Logout API / SSO Enhancements

.gitignore

@@ -16,6 +16,9 @@
 # Mono auto generated files
 mono_crash.*
 
+# App JSON file
+app.json
+
 # Build results
 [Dd]ebug/
 [Dd]ebugPublic/
@@ -360,10 +363,8 @@ upload-api/extracted_files*
 *copy*
 .qodo
 .vscode
-app.json
 # Snyk Security Extension - AI Rules (auto-generated)
 .cursor/rules/snyk_rules.mdc
 *extracted_files*
 *MigrationData*
 *.zip
-app.json

.talismanrc

@@ -158,4 +158,35 @@ fileignoreconfig:
     checksum: f3bd8c6e981ed0acf26432859b2b7e388c0d90018513005cfc674726f14fe245
   - filename: ui/src/components/SchemaModal/index.tsx
     checksum: 607a465c9cd4a504b9a81750a3f9faa0f4e11c09414354d69ec7308c11f0046a
+
+fileignoreconfig:
+- filename: api/sso.utils.js
+  checksum: 5d589c128c4b38f8aacd70e5d02ddd7fa8e93ff7897ca69a1258378139d1d616
+version: "1.0"
+
+fileignoreconfig:
+- filename: api/package-lock.json
+  checksum: 4d2fd1905b5933e1d2c4d178e1536422d4aac84caa9640149eab0432a75b712d
+- filename: api/src/services/migration.service.ts
+  checksum: 1fdf5423840e170709c7c677c3a6a7c6ae61f373948c2ef295aa645a859c1af5
+- filename: api/src/services/contentMapper.service.ts
+  checksum: 03d5dcc31b38fd435f6a4389d6891c7fc1ba27b32dc2b382b91173d84f4565f7
+- filename: api/src/services/globalField.service.ts
+  checksum: b808815c7372f68fe9a5904d23be50cb0ec066592328ec1721dc3c395cbe3a2c
+- filename: api/src/services/taxonomy.service.ts
+  checksum: 840ab11838ebf08df44ada0a3674dad8cc124bc8bcbc5dfd1d9c585a34e4aeda
+- filename: api/src/services/org.service.ts
+  checksum: 0a50297164d7845d889fc78097164c4794a3f9cd7314c06365c8426a2a6ee52a
+- filename: ui/src/pages/Login/index.tsx
+  checksum: 7f7c008586db60f1cc8df625b88bfdc5c3bb861c21e40a55fc763f0ac4a6a8d2
+version: "1.0"
+
+fileignoreconfig:
+- filename: api/src/services/contentMapper.service.ts
+  checksum: 924b124214a93a7bec4c471304f5b270d5e735d506644180273b7118f3d37dd2
+version: "1.0"
+
+fileignoreconfig:
+- filename: ui/src/pages/Login/index.tsx
+  checksum: 213c6441dc87d82ce6b97679d457ae56c6e40ef13a89bddd4f21afcf566b5576
 version: "1.0"

