feat(sso): introduce authentication with SAML

2023-07-06 11:05:28 +00:00
parent 5176b8c322
commit a7104c41a2
28 changed files with 720 additions and 9 deletions
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -33,7 +33,32 @@ services:
      - '6379:6379'
    expose:
      - 6379
  keycloak:
    image: quay.io/keycloak/keycloak:21.1
    restart: always
    container_name: keycloak
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KC_DB=postgres
      - KC_DB_URL_HOST=postgres
      - KC_DB_URL_DATABASE=keycloak
      - KC_DB_USERNAME=automatisch_user
      - KC_DB_PASSWORD=automatisch_password
      - KC_HEALTH_ENABLED=true
    ports:
      - "8080:8080"
    command: start-dev
    depends_on:
      - postgres
    healthcheck:
      test: "curl -f http://localhost:8080/health/ready || exit 1"
    volumes:
      - keycloak:/opt/keycloak/data/
    expose:
      - 8080
 volumes:
  postgres_data:
  redis_data:
  keycloak:
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -27,10 +27,12 @@
    "@casl/ability": "^6.5.0",
    "@graphql-tools/graphql-file-loader": "^7.3.4",
    "@graphql-tools/load": "^7.5.2",
    "@node-saml/passport-saml": "^4.0.4",
    "@rudderstack/rudder-sdk-node": "^1.1.2",
    "@sentry/node": "^7.42.0",
    "@sentry/tracing": "^7.42.0",
    "@types/luxon": "^2.3.1",
    "@types/passport": "^1.0.12",
    "@types/xmlrpc": "^1.3.7",
    "ajv-formats": "^2.1.1",
    "axios": "0.24.0",
@@ -63,6 +65,7 @@
    "nodemailer": "6.7.0",
    "oauth-1.0a": "^2.2.6",
    "objection": "^3.0.0",
    "passport": "^0.6.0",
    "pg": "^8.7.1",
    "php-serialize": "^4.0.2",
    "stripe": "^11.13.0",
--- a/packages/backend/src/app.ts
+++ b/packages/backend/src/app.ts
@@ -17,6 +17,7 @@ import {
 } from './helpers/create-bull-board-handler';
 import injectBullBoardHandler from './helpers/inject-bull-board-handler';
 import router from './routes';
 import configurePassport from './helpers/passport';
 createBullBoardHandler(serverAdapter);
@@ -50,6 +51,9 @@ app.use(
  })
 );
 app.use(cors(corsOptions));
 configurePassport(app);
 app.use('/', router);
 webUIHandler(app);
--- a/packages/backend/src/db/migrations/20230702210636_create_saml_auth_providers.ts
+++ b/packages/backend/src/db/migrations/20230702210636_create_saml_auth_providers.ts
@@ -0,0 +1,23 @@
 import { Knex } from 'knex';
 export async function up(knex: Knex): Promise<void> {
  return knex.schema.createTable('saml_auth_providers', (table) => {
    table.uuid('id').primary().defaultTo(knex.raw('gen_random_uuid()'));
    table.string('name').notNullable();
    table.text('certificate').notNullable();
    table.string('signature_algorithm').notNullable();
    table.string('issuer').notNullable();
    table.text('entry_point').notNullable();
    table.text('firstname_attribute_name').notNullable();
    table.text('surname_attribute_name').notNullable();
    table.text('email_attribute_name').notNullable();
    table.text('role_attribute_name').notNullable();
    table.uuid('default_role_id').references('id').inTable('roles');
    table.timestamps(true, true);
  });
 }
 export async function down(knex: Knex): Promise<void> {
  return knex.schema.dropTable('saml_auth_providers');
 }
--- a/packages/backend/src/db/migrations/20230707094923_create_identities.ts
+++ b/packages/backend/src/db/migrations/20230707094923_create_identities.ts
@@ -0,0 +1,17 @@
 import { Knex } from 'knex';
 export async function up(knex: Knex): Promise<void> {
  return knex.schema.createTable('identities', (table) => {
    table.uuid('id').primary().defaultTo(knex.raw('gen_random_uuid()'));
    table.uuid('user_id').references('id').inTable('users');
    table.string('remote_id').notNullable();
    table.string('provider_id').notNullable();
    table.string('provider_type').notNullable();
    table.timestamps(true, true);
  });
 }
 export async function down(knex: Knex): Promise<void> {
  return knex.schema.dropTable('identities');
 }
--- a/packages/backend/src/db/migrations/20230715214424_make_user_password_nullable.ts
+++ b/packages/backend/src/db/migrations/20230715214424_make_user_password_nullable.ts
@@ -0,0 +1,14 @@
 import { Knex } from 'knex';
 export async function up(knex: Knex): Promise<void> {
  return await knex.schema.alterTable('users', (table) => {
    table.string('password').nullable().alter();
  });
 }
 export async function down(knex: Knex): Promise<void> {
  return await knex.schema.alterTable('users', table => {
    // what do we do? passwords cannot be left empty
    // table.string('password').notNullable().alter();
  });
 }
--- a/packages/backend/src/graphql/queries/get-saml-auth-providers.ee.ts
