers/google/callbacks_controller_spec.rb

@@ -4,11 +4,7 @@ RSpec.describe 'Google::CallbacksController', type: :request do
   let(:account) { create(:account) }
   let(:code) { SecureRandom.hex(10) }
   let(:email) { Faker::Internet.email }
-  let(:cache_key) { "google::#{email.downcase}" }
-
-  before do
-    Redis::Alfred.set(cache_key, account.id)
-  end
+  let(:state) { account.to_sgid(expires_in: 15.minutes).to_s }
 
   describe 'GET /google/callback' do
     let(:response_body_success) do
@@ -27,7 +23,7 @@ RSpec.describe 'Google::CallbacksController', type: :request do
                       'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/google/callback" })
         .to_return(status: 200, body: response_body_success.to_json, headers: { 'Content-Type' => 'application/json' })
 
-      get google_callback_url, params: { code: code }
+      get google_callback_url, params: { code: code, state: state }
 
       expect(response).to redirect_to app_email_inbox_agents_url(account_id: account.id, inbox_id: account.inboxes.last.id)
       expect(account.inboxes.count).to be 1
@@ -36,7 +32,6 @@ RSpec.describe 'Google::CallbacksController', type: :request do
       expect(inbox.channel.reload.provider_config.keys).to include('access_token', 'refresh_token', 'expires_on')
       expect(inbox.channel.reload.provider_config['access_token']).to eq response_body_success[:access_token]
       expect(inbox.channel.imap_address).to eq 'imap.gmail.com'
-      expect(Redis::Alfred.get(cache_key)).to be_nil
     end
 
     it 'updates inbox channel config if inbox exists with imap_login and authentication is successful' do
@@ -49,14 +44,13 @@ RSpec.describe 'Google::CallbacksController', type: :request do
                       'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/google/callback" })
         .to_return(status: 200, body: response_body_success.to_json, headers: { 'Content-Type' => 'application/json' })
 
-      get google_callback_url, params: { code: code }
+      get google_callback_url, params: { code: code, state: state }
 
       expect(response).to redirect_to app_email_inbox_settings_url(account_id: account.id, inbox_id: inbox.id)
       expect(account.inboxes.count).to be 1
       expect(inbox.channel.reload.provider_config.keys).to include('access_token', 'refresh_token', 'expires_on')
       expect(inbox.channel.reload.provider_config['access_token']).to eq response_body_success[:access_token]
       expect(inbox.channel.imap_address).to eq 'imap.gmail.com'
-      expect(Redis::Alfred.get(cache_key)).to be_nil
     end
 
     it 'creates inboxes with fallback_name when account name is not present in id_token' do
@@ -65,7 +59,7 @@ RSpec.describe 'Google::CallbacksController', type: :request do
                       'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/google/callback" })
         .to_return(status: 200, body: response_body_success_without_name.to_json, headers: { 'Content-Type' => 'application/json' })
 
-      get google_callback_url, params: { code: code }
+      get google_callback_url, params: { code: code, state: state }
 
       expect(response).to redirect_to app_email_inbox_agents_url(account_id: account.id, inbox_id: account.inboxes.last.id)
       expect(account.inboxes.count).to be 1
@@ -79,10 +73,9 @@ RSpec.describe 'Google::CallbacksController', type: :request do
                       'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/google/callback" })
         .to_return(status: 401)
 
-      get google_callback_url, params: { code: code }
+      get google_callback_url, params: { code: code, state: state }
 
       expect(response).to redirect_to '/'
-      expect(Redis::Alfred.get(cache_key).to_i).to eq account.id
     end
   end
 end

spec/controllers/microsoft/callbacks_controller_spec.rb

@@ -4,11 +4,7 @@ RSpec.describe 'Microsoft::CallbacksController', type: :request do
   let(:account) { create(:account) }
   let(:code) { SecureRandom.hex(10) }
   let(:email) { Faker::Internet.email }
-  let(:cache_key) { "microsoft::#{email.downcase}" }
-
-  before do
-    Redis::Alfred.set(cache_key, account.id)
-  end
+  let(:state) { account.to_sgid(expires_in: 15.minutes).to_s }
 
   describe 'GET /microsoft/callback' do
     let(:response_body_success) do
@@ -27,7 +23,7 @@ RSpec.describe 'Microsoft::CallbacksController', type: :request do
                       'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/microsoft/callback" })
         .to_return(status: 200, body: response_body_success.to_json, headers: { 'Content-Type' => 'application/json' })
 
-      get microsoft_callback_url, params: { code: code }
+      get microsoft_callback_url, params: { code: code, state: state }
 
       expect(response).to redirect_to app_email_inbox_agents_url(account_id: account.id, inbox_id: account.inboxes.last.id)
       expect(account.inboxes.count).to be 1
@@ -36,7 +32,6 @@ RSpec.describe 'Microsoft::CallbacksController', type: :request do
       expect(inbox.channel.reload.provider_config.keys).to include('access_token', 'refresh_token', 'expires_on')
       expect(inbox.channel.reload.provider_config['access_token']).to eq response_body_success[:access_token]
       expect(inbox.channel.imap_address).to eq 'outlook.office365.com'
-      expect(Redis::Alfred.get(cache_key)).to be_nil
     end
 
     it 'creates updates inbox channel config if inbox exists and authentication is successful' do
@@ -48,14 +43,13 @@ RSpec.describe 'Microsoft::CallbacksController', type: :request do
                       'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/microsoft/callback" })
         .to_return(status: 200, body: response_body_success.to_json, headers: { 'Content-Type' => 'application/json' })
 
-      get microsoft_callback_url, params: { code: code }
+      get microsoft_callback_url, params: { code: code, state: state }
 
       expect(response).to redirect_to app_email_inbox_settings_url(account_id: account.id, inbox_id: account.inboxes.last.id)
       expect(account.inboxes.count).to be 1
       expect(inbox.channel.reload.provider_config.keys).to include('access_token', 'refresh_token', 'expires_on')
       expect(inbox.channel.reload.provider_config['access_token']).to eq response_body_success[:access_token]
       expect(inbox.channel.imap_address).to eq 'outlook.office365.com'
-      expect(Redis::Alfred.get(cache_key)).to be_nil
     end
 
     it 'creates inboxes with fallback_name when account name is not present in id_token' do
@@ -64,7 +58,7 @@ RSpec.describe 'Microsoft::CallbacksController', type: :request do
                       'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/microsoft/callback" })
         .to_return(status: 200, body: response_body_success_without_name.to_json, headers: { 'Content-Type' => 'application/json' })
 
-      get microsoft_callback_url, params: { code: code }
+      get microsoft_callback_url, params: { code: code, state: state }
 
       expect(response).to redirect_to app_email_inbox_agents_url(account_id: account.id, inbox_id: account.inboxes.last.id)
       expect(account.inboxes.count).to be 1
@@ -78,10 +72,9 @@ RSpec.describe 'Microsoft::CallbacksController', type: :request do
                       'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/microsoft/callback" })
         .to_return(status: 401)
 
-      get microsoft_callback_url, params: { code: code }
+      get microsoft_callback_url, params: { code: code, state: state }
 
       expect(response).to redirect_to '/'
-      expect(Redis::Alfred.get(cache_key).to_i).to eq account.id
     end
   end
 end