api/encrypt-manifest.js

@@ -0,0 +1,68 @@
+#!/usr/bin/env node
+
+/**
+ * One-time script to encrypt sensitive fields in manifest.json.
+ *
+ * Usage:
+ *   MANIFEST_ENCRYPT_KEY=<your-secret-key> node encrypt-manifest.js
+ *
+ * This will overwrite manifest.json with encrypted uid, client_id, and client_secret.
+ * Run once, then commit the encrypted manifest.json.
+ */
+
+const crypto = require("crypto");
+const fs = require("fs");
+const path = require("path");
+
+const ALGORITHM = "aes-256-gcm";
+const ENC_PREFIX = "enc:";
+const ENCRYPT_KEY = process.env.MANIFEST_ENCRYPT_KEY;
+const ENCRYPT_SALT = process.env.MANIFEST_ENCRYPT_SALT;
+
+if (!ENCRYPT_KEY || !ENCRYPT_SALT) {
+  console.error("Error: MANIFEST_ENCRYPT_KEY and MANIFEST_ENCRYPT_SALT environment variables are required.");
+  console.error("Usage: MANIFEST_ENCRYPT_KEY=<key> MANIFEST_ENCRYPT_SALT=<salt> node encrypt-manifest.js");
+  process.exit(1);
+}
+
+function encrypt(plaintext) {
+  const key = crypto.scryptSync(ENCRYPT_KEY, ENCRYPT_SALT, 32);
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  let encrypted = cipher.update(plaintext, "utf8", "hex");
+  encrypted += cipher.final("hex");
+  const authTag = cipher.getAuthTag().toString("hex");
+  return `${ENC_PREFIX}${iv.toString("hex")}:${authTag}:${encrypted}`;
+}
+
+const manifestPath = path.join(__dirname, "manifest.json");
+const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
+
+let changed = false;
+
+if (manifest.uid && !manifest.uid.startsWith(ENC_PREFIX)) {
+  console.log(`Encrypting uid: ${manifest.uid.substring(0, 8)}...`);
+  manifest.uid = encrypt(manifest.uid);
+  changed = true;
+}
+
+if (manifest.oauth?.client_id && !manifest.oauth.client_id.startsWith(ENC_PREFIX)) {
+  console.log(`Encrypting oauth.client_id: ${manifest.oauth.client_id.substring(0, 8)}...`);
+  manifest.oauth.client_id = encrypt(manifest.oauth.client_id);
+  changed = true;
+}
+
+if (manifest.oauth?.client_secret && !manifest.oauth.client_secret.startsWith(ENC_PREFIX)) {
+  console.log(`Encrypting oauth.client_secret: ${manifest.oauth.client_secret.substring(0, 8)}...`);
+  manifest.oauth.client_secret = encrypt(manifest.oauth.client_secret);
+  changed = true;
+}
+
+if (!changed) {
+  console.log("All sensitive fields are already encrypted. Nothing to do.");
+  process.exit(0);
+}
+
+fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 4) + "\n");
+console.log("\nmanifest.json updated with encrypted values.");
+console.log("Make sure to store MANIFEST_ENCRYPT_KEY securely (e.g. in your .env file).");

