add validate callback loading state and encryption

server/routers/idp/createOidcIdp.ts

@@ -9,6 +9,8 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { idp, idpOidcConfig, idpOrg, orgs } from "@server/db/schemas";
 import { generateOidcRedirectUrl } from "@server/lib/idp/generateRedirectUrl";
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
 
 const paramsSchema = z.object({}).strict();
 
@@ -22,7 +24,8 @@ const bodySchema = z
         identifierPath: z.string().nonempty(),
         emailPath: z.string().optional(),
         namePath: z.string().optional(),
-        scopes: z.array(z.string().nonempty())
+        scopes: z.array(z.string().nonempty()),
+        autoProvision: z.boolean().optional()
     })
     .strict();
 
@@ -73,9 +76,15 @@ export async function createOidcIdp(
             identifierPath,
             emailPath,
             namePath,
-            name
+            name,
+            autoProvision
         } = parsedBody.data;
 
+        const key = config.getRawConfig().server.secret;
+
+        const encryptedSecret = encrypt(clientSecret, key);
+        const encryptedClientId = encrypt(clientId, key);
+
         let idpId: number | undefined;
         await db.transaction(async (trx) => {
             const [idpRes] = await trx
@@ -90,11 +99,11 @@ export async function createOidcIdp(
 
             await trx.insert(idpOidcConfig).values({
                 idpId: idpRes.idpId,
-                clientId,
-                clientSecret,
+                clientId: encryptedClientId,
+                clientSecret: encryptedSecret,
                 authUrl,
                 tokenUrl,
-                autoProvision: true,
+                autoProvision,
                 scopes: JSON.stringify(scopes),
                 identifierPath,
                 emailPath,

server/routers/idp/generateOidcUrl.ts

@@ -13,6 +13,7 @@ import { generateOidcRedirectUrl } from "@server/lib/idp/generateRedirectUrl";
 import cookie from "cookie";
 import jsonwebtoken from "jsonwebtoken";
 import config from "@server/lib/config";
+import { decrypt } from "@server/lib/crypto";
 
 const paramsSchema = z
     .object({
@@ -77,10 +78,21 @@ export async function generateOidcUrl(
 
         const parsedScopes = JSON.parse(existingIdp.idpOidcConfig.scopes);
 
+        const key = config.getRawConfig().server.secret;
+
+        const decryptedClientId = decrypt(
+            existingIdp.idpOidcConfig.clientId,
+            key
+        );
+        const decryptedClientSecret = decrypt(
+            existingIdp.idpOidcConfig.clientSecret,
+            key
+        );
+
         const redirectUrl = generateOidcRedirectUrl(idpId);
         const client = new arctic.OAuth2Client(
-            existingIdp.idpOidcConfig.clientId,
-            existingIdp.idpOidcConfig.clientSecret,
+            decryptedClientId,
+            decryptedClientSecret,
             redirectUrl
         );
 

server/routers/idp/validateOidcCallback.ts

@@ -28,6 +28,7 @@ import {
     generateSessionToken,
     serializeSessionCookie
 } from "@server/auth/sessions/app";
+import { decrypt } from "@server/lib/crypto";
 
 const paramsSchema = z
     .object({
@@ -90,10 +91,21 @@ export async function validateOidcCallback(
             );
         }
 
+        const key = config.getRawConfig().server.secret;
+
+        const decryptedClientId = decrypt(
+            existingIdp.idpOidcConfig.clientId,
+            key
+        );
+        const decryptedClientSecret = decrypt(
+            existingIdp.idpOidcConfig.clientSecret,
+            key
+        );
+
         const redirectUrl = generateOidcRedirectUrl(existingIdp.idp.idpId);
         const client = new arctic.OAuth2Client(
-            existingIdp.idpOidcConfig.clientId,
-            existingIdp.idpOidcConfig.clientSecret,
+            decryptedClientId,
+            decryptedClientSecret,
             redirectUrl
         );