Phase 4c: Reject non-sso logins for sso-enforced domains

Author: GregorShear

supabase/config.toml

@@ -45,6 +45,10 @@ jwt_expiry = 604800
 # Allow/disallow new user signups to your project.
 enable_signup = true
 
+[auth.hook.custom_access_token]
+enabled = true
+uri = "pg-functions://postgres/public/check_sso_requirement"
+
 [auth.email]
 # Allow/disallow new user signups via email to your project.
 enable_signup = true

supabase/migrations/20260320120000_check_sso_requirement_hook.sql

@@ -0,0 +1,84 @@
+-- Access token hook that blocks social login for users whose email domain
+-- matches an SSO-enforcing tenant's configured domain.
+--
+-- When enforce_sso is true and the user's email domain appears in
+-- auth.sso_domains for that tenant's provider, the hook refuses to mint
+-- a token — returning an error that tells the frontend to redirect to SSO.
+--
+-- Users whose email domain does NOT match (e.g. contractors, partners)
+-- are not blocked here; their grants on enforcing tenants are filtered
+-- out in user_roles() / the GraphQL snapshot instead.
+
+begin;
+
+-- Add enforce_sso column to tenants. When true, SSO is required for
+-- users whose email domain matches the tenant's SSO provider domains.
+alter table public.tenants
+  add column if not exists enforce_sso boolean not null default false;
+
+comment on column public.tenants.enforce_sso is
+  'When true, users whose email domain matches this tenant''s SSO provider '
+  'domains must authenticate via SSO. Social login is blocked for these users.';
+
+create or replace function public.check_sso_requirement(event jsonb)
+returns jsonb
+language plpgsql
+stable
+security definer
+set search_path to ''
+as $$
+declare
+  target_user_id uuid;
+  user_email     text;
+  user_domain    text;
+  user_is_sso    boolean;
+begin
+  target_user_id = (event->>'user_id')::uuid;
+
+  select u.email, u.is_sso_user
+    into user_email, user_is_sso
+    from auth.users u
+    where u.id = target_user_id;
+
+  -- SSO users pass through unconditionally.
+  if user_is_sso then
+    return event;
+  end if;
+
+  user_domain = split_part(user_email, '@', 2);
+
+  -- Check whether this user's email domain matches an SSO-enforcing tenant.
+  -- If so, block token issuance — the user should be logging in via SSO.
+  if exists (
+    select 1
+      from auth.sso_domains sd
+      join public.tenants t on t.sso_provider_id = sd.sso_provider_id
+      where t.enforce_sso = true
+        and sd.domain = user_domain
+  ) then
+    return jsonb_build_object(
+      'error', jsonb_build_object(
+        'http_code', 403,
+        'message', 'sso_required:' || user_domain
+      )
+    );
+  end if;
+
+  return event;
+end;
+$$;
+
+-- The hook is invoked by GoTrue as the supabase_auth_admin role.
+grant usage on schema public to supabase_auth_admin;
+grant execute on function public.check_sso_requirement(jsonb) to supabase_auth_admin;
+
+-- The function reads from these tables.
+grant select on public.tenants to supabase_auth_admin;
+grant select on auth.users to supabase_auth_admin;
+grant select on auth.sso_domains to supabase_auth_admin;
+
+-- Anon and authenticated roles have execute privileges by default - revoke them.
+-- check_sso_requirement is exclusively for supabase_auth_admin.
+revoke execute on function public.check_sso_requirement(jsonb) from authenticated, anon;
+
+commit;

