feat: add GitLab connector (#6529)

Author: devtekve

.changeset/fast-adults-dream.md

@@ -0,0 +1,18 @@
+---
+"@logto/connector-gitlab": major
+---
+
+add GitLab social connector leveraging OAuth2
+
+### Major Changes
+
+- Initial release of the GitLab connector.
+
+  This release introduces the Logto connector for GitLab, enabling social sign-in using GitLab accounts. It supports OAuth 2.0 authentication flow, fetching user information, and handling errors gracefully.
+
+### Features
+
+- **OAuth 2.0 Authentication**: Support for OAuth 2.0 authentication flow with GitLab.
+- **User Information Retrieval**: Fetches user details such as full name, email, profile URL, and avatar.
+- **Error Handling**: Graceful handling of OAuth errors, including token exchange failures and user-denied permissions.
+- **Configurable Scope**: Allows customization of OAuth scopes to access different levels of user information.

packages/connectors/connector-gitlab/README.md

@@ -0,0 +1,62 @@
+# GitLab Connector
+
+The official Logto connector for GitLab social sign-in, based on the Hugging Face connector by Silverhand Inc.
+
+**Table of contents**
+
+- [GitLab connector](#gitlab-connector)
+  - [Get started](#get-started)
+  - [Sign in with GitLab account](#sign-in-with-gitlab-account)
+  - [Create and configure OAuth app](#create-and-configure-oauth-app)
+  - [Managing OAuth apps](#managing-oauth-apps)
+  - [Configure your connector](#configure-your-connector)
+    - [Config types](#config-types)
+  - [Test GitLab connector](#test-gitlab-connector)
+  - [Reference](#reference)
+
+## Get started
+
+The GitLab connector enables end-users to sign in to your application using their own GitLab accounts via the GitLab OAuth 2.0 authentication protocol.
+
+## Sign in with GitLab account
+
+Go to the [GitLab website](https://gitlab.com/) and sign in with your GitLab account. You may register a new account if you don't have one.
+
+## Create and configure OAuth app
+
+Follow the [creating a GitLab OAuth App](https://docs.gitlab.com/ee/integration/oauth_provider.html) guide, and register a new application.
+
+Name your new OAuth application in **Name** and fill up **Redirect URI** of the app. Customize the **Redirect URIs** as `${your_logto_origin}/callback/${connector_id}`. The `connector_id` can be found on the top bar of the Logto Admin Console connector details page.
+
+On scopes, select `openid`. You also may want to enable `profile`, and `email`. `profile` scope is required to get the user's profile information, and `email` scope is required to get the user's email address. Ensure you have allowed these scopes in your GitLab OAuth app if you want to use them.
+
+> Notes: 
+> * If you use custom domains, add both the custom domain and the default Logto domain to the Redirect URIs to ensure the OAuth flow works correctly with both domains. 
+> * If you encounter the error message "The redirect_uri MUST match the registered callback URL for this application." when logging in, try aligning the Redirect URI of your GitLab OAuth App and your Logto App's redirect URL (including the protocol) to resolve the issue.
+
+## Managing OAuth apps
+
+Go to the [Applications page](https://gitlab.com/-/profile/applications) on GitLab, where you can add, edit, or delete existing OAuth apps. You can also find the `Application ID` and generate `Secret` in the OAuth app detail pages.
+
+## Configure your connector
+
+Fill out the `clientId` and `clientSecret` field with the _Application ID_ and _Secret_ you've got from the OAuth app detail pages mentioned in the previous section.
+
+`scope` is a space-delimited list of [scopes](https://docs.gitlab.com/ee/integration/oauth_provider.html#authorized-applications). If not provided, scope defaults to be `openid`. For GitLab connector, the scope you may want to use are `openid`, `profile` and `email`. `profile` scope is required to get the user's profile information, and `email` scope is required to get the user's email address. Ensure you have allowed these scopes in your GitLab OAuth app (configured in [Create an OAuth app in the Hugging Face](#create-and-configure-oauth-app) section).
+
+### Config types
+
+| Name         | Type   |
+|--------------|--------|
+| clientId     | string |
+| clientSecret | string |
+| scope        | string |
+
+## Test GitLab connector
+
+That's it. The GitLab connector should be available now. Don't forget to [Enable connector in sign-in experience](https://docs.logto.io/docs/recipes/configure-connectors/social-connector/enable-social-sign-in/).
+
+## Reference
+
+- [GitLab - API Documentation](https://docs.gitlab.com/ee/api/)
+- [GitLab - OAuth Applications](https://docs.gitlab.com/ee/integration/oauth_provider.html)

