fix: insecure routes not working for SSO #1587

elibosley · 2025-08-15T16:27:45Z

Summary by CodeRabbit

New Features
- Added SSO token-based login with UI support; accepts tokens 500+ characters.
- Improved OIDC redirect handling to respect protocol/host/port and dev proxy, fixing redirects behind reverse proxies.
Documentation
- API docs and images now fully refreshed in the docs site during publishing.
Tests
- Expanded test coverage for redirect URI generation and edge cases.

coderabbitai · 2025-08-15T16:27:51Z

Caution

Review failed

The pull request is closed.

Walkthrough

Updates OIDC redirect handling to use full request origin, adjusts REST controller to be proxy-aware, and expands tests. Introduces SSO login path in Unraid PHP patch, lowering SSO token-length threshold from 800 to 500 and integrating UI include. Workflow updates fully refresh Docusaurus API docs and images with existence checks.

Changes

Cohort / File(s)	Summary
Docs workflow refresh `.github/workflows/create-docusaurus-pr.yml`	Rebuilds docs/API directory; clears and copies Markdown; clears images and conditionally copies from two sources with existence checks.
OIDC redirect origin handling `api/src/unraid-api/graph/resolvers/sso/oidc-auth.service.ts`, `api/src/unraid-api/graph/resolvers/sso/oidc-auth.service.test.ts`, `api/src/unraid-api/rest/rest.controller.ts`	Service signatures change requestHost→requestOrigin; redirect URI constructed from full origin with scheme/port handling and localhost:3000 dev case; REST controller derives origin via forwarded headers; tests expanded for schemes/ports.
SSO token threshold and login flow `api/src/unraid-api/unraid-file-modifier/modifications/patches/sso.patch`, `api/src/unraid-api/unraid-file-modifier/modifications/sso.modification.ts`, `api/src/unraid-api/unraid-file-modifier/modifications/__test__/snapshots/.login.php.modified.snapshot.php`	Adds verifyUsernamePasswordAndSSO, integrates into login, includes SSO UI hook, and lowers SSO token-length threshold to >500; snapshot updated accordingly.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant REST as REST Controller
  participant OIDC as OidcAuthService
  participant IdP as OIDC Provider

  Client->>REST: GET /oidc/authorize
  REST->>REST: Derive requestOrigin (proto + host)
  REST->>OIDC: getAuthorizationUrl(providerId, state, requestOrigin)
  OIDC->>OIDC: Build redirectUri from origin or BASE_URL
  OIDC->>IdP: Construct authorization URL
  IdP-->>Client: Redirect to IdP login

  Client->>REST: GET /oidc/callback
  REST->>REST: Derive requestOrigin and fullUrl
  REST->>OIDC: handleCallback(providerId, code, state, requestOrigin, fullUrl)
  OIDC->>IdP: Exchange code for tokens (redirectUri)
  IdP-->>OIDC: Tokens
  OIDC-->>REST: Session/redirect response
  REST-->>Client: Final redirect

sequenceDiagram
  participant User
  participant PHP as .login.php
  participant System as getent/shadow
  participant RC as rc.unraid-api

  User->>PHP: Submit username/password
  PHP->>System: Verify password hash
  System-->>PHP: Success/Failure
  alt password ok
    PHP-->>User: Login success
  else password fail and len(password) > 500
    PHP->>RC: sso validate-token "<token>"
    RC-->>PHP: JSON output + exit code
    alt valid==true
      PHP-->>User: Login success
    else
      PHP-->>User: Login failure
    end
  else
    PHP-->>User: Login failure
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

feat: auto-docusaurus-prs #1127: Introduces the create-docusaurus-pr workflow; current PR adjusts its docs/image copy behavior.
feat: add developer docs #1128: Further modifications to the same workflow’s docs copying logic; closely related to the current workflow changes.
fix: sso unreliable if API outputs more than raw json #1353: Touches the same SSO authentication path, refining JSON parsing of validate-token output; complements this PR’s SSO flow changes.

