From d18cf70c4778862b432e91c4bae2022f15e04bae Mon Sep 17 00:00:00 2001
From: Deepak Prabhakara
Date: Fri, 24 Mar 2023 23:01:42 +0000
Subject: [PATCH] bypass validation for GET request until we figure out how to exchange the public key with the SP (#159)
---
 pages/api/saml/sso.ts | 16 ++++++++++++----
 utils/request.ts | 4 ++--
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/pages/api/saml/sso.ts b/pages/api/saml/sso.ts
index c6bc669..0815140 100644
--- a/pages/api/saml/sso.ts
+++ b/pages/api/saml/sso.ts
@@ -23,17 +23,25 @@ async function processSAMLRequest(req: NextApiRequest, res: NextApiResponse, isP
 } else {
 relayState = req.query.RelayState;
 samlRequest = req.query.SAMLRequest;
+ // sigAlg = req.query.SigAlg;
+ // signature = req.query.Signature;
+ isDeflated = true;
 }
 try {
 const rawRequest = await decodeBase64(samlRequest, isDeflated);
- const { id, audience, acsUrl, providerName, publicKey } = await extractSAMLRequestAttributes(rawRequest);
+ const { id, audience, acsUrl, providerName, publicKey } = await extractSAMLRequestAttributes(
+ rawRequest,
+ isPost
+ );
- const { valid } = await saml.hasValidSignature(rawRequest, publicKey, null);
- if (!valid) {
- throw new Error('Invalid signature');
+ if (isPost) {
+ const { valid } = await saml.hasValidSignature(rawRequest, publicKey, null);
+ if (!valid) {
+ throw new Error('Invalid signature');
+ }
 }
 const params = new URLSearchParams({ id, audience, acsUrl, providerName, relayState });
diff --git a/utils/request.ts b/utils/request.ts
index e424bb5..caae245 100644
--- a/utils/request.ts
+++ b/utils/request.ts
@@ -32,7 +32,7 @@ const decodeBase64 = async (string: string, isDeflated: boolean) => {
 };
 // Parse SAMLRequest attributes
-const extractSAMLRequestAttributes = async (rawRequest: string) => {
+const extractSAMLRequestAttributes = async (rawRequest: string, isPost = true) => {
 const result = await parseXML(rawRequest);
 const attributes = result['AuthnRequest']['$'];
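Review bot: On the GET path the AuthnRequest is now processed with no signature verification at all: the `SigAlg`/`Signature` query parameters are left as commented-out assignments and `saml.hasValidSignature` runs only when `isPost`, so `acsUrl` and `audience` are taken from an unauthenticated request. Unless `acsUrl` is matched against the SP's registered ACS URL further down (not visible here; `processSAMLRequest` begins and ends outside this hunk), an unsigned redirect-binding request can choose where the SAML response is sent, which is the gap the commit title acknowledges. Mark it where it is made, e.g. `// TODO(#159): HTTP-Redirect binding signs the query string (SigAlg/Signature), not the XML; until that is verified, acsUrl/audience on this path are unauthenticated` above `isDeflated = true;`, and consider rejecting GET requests whose `acsUrl` does not match the stored SP configuration before `params` is built.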
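Review bot: The new `isPost = true` parameter on `extractSAMLRequestAttributes` is undocumented and the comment above it still reads `// Parse SAMLRequest attributes`, so a reader cannot tell that passing `false` changes the function's guarantee: the `!publicKey && isPost` guard in the next hunk lets the call return `publicKey` as `null` instead of throwing. The name describes the transport while the effect is "embedded X509Certificate optional", which is easy to miss for a positional boolean; a `binding: 'post' | 'redirect'` literal would read better, but at minimum update the comment: `// Parse SAMLRequest attributes. isPost=false (HTTP-Redirect binding) makes the embedded` / `// X509Certificate optional and returns publicKey as null; only call hasValidSignature when it is set.`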
@@ -42,7 +42,7 @@ const extractSAMLRequestAttributes = async (rawRequest: string) => {
 ? result['AuthnRequest']['Signature'][0]['KeyInfo'][0]['X509Data'][0]['X509Certificate'][0]
 : null;
- if (!publicKey) {
+ if (!publicKey && isPost) {
 throw new Error('Missing signature');
 }