packages/connectors/connector-gitlab/logo.svg

@@ -0,0 +1,72 @@
+{
+  "name": "@logto/connector-gitlab",
+  "version": "0.0.1",
+  "description": "GitLab social connector implementation.",
+  "dependencies": {
+    "@logto/connector-kit": "workspace:^4.0.0",
+    "@logto/connector-oauth": "workspace:^1.4.0",
+    "@logto/shared": "workspace:^3.1.1",
+    "@silverhand/essentials": "^2.9.1",
+    "jose": "^5.6.3",
+    "ky": "^1.2.3",
+    "nanoid": "^5.0.1",
+    "snakecase-keys": "^8.0.1",
+    "zod": "^3.23.8"
+  },
+  "main": "./lib/index.js",
+  "module": "./lib/index.js",
+  "exports": "./lib/index.js",
+  "license": "MPL-2.0",
+  "type": "module",
+  "files": [
+    "lib",
+    "docs",
+    "logo.svg",
+    "logo-dark.svg"
+  ],
+  "scripts": {
+    "precommit": "lint-staged",
+    "check": "tsc --noEmit",
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "lint": "eslint --ext .ts src",
+    "lint:report": "pnpm lint --format json --output-file report.json",
+    "test": "vitest src",
+    "test:ci": "pnpm run test --silent --coverage",
+    "prepublishOnly": "pnpm build"
+  },
+  "engines": {
+    "node": "^20.9.0"
+  },
+  "eslintConfig": {
+    "extends": "@silverhand",
+    "settings": {
+      "import/core-modules": [
+        "@silverhand/essentials",
+        "got",
+        "nock",
+        "snakecase-keys",
+        "zod"
+      ]
+    }
+  },
+  "prettier": "@silverhand/eslint-config/.prettierrc",
+  "publishConfig": {
+    "access": "public"
+  },
+  "devDependencies": {
+    "@silverhand/eslint-config": "6.0.1",
+    "@silverhand/ts-config": "6.0.0",
+    "@types/node": "^20.11.20",
+    "@types/supertest": "^6.0.2",
+    "@vitest/coverage-v8": "^2.0.0",
+    "eslint": "^8.56.0",
+    "lint-staged": "^15.0.2",
+    "nock": "14.0.0-beta.9",
+    "prettier": "^3.0.0",
+    "supertest": "^7.0.0",
+    "tsup": "^8.1.0",
+    "typescript": "^5.5.3",
+    "vitest": "^2.0.0"
+  }
+}

packages/connectors/connector-gitlab/package.json

@@ -0,0 +1,36 @@
+import type { ConnectorMetadata } from '@logto/connector-kit';
+import { ConnectorPlatform } from '@logto/connector-kit';
+import { clientSecretFormItem, clientIdFormItem, scopeFormItem } from '@logto/connector-oauth';
+
+export const jwksUri = 'https://gitlab.com/oauth/discovery/keys';
+export const authorizationEndpoint = 'https://gitlab.com/oauth/authorize';
+export const userInfoEndpoint = 'https://gitlab.com/oauth/userinfo';
+export const tokenEndpoint = 'https://gitlab.com/oauth/token';
+export const mandatoryScope = 'openid'; // Always required
+export const defaultScopes = [mandatoryScope];
+
+export const defaultMetadata: ConnectorMetadata = {
+  id: 'gitlab-universal',
+  target: 'gitlab',
+  platform: ConnectorPlatform.Universal,
+  name: {
+    en: 'GitLab',
+  },
+  logo: './logo.svg',
+  logoDark: null,
+  description: {
+    en: 'GitLab is an online community for software development and version control.',
+  },
+  readme: './README.md',
+  formItems: [
+    clientIdFormItem,
+    clientSecretFormItem,
+    {
+      ...scopeFormItem,
+      description:
+        "`openid` is required to allow OIDC and it's always added to the scopes if not present, `profile` is required to get user's profile information and `email` is required to get user's email address. These scopes can be used individually or in combination; if no scopes are specified, `openid` will be used by default.",
+    },
+  ],
+};
+
+export const defaultTimeout = 5000;

