fix(sso): load SP metadata from backend

[Dalanir]

Summary (AI generated)

• Updated SSO configuration UI to load SP metadata from GET /private/sso/sp-metadata instead of building URLs from frontend host config.
• Added sp_metadata_url in the SSO SP metadata backend response.
• Exposed /private/sso/sp-metadata route in the Cloudflare API worker to make the endpoint available on api.capgo.app.

Motivation (AI generated)

The SSO setup screen could display incorrect SAML endpoints when frontend runtime config temporarily resolved to the API domain. This caused admins to configure IdPs with invalid URLs. Fetching metadata from backend source-of-truth prevents host mismatches.

Business Impact (AI generated)

This reduces SSO setup failures for Enterprise customers, lowers support/debug time during onboarding, and improves reliability of identity integration flows.

Test Plan (AI generated)

• bunx eslint "src/components/organizations/SsoConfiguration.vue" "supabase/functions/_backend/private/sso/sp-metadata.ts" "cloudflare_workers/api/index.ts"
• Open Organization Security > SSO Configuration and verify displayed ACS/Entity/Metadata URLs use the Supabase host.
• Verify GET https://api.capgo.app/private/sso/sp-metadata returns 200 (after deploy) and UI still loads metadata block.

Generated with AI

Summary by CodeRabbit

• Improvements
  • SSO SP metadata retrieval has been enhanced with a dedicated server endpoint, replacing previous client-side computation for improved consistency and reliability. The endpoint now includes robust error handling to gracefully manage retrieval failures and maintain platform stability. Concurrent loading of SSO configuration components during initialization ensures faster, more responsive configuration updates.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR reworked SP metadata fetching in the SsoConfiguration component by replacing the prior implementation with a version that explicitly maps API response fields (acs_url, entity_id, nameid_format, sp_metadata_url) to the SpMetadata shape, defaults sp_metadata_url to entity_id when absent, and updated error handling to set spMetadata to null on failures while preserving existing error messaging.

Changes

Cohort / File(s)	Summary
SP Metadata Fetching src/components/organizations/SsoConfiguration.vue	Reworked fetchSpMetadata() to map API fields to SpMetadata shape with sp_metadata_url defaulting to entity_id; updated error handling to set spMetadata.value to null on non-OK responses or exceptions; component mount now calls fetchSpMetadata() via Promise.all alongside fetchProviders().

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• fix(sso): prevent orphan org on first login and fix IdP config URLs #1821: Directly modifies the same fetchSpMetadata() implementation in SsoConfiguration.vue, reworking SP metadata parsing and mount orchestration.
• fix(sso): fix duplicate users and metadata urls #1824: Backend changes that expose SP metadata URLs and fields being mapped in this PR's client-side implementation.

Poem

🐰 A rabbit hops with glee so bright,
Mapping fields with logic tight,
Default values, errors squared,
Promise.all with double care—
Metadata flows just right! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description includes a comprehensive summary and test plan, but is missing manual testing evidence and incomplete checklist items required by the template.	Complete the manual test steps (verify URLs in UI and confirm API endpoint returns 200), and check/uncheck the checklist boxes appropriately to indicate compliance with project standards.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(sso): load SP metadata from backend' is clear, specific, and directly summarizes the main change in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/identifier-o-configurer-le-sso

Warning

Review ran into problems

🔥 Problems

Timed out fetching pipeline failures after 30000ms

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

src/components/organizations/SsoConfiguration.vue (1)

116-147: Consider showing a toast on metadata fetch failure for UX consistency.

The fetchProviders() function shows toast.error(t('sso-error-loading')) on failure, but fetchSpMetadata() silently fails (only logs to console). Users may be confused if the SP metadata section doesn't appear without any feedback.

Proposed enhancement

   catch (error) {
     console.error('Error fetching SSO SP metadata:', error)
     spMetadata.value = null
+    toast.error(t('sso-error-loading-metadata'))
   }

This would require adding a new translation key sso-error-loading-metadata to messages/en.json.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/organizations/SsoConfiguration.vue` around lines 116 - 147,
fetchSpMetadata currently only logs errors to console; update it to show a
user-facing error toast on both non-OK responses and exceptions by calling
toast.error(t('sso-error-loading-metadata')). Inside fetchSpMetadata, after the
existing console.error branches (both the if (!response.ok) branch and the catch
block that sets spMetadata.value = null), add
toast.error(t('sso-error-loading-metadata')) so users see feedback when
spMetadata.value is not populated; ensure the new translation key
sso-error-loading-metadata is added to messages/en.json.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/components/organizations/SsoConfiguration.vue`:
- Around line 116-147: fetchSpMetadata currently only logs errors to console;
update it to show a user-facing error toast on both non-OK responses and
exceptions by calling toast.error(t('sso-error-loading-metadata')). Inside
fetchSpMetadata, after the existing console.error branches (both the if
(!response.ok) branch and the catch block that sets spMetadata.value = null),
add toast.error(t('sso-error-loading-metadata')) so users see feedback when
spMetadata.value is not populated; ensure the new translation key
sso-error-loading-metadata is added to messages/en.json.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9dfce61f-7e72-447b-8917-f5085bf2dd35

📥 Commits

Reviewing files that changed from the base of the PR and between ad8a88d and 956d3e8.

📒 Files selected for processing (3)

• cloudflare_workers/api/index.ts
• src/components/organizations/SsoConfiguration.vue
• supabase/functions/_backend/private/sso/sp-metadata.ts

[codspeed-hq]

Merging this PR will not alter performance

✅ 28 untouched benchmarks

---

_{Comparing codex/identifier-o-configurer-le-sso (d807027) with main (ad8a88d)}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

🧹 Nitpick comments (1)

src/components/organizations/SsoConfiguration.vue (1)

131-141: Align response typing with the backend contract.

sp_metadata_url is treated as optional here, but the backend contract returns it as required. Keeping it optional with a fallback can hide contract regressions.

Proposed contract-tightening diff

-    const data = await response.json() as {
+    const data = await response.json() as {
       acs_url: string
       entity_id: string
       nameid_format: string
-      sp_metadata_url?: string
+      sp_metadata_url: string
     }
     spMetadata.value = {
       acs_url: data.acs_url,
       entity_id: data.entity_id,
-      sp_metadata_url: data.sp_metadata_url ?? data.entity_id,
+      sp_metadata_url: data.sp_metadata_url,
       nameid_format: data.nameid_format,
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/organizations/SsoConfiguration.vue` around lines 131 - 141,
The response typing currently marks sp_metadata_url as optional and uses a
fallback (sp_metadata_url ?? entity_id), which hides backend contract
regressions; update the response type from response.json() so sp_metadata_url is
required (sp_metadata_url: string) and assign spMetadata.value.sp_metadata_url
directly from data.sp_metadata_url (remove the fallback), ensuring the component
relies on the backend-provided value; adjust any related form/usage that assumed
a fallback accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/components/organizations/SsoConfiguration.vue`:
- Around line 131-141: The response typing currently marks sp_metadata_url as
optional and uses a fallback (sp_metadata_url ?? entity_id), which hides backend
contract regressions; update the response type from response.json() so
sp_metadata_url is required (sp_metadata_url: string) and assign
spMetadata.value.sp_metadata_url directly from data.sp_metadata_url (remove the
fallback), ensuring the component relies on the backend-provided value; adjust
any related form/usage that assumed a fallback accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0591897c-9aa0-4950-b321-2f06486e942d

📥 Commits

Reviewing files that changed from the base of the PR and between 956d3e8 and d807027.

📒 Files selected for processing (1)

• src/components/organizations/SsoConfiguration.vue