+++ b/packages/backend/src/graphql/queries/get-saml-auth-providers.ee.ts
@@ -0,0 +1,9 @@
 import SamlAuthProvider from '../../models/saml-auth-provider.ee';
 const getSamlAuthProviders = async () => {
  const providers = await SamlAuthProvider.query();
  return providers;
 };
 export default getSamlAuthProviders;
--- a/packages/backend/src/graphql/query-resolvers.ts
+++ b/packages/backend/src/graphql/query-resolvers.ts
@@ -18,6 +18,7 @@ import getInvoices from './queries/get-invoices.ee';
 import getAutomatischInfo from './queries/get-automatisch-info';
 import getTrialStatus from './queries/get-trial-status.ee';
 import getSubscriptionStatus from './queries/get-subscription-status.ee';
 import getSamlAuthProviders from './queries/get-saml-auth-providers.ee';
 import healthcheck from './queries/healthcheck';
 const queryResolvers = {
@@ -41,6 +42,7 @@ const queryResolvers = {
  getAutomatischInfo,
  getTrialStatus,
  getSubscriptionStatus,
  getSamlAuthProviders,
  healthcheck,
 };
--- a/packages/backend/src/graphql/schema.graphql
+++ b/packages/backend/src/graphql/schema.graphql
@@ -41,6 +41,7 @@ type Query {
  getAutomatischInfo: GetAutomatischInfo
  getTrialStatus: GetTrialStatus
  getSubscriptionStatus: GetSubscriptionStatus
  getSamlAuthProviders: [GetSamlAuthProviders]
  healthcheck: AppHealth
 }
@@ -554,6 +555,12 @@ type PaymentPlan {
  productId: String
 }
 type GetSamlAuthProviders {
  id: String
  name: String
  issuer: String
 }
 schema {
  query: Query
  mutation: Mutation
--- a/packages/backend/src/helpers/authentication.ts
+++ b/packages/backend/src/helpers/authentication.ts
@@ -33,6 +33,7 @@ const authentication = shield(
    Query: {
      '*': isAuthenticated,
      getAutomatischInfo: allow,
      getSamlAuthProviders: allow,
      healthcheck: allow,
    },
    Mutation: {
--- a/packages/backend/src/helpers/create-auth-token-by-user-id.ts
+++ b/packages/backend/src/helpers/create-auth-token-by-user-id.ts
@@ -0,0 +1,14 @@
 import jwt from 'jsonwebtoken';
 import appConfig from '../config/app';
 const TOKEN_EXPIRES_IN = '14d';
 const createAuthTokenByUserId = (userId: string) => {
  const token = jwt.sign({ userId }, appConfig.appSecretKey, {
    expiresIn: TOKEN_EXPIRES_IN,
  });
  return token;
 };
 export default createAuthTokenByUserId;
--- a/packages/backend/src/helpers/find-or-create-user-by-saml-identity.ee.ts
+++ b/packages/backend/src/helpers/find-or-create-user-by-saml-identity.ee.ts
@@ -0,0 +1,48 @@
 import SamlAuthProvider from '../models/saml-auth-provider.ee';
 import User from '../models/user';
 import Identity from '../models/identity.ee';
 const getUser = (user: Record<string, unknown>, providerConfig: SamlAuthProvider) => ({
  name: user[providerConfig.firstnameAttributeName],
  surname: user[providerConfig.surnameAttributeName],
  id: user.nameID,
  email: user[providerConfig.emailAttributeName],
  role: user[providerConfig.roleAttributeName],
 })
 const findOrCreateUserBySamlIdentity = async (userIdentity: Record<string, unknown>, samlAuthProvider: SamlAuthProvider) => {
  const mappedUser = getUser(userIdentity, samlAuthProvider);
  const identity = await Identity.query().findOne({
    remote_id: mappedUser.id,
  });
  if (identity) {
    const user = await identity.$relatedQuery('user');
    return user;
  }
  const createdUser = await User.query().insertGraphAndFetch({
    fullName: [
      mappedUser.name,
      mappedUser.surname
    ]
      .filter(Boolean)
      .join(' '),
    email: mappedUser.email as string,
    roleId: samlAuthProvider.defaultRoleId,
    identities: [
      {
        remoteId: mappedUser.id as string,
        providerId: samlAuthProvider.id,
        providerType: 'saml'
      }
    ]
  }, {
    relate: ['identities']
  });
  return createdUser;
 };
 export default findOrCreateUserBySamlIdentity;
--- a/packages/backend/src/helpers/passport.ts
+++ b/packages/backend/src/helpers/passport.ts
@@ -0,0 +1,84 @@
 import { URL } from 'node:url';
 import { IRequest } from '@automatisch/types';
 import { MultiSamlStrategy } from '@node-saml/passport-saml';
 import { Express } from 'express';
 import passport from 'passport';
 import appConfig from '../config/app';
 import createAuthTokenByUserId from '../helpers/create-auth-token-by-user-id';
 import SamlAuthProvider from '../models/saml-auth-provider.ee';
 import findOrCreateUserBySamlIdentity from './find-or-create-user-by-saml-identity.ee'
 export default function configurePassport(app: Express) {
  app.use(passport.initialize({
    userProperty: 'currentUser',
  }));
  passport.use(new MultiSamlStrategy(