api/manifest.json

@@ -0,0 +1,165 @@
+{
+    "uid": "enc:2328a77c3fccc2ea40ea89fa:6aa942508755fb0c12dfcf45fcd49ea7:187574417cb98ec8a40dddef7b210212a812e4f1e3adb0ce",
+    "name": "Migration Tool",
+    "description": "",
+    "target_type": "organization",
+    "visibility": "private",
+    "version": 2,
+    "icon": "",
+    "oauth": {
+        "client_id": "enc:3daed09564545513282e14fc:d624fbb2a4291cd3cd7a8a0a190de76b:08f0867848f185185a8bb1aae11d52df",
+        "client_secret": "enc:7e2ee2214ebb800a125beee0:a549969a5320938b45c0b2c8e41beac2:5917736a65336616dabbed509740309f336f4b580b4848f7e31b215d712cba7a",
+        "redirect_uri": "http://localhost:5001/v2/auth/save-token",
+        "user_token_config": {
+            "enabled": true,
+            "scopes": [
+                "app.manifests:read",
+                "app.manifest:read",
+                "app.manifest:write",
+                "app.hosting:read",
+                "app.hosting:write",
+                "app.installations:read",
+                "app.installations.management:read",
+                "app.installations.management:write",
+                "app.authorizations:manage",
+                "app.authorizations.management:write",
+                "app.requests:write",
+                "app.requests.management:write",
+                "scim:manage",
+                "user.profile:read",
+                "user:read",
+                "user:write",
+                "user.tfa:write",
+                "user.assignments:read",
+                "user.assignments:write",
+                "user.notifications:read",
+                "user.notifications:write",
+                "organizations:read",
+                "organization:read",
+                "organization.roles:read",
+                "organization.share:read",
+                "organization.share:write",
+                "organization.ownership:write",
+                "organization.settings:write",
+                "organization.logs:read",
+                "organization.usage:read",
+                "organization.jobs:read",
+                "organization.jobs:write",
+                "cm.stacks.management:read",
+                "cm.stacks.management:write",
+                "cm.stack.management:read",
+                "cm.stack.management:write",
+                "cm.stack.settings:read",
+                "cm.stack.settings:write",
+                "cm.stack:share",
+                "cm.stack:unshare",
+                "cm.stack.users:read",
+                "cm.stack.users:write",
+                "cm.stack.delivery-tokens:read",
+                "cm.stack.delivery-tokens:write",
+                "cm.stack.management-tokens:read",
+                "cm.stack.management-tokens:write",
+                "cm.content-types.management:read",
+                "cm.content-types.management:write",
+                "cm.content-types:import",
+                "cm.content-types:export",
+                "cm.content-type:read",
+                "cm.content-type:write",
+                "cm.content-type:copy",
+                "cm.global-fields.management:read",
+                "cm.global-fields.management:write",
+                "cm.global-fields:import",
+                "cm.global-fields:export",
+                "cm.entries.management:read",
+                "cm.entries.management:write",
+                "cm.entries:import",
+                "cm.entries:export",
+                "cm.entry:read",
+                "cm.entry:write",
+                "cm.entry:publish",
+                "cm.entry:unpublish",
+                "cm.entry.workflow:write",
+                "cm.webhooks.management:read",
+                "cm.webhooks.management:write",
+                "cm.webhooks:import",
+                "cm.webhooks:export",
+                "cm.webhook:read",
+                "cm.webhook:write",
+                "cm.assets.management:read",
+                "cm.assets.management:write",
+                "cm.assets.rt:read",
+                "cm.assets.rt:write",
+                "cm.assets:download",
+                "cm.asset:read",
+                "cm.asset:write",
+                "cm.asset:publish",
+                "cm.asset:unpublish",
+                "cm.workflows.management:read",
+                "cm.workflows.management:write",
+                "cm.workflows.publishing-rules:read",
+                "cm.workflows.publishing-rules:write",
+                "cm.environments.management:read",
+                "cm.environments.management:write",
+                "cm.extensions.management:read",
+                "cm.extensions.management:write",
+                "cm.languages.management:read",
+                "cm.languages.management:write",
+                "cm.labels.management:read",
+                "cm.labels.management:write",
+                "cm.bulk-operations:publish",
+                "cm.bulk-operations:unpublish",
+                "cm.bulk-operations:add-to-release",
+                "cm.bulk-operations:delete",
+                "cm.bulk-operations:move-to-folder",
+                "cm.bulk-operations:workflow",
+                "cm.releases.management:read",
+                "cm.releases.management:write",
+                "cm.release:read",
+                "cm.release:write",
+                "cm.release:clone",
+                "cm.release:deploy",
+                "cm.roles.management:read",
+                "cm.roles.management:write",
+                "cm.audit-logs:read",
+                "personalize:read",
+                "personalize:manage",
+                "cm.publish-queue.management:read",
+                "cm.publish-queue.management:write",
+                "cm.taxonomies.management:read",
+                "cm.taxonomies.management:write",
+                "cm.taxonomy.terms:read",
+                "cm.taxonomy.terms:write",
+                "cm.branches.management:read",
+                "cm.branches.management:write",
+                "cm.branches:compare-merge",
+                "cm.branch-aliases.management:read",
+                "cm.branch-aliases.management:write",
+                "launch:manage",
+                "launch.gitproviders:manage",
+                "automationhub.projects.management:read",
+                "automationhub.projects.management:write",
+                "automationhub.automations:read",
+                "automationhub.automations:write",
+                "automationhub.executions:read",
+                "automationhub.audit-logs:read",
+                "automationhub.variables:read",
+                "automationhub.variables:write",
+                "automationhub.accounts:read",
+                "brand-kits:read",
+                "brand-kits:manage",
+                "cm.variant:read",
+                "cm.variant:write",
+                "analytics:read",
+                "auditlogs:read",
+                "teams:read",
+                "teams:write"
+            ],
+            "allow_pkce": true
+        },
+        "app_token_config": {
+            "enabled": false,
+            "scopes": []
+        }
+    },
+    "group": "user"
+}