supabase/tests/sso_access_token_hook.test.sql

@@ -0,0 +1,150 @@
+-- Tests for check_sso_requirement hook that blocks social login
+-- when the user's email domain matches an SSO-enforcing tenant.
+create function tests.test_sso_access_token_hook()
+returns setof text as $$
+declare
+  provider_acme uuid = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
+  provider_widgetly uuid = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb';
+  alice_id uuid = '11111111-1111-1111-1111-111111111111';
+  bob_id uuid = '22222222-2222-2222-2222-222222222222';
+  carol_id uuid = '33333333-3333-3333-3333-333333333333';
+  result jsonb;
+  base_event jsonb;
+begin
+  -- Setup: test users.
+  insert into auth.users (id, email) values
+    (alice_id, 'alice@acme.com'),
+    (bob_id, 'bob@gmail.com'),
+    (carol_id, 'carol@widgetly.io')
+  on conflict (id) do update set email = excluded.email;
+
+  -- Setup: SSO providers and domains.
+  insert into auth.sso_providers (id) values (provider_acme), (provider_widgetly)
+    on conflict do nothing;
+  insert into auth.sso_domains (id, sso_provider_id, domain) values
+    (gen_random_uuid(), provider_acme, 'acme.com'),
+    (gen_random_uuid(), provider_widgetly, 'widgetly.io')
+    on conflict do nothing;
+
+  -- Tenants: acmeCo and widgetlyCo enforce SSO, openCo does not.
+  insert into tenants (tenant, sso_provider_id, enforce_sso) values
+    ('acmeCo/', provider_acme, true),
+    ('widgetlyCo/', provider_widgetly, true),
+    ('openCo/', null, false)
+  on conflict (tenant) do update set
+    sso_provider_id = excluded.sso_provider_id,
+    enforce_sso = excluded.enforce_sso;
+
+  -- Ensure all test users start as non-SSO.
+  update auth.users set is_sso_user = false where id in (alice_id, bob_id, carol_id);
+
+  -- =========================================================
+  -- Case 1: Social user with matching domain → blocked
+  -- =========================================================
+  base_event = jsonb_build_object(
+    'user_id', alice_id,
+    'claims', jsonb_build_object('sub', alice_id)
+  );
+
+  select public.check_sso_requirement(base_event) into result;
+
+  return next is(
+    result->'error'->>'http_code', '403',
+    'Social user with matching domain gets 403'
+  );
+  return next is(
+    result->'error'->>'message', 'sso_required:acme.com',
+    'Error message includes domain'
+  );
+
+  -- =========================================================
+  -- Case 2: Social user on a different SSO domain → blocked with that domain
+  -- =========================================================
+  base_event = jsonb_build_object(
+    'user_id', carol_id,
+    'claims', jsonb_build_object('sub', carol_id)
+  );
+
+  select public.check_sso_requirement(base_event) into result;
+
+  return next is(
+    result->'error'->>'message', 'sso_required:widgetly.io',
+    'Error message includes the users own domain, not a hardcoded one'
+  );
+
+  -- =========================================================
+  -- Case 3: Social user with non-matching domain → allowed
+  -- =========================================================
+  base_event = jsonb_build_object(
+    'user_id', bob_id,
+    'claims', jsonb_build_object('sub', bob_id)
+  );
+
+  select public.check_sso_requirement(base_event) into result;
+
+  return next ok(
+    result->'error' is null,
+    'Social user with non-matching domain is not blocked'
+  );
+  return next is(
+    result->'claims'->>'sub', bob_id::text,
+    'Non-matching domain user gets claims passed through'
+  );
+
+  -- =========================================================
+  -- Case 4: SSO user with matching domain → allowed (token refresh)
+  -- =========================================================
+  update auth.users set is_sso_user = true where id = alice_id;
+
+  base_event = jsonb_build_object(
+    'user_id', alice_id,
+    'claims', jsonb_build_object('sub', alice_id)
+  );
+
+  select public.check_sso_requirement(base_event) into result;
+
+  return next ok(
+    result->'error' is null,
+    'SSO user with matching domain is not blocked'
+  );
+
+  -- =========================================================
+  -- Case 5: enforce_sso = false → not blocked even with matching domain
+  -- =========================================================
+  update auth.users set is_sso_user = false where id = alice_id;
+  update tenants set enforce_sso = false where tenant = 'acmeCo/';
+
+  base_event = jsonb_build_object(
+    'user_id', alice_id,
+    'claims', jsonb_build_object('sub', alice_id)
+  );
+
+  select public.check_sso_requirement(base_event) into result;
+
+  return next ok(
+    result->'error' is null,
+    'Social user with matching domain allowed when enforce_sso is false'
+  );
+
+  -- Restore for remaining tests.
+  update tenants set enforce_sso = true where tenant = 'acmeCo/';
+
+  -- =========================================================
+  -- Case 6: Malformed user_id propagates as an exception (does not silently pass through)
+  -- =========================================================
+  -- 'not-a-uuid' triggers an invalid_text_representation error on the
+  -- ::uuid cast. With no exception handler, this should raise to the caller.
+  begin
+    select public.check_sso_requirement(jsonb_build_object(
+      'user_id', 'not-a-uuid',
+      'claims', jsonb_build_object('sub', 'bogus')
+    )) into result;
+
+    return next ok(false, 'Malformed event should have raised an exception');
+  exception when others then
+    return next ok(true, 'Malformed event raises an exception (does not silently pass through)');
+  end;
+
+  return;
+end
+$$ language plpgsql;