    {
      passReqToCallback: true,
      getSamlOptions: async function (request, done) {
        const { issuer } = request.params;
        const notFoundIssuer = new Error('Issuer cannot be found!');
        if (!issuer) return done(notFoundIssuer);
        const authProvider = await SamlAuthProvider.query().findOne({
          issuer: request.params.issuer as string,
        });
        if (!authProvider) {
          return done(notFoundIssuer);
        }
        return done(null, authProvider.config);
      },
    },
    async function (request, user: Record<string, unknown>, done) {
      const { issuer } = request.params;
      const notFoundIssuer = new Error('Issuer cannot be found!');
      if (!issuer) return done(notFoundIssuer);
      const authProvider = await SamlAuthProvider.query().findOne({
        issuer: request.params.issuer as string,
      });
      if (!authProvider) {
        return done(notFoundIssuer);
      }
      const foundUserWithIdentity = await findOrCreateUserBySamlIdentity(user, authProvider);
      return done(null, foundUserWithIdentity as unknown as Record<string, unknown>);
    },
    function (request, user: Record<string, unknown>, done: (error: any, user: Record<string, unknown>) => void) {
      return done(null, null);
    }
  ));
  app.get('/login/saml/:issuer',
    passport.authenticate('saml',
      {
        session: false,
        successRedirect: '/',
      })
  );
  app.post(
    '/login/saml/:issuer/callback',
    passport.authenticate('saml', {
      session: false,
      failureRedirect: '/',
      failureFlash: true,
    }),
    (req: IRequest, res) => {
      const token = createAuthTokenByUserId(req.currentUser.id);
      const redirectUrl = new URL(
        `/login/callback?token=${token}`,
        appConfig.webAppUrl,
      ).toString();
      res.redirect(redirectUrl);
    }
  );
 };
--- a/packages/backend/src/models/identity.ee.ts
+++ b/packages/backend/src/models/identity.ee.ts
@@ -0,0 +1,53 @@
 import Base from './base';
 import SamlAuthProvider from './saml-auth-provider.ee';
 import User from './user';
 class Identity extends Base {
  id!: string;
  remoteId!: string;
  userId!: string;
  providerId!: string;
  providerType!: 'saml';
  static tableName = 'identities';
  static jsonSchema = {
    type: 'object',
    required: [
      'providerId',
      'remoteId',
      'userId',
      'providerType',
    ],
    properties: {
      id: { type: 'string', format: 'uuid' },
      userId: { type: 'string', format: 'uuid' },
      remoteId: { type: 'string', minLength: 1 },
      providerId: { type: 'string', format: 'uuid' },
      providerType: { type: 'string', enum: ['saml'] },
    },
  };
  static relationMappings = () => ({
    user: {
      relation: Base.BelongsToOneRelation,
      modelClass: User,
      join: {
        from: 'users.id',
        to: 'identities.user_id',
      },
    },
    samlAuthProvider: {
      relation: Base.BelongsToOneRelation,
      modelClass: SamlAuthProvider,
      join: {
        from: 'saml_auth_providers.id',
        to: 'identities.provider_id'
      },
    },
  });
 }
 export default Identity;
--- a/packages/backend/src/models/saml-auth-provider.ee.ts
+++ b/packages/backend/src/models/saml-auth-provider.ee.ts
@@ -0,0 +1,79 @@
 import { URL } from 'node:url';
 import type { SamlConfig } from '@node-saml/passport-saml';
 import appConfig from '../config/app';
 import Base from './base';
 import Identity from './identity.ee';
 class SamlAuthProvider extends Base {
  id!: string;
  name: string;
  certificate: string;
  signatureAlgorithm: SamlConfig["signatureAlgorithm"];
  issuer: string;
  entryPoint: string;
  firstnameAttributeName: string;
  surnameAttributeName: string;
  emailAttributeName: string;
  roleAttributeName: string;
  defaultRoleId: string;
  static tableName = 'saml_auth_providers';
  static jsonSchema = {
    type: 'object',
    required: [
      'name',
      'certificate',
      'signatureAlgorithm',
      'entryPoint',
      'issuer',
      'firstnameAttributeName',
      'surnameAttributeName',
      'emailAttributeName',
      'roleAttributeName',
      'defaultRoleId',
    ],
    properties: {
      id: { type: 'string', format: 'uuid' },
      name: { type: 'string', minLength: 1 },
      certificate: { type: 'string', minLength: 1 },
      signatureAlgorithm: { type: 'string', enum: ['sha1', 'sha256', 'sha512'] },
      issuer: { type: 'string', minLength: 1 },
      entryPoint: { type: 'string', minLength: 1 },
      firstnameAttributeName: { type: 'string', minLength: 1 },
