chore: hide oidcClientMetadata of SAML apps when using GET app APIs

logto-io · Jan 24, 2025 · b684413 · b684413
1 parent 3bc701e
commit b684413
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/packages/core/src/routes/applications/application.ts b/packages/core/src/routes/applications/application.ts
@@ -10,7 +10,7 @@ import {
   InternalRole,
 } from '@logto/schemas';
 import { generateStandardId, generateStandardSecret } from '@logto/shared';
-import { conditional } from '@silverhand/essentials';
+import { cond, conditional } from '@silverhand/essentials';
 import { boolean, object, string, z } from 'zod';
 
 import RequestError from '#src/errors/RequestError/index.js';
@@ -134,7 +134,12 @@ export default function applicationRoutes<T extends ManagementApiRouter>(
 
       // Return totalCount to pagination middleware
       ctx.pagination.totalCount = count;
-      ctx.body = applications;
+      ctx.body = applications.map((application) =>
+        application.type === ApplicationType.SAML
+          ? // Hide `oidcClientMetadata` for SAML application
+            { ...application, oidcClientMetadata: buildOidcClientMetadata() }
+          : application
+      );
 
       return next();
     }
@@ -239,6 +244,12 @@ export default function applicationRoutes<T extends ManagementApiRouter>(
 
       ctx.body = {
         ...application,
+        ...cond(
+          // Hide `oidcClientMetadata` for SAML application
+          application.type === ApplicationType.SAML && {
+            oidcClientMetadata: buildOidcClientMetadata(),
+          }
+        ),
         isAdmin: includesInternalAdminRole(applicationsRoles),
       };
 

diff --git a/packages/integration-tests/src/tests/api/application/saml-application.test.ts b/packages/integration-tests/src/tests/api/application/saml-application.test.ts
@@ -5,6 +5,7 @@ import {
   createApplication,
   deleteApplication,
   getApplications,
+  getApplication,
   updateApplication,
 } from '#src/api/application.js';
 import {
@@ -30,6 +31,13 @@ describe('SAML application', () => {
       description: 'test',
     });
 
+    await expect(getApplication(createdSamlApplication.id)).resolves.toContain({
+      oidcClientMetadata: {
+        redirectUris: [],
+        postLogoutRedirectUris: [],
+      },
+    });
+
     expect(createdSamlApplication.nameIdFormat).toBe(NameIdFormat.Persistent);
 
     // Check if the SAML application's OIDC metadata redirect URI is properly set.