MCPcopy Index your code
hub / github.com/sourcebot-dev/sourcebot / createGCPIAPProvider

Function createGCPIAPProvider

packages/web/src/ee/features/sso/sso.ts:406–480  ·  view source on GitHub ↗
(id: string, audience: string)

Source from the content-addressed store, hash-verified

404}
405
406const createGCPIAPProvider = (id: string, audience: string): Provider => {
407 return Credentials({
408 id,
409 name: "Google Cloud IAP",
410 credentials: {},
411 authorize: async (_credentials, req) => {
412 try {
413 const iapAssertion = req.headers?.get("x-goog-iap-jwt-assertion");
414 if (!iapAssertion || typeof iapAssertion !== "string") {
415 logger.warn("No IAP assertion found in headers");
416 return null;
417 }
418
419 const oauth2Client = new OAuth2Client();
420
421 const { pubkeys } = await oauth2Client.getIapPublicKeys();
422 const ticket = await oauth2Client.verifySignedJwtWithCertsAsync(
423 iapAssertion,
424 pubkeys,
425 audience,
426 ['https://cloud.google.com/iap']
427 );
428
429 const payload = ticket.getPayload();
430 if (!payload) {
431 logger.warn("Invalid IAP token payload");
432 return null;
433 }
434
435 const email = payload.email;
436 const name = payload.name || payload.email;
437 const image = payload.picture;
438
439 if (!email) {
440 logger.warn("Missing email in IAP token");
441 return null;
442 }
443
444 const existingUser = await __unsafePrisma.user.findUnique({
445 where: { email }
446 });
447
448 if (!existingUser) {
449 const newUser = await __unsafePrisma.user.create({
450 data: {
451 email,
452 name,
453 image,
454 }
455 });
456
457 const authJsUser: AuthJsUser = {
458 id: newUser.id,
459 email: newUser.email,
460 name: newUser.name,
461 image: newUser.image,
462 };
463

Callers 1

getEEIdentityProvidersFunction · 0.85

Calls 1

onCreateUserFunction · 0.90

Tested by

no test coverage detected