      surnameAttributeName: { type: 'string', minLength: 1 },
      emailAttributeName: { type: 'string', minLength: 1 },
      roleAttributeName: { type: 'string', minLength: 1 },
      defaultRoleId: { type: 'string', format: 'uuid' }
    },
  };
  static relationMappings = () => ({
    identities: {
      relation: Base.HasOneRelation,
      modelClass: Identity,
      join: {
        from: 'identities.provider_id',
        to: 'saml_auth_providers.id',
      },
    },
  });
  get config(): SamlConfig {
    const callbackUrl = new URL(
      `/login/saml/${this.issuer}/callback`,
      appConfig.baseUrl
    ).toString();
    return {
      callbackUrl,
      cert: this.certificate,
      entryPoint: this.entryPoint,
      issuer: this.issuer,
      signatureAlgorithm: this.signatureAlgorithm,
    }
  }
 }
 export default SamlAuthProvider;
--- a/packages/backend/src/models/user.ts
+++ b/packages/backend/src/models/user.ts
@@ -14,6 +14,7 @@ import Step from './step';
 import Role from './role';
 import Permission from './permission';
 import Execution from './execution';
 import Identity from './identity.ee';
 import UsageData from './usage-data.ee';
 import Subscription from './subscription.ee';
@@ -36,18 +37,19 @@ class User extends Base {
  currentSubscription?: Subscription;
  role: Role;
  permissions: Permission[];
  identities: Identity[];
  static tableName = 'users';
  static jsonSchema = {
    type: 'object',
-    required: ['fullName', 'email', 'password'],
+    required: ['fullName', 'email'],
    properties: {
      id: { type: 'string', format: 'uuid' },
      fullName: { type: 'string', minLength: 1 },
      email: { type: 'string', format: 'email', minLength: 1, maxLength: 255 },
-      password: { type: 'string', minLength: 1, maxLength: 255 },
+      password: { type: 'string' },
      resetPasswordToken: { type: 'string' },
      resetPasswordTokenSentAt: { type: 'string' },
      trialExpiryDate: { type: 'string' },
@@ -157,6 +159,14 @@ class User extends Base {
        to: 'permissions.id',
      },
    },
    identities: {
      relation: Base.HasManyRelation,
      modelClass: Identity,
      join: {
        from: 'identities.user_id',
        to: 'users.id',
      }
    }
  });
  login(password: string) {
@@ -191,7 +201,9 @@ class User extends Base {
  }
  async generateHash() {
-    this.password = await bcrypt.hash(this.password, 10);
+    if (this.password) {
      this.password = await bcrypt.hash(this.password, 10);
    }
  }
  async startTrialPeriod() {
@@ -265,9 +277,7 @@ class User extends Base {
  async $beforeUpdate(opt: ModelOptions, queryContext: QueryContext) {
    await super.$beforeUpdate(opt, queryContext);
-    if (this.password) {
+    await this.generateHash();
      await this.generateHash();
    }
  }
  async $afterInsert(queryContext: QueryContext) {
--- a/packages/types/index.d.ts
+++ b/packages/types/index.d.ts
@@ -386,6 +386,20 @@ type TInvoice = {
  receipt_url: string;
 };
 type TSamlAuthProvider = {
  id: string;
  name: string;
  certificate: string;
  signatureAlgorithm: "sha1" | "sha256" | "sha512";
  issuer: string;
  entryPoint: string;
  firstnameAttributeName: string;
  surnameAttributeName: string;
  emailAttributeName: string;
  roleAttributeName: string;
  defaultRoleId: string;
 }
 declare module 'axios' {
  interface AxiosResponse {
    httpError?: IJSONObject;
--- a/packages/web/.env-example
+++ b/packages/web/.env-example
@@ -1,4 +1,5 @@
 PORT=3001
 REACT_APP_API_URL=http://localhost:3000
 REACT_APP_GRAPHQL_URL=http://localhost:3000/graphql
 # HTTPS=true
 REACT_APP_BASE_URL=http://localhost:3001
--- a/packages/web/src/components/SsoProviders/index.ee.tsx
+++ b/packages/web/src/components/SsoProviders/index.ee.tsx
@@ -0,0 +1,39 @@
 import * as React from 'react';
 import Paper from '@mui/material/Paper';
 import Button from '@mui/material/Button';
 import Stack from '@mui/material/Stack';
 import Divider from '@mui/material/Divider';
 import appConfig from 'config/app';
 import useSamlAuthProviders from 'hooks/useSamlAuthProviders.ee';
 import useFormatMessage from 'hooks/useFormatMessage';
 function SsoProviders() {
  const formatMessage = useFormatMessage();
  const { providers, loading } = useSamlAuthProviders();
  if (!loading && providers.length === 0) return null;
  return (
    <>
      <Divider>{formatMessage('loginPage.divider')}</Divider>
      <Paper sx={{ px: 2, py: 4 }}>
        <Stack direction="column" gap={1}>
          {providers.map((provider) => (
            <Button
              key={provider.id}
              component="a"
              href={`${appConfig.apiUrl}/login/saml/${provider.issuer}`}
