bypass validation for GET request until we figure out how to exchange the public key with the SP (#159)

pages/api/saml/sso.ts

@@ -23,17 +23,25 @@ async function processSAMLRequest(req: NextApiRequest, res: NextApiResponse, isP
   } else {
     relayState = req.query.RelayState;
     samlRequest = req.query.SAMLRequest;
+    // sigAlg = req.query.SigAlg;
+    // signature = req.query.Signature;
+
     isDeflated = true;
   }
 
   try {
     const rawRequest = await decodeBase64(samlRequest, isDeflated);
 
-    const { id, audience, acsUrl, providerName, publicKey } = await extractSAMLRequestAttributes(rawRequest);
+    const { id, audience, acsUrl, providerName, publicKey } = await extractSAMLRequestAttributes(
+      rawRequest,
+      isPost
+    );
 
-    const { valid } = await saml.hasValidSignature(rawRequest, publicKey, null);
-    if (!valid) {
-      throw new Error('Invalid signature');
+    if (isPost) {
+      const { valid } = await saml.hasValidSignature(rawRequest, publicKey, null);
+      if (!valid) {
+        throw new Error('Invalid signature');
+      }
     }
 
     const params = new URLSearchParams({ id, audience, acsUrl, providerName, relayState });

utils/request.ts

@@ -32,7 +32,7 @@ const decodeBase64 = async (string: string, isDeflated: boolean) => {
 };
 
 // Parse SAMLRequest attributes
-const extractSAMLRequestAttributes = async (rawRequest: string) => {
+const extractSAMLRequestAttributes = async (rawRequest: string, isPost = true) => {
   const result = await parseXML(rawRequest);
 
   const attributes = result['AuthnRequest']['$'];
@@ -42,7 +42,7 @@ const extractSAMLRequestAttributes = async (rawRequest: string) => {
     ? result['AuthnRequest']['Signature'][0]['KeyInfo'][0]['X509Data'][0]['X509Certificate'][0]
     : null;
 
-  if (!publicKey) {
+  if (!publicKey && isPost) {
     throw new Error('Missing signature');
   }