diff --git a/packages/backend/src/server/oauth/OAuth2ProviderService.ts b/packages/backend/src/server/oauth/OAuth2ProviderService.ts index 5350e7cf37..ac88c40844 100644 --- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts +++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts @@ -44,6 +44,7 @@ import type { MiLocalUser } from '@/models/User.js'; import { LoggerService } from '@/core/LoggerService.js'; import Logger from '@/logger.js'; import { StatusError } from '@/misc/status-error.js'; +import { normalizeEmailAddress } from '@/misc/normalize-email-address.js'; import type { ServerResponse } from 'node:http'; import type { FastifyInstance } from 'fastify'; @@ -508,25 +509,31 @@ export class OAuth2ProviderService { return; } - const accessToken = await this.accessTokensRepository.findOne({ where: { token }, relations: ['user'] }); + const accessToken = await this.accessTokensRepository.findOneBy({ token }); if (!accessToken) { reply.code(401); return; } - const user = await this.userProfilesRepository.findOneBy({ userId: accessToken.userId }); + const user = await this.usersRepository.findOneBy({ id: accessToken.userId }); + if (!user) { + reply.code(401); + return; + } + + const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id }); reply.code(200); return { - sub: accessToken.userId, - name: accessToken.user?.name, - preferred_username: accessToken.user?.username, - profile: accessToken.user ? `${this.config.url}/@${accessToken.user.username}` : undefined, - picture: accessToken.user?.avatarUrl, - email: user?.email, - email_verified: user?.emailVerified, - mfa_enabled: user?.twoFactorEnabled, - updated_at: Math.floor((accessToken.user?.updatedAt?.getTime() ?? accessToken.user?.createdAt.getTime() ?? 0) / 1000), + sub: user.id, + name: user.name ? `${user.name} (@${user.username})` : `@${user.username}`, + preferred_username: user.username, + profile: `${this.config.url}/@${user.username}`, + picture: user.avatarUrl ?? undefined, + email: profile.emailVerified ? normalizeEmailAddress(profile.email) : `${user.username}@${this.config.hostname}`, + email_verified: profile.emailVerified, + mfa_enabled: profile.twoFactorEnabled, + updated_at: Math.floor((user.updatedAt?.getTime() ?? user.createdAt.getTime()) / 1000), }; }); } diff --git a/packages/backend/src/server/sso/JWTIdentifyProviderService.ts b/packages/backend/src/server/sso/JWTIdentifyProviderService.ts index 2671a7fcb4..f73966d5b5 100644 --- a/packages/backend/src/server/sso/JWTIdentifyProviderService.ts +++ b/packages/backend/src/server/sso/JWTIdentifyProviderService.ts @@ -178,7 +178,7 @@ export class JWTIdentifyProviderService { preferred_username: user.username, profile: `${this.config.url}/@${user.username}`, picture: user.avatarUrl ?? undefined, - email: profile.emailVerified ? normalizeEmailAddress(profile.email) : undefined, + email: profile.emailVerified ? normalizeEmailAddress(profile.email) : `${user.username}@${this.config.hostname}`, email_verified: profile.emailVerified, mfa_enabled: profile.twoFactorEnabled, updated_at: Math.floor((user.updatedAt?.getTime() ?? user.createdAt.getTime()) / 1000), diff --git a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts index 15ca1eecc7..2412f03576 100644 --- a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts +++ b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts @@ -440,9 +440,10 @@ export class SAMLIdentifyProviderService { '#text': `${this.config.url}/sso/saml/${ssoServiceProvider.id}/metadata`, }, 'saml:Subject': { - 'saml:NameID': profile.emailVerified - ? { '@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', '#text': normalizeEmailAddress(profile.email) } - : { '@Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', '#text': user.id }, + 'saml:NameID': { + '@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', + '#text': profile.emailVerified ? normalizeEmailAddress(profile.email) : `${user.username}@${this.config.hostname}`, + }, 'saml:SubjectConfirmation': { '@Method': 'urn:oasis:names:tc:SAML:2.0:cm:bearer', 'saml:SubjectConfirmationData': { @@ -540,14 +541,14 @@ export class SAMLIdentifyProviderService { '#text': user.avatarUrl, }, }] : []), - ...(profile.emailVerified ? [{ + { '@Name': 'email', '@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', 'saml:AttributeValue': { '@xsi:type': 'xs:string', - '#text': normalizeEmailAddress(profile.email), + '#text': profile.emailVerified ? normalizeEmailAddress(profile.email) : `${user.username}@${this.config.hostname}`, }, - }] : []), + }, { '@Name': 'email_verified', '@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',