              variant="outlined"
            >
              {provider.name}
            </Button>
          ))}
        </Stack>
      </Paper>
    </>
  );
 }
 export default SsoProviders;
--- a/packages/web/src/config/app.ts
+++ b/packages/web/src/config/app.ts
@@ -1,13 +1,24 @@
 type Config = {
  [key: string]: string;
  baseUrl: string;
  apiUrl: string;
  graphqlUrl: string;
  notificationsUrl: string;
  chatwootBaseUrl: string;
  supportEmailAddress: string;
 };
 const config: Config = {
  baseUrl: process.env.REACT_APP_BASE_URL as string,
  apiUrl: process.env.REACT_APP_API_URL as string,
  graphqlUrl: process.env.REACT_APP_GRAPHQL_URL as string,
  notificationsUrl: process.env.REACT_APP_NOTIFICATIONS_URL as string,
  chatwootBaseUrl: 'https://app.chatwoot.com',
  supportEmailAddress: 'support@automatisch.io'
 };
 if (!config.apiUrl) {
  config.apiUrl = (new URL(config.graphqlUrl)).origin;
 }
 export default config;
--- a/packages/web/src/config/urls.ts
+++ b/packages/web/src/config/urls.ts
@@ -5,6 +5,7 @@ export const EXECUTION = (executionId: string): string =>
  `/executions/${executionId}`;
 export const LOGIN = '/login';
 export const LOGIN_CALLBACK = `${LOGIN}/callback`;
 export const SIGNUP = '/sign-up';
 export const FORGOT_PASSWORD = '/forgot-password';
 export const RESET_PASSWORD = '/reset-password';
--- a/packages/web/src/graphql/queries/get-saml-auth-providers.ee.ts
+++ b/packages/web/src/graphql/queries/get-saml-auth-providers.ee.ts
@@ -0,0 +1,11 @@
 import { gql } from '@apollo/client';
 export const GET_SAML_AUTH_PROVIDERS = gql`
  query GetSamlAuthProviders {
    getSamlAuthProviders {
      id
      name
      issuer
    }
  }
 `;
--- a/packages/web/src/hooks/useSamlAuthProviders.ee.ts
+++ b/packages/web/src/hooks/useSamlAuthProviders.ee.ts
@@ -0,0 +1,18 @@
 import { useQuery } from '@apollo/client';
 import { TSamlAuthProvider } from '@automatisch/types';
 import { GET_SAML_AUTH_PROVIDERS } from 'graphql/queries/get-saml-auth-providers.ee';
 type UseSamlAuthProvidersReturn = {
  providers: TSamlAuthProvider[];
  loading: boolean;
 };
 export default function useSamlAuthProviders(): UseSamlAuthProvidersReturn {
  const { data, loading } = useQuery(GET_SAML_AUTH_PROVIDERS);
  return {
    providers: data?.getSamlAuthProviders || [],
    loading
  };
 }
--- a/packages/web/src/locales/en.json
+++ b/packages/web/src/locales/en.json
@@ -129,6 +129,7 @@
  "loginForm.submit": "Login",
  "loginForm.noAccount": "Don't have an Automatisch account yet?",
  "loginForm.signUp": "Sign up",
  "loginPage.divider": "OR",
  "forgotPasswordForm.title": "Forgot password",
  "forgotPasswordForm.submit": "Send reset instructions",
  "forgotPasswordForm.instructionsSent": "The instructions have been sent!",
--- a/packages/web/src/pages/Login/index.tsx
+++ b/packages/web/src/pages/Login/index.tsx
@@ -1,13 +1,20 @@
 import * as React from 'react';
 import Box from '@mui/material/Box';
 import Stack from '@mui/material/Stack';
 import Container from 'components/Container';
 import LoginForm from 'components/LoginForm';
 import SsoProviders from 'components/SsoProviders/index.ee';
 export default function Login(): React.ReactElement {
  return (
    <Box sx={{ display: 'flex', flex: 1, alignItems: 'center' }}>
      <Container maxWidth="sm">
-        <LoginForm />
+        <Stack direction="column" gap={2}>
          <LoginForm />
          <SsoProviders />
        </Stack>
      </Container>
    </Box>
  );
--- a/packages/web/src/pages/LoginCallback/index.tsx
+++ b/packages/web/src/pages/LoginCallback/index.tsx
@@ -0,0 +1,29 @@
 import * as React from 'react';
 import { useNavigate, useSearchParams } from 'react-router-dom';
 import useAuthentication from 'hooks/useAuthentication';
 import * as URLS from 'config/urls';
 export default function LoginCallback(): React.ReactElement {
  const navigate = useNavigate();
  const authentication = useAuthentication();
  const [searchParams] = useSearchParams();
  React.useEffect(() => {
    if (authentication.isAuthenticated) {
      navigate(URLS.DASHBOARD);
    }
  }, [authentication.isAuthenticated]);
  React.useEffect(() => {
    const token = searchParams.get('token');
    if (token) {
      authentication.updateToken(token);
    }
    // TODO: handle non-existing token scenario
  }, []);
  return (<></>);
 }
--- a/packages/web/src/routes.tsx
+++ b/packages/web/src/routes.tsx
@@ -8,6 +8,7 @@ import Execution from 'pages/Execution';
 import Flows from 'pages/Flows';
 import Flow from 'pages/Flow';
 import Login from 'pages/Login';
 import LoginCallback from 'pages/LoginCallback';
 import SignUp from 'pages/SignUp/index.ee';
 import ForgotPassword from 'pages/ForgotPassword/index.ee';
 import ResetPassword from 'pages/ResetPassword/index.ee';
@@ -83,6 +84,11 @@ export default (
      }
    />
    <Route
      path={URLS.LOGIN_CALLBACK}
      element={<LoginCallback />}
    />
    <Route
      path={URLS.SIGNUP}
      element={
--- a/yarn.lock
+++ b/yarn.lock
@@ -2963,6 +2963,35 @@
    prop-types "^15.8.1"
    react-is "^18.2.0"
 "@node-saml/node-saml@^4.0.4":
  version "4.0.4"
  resolved "https://registry.yarnpkg.com/@node-saml/node-saml/-/node-saml-4.0.4.tgz#472a6b17021a0c9d8261964bf6e1dd686ae2d515"
  integrity sha512-oybUBWBYVsHGckQxzyzlpRM4E2iuW3I2Ok/J9SwlotdmjvmZxSo6Ub74D9wltG8C9daJZYI57uy+1UK4FtcGXA==
  dependencies:
    "@types/debug" "^4.1.7"
    "@types/passport" "^1.0.11"
    "@types/xml-crypto" "^1.4.2"
    "@types/xml-encryption" "^1.2.1"
    "@types/xml2js" "^0.4.11"
    "@xmldom/xmldom" "^0.8.6"
    debug "^4.3.4"
    xml-crypto "^3.0.1"
    xml-encryption "^3.0.2"
    xml2js "^0.5.0"
    xmlbuilder "^15.1.1"
 "@node-saml/passport-saml@^4.0.4":
  version "4.0.4"
  resolved "https://registry.yarnpkg.com/@node-saml/passport-saml/-/passport-saml-4.0.4.tgz#dce5ca38828fb2e5f63d56d4c0aefa01ba3c1dbc"
  integrity sha512-xFw3gw0yo+K1mzlkW15NeBF7cVpRHN/4vpjmBKzov5YFImCWh/G0LcTZ8krH3yk2/eRPc3Or8LRPudVJBjmYaw==
  dependencies:
    "@node-saml/node-saml" "^4.0.4"
    "@types/express" "^4.17.14"
    "@types/passport" "^1.0.11"
    "@types/passport-strategy" "^0.2.35"
    passport "^0.6.0"
    passport-strategy "^1.0.0"
 "@nodelib/fs.scandir@2.1.5":
  version "2.1.5"
  resolved "https://registry.yarnpkg.com/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz#7619c2eb21b25483f6d167548b4cfd5a7488c3d5"
@@ -3821,6 +3850,13 @@
  resolved "https://registry.yarnpkg.com/@types/crypto-js/-/crypto-js-4.1.0.tgz#09ba1b49bcce62c9a8e6d5e50a3364aa98975578"
  integrity sha512-DCFfy/vh2lG6qHSGezQ+Sn2Ulf/1Mx51dqOdmOKyW5nMK3maLlxeS3onC7r212OnBM2pBR95HkAmAjjF08YkxQ==
 "@types/debug@^4.1.7":
  version "4.1.8"
  resolved "https://registry.yarnpkg.com/@types/debug/-/debug-4.1.8.tgz#cef723a5d0a90990313faec2d1e22aee5eecb317"
  integrity sha512-/vPO1EPOs306Cvhwv7KfVfYvOJqA/S/AXjaHQiJboCZzcNDb+TIJFN9/2C9DZ//ijSKWioNyUxD792QmDJ+HKQ==
  dependencies:
    "@types/ms" "*"
 "@types/eslint-scope@^3.7.3":
  version "3.7.4"
  resolved "https://registry.yarnpkg.com/@types/eslint-scope/-/eslint-scope-3.7.4.tgz#37fc1223f0786c39627068a12e94d6e6fc61de16"
@@ -3883,6 +3919,16 @@
    "@types/qs" "*"
    "@types/range-parser" "*"
 "@types/express-serve-static-core@^4.17.33":
  version "4.17.35"
  resolved "https://registry.yarnpkg.com/@types/express-serve-static-core/-/express-serve-static-core-4.17.35.tgz#c95dd4424f0d32e525d23812aa8ab8e4d3906c4f"
  integrity sha512-wALWQwrgiB2AWTT91CB62b6Yt0sNHpznUXeZEcnPU3DRdlDIz74x8Qg1UUYKSVFi+va5vKOLYRBI1bRKiLLKIg==
  dependencies:
    "@types/node" "*"
    "@types/qs" "*"
    "@types/range-parser" "*"
    "@types/send" "*"
 "@types/express@*":
  version "4.17.13"
  resolved "https://registry.yarnpkg.com/@types/express/-/express-4.17.13.tgz#a76e2995728999bab51a33fabce1d705a3709034"
@@ -3893,6 +3939,16 @@
    "@types/qs" "*"
    "@types/serve-static" "*"
 "@types/express@^4.17.14":
  version "4.17.17"
  resolved "https://registry.yarnpkg.com/@types/express/-/express-4.17.17.tgz#01d5437f6ef9cfa8668e616e13c2f2ac9a491ae4"
  integrity sha512-Q4FmmuLGBG58btUnfS1c1r/NQdlp3DMfGDGig8WhfpA2YRUtEkxAjkZb0yvplJGYdF1fsQ81iMDcH24sSCNC/Q==
  dependencies:
    "@types/body-parser" "*"
    "@types/express-serve-static-core" "^4.17.33"
    "@types/qs" "*"
    "@types/serve-static" "*"
 "@types/express@^4.17.15":
  version "4.17.15"
  resolved "https://registry.yarnpkg.com/@types/express/-/express-4.17.15.tgz#9290e983ec8b054b65a5abccb610411953d417ff"
@@ -4066,6 +4122,11 @@
  dependencies:
    "@types/node" "*"
 "@types/ms@*":
  version "0.7.31"
  resolved "https://registry.yarnpkg.com/@types/ms/-/ms-0.7.31.tgz#31b7ca6407128a3d2bbc27fe2d21b345397f6197"
  integrity sha512-iiUgKzV9AuaEkZqkOLDIvlQiL6ltuZd9tGcW3gwpnX8JbuiuhFlEGmmFXEXkN50Cvq7Os88IY2v0dkDqXYWVgA==
 "@types/multer@1.4.7":
  version "1.4.7"
  resolved "https://registry.yarnpkg.com/@types/multer/-/multer-1.4.7.tgz#89cf03547c28c7bbcc726f029e2a76a7232cc79e"
@@ -4130,6 +4191,21 @@
  resolved "https://registry.yarnpkg.com/@types/parse-json/-/parse-json-4.0.0.tgz#2f8bb441434d163b35fb8ffdccd7138927ffb8c0"
  integrity sha512-//oorEZjL6sbPcKUaCdIGlIUeH26mgzimjBB77G6XRgnDl/L5wOnpyBGRe/Mmf5CVW3PwEBE1NjiMZ/ssFh4wA==
 "@types/passport-strategy@^0.2.35":
