From b684413c3289536da29dc9087f12063830995fc1 Mon Sep 17 00:00:00 2001
From: Darcy Ye
Date: Fri, 24 Jan 2025 13:51:33 +0800
Subject: [PATCH] chore: hide oidcClientMetadata of SAML apps when using GET app APIs

---
 .../core/src/routes/applications/application.ts | 15 +++++++++++++--
 .../api/application/saml-application.test.ts | 8 ++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/packages/core/src/routes/applications/application.ts b/packages/core/src/routes/applications/application.ts
index 828e54b66d1..dc927137276 100644
--- a/packages/core/src/routes/applications/application.ts
+++ b/packages/core/src/routes/applications/application.ts
@@ -10,7 +10,7 @@ import {
 InternalRole,
 } from '@logto/schemas';
 import { generateStandardId, generateStandardSecret } from '@logto/shared';
-import { conditional } from '@silverhand/essentials';
+import { cond, conditional } from '@silverhand/essentials';
 import { boolean, object, string, z } from 'zod';
 
 import RequestError from '#src/errors/RequestError/index.js';
@@ -134,7 +134,12 @@ export default function applicationRoutes(
 // Return totalCount to pagination middleware
 ctx.pagination.totalCount = count;
 
- ctx.body = applications;
+ ctx.body = applications.map((application) =>
+ application.type === ApplicationType.SAML
+ ? // Hide `oidcClientMetadata` for SAML application
+ { ...application, oidcClientMetadata: buildOidcClientMetadata() }
+ : application
+ );
 
 return next();
 }
@@ -239,6 +244,12 @@ export default function applicationRoutes(
 
 ctx.body = {
 ...application,
+ ...cond(
+ // Hide `oidcClientMetadata` for SAML application
+ application.type === ApplicationType.SAML && {
+ oidcClientMetadata: buildOidcClientMetadata(),
+ }
+ ),
 isAdmin: includesInternalAdminRole(applicationsRoles),
 };
 
diff --git a/packages/integration-tests/src/tests/api/application/saml-application.test.ts b/packages/integration-tests/src/tests/api/application/saml-application.test.ts
index 7713bc2fb00..12a2b11294d 100644
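Review bot: The same masking rule is written two different ways in the two handlers — a ternary inside a `map` callback in the list hunk at line 134 and a `cond(... && { ... })` spread in the single-application hunk at line 239 — and because both handlers start outside their hunks, any other route in this file that returns an application record (create or update responses, if they exist here) would still return the stored `oidcClientMetadata` of a SAML application. A small module-level helper applied at both call sites keeps the rule in one place and can be reused wherever application rows are serialized; the call sites become `ctx.body = applications.map(maskSamlOidcClientMetadata);` and `...maskSamlOidcClientMetadata(application),`. It would also help to say in the helper's comment that the hiding is response-side only — the database column is untouched — since a reader of the route alone might assume the metadata has been cleared.
```typescript
// Response-side only: the stored column is untouched. SAML applications get a
// fresh default `oidcClientMetadata` so their OIDC settings are not exposed.
const maskSamlOidcClientMetadata = <T extends { type: ApplicationType }>(application: T): T =>
  application.type === ApplicationType.SAML
    ? { ...application, oidcClientMetadata: buildOidcClientMetadata() }
    : application;

// … unchanged: list handler up to the pagination count …
    ctx.body = applications.map(maskSamlOidcClientMetadata);

// … unchanged: single-application handler up to the body …
    ctx.body = {
      ...maskSamlOidcClientMetadata(application),
      isAdmin: includesInternalAdminRole(applicationsRoles),
    };
```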
--- a/packages/integration-tests/src/tests/api/application/saml-application.test.ts
+++ b/packages/integration-tests/src/tests/api/application/saml-application.test.ts
@@ -5,6 +5,7 @@ import {
 createApplication,
 deleteApplication,
 getApplications,
+ getApplication,
 updateApplication,
 } from '#src/api/application.js';
 import {
@@ -30,6 +31,13 @@ describe('SAML application', () => {
 description: 'test',
 });
 
+ await expect(getApplication(createdSamlApplication.id)).resolves.toContain({
+ oidcClientMetadata: {
+ redirectUris: [],
+ postLogoutRedirectUris: [],
+ },
+ });
+
 expect(createdSamlApplication.nameIdFormat).toBe(NameIdFormat.Persistent);
 
 // Check if the SAML application's OIDC metadata redirect URI is properly set.
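Review bot: The new assertion in the hunk at line 31 uses `toContain` against the resolved application object; in jest `toContain` is an `indexOf`-style membership check over an iterable (or a substring check on a string), so unless the project registers a custom matcher an object literal will not be found inside a plain object and the check is unlikely to pass as written. `toMatchObject` expresses the intended partial deep match: `await expect(getApplication(createdSamlApplication.id)).resolves.toMatchObject({ oidcClientMetadata: { redirectUris: [], postLogoutRedirectUris: [] } });`. The test also covers only the single-application GET; the list endpoint changed in the same commit has no assertion that SAML entries come back masked, so a second check that calls `getApplications()`, finds `createdSamlApplication.id`, and asserts the same empty metadata would close that gap. The enclosing test case starts and ends outside the hunk.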