packages/connectors/connector-gitlab/src/constant.ts

@@ -0,0 +1,187 @@
+import nock from 'nock';
+
+import { ConnectorError, ConnectorErrorCodes, type SocialUserInfo } from '@logto/connector-kit';
+
+import { authorizationEndpoint, tokenEndpoint, userInfoEndpoint } from './constant.js';
+import createConnector from './index.js';
+
+const getConfig = vi.fn().mockResolvedValue({
+  clientId: '<client-id>',
+  clientSecret: '<client-secret>',
+  scope: 'profile email',
+});
+
+const getSessionMock = vi.fn().mockResolvedValue({ redirectUri: 'http://localhost:3000/callback' });
+
+describe('GitLab connector', () => {
+  beforeEach(() => {
+    nock(tokenEndpoint).post('').reply(200, {
+      access_token: 'access_token',
+      scope: 'scope',
+      token_type: 'token_type',
+    });
+  });
+
+  afterEach(() => {
+    nock.cleanAll();
+    vi.clearAllMocks();
+  });
+
+  it('should get a valid uri by redirectUri and state', async () => {
+    const connector = await createConnector({ getConfig });
+    const authorizationUri = await connector.getAuthorizationUri(
+      {
+        state: 'some_state',
+        redirectUri: 'http://localhost:3000/callback',
+        connectorId: 'some_connector_id',
+        connectorFactoryId: 'some_connector_factory_id',
+        jti: 'some_jti',
+        headers: {},
+      },
+      vi.fn()
+    );
+
+    expect(authorizationUri).toEqual(
+      `${authorizationEndpoint}?${new URLSearchParams({
+        response_type: 'code',
+        client_id: '<client-id>',
+        scope: 'profile email openid', // We add openid to the scopes if not present always
+        redirect_uri: 'http://localhost:3000/callback',
+        state: 'some_state',
+      }).toString()}`
+    );
+  });
+
+  it('should get valid SocialUserInfo', async () => {
+    nock(userInfoEndpoint)
+      .get('')
+      .reply(200, {
+        sub: '1234567',
+        sub_legacy: 'abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890',
+        name: 'John Doe',
+        nickname: 'john.doe',
+        preferred_username: 'john.doe',
+        email: 'john.doe@example.com',
+        email_verified: true,
+        profile: 'https://gitlab.com/john.doe',
+        picture: 'https://gitlab.com/uploads/-/system/user/avatar/1234567/avatar.png',
+        groups: ['group1', 'group2', 'group3'],
+      });
+
+    const connector = await createConnector({ getConfig });
+    const socialUserInfo = await connector.getUserInfo({ code: 'code' }, getSessionMock);
+    const expectedSocialUserInfo: SocialUserInfo = {
+      id: '1234567',
+      avatar: 'https://gitlab.com/uploads/-/system/user/avatar/1234567/avatar.png',
+      name: 'John Doe',
+      email: 'john.doe@example.com',
+      rawData: {
+        sub: '1234567',
+        sub_legacy: 'abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890',
+        name: 'John Doe',
+        nickname: 'john.doe',
+        preferred_username: 'john.doe',
+        email: 'john.doe@example.com',
+        email_verified: true,
+        profile: 'https://gitlab.com/john.doe',
+        picture: 'https://gitlab.com/uploads/-/system/user/avatar/1234567/avatar.png',
+        groups: ['group1', 'group2', 'group3'],
+      },
+    };
+
+    expect(socialUserInfo).toStrictEqual(expectedSocialUserInfo);
+  });
+
+  it('should not return email when email_verified is false on SocialUserInfo', async () => {
+    nock(userInfoEndpoint)
+      .get('')
+      .reply(200, {
+        sub: '1234567',