  version "0.2.35"
  resolved "https://registry.yarnpkg.com/@types/passport-strategy/-/passport-strategy-0.2.35.tgz#e52f5212279ea73f02d9b06af67efe9cefce2d0c"
  integrity sha512-o5D19Jy2XPFoX2rKApykY15et3Apgax00RRLf0RUotPDUsYrQa7x4howLYr9El2mlUApHmCMv5CZ1IXqKFQ2+g==
  dependencies:
    "@types/express" "*"
    "@types/passport" "*"
 "@types/passport@*", "@types/passport@^1.0.11", "@types/passport@^1.0.12":
  version "1.0.12"
  resolved "https://registry.yarnpkg.com/@types/passport/-/passport-1.0.12.tgz#7dc8ab96a5e895ec13688d9e3a96920a7f42e73e"
  integrity sha512-QFdJ2TiAEoXfEQSNDISJR1Tm51I78CymqcBa8imbjo6dNNu+l2huDxxbDEIoFIwOSKMkOfHEikyDuZ38WwWsmw==
  dependencies:
    "@types/express" "*"
 "@types/pg@^8.6.1":
  version "8.6.4"
  resolved "https://registry.yarnpkg.com/@types/pg/-/pg-8.6.4.tgz#da1ae9d2f53f2dbfdd2b37e0eb478bf60d517f60"
@@ -4244,6 +4320,14 @@
  resolved "https://registry.yarnpkg.com/@types/scheduler/-/scheduler-0.16.2.tgz#1a62f89525723dde24ba1b01b092bf5df8ad4d39"
  integrity sha512-hppQEBDmlwhFAXKJX2KnWLYu5yMfi91yazPb2l+lbJiwW+wdo1gNeRA+3RgNSO39WYX2euey41KEwnqesU2Jew==
 "@types/send@*":
  version "0.17.1"
  resolved "https://registry.yarnpkg.com/@types/send/-/send-0.17.1.tgz#ed4932b8a2a805f1fe362a70f4e62d0ac994e301"
  integrity sha512-Cwo8LE/0rnvX7kIIa3QHCkcuF21c05Ayb0ZfxPiv0W8VRiZiNW/WuRupHKpqqGVGf7SUA44QSOUKaEd9lIrd/Q==
  dependencies:
    "@types/mime" "^1"
    "@types/node" "*"
 "@types/serve-index@^1.9.1":
  version "1.9.1"
  resolved "https://registry.yarnpkg.com/@types/serve-index/-/serve-index-1.9.1.tgz#1b5e85370a192c01ec6cec4735cf2917337a6278"
@@ -4335,6 +4419,28 @@
  dependencies:
    "@types/node" "*"
 "@types/xml-crypto@^1.4.2":
  version "1.4.2"
  resolved "https://registry.yarnpkg.com/@types/xml-crypto/-/xml-crypto-1.4.2.tgz#5ea7ef970f525ae8fe1e2ce0b3d40da1e3b279ae"
  integrity sha512-1kT+3gVkeBDg7Ih8NefxGYfCApwZViMIs5IEs5AXF6Fpsrnf9CLAEIRh0DYb1mIcRcvysVbe27cHsJD6rJi36w==
  dependencies:
    "@types/node" "*"
    xpath "0.0.27"
 "@types/xml-encryption@^1.2.1":
  version "1.2.1"
  resolved "https://registry.yarnpkg.com/@types/xml-encryption/-/xml-encryption-1.2.1.tgz#39842a42f7f9f2a6bc014e8d14d5fd5ae5f968c3"
  integrity sha512-UeyZkfZFZSa9XCGU5uGgUmsSLwQESDJvF076bJGyDf2gkXJjKvK8fW/x4ckvEHB2M/5RHJEkMc5xI+JrdmCTKA==
  dependencies:
    "@types/node" "*"
 "@types/xml2js@^0.4.11":
  version "0.4.11"
  resolved "https://registry.yarnpkg.com/@types/xml2js/-/xml2js-0.4.11.tgz#bf46a84ecc12c41159a7bd9cf51ae84129af0e79"
  integrity sha512-JdigeAKmCyoJUiQljjr7tQG3if9NkqGUgwEUqBvV0N7LM4HyQk7UXCnusRa1lnvXAEYJ8mw8GtZWioagNztOwA==
  dependencies:
    "@types/node" "*"
 "@types/xmlrpc@^1.3.7":
  version "1.3.7"
  resolved "https://registry.yarnpkg.com/@types/xmlrpc/-/xmlrpc-1.3.7.tgz#a95e8636fe9b848772088cfaa8021d0ad0ad99a0"
@@ -4917,6 +5023,16 @@
  dependencies:
    tslib "^2.3.0"
 "@xmldom/xmldom@0.8.7":
  version "0.8.7"
  resolved "https://registry.yarnpkg.com/@xmldom/xmldom/-/xmldom-0.8.7.tgz#8b1e39c547013941974d83ad5e9cf5042071a9a0"
  integrity sha512-sI1Ly2cODlWStkINzqGrZ8K6n+MTSbAeQnAipGyL+KZCXuHaRlj2gyyy8B/9MvsFFqN7XHryQnB2QwhzvJXovg==
 "@xmldom/xmldom@^0.8.5", "@xmldom/xmldom@^0.8.6":
  version "0.8.8"
  resolved "https://registry.yarnpkg.com/@xmldom/xmldom/-/xmldom-0.8.8.tgz#d0d11511cbc1de77e53342ad1546a4d487d6ea72"
  integrity sha512-0LNz4EY8B/8xXY86wMrQ4tz6zEHZv9ehFMJPm8u2gq5lQ71cfRKdaKyxfJAx5aUoyzx0qzgURblTisPGgz3d+Q==
 "@xtuc/ieee754@^1.2.0":
  version "1.2.0"
  resolved "https://registry.yarnpkg.com/@xtuc/ieee754/-/ieee754-1.2.0.tgz#eef014a3145ae477a1cbc00cd1e552336dceb790"
@@ -8129,7 +8245,7 @@ escape-goat@^2.0.0:
  resolved "https://registry.yarnpkg.com/escape-goat/-/escape-goat-2.1.1.tgz#1b2dc77003676c457ec760b2dc68edb648188675"
  integrity sha512-8/uIhbG12Csjy2JEW7D9pHbreaVaS/OpN3ycnyvElTdwM5n6GY6W6e2IPemfvGZeUMqZ9A/3GqIZMgKnBhAw/Q==
-escape-html@~1.0.3:
+escape-html@^1.0.3, escape-html@~1.0.3:
  version "1.0.3"
  resolved "https://registry.yarnpkg.com/escape-html/-/escape-html-1.0.3.tgz#0258eae4d3d0c0974de1c169188ef0051d1d1988"
  integrity sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg=
@@ -13498,6 +13614,20 @@ pascal-case@^3.1.2:
    no-case "^3.0.4"
    tslib "^2.0.3"
 passport-strategy@1.x.x, passport-strategy@^1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/passport-strategy/-/passport-strategy-1.0.0.tgz#b5539aa8fc225a3d1ad179476ddf236b440f52e4"
  integrity sha512-CB97UUvDKJde2V0KDWWB3lyf6PC3FaZP7YxZ2G8OAtn9p4HI9j9JLP9qjOGZFvyl8uwNT8qM+hGnz/n16NI7oA==
 passport@^0.6.0:
  version "0.6.0"
  resolved "https://registry.yarnpkg.com/passport/-/passport-0.6.0.tgz#e869579fab465b5c0b291e841e6cc95c005fac9d"
  integrity sha512-0fe+p3ZnrWRW74fe8+SvCyf4a3Pb2/h7gFkQ8yTJpAO50gDzlfjZUZTO1k5Eg9kUct22OxHLqDZoKUWRHOh9ug==
  dependencies:
    passport-strategy "1.x.x"
    pause "0.0.1"
    utils-merge "^1.0.1"
 password-prompt@^1.1.2:
  version "1.1.2"
  resolved "https://registry.yarnpkg.com/password-prompt/-/password-prompt-1.1.2.tgz#85b2f93896c5bd9e9f2d6ff0627fa5af3dc00923"
@@ -13560,6 +13690,11 @@ path-type@^4.0.0:
  resolved "https://registry.yarnpkg.com/path-type/-/path-type-4.0.0.tgz#84ed01c0a7ba380afe09d90a8c180dcd9d03043b"
  integrity sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==
 pause@0.0.1:
  version "0.0.1"
  resolved "https://registry.yarnpkg.com/pause/-/pause-0.0.1.tgz#1d408b3fdb76923b9543d96fb4c9dfd535d9cb5d"
  integrity sha512-KG8UEiEVkR3wGEb4m5yZkVCzigAD+cVEJck2CzYZO37ZGJfctvVptVO192MwrtPhzONn6go8ylnOdMhKqi4nfg==
 pend@~1.2.0:
  version "1.2.0"
  resolved "https://registry.yarnpkg.com/pend/-/pend-1.2.0.tgz#7a57eb550a6783f9115331fcf4663d5c8e007a50"
@@ -17275,7 +17410,7 @@ utila@~0.4:
  resolved "https://registry.yarnpkg.com/utila/-/utila-0.4.0.tgz#8a16a05d445657a3aea5eecc5b12a4fa5379772c"
  integrity sha1-ihagXURWV6Oupe7MWxKk+lN5dyw=
-utils-merge@1.0.1:
+utils-merge@1.0.1, utils-merge@^1.0.1:
  version "1.0.1"
  resolved "https://registry.yarnpkg.com/utils-merge/-/utils-merge-1.0.1.tgz#9f95710f50a267947b2ccc124741c1028427e713"
  integrity sha1-n5VxD1CiZ5R7LMwSR0HBAoQn5xM=
@@ -18034,6 +18169,23 @@ xdg-basedir@^4.0.0:
  resolved "https://registry.yarnpkg.com/xdg-basedir/-/xdg-basedir-4.0.0.tgz#4bc8d9984403696225ef83a1573cbbcb4e79db13"
  integrity sha512-PSNhEJDejZYV7h50BohL09Er9VaIefr2LMAf3OEmpCkjOi34eYyQYAXUTjEQtZJTKcF0E2UKTh+osDLsgNim9Q==
 xml-crypto@^3.0.1:
  version "3.1.0"
  resolved "https://registry.yarnpkg.com/xml-crypto/-/xml-crypto-3.1.0.tgz#6baeb46c0f3687a9fd8afd4c7be71c6e6e9accc4"
  integrity sha512-GPDprzBeCvn2ByTzeX+DOXbQ7V2IHmE6H1WZkrR+5LPrRQrwwYC9RoCYZ2++y2yJTYzRre1qY4gqNjmJLKdQ6Q==
  dependencies:
    "@xmldom/xmldom" "0.8.7"
    xpath "0.0.32"
 xml-encryption@^3.0.2:
  version "3.0.2"
  resolved "https://registry.yarnpkg.com/xml-encryption/-/xml-encryption-3.0.2.tgz#d3cb67d97cdd9673313a42cc0d7fa43ff0886c21"
  integrity sha512-VxYXPvsWB01/aqVLd6ZMPWZ+qaj0aIdF+cStrVJMcFj3iymwZeI0ABzB3VqMYv48DkSpRhnrXqTUkR34j+UDyg==
  dependencies:
    "@xmldom/xmldom" "^0.8.5"
    escape-html "^1.0.3"
    xpath "0.0.32"
 xml-name-validator@^3.0.0:
  version "3.0.0"
  resolved "https://registry.yarnpkg.com/xml-name-validator/-/xml-name-validator-3.0.0.tgz#6ae73e06de4d8c6e47f9fb181f78d648ad457c6a"
@@ -18047,11 +18199,29 @@ xml2js@0.4.19:
    sax ">=0.6.0"
    xmlbuilder "~9.0.1"
 xml2js@^0.5.0:
  version "0.5.0"
  resolved "https://registry.yarnpkg.com/xml2js/-/xml2js-0.5.0.tgz#d9440631fbb2ed800203fad106f2724f62c493b7"
  integrity sha512-drPFnkQJik/O+uPKpqSgr22mpuFHqKdbS835iAQrUC73L2F5WkboIRd63ai/2Yg6I1jzifPFKH2NTK+cfglkIA==
  dependencies:
    sax ">=0.6.0"
    xmlbuilder "~11.0.0"
 xmlbuilder@8.2.x:
  version "8.2.2"
  resolved "https://registry.yarnpkg.com/xmlbuilder/-/xmlbuilder-8.2.2.tgz#69248673410b4ba42e1a6136551d2922335aa773"
  integrity sha512-eKRAFz04jghooy8muekqzo8uCSVNeyRedbuJrp0fovbLIi7wlsYtdUn3vBAAPq2Y3/0xMz2WMEUQ8yhVVO9Stw==
 xmlbuilder@^15.1.1:
  version "15.1.1"
  resolved "https://registry.yarnpkg.com/xmlbuilder/-/xmlbuilder-15.1.1.tgz#9dcdce49eea66d8d10b42cae94a79c3c8d0c2ec5"
  integrity sha512-yMqGBqtXyeN1e3TGYvgNgDVZ3j84W4cwkOXQswghol6APgZWaff9lnbvN7MHYJOiXsvGPXtjTYJEiC9J2wv9Eg==
 xmlbuilder@~11.0.0:
  version "11.0.1"
  resolved "https://registry.yarnpkg.com/xmlbuilder/-/xmlbuilder-11.0.1.tgz#be9bae1c8a046e76b31127726347d0ad7002beb3"
  integrity sha512-fDlsI/kFEx7gLvbecc0/ohLG50fugQp8ryHzMTuW9vSa1GJ0XYWKnhsUx7oie3G98+r56aTQIUB4kht42R3JvA==
 xmlbuilder@~9.0.1:
  version "9.0.7"
  resolved "https://registry.yarnpkg.com/xmlbuilder/-/xmlbuilder-9.0.7.tgz#132ee63d2ec5565c557e20f4c22df9aca686b10d"
@@ -18070,6 +18240,16 @@ xmlrpc@^1.3.2:
    sax "1.2.x"
    xmlbuilder "8.2.x"
 xpath@0.0.27:
  version "0.0.27"
  resolved "https://registry.yarnpkg.com/xpath/-/xpath-0.0.27.tgz#dd3421fbdcc5646ac32c48531b4d7e9d0c2cfa92"
  integrity sha512-fg03WRxtkCV6ohClePNAECYsmpKKTv5L8y/X3Dn1hQrec3POx2jHZ/0P2qQ6HvsrU1BmeqXcof3NGGueG6LxwQ==
 xpath@0.0.32:
  version "0.0.32"
  resolved "https://registry.yarnpkg.com/xpath/-/xpath-0.0.32.tgz#1b73d3351af736e17ec078d6da4b8175405c48af"
  integrity sha512-rxMJhSIoiO8vXcWvSifKqhvV96GjiD5wYb8/QHdoRyQvraTpp4IEv944nhGausZZ3u7dhQXteZuZbaqfpB7uYw==
 xtend@^4.0.0, xtend@^4.0.2, xtend@~4.0.1:
  version "4.0.2"
  resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"