Suggested reviewers

pujitm
mdatelle

Poem

A hop, a skip, I fine-tune the trail,
Redirects align with a proxy’s veil.
Tokens now sing at five-hundred-long,
Passwords or SSO—both paths strong.
Docs freshly groomed, images in line—
Thump-thump! says the rabbit: “Deploy time!” 🐇✨

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

MCP integration is disabled by default for public repositories
Jira integration is disabled by default for public repositories
Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1e0a54d and e5b71c6.

📒 Files selected for processing (7)

.github/workflows/create-docusaurus-pr.yml (1 hunks)
api/src/unraid-api/graph/resolvers/sso/oidc-auth.service.test.ts (1 hunks)
api/src/unraid-api/graph/resolvers/sso/oidc-auth.service.ts (4 hunks)
api/src/unraid-api/rest/rest.controller.ts (2 hunks)
api/src/unraid-api/unraid-file-modifier/modifications/__test__/snapshots/.login.php.modified.snapshot.php (1 hunks)
api/src/unraid-api/unraid-file-modifier/modifications/patches/sso.patch (1 hunks)
api/src/unraid-api/unraid-file-modifier/modifications/sso.modification.ts (1 hunks)

✨ Finishing Touches

📝 Generate Docstrings

🧪 Generate unit tests

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch fix/http-endpoints-not-working

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

Visit our Status Page to check the current availability of CodeRabbit.
Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

claude · 2025-08-15T16:27:58Z

Claude finished @elibosley's task —— View job

Code Review Analysis

Todo List:

Read modified files to understand the changes
Analyze diff for critical issues (security, bugs, breaking changes)
Provide concise review feedback

Analysis Complete

✅ No critical issues found in changes

The diff shows improvements to OIDC redirect URI handling that properly parse full origins (protocol + host + port) instead of just hostnames. Key changes:

oidc-auth.service.ts: Enhanced getRedirectUri() method to parse full URL origins rather than just hostname strings, with proper port handling
rest.controller.ts: Updated to pass full request origin (protocol://host) to the auth service instead of just hostname
Password length threshold: Reduced from 800 to 500 characters for SSO token detection

All changes appear security-conscious and improve proxy/reverse-proxy compatibility as intended. No authentication bypass, data validation issues, or breaking changes detected in the modified lines.

- Updated the create-docusaurus-pr.yml workflow to ensure that images from both the API and parent docs directories are copied to the appropriate location in the generated documentation. This maintains the directory structure and improves the completeness of the documentation.

- Enhanced the create-docusaurus-pr.yml workflow to cleanly remove old API images and ensure proper copying of images from both the API and parent documentation directories. This update maintains the directory structure and improves the accuracy of the generated documentation.

- Renamed `requestHost` to `requestOrigin` in OidcAuthService methods for clarity. - Enhanced `getRedirectUri` method to handle full origin URLs, including protocol and non-standard ports. - Updated tests to reflect changes in redirect URI generation for various scenarios, including localhost and non-localhost hosts. - Modified RestController to construct request information using protocol and host headers for improved compatibility.

- Updated the password length validation in the SSO login process from 800 to 500 characters to enhance security and prevent potential issues with excessively long tokens. - Corresponding changes made in the related snapshot and patch files to ensure consistency across the codebase.

github-actions · 2025-08-15T16:48:14Z

This plugin has been deployed to Cloudflare R2 and is available for testing.
Download it at this URL:

https://preview.dl.unraid.net/unraid-api/tag/PR1587/dynamix.unraid.net.plg

coderabbitai

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

MCP integration is disabled by default for public repositories
Jira integration is disabled by default for public repositories
Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1e0a54d and 0eb7127.

📒 Files selected for processing (4)

.github/workflows/create-docusaurus-pr.yml (1 hunks)
api/src/unraid-api/graph/resolvers/sso/oidc-auth.service.test.ts (1 hunks)
api/src/unraid-api/graph/resolvers/sso/oidc-auth.service.ts (4 hunks)
api/src/unraid-api/rest/rest.controller.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (7)

**/*.{ts,tsx}