diff --git a/app/Http/Controllers/DashboardController.php b/app/Http/Controllers/DashboardController.php index 2d060d9..1c95544 100644 --- a/app/Http/Controllers/DashboardController.php +++ b/app/Http/Controllers/DashboardController.php @@ -49,10 +49,18 @@ public function launchSSO($id) session(['sso_target_url' => $app->url]); try { - // Redirect to Microsoft OAuth authorize page with login_hint and custom callback + // Determine domain hint based on user's email domain to skip account type prompt + $domainHint = (str_ends_with($user->email, '.onmicrosoft.com') || (str_contains($user->email, '@') && !str_ends_with($user->email, 'outlook.com') && !str_ends_with($user->email, 'hotmail.com') && !str_ends_with($user->email, 'live.com'))) + ? 'organizations' + : 'consumers'; + + // Redirect to Microsoft OAuth authorize page with login_hint, domain_hint and custom callback return Socialite::driver('microsoft') ->redirectUrl(route('sso.callback')) - ->with(['login_hint' => $user->email]) + ->with([ + 'login_hint' => $user->email, + 'domain_hint' => $domainHint + ]) ->redirect(); } catch (\Exception $e) { \Illuminate\Support\Facades\Log::error('Microsoft SSO launch failed', [ diff --git a/public/Screenshot_2.png b/public/Screenshot_2.png new file mode 100644 index 0000000..b1f497d Binary files /dev/null and b/public/Screenshot_2.png differ diff --git a/resources/views/auth/admin-login.blade.php b/resources/views/auth/admin-login.blade.php index 1f60841..ca6444a 100644 --- a/resources/views/auth/admin-login.blade.php +++ b/resources/views/auth/admin-login.blade.php @@ -363,19 +363,6 @@ Login as Administrator - -
or
- - - -
-
-
-
-
-
- Sign in with Microsoft -
diff --git a/tests/Feature/SecurityAndAdminTest.php b/tests/Feature/SecurityAndAdminTest.php index 8422d0d..a95c804 100644 --- a/tests/Feature/SecurityAndAdminTest.php +++ b/tests/Feature/SecurityAndAdminTest.php @@ -158,4 +158,34 @@ public function test_additional_service_is_displayed_to_the_user(): void $response->assertSee('Outlook'); $response->assertSee('Keka HR'); } + + /** + * Test admin user cannot authenticate via Microsoft OAuth callback. + */ + public function test_admin_cannot_authenticate_via_microsoft_oauth_callback(): void + { + $admin = User::create([ + 'name' => 'Admin User', + 'email' => 'admin@company.com', + 'role' => 'admin', + 'microsoft_id' => 'admin-microsoft-id-999' + ]); + + $mockSocialite = \Mockery::mock('Laravel\Socialite\Contracts\Provider'); + $mockUser = \Mockery::mock('Laravel\Socialite\Two\User'); + + $mockUser->shouldReceive('getId')->andReturn('admin-microsoft-id-999'); + $mockUser->shouldReceive('getEmail')->andReturn('admin@company.com'); + $mockUser->shouldReceive('getName')->andReturn('Admin User'); + $mockUser->shouldReceive('getAvatar')->andReturn(null); + + $mockSocialite->shouldReceive('user')->andReturn($mockUser); + \Laravel\Socialite\Facades\Socialite::shouldReceive('driver')->with('microsoft')->andReturn($mockSocialite); + + $response = $this->get('/auth/microsoft/callback'); + + $response->assertRedirect(route('admin.login')); + $response->assertSessionHas('error', 'Security protocol: Administrators are restricted to email and password authentication only.'); + $this->assertFalse(auth()->check()); + } }