Server: Fixes #13490: Make server less likely to generate non-unique SSO codes (#13501)

packages/server/src/models/UserModel.test.ts

@@ -497,4 +497,28 @@ describe('UserModel', () => {
 		}
 	});
 
+	test('should generate a unique SSO code', async () => {
+		const createExternalUser = async (index: number) => {
+			const user = await createUser(index);
+			return await models().user().save({
+				id: user.id,
+				is_external: 1,
+			}, { skipValidation: true });
+		};
+		const user1 = await createExternalUser(1);
+		const user2 = await createExternalUser(2);
+		config().SAML_ENABLED = true;
+
+		try {
+			await models().user().generateSsoCode(user1);
+			await models().user().generateSsoCode(user2);
+
+			const code1 = (await models().user().load(user1.id)).sso_auth_code;
+			const code2 = (await models().user().load(user2.id)).sso_auth_code;
+			expect(code1).not.toBe(code2);
+		} finally {
+			config().SAML_ENABLED = false;
+		}
+	});
+
 });

packages/server/src/models/UserModel.ts

@@ -191,14 +191,19 @@ export default class UserModel extends BaseModel<User> {
 	}
 
 	public async generateSsoCode(user: User) {
-		let authCode;
+		const codeInUse = async (authCode: string) => {
+			return !!await this.loadBySsoAuthCode(authCode);
+		};
 
-		// Make sure that the code is not already in use.
-		do {
-			authCode = randomInt(0, 999999999).toString().padStart(9, '0');
-		} while (await this.loadBySsoAuthCode(authCode) === null);
+		const getUniqueAuthCode = async () => {
+			let authCode;
+			do {
+				authCode = randomInt(0, 999999999).toString().padStart(9, '0');
+			} while (await codeInUse(authCode));
+			return authCode;
+		};
 
-		user.sso_auth_code = authCode;
+		user.sso_auth_code = await getUniqueAuthCode();
 		user.sso_auth_code_expire_at = Date.now() + this.authCodeTtl;
 
 		await this.save(user, { skipValidation: true });