move most of the code to strapi/ee

packages/core/admin/ee/server/services/passport.js

@@ -5,14 +5,25 @@ const { features } = require('@strapi/strapi/lib/utils/ee');
 
 const createLocalStrategy = require('../../../server/services/passport/local-strategy');
 const sso = require('./passport/sso');
+const { isSsoLocked } = require('../utils/sso-lock');
+
+const localStrategyMiddleware = async ([error, user, message], done) => {
+  if (await isSsoLocked(user)) {
+    return done(error, null, {
+      message: 'Login not allowed, please contact your administrator',
+    });
+  }
+
+  return done(error, user, message);
+};
 
 const getPassportStrategies = () => {
-  const localStrategy = createLocalStrategy(strapi);
-
   if (!features.isEnabled('sso')) {
-    return [localStrategy];
+    return [createLocalStrategy(strapi)];
   }
 
+  const localStrategy = createLocalStrategy(strapi, localStrategyMiddleware);
+
   if (!strapi.isLoaded) {
     sso.syncProviderRegistryWithConfig();
   }

packages/core/admin/ee/server/utils/sso-lock.js

@@ -1,36 +1,41 @@
 'use strict';
 
+const { features } = require('@strapi/strapi/ee');
+const { isEmpty } = require('lodash/fp');
+
 const isSsoLocked = async (user) => {
-  if (!strapi.EE || !user) {
+  if (!features.isEnabled('sso') || !user) {
     // TODO: we should be calling strapi.features.isEnabled("sso") but that's EE code. Should we load it dynamically when EE is enabled? Or add EE code to override this strategy?
     return false;
   }
 
-  // TODO: if user object has roles === undefined, we need to query for it. [] should be fine, it means we got the roles object but they don't have any
-
+  // check if any roles are locked
   const adminStore = await strapi.store({ type: 'core', name: 'admin' });
   const { providers } = await adminStore.get({ key: 'auth' });
   const lockedRoles = providers.authenticationDisabled || [];
+  if (isEmpty(lockedRoles)) {
+    return false;
+  }
+
+  // Ensure we have user.roles and get them if we don't have them
+  let roles = user.roles;
+  if (!user.roles) {
+    const u = await strapi.query('admin::user').findOne({
+      where: { id: user.id },
+      populate: ['roles'],
+    });
+    roles = u.roles;
+  }
 
   // Check for roles that have blocked
   const isLocked = lockedRoles.some((lockedId) =>
     // lockedRoles will be a string to avoid issues with frontend and bigints
-    user.roles?.some((role) => lockedId === role.id.toString())
+    roles?.some((role) => lockedId === role.id.toString())
   );
 
   return isLocked;
 };
 
-const userPopulateForSso = () => {
-  if (!strapi.EE) {
-    // TODO: we should be calling strapi.features.isEnabled("sso") but that's EE code. Should we load it dynamically when EE is enabled? Or add EE code to override this strategy?
-    return undefined;
-  }
-
-  return ['roles'];
-};
-
 module.exports = {
   isSsoLocked,
-  userPopulateForSso,
 };

packages/core/admin/server/services/auth.js

@@ -5,7 +5,7 @@ const _ = require('lodash');
 const { getAbsoluteAdminUrl } = require('@strapi/utils');
 const { ApplicationError } = require('@strapi/utils').errors;
 const { getService } = require('../utils');
-const { isSsoLocked, userPopulateForSso } = require('./passport/utils/sso-lock');
+const { isSsoLocked } = require('../../ee/server/utils/sso-lock');
 
 /**
  * hashes a password
@@ -31,7 +31,6 @@ const validatePassword = (password, hash) => bcrypt.compare(password, hash);
 const checkCredentials = async ({ email, password }) => {
   const user = await strapi.query('admin::user').findOne({
     where: { email },
-    populate: userPopulateForSso(),
   });
 
   if (!user || !user.password) {
@@ -59,11 +58,10 @@ const checkCredentials = async ({ email, password }) => {
  * @param {string} param.email user email for which to reset the password
  */
 const forgotPassword = async ({ email } = {}) => {
-  const user = await strapi
-    .query('admin::user')
-    .findOne({ where: { email, isActive: true }, populate: userPopulateForSso() });
+  const user = await strapi.query('admin::user').findOne({ where: { email, isActive: true } });
 
   if (!user || (await isSsoLocked(user))) {
+    // TODO: this needs to be removed and overidden in /ee/
     return;
   }
 
@@ -104,9 +102,10 @@ const forgotPassword = async ({ email } = {}) => {
 const resetPassword = async ({ resetPasswordToken, password } = {}) => {
   const matchingUser = await strapi
     .query('admin::user')
-    .findOne({ where: { resetPasswordToken, isActive: true }, populate: userPopulateForSso() });
+    .findOne({ where: { resetPasswordToken, isActive: true } });
 
   if (!matchingUser || isSsoLocked(matchingUser)) {
+    // TODO: this needs to be removed and overidden in /ee/
     throw new ApplicationError();
   }
 

packages/core/admin/server/services/passport/local-strategy.js

@@ -2,9 +2,8 @@
 
 const { toLower } = require('lodash/fp');
 const { Strategy: LocalStrategy } = require('passport-local');
-const { isSsoLocked } = require('./utils/sso-lock');
 
-const createLocalStrategy = (strapi) => {
+const createLocalStrategy = (strapi, middleware) => {
   return new LocalStrategy(
     {
       usernameField: 'email',
@@ -18,10 +17,8 @@ const createLocalStrategy = (strapi) => {
           password,
         })
         .then(async ([error, user, message]) => {
-          if (await isSsoLocked(user)) {
-            return done(error, null, {
-              message: 'Login not allowed, please contact your administrator',
-            });
+          if (middleware) {
+            return middleware([error, user, message], done);
           }
 
           return done(error, user, message);