Skip to content

Enforce corporate_id claim in Twenty SSO proxy-login and JWT guard#19

Open
UsamaSadiq wants to merge 1 commit into
foss-sandboxfrom
usama/enforce-corporate-id-auth
Open

Enforce corporate_id claim in Twenty SSO proxy-login and JWT guard#19
UsamaSadiq wants to merge 1 commit into
foss-sandboxfrom
usama/enforce-corporate-id-auth

Conversation

@UsamaSadiq

Copy link
Copy Markdown
Collaborator

Description

Add corporate_id enforcement to Twenty's SSO auth flow. When SMB_CORPORATE_ID is set, both the proxy-login controller and the JWT auth guard decode the X-Auth-Request-Access-Token header and reject requests where custom:is_corporate is not "true" or custom:corporate_id does not match. Returns 403 on mismatch. When the env var is empty, all checks are skipped (backward compatible).

Changes:

  • sso-proxy-login.controller.ts: new checkCorporateId() method, called after email resolution before user provisioning
  • jwt-auth.guard.ts: new checkCorporateId() method, called after proxy identity check on every authenticated request
  • config-variables.ts: register SMB_CORPORATE_ID config variable

This is the per-app Layer 2 enforcement that closes the Bearer token bypass path (SKIP_JWT_BEARER_TOKENS=true in oauth2-proxy). Layer 1 enforcement in mpass-auth-proxy is in foss-server-bundle PR twentyhq#116.

Testing

  • Enforcement disabled: empty SMB_CORPORATE_ID skips all checks
  • Matching corporate_id: proxy-login succeeds, guard passes
  • Mismatched corporate_id: 403 at both proxy-login and guard level
  • Non-corporate account: 403 (missing custom:is_corporate)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant