calcom · emrysal · Aug 8, 2025 · Aug 8, 2025 · Aug 8, 2025 · Aug 8, 2025
diff --git a/apps/web/app/api/auth/oidc/route.ts b/apps/web/app/api/auth/oidc/route.ts
@@ -4,13 +4,16 @@ import { NextResponse } from "next/server";
 
 import jackson from "@calcom/features/ee/sso/lib/jackson";
 import { HttpError } from "@calcom/lib/http-error";
+import logger from "@calcom/lib/logger";
 
 // This is the callback endpoint for the OIDC provider
 // A team must set this endpoint in the OIDC provider's configuration
 async function handler(req: NextRequest) {
+  const log = logger.getSubLogger({ prefix: ["[ODIC auth]"] });
   const { searchParams } = req.nextUrl;
   const code = searchParams.get("code");
   const state = searchParams.get("state");
+  const tenant = searchParams.get("tenant");
 
   if (!code || !state) {
     return NextResponse.json({ message: "Code and state are required" }, { status: 400 });
@@ -30,6 +33,7 @@ async function handler(req: NextRequest) {
 
     return NextResponse.redirect(redirect_url, 302);
   } catch (err) {
+    log.error(`Error authorizing tenant ${tenant}: ${err}`);
     const { message, statusCode = 500 } = err as HttpError;
 
     return NextResponse.json({ message }, { status: statusCode });

diff --git a/apps/web/app/api/auth/saml/authorize/route.ts b/apps/web/app/api/auth/saml/authorize/route.ts
@@ -5,17 +5,20 @@ import { NextResponse } from "next/server";
 import type { OAuthReq } from "@calcom/features/ee/sso/lib/jackson";
 import jackson from "@calcom/features/ee/sso/lib/jackson";
 import type { HttpError } from "@calcom/lib/http-error";
+import logger from "@calcom/lib/logger";
 
 async function handler(req: NextRequest) {
+  const log = logger.getSubLogger({ prefix: ["[SAML authorize]"] });
   const { oauthController } = await jackson();
 
+  const oAuthReq = Object.fromEntries(req.nextUrl.searchParams) as unknown as OAuthReq;
+
   try {
-    const { redirect_url } = await oauthController.authorize(
-      Object.fromEntries(req.nextUrl.searchParams) as unknown as OAuthReq
-    );
+    const { redirect_url } = await oauthController.authorize(oAuthReq);
 
     return NextResponse.redirect(redirect_url as string, 302);
   } catch (err) {
+    log.error(`Error initaiting SAML login for tenant ${oAuthReq?.tenant}: ${err}`);
     const { message, statusCode = 500 } = err as HttpError;
 
     return NextResponse.json({ message }, { status: statusCode });

diff --git a/apps/web/app/api/auth/saml/callback/route.ts b/apps/web/app/api/auth/saml/callback/route.ts
@@ -2,21 +2,32 @@ import { defaultResponderForAppDir } from "app/api/defaultResponderForAppDir";
 import { parseRequestData } from "app/api/parseRequestData";
 import type { NextRequest } from "next/server";
 import { NextResponse } from "next/server";
+import { uuid } from "short-uuid";
 
 import jackson from "@calcom/features/ee/sso/lib/jackson";
 import type { SAMLResponsePayload } from "@calcom/features/ee/sso/lib/jackson";
+import logger from "@calcom/lib/logger";
 
 async function handler(req: NextRequest) {
+  const log = logger.getSubLogger({ prefix: ["[SAML callback]"] });
   const { oauthController } = await jackson();
 
-  const { redirect_url } = await oauthController.samlResponse(
-    (await parseRequestData(req)) as SAMLResponsePayload
-  );
+  const requestData = (await parseRequestData(req)) as SAMLResponsePayload;
+
+  const { redirect_url, error } = await oauthController.samlResponse(requestData);
 
   if (redirect_url) {
     return NextResponse.redirect(redirect_url, 302);
   }
 
+  if (error) {
+    const uid = uuid();
+    log.error(
+      `Error authenticating user with error ${error} for relayState ${requestData?.RelayState} trace:${uid}`
+    );
+    return NextResponse.json({ message: `Error authorizing user. trace: ${uid}` }, { status: 400 });
+  }
+
   return NextResponse.json({ message: "No redirect URL provided" }, { status: 400 });
 }
 

diff --git a/apps/web/app/api/auth/saml/token/route.ts b/apps/web/app/api/auth/saml/token/route.ts
@@ -2,14 +2,26 @@ import { defaultResponderForAppDir } from "app/api/defaultResponderForAppDir";
 import { parseRequestData } from "app/api/parseRequestData";
 import type { NextRequest } from "next/server";
 import { NextResponse } from "next/server";
+import { uuid } from "short-uuid";
 
 import jackson from "@calcom/features/ee/sso/lib/jackson";
 import type { OAuthTokenReq } from "@calcom/features/ee/sso/lib/jackson";
+import logger from "@calcom/lib/logger";
 
 async function handler(req: NextRequest) {
   const { oauthController } = await jackson();
-  const tokenResponse = await oauthController.token((await parseRequestData(req)) as OAuthTokenReq);
-  return NextResponse.json(tokenResponse);
+  const log = logger.getSubLogger({ prefix: ["[SAML token]"] });
+
+  const oauthTokenReq = (await parseRequestData(req)) as OAuthTokenReq;
+
+  try {
+    const tokenResponse = await oauthController.token(oauthTokenReq);
+    return NextResponse.json(tokenResponse);
+  } catch (error) {
+    const uid = uuid();
+    log.error(`Error getting auth token for client id ${oauthTokenReq?.client_id}: ${error} trace: ${uid}`);
+    throw new Error(`Error getting auth token with error ${error} trace: ${uid}`);
+  }
 }
 
 export const POST = defaultResponderForAppDir(handler);
diff --git a/apps/web/app/api/auth/saml/userinfo/route.ts b/apps/web/app/api/auth/saml/userinfo/route.ts
@@ -1,34 +1,52 @@
 import { defaultResponderForAppDir } from "app/api/defaultResponderForAppDir";
 import type { NextRequest } from "next/server";
 import { NextResponse } from "next/server";
-import z from "zod";
+import { uuid } from "short-uuