Implement an authentication adapter that allows clinics to connect their existing identity provider (Azure AD, Okta, Google Workspace) instead of managing local passwords.

Architecture: strategy pattern with a common interface:

```typescript
interface AuthAdapter {
  getRedirectUrl(state: string): Promise<string>
  handleCallback(code: string, state: string): Promise<AuthResult>
}
// AuthResult: { userId: string, email: string, name: string, isNewUser: boolean }
```

Implement two strategies:

1. `OAuth2Adapter` — standard Authorization Code flow. Config: `{ clientId, clientSecret, authorizationUrl, tokenUrl, userInfoUrl, scopes }`
2. `SamlAdapter` — SP-initiated SSO. Config: `{ entityId, ssoUrl, certificate, attributeMapping }`

Common behavior for both:

- On `handleCallback`: exchange code/assertion for identity, upsert user record in DB (create on first login, update name/email on subsequent), return `AuthResult`
- Validate `state` param to prevent CSRF
- Store pending auth state in Redis with 10-minute TTL

Factory function: `createAuthAdapter(config: AdapterConfig): AuthAdapter`

Write tests for the OAuth 2.0 path using a mock identity provider. Document the SAML config fields with examples.
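The following is an added sketch of the `OAuth2Adapter` path described above, not code from the spec or any project: it shows the single-use, TTL-bound `state` check and the upsert that yields `isNewUser`. Redis is replaced by an in-memory stand-in, the IdP is reached through an injected `http` function so a mock provider can be substituted, and `redirectUri` plus OIDC-style userinfo claims (`sub`, `email`, `name`) are assumptions.

```typescript
// Added example (not from the spec): an OAuth2Adapter sketch showing the CSRF `state`
// check and the TTL-bound pending-state store. Redis is replaced by an in-memory stand-in,
// and the IdP is reached via an injected `http` function so a mock provider can be used.
interface AuthResult { userId: string; email: string; name: string; isNewUser: boolean }
interface AuthAdapter {
  getRedirectUrl(state: string): Promise<string>;
  handleCallback(code: string, state: string): Promise<AuthResult>;
}
// `redirectUri` is an assumed extra field; the rest is the spec's OAuth2 config.
type OAuth2Config = { clientId: string; clientSecret: string; authorizationUrl: string;
  tokenUrl: string; userInfoUrl: string; scopes: string[]; redirectUri: string };
// Stand-in for Redis: SET with EX (put) and GETDEL (take) so each state is single-use.
interface StateStore { put(state: string, ttlSec: number): Promise<void>; take(state: string): Promise<boolean> }
export class MemoryStateStore implements StateStore {
  private expiry = new Map<string, number>();
  constructor(private now: () => number = Date.now) {}
  async put(state: string, ttlSec: number) { this.expiry.set(state, this.now() + ttlSec * 1000); }
  async take(state: string) {
    const exp = this.expiry.get(state);
    this.expiry.delete(state); // consume even if expired: a state is never reusable
    return exp !== undefined && exp > this.now();
  }
}
type Http = (url: string, init: { method: string; headers: Record<string, string>; body?: string }) => Promise<any>;
export class OAuth2Adapter implements AuthAdapter {
  private users = new Map<string, { email: string; name: string }>(); // in-memory DB stand-in
  constructor(private cfg: OAuth2Config, private states: StateStore, private http: Http) {}
  async getRedirectUrl(state: string): Promise<string> {
    await this.states.put(state, 600); // pending auth state lives 10 minutes, per the spec
    const q = new URLSearchParams({ response_type: "code", client_id: this.cfg.clientId,
      redirect_uri: this.cfg.redirectUri, scope: this.cfg.scopes.join(" "), state });
    return `${this.cfg.authorizationUrl}?${q}`;
  }
  async handleCallback(code: string, state: string): Promise<AuthResult> {
    // Reject unknown, expired or replayed state before touching the IdP (CSRF / replay defence).
    if (!(await this.states.take(state))) throw new Error("invalid or expired state");
    const token = await this.http(this.cfg.tokenUrl, {
      method: "POST", headers: { "content-type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({ grant_type: "authorization_code", code, redirect_uri: this.cfg.redirectUri,
        client_id: this.cfg.clientId, client_secret: this.cfg.clientSecret }).toString() });
    // Assumes OIDC-style userinfo claims (sub, email, name) from the provider.
    const info = await this.http(this.cfg.userInfoUrl, {
      method: "GET", headers: { authorization: `Bearer ${token.access_token}` } });
    const isNewUser = !this.users.has(info.sub);
    this.users.set(info.sub, { email: info.email, name: info.name }); // upsert: create or refresh
    return { userId: info.sub, email: info.email, name: info.name, isNewUser };
  }
}
```

A test with a mock identity provider, as the spec asks for, only needs to supply an `http` function that answers the token and userinfo URLs.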