+        sub_legacy: 'abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890',
+        name: 'John Doe',
+        nickname: 'john.doe',
+        preferred_username: 'john.doe',
+        email: 'john.doe@example.com',
+        email_verified: false,
+        profile: 'https://gitlab.com/john.doe',
+        picture: 'https://gitlab.com/uploads/-/system/user/avatar/1234567/avatar.png',
+        groups: ['group1', 'group2', 'group3'],
+      });
+
+    const connector = await createConnector({ getConfig });
+    const socialUserInfo = await connector.getUserInfo({ code: 'code' }, getSessionMock);
+    const expectedSocialUserInfo: SocialUserInfo = {
+      id: '1234567',
+      avatar: 'https://gitlab.com/uploads/-/system/user/avatar/1234567/avatar.png',
+      name: 'John Doe',
+      rawData: {
+        sub: '1234567',
+        sub_legacy: 'abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890',
+        name: 'John Doe',
+        nickname: 'john.doe',
+        preferred_username: 'john.doe',
+        email: 'john.doe@example.com',
+        email_verified: false,
+        profile: 'https://gitlab.com/john.doe',
+        picture: 'https://gitlab.com/uploads/-/system/user/avatar/1234567/avatar.png',
+        groups: ['group1', 'group2', 'group3'],
+      },
+    };
+
+    expect(socialUserInfo).toStrictEqual(expectedSocialUserInfo);
+  });
+
+  it('throws AuthorizationFailed error if authentication failed', async () => {
+    const connector = await createConnector({ getConfig });
+    await expect(
+      connector.getUserInfo({ error: 'some error' }, getSessionMock)
+    ).rejects.toStrictEqual(
+      new ConnectorError(ConnectorErrorCodes.AuthorizationFailed, { error: 'some error' })
+    );
+  });
+
+  it('throws InvalidResponse error if token response is invalid', async () => {
+    // Clear token response mock
+    nock.cleanAll();
+
+    nock(tokenEndpoint).post('').reply(200, {
+      invalid_field: true,
+    });
+
+    const connector = await createConnector({ getConfig });
+    await expect(connector.getUserInfo({ code: 'code' }, getSessionMock)).rejects.toSatisfy(
+      (connectorError) =>
+        (connectorError as ConnectorError).code === ConnectorErrorCodes.InvalidResponse
+    );
+  });
+
+  it('throws InvalidResponse error if userinfo response is invalid', async () => {
+    nock(userInfoEndpoint).get('').reply(200, {
+      id: 'id',
+    });
+
+    const connector = await createConnector({ getConfig });
+    await expect(connector.getUserInfo({ code: 'code' }, getSessionMock)).rejects.toSatisfy(
+      (connectorError) =>
+        (connectorError as ConnectorError).code === ConnectorErrorCodes.InvalidResponse
+    );
+  });
+
+  it('throws SocialAccessTokenInvalid error if user info responded with 401', async () => {
+    nock(userInfoEndpoint).get('').reply(401);
+
+    const connector = await createConnector({ getConfig });
+    await expect(connector.getUserInfo({ code: 'code' }, getSessionMock)).rejects.toStrictEqual(
+      new ConnectorError(ConnectorErrorCodes.SocialAccessTokenInvalid)
+    );
+  });
+
+  it('throws General error if user info responded with a non-401 error', async () => {
+    nock(userInfoEndpoint).get('').reply(422);
+
+    const connector = await createConnector({ getConfig });
+    await expect(connector.getUserInfo({ code: 'code' }, getSessionMock)).rejects.toStrictEqual(
+      new ConnectorError(ConnectorErrorCodes.General)
+    );
+  });
+});