feat(SSO): メールアドレスのnormalizeを設定可能にする (MisskeyIO#971)

2025-04-22 00:14:13 +09:00 · 2025-04-22 00:14:13 +09:00 · c94e5d7e22
commit c94e5d7e22
parent 17e14bb87e
9 changed files with 49 additions and 3 deletions
--- a/packages/backend/migration/1745247339195-SSO-wantEmailAddressNormalized.js
+++ b/packages/backend/migration/1745247339195-SSO-wantEmailAddressNormalized.js
@ -0,0 +1,11 @@
+export class SSOWantEmailAddressNormalized1745247339195 {
+    name = 'SSOWantEmailAddressNormalized1745247339195'
+
+    async up(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "sso_service_provider" ADD "wantEmailAddressNormalized" boolean NOT NULL DEFAULT true`);
+    }
+
+    async down(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "sso_service_provider" DROP COLUMN "wantEmailAddressNormalized"`);
+    }
+}
--- a/packages/backend/src/models/SingleSignOnServiceProvider.ts
+++ b/packages/backend/src/models/SingleSignOnServiceProvider.ts
@ -79,4 +79,9 @@ export class MiSingleSignOnServiceProvider {
 		default: true,
 	})
 	public wantAssertionsSigned: boolean;
+
+	@Column('boolean', {
+		default: true,
+	})
+	public wantEmailAddressNormalized: boolean;
 }
--- a/packages/backend/src/server/api/endpoints/admin/sso/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/sso/create.ts
@ -84,6 +84,10 @@ export const meta = {
 				type: 'boolean',
 				optional: false, nullable: false,
 			},
+			wantEmailAddressNormalized: {
+				type: 'boolean',
+				optional: false, nullable: false,
+			},
 		},
 	},
 } as const;
@ -101,6 +105,7 @@ export const paramDef = {
 		cipherAlgorithm: { type: 'string', nullable: true },
 		wantAuthnRequestsSigned: { type: 'boolean', nullable: false, default: false },
 		wantAssertionsSigned: { type: 'boolean', nullable: false, default: true },
+		wantEmailAddressNormalized: { type: 'boolean', nullable: false, default: true },
 		useCertificate: { type: 'boolean', nullable: false, default: true },
 		secret: { type: 'string', nullable: true },
 	},
@ -157,6 +162,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				cipherAlgorithm: ps.cipherAlgorithm ? ps.cipherAlgorithm : null,
 				wantAuthnRequestsSigned: ps.wantAuthnRequestsSigned,
 				wantAssertionsSigned: ps.wantAssertionsSigned,
+				wantEmailAddressNormalized: ps.wantEmailAddressNormalized,
 			}).then(r => this.singleSignOnServiceProviderRepository.findOneByOrFail({ id: r.identifiers[0].id }));

 			this.moderationLogService.log(me, 'createSSOServiceProvider', {
@ -178,6 +184,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				cipherAlgorithm: ssoServiceProvider.cipherAlgorithm,
 				wantAuthnRequestsSigned: ssoServiceProvider.wantAuthnRequestsSigned,
 				wantAssertionsSigned: ssoServiceProvider.wantAssertionsSigned,
+				wantEmailAddressNormalized: ssoServiceProvider.wantEmailAddressNormalized,
 			};
 		});
 	}
--- a/packages/backend/src/server/api/endpoints/admin/sso/list.ts
+++ b/packages/backend/src/server/api/endpoints/admin/sso/list.ts
@ -77,6 +77,10 @@ export const meta = {
 					type: 'boolean',
 					optional: false, nullable: false,
 				},
+				wantEmailAddressNormalized: {
+					type: 'boolean',
+					optional: false, nullable: false,
+				},
 			},
 		},
 	},
@ -116,6 +120,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				cipherAlgorithm: service.cipherAlgorithm,
 				wantAuthnRequestsSigned: service.wantAuthnRequestsSigned,
 				wantAssertionsSigned: service.wantAssertionsSigned,
+				wantEmailAddressNormalized: service.wantEmailAddressNormalized,
 			}));
 		});
 	}
--- a/packages/backend/src/server/api/endpoints/admin/sso/update.ts
+++ b/packages/backend/src/server/api/endpoints/admin/sso/update.ts
@ -37,6 +37,7 @@ export const paramDef = {
 		cipherAlgorithm: { type: 'string', nullable: true },
 		wantAuthnRequestsSigned: { type: 'boolean', nullable: false },
 		wantAssertionsSigned: { type: 'boolean', nullable: false },
+		wantEmailAddressNormalized: { type: 'boolean', nullable: false },
 		regenerateCertificate: { type: 'boolean', nullable: true },
 		secret: { type: 'string', nullable: true },
 	},
@ -92,6 +93,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				cipherAlgorithm: ps.cipherAlgorithm !== '' ? ps.cipherAlgorithm : null,
 				wantAuthnRequestsSigned: ps.wantAuthnRequestsSigned,
 				wantAssertionsSigned: ps.wantAssertionsSigned,
+				wantEmailAddressNormalized: ps.wantEmailAddressNormalized,
 			});

 			const updatedService = await this.singleSignOnServiceProviderRepository.findOneByOrFail({ id: service.id });
--- a/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
@ -180,7 +180,9 @@ export class JWTIdentifyProviderService {
 				preferred_username: user.username,
 				profile: `${this.config.url}/@${user.username}`,
 				picture: user.avatarUrl ?? undefined,
-				email: profile.emailVerified ? normalizeEmailAddress(profile.email) : `${user.username}@${this.config.hostname}`,
+				email: profile.emailVerified
+					? (ssoServiceProvider.wantEmailAddressNormalized ? normalizeEmailAddress(profile.email) : profile.email)
+					: `${user.username}@users.${this.config.hostname}`,
 				email_verified: profile.emailVerified,
 				mfa_enabled: profile.twoFactorEnabled,
 				updated_at: Math.floor((user.updatedAt?.getTime() ?? user.createdAt.getTime()) / 1000),
--- a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
@ -444,7 +444,9 @@ export class SAMLIdentifyProviderService {
 									'saml:Subject': {
 										'saml:NameID': {
 											'@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
-											'#text': profile.emailVerified ? normalizeEmailAddress(profile.email) : `${user.username}@${this.config.hostname}`,
+											'#text': profile.emailVerified
+												? (ssoServiceProvider.wantEmailAddressNormalized ? normalizeEmailAddress(profile.email) : profile.email)
+												: `${user.username}@users.${this.config.hostname}`,
 										},
 										'saml:SubjectConfirmation': {
 											'@Method': 'urn:oasis:names:tc:SAML:2.0:cm:bearer',
@ -569,7 +571,9 @@ export class SAMLIdentifyProviderService {
 												'@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
 												'saml:AttributeValue': {
 													'@xsi:type': 'xs:string',
-													'#text': profile.emailVerified ? normalizeEmailAddress(profile.email) : `${user.username}@${this.config.hostname}`,
+													'#text': profile.emailVerified
+														? (ssoServiceProvider.wantEmailAddressNormalized ? normalizeEmailAddress(profile.email) : profile.email)
+														: `${user.username}@users.${this.config.hostname}`,
 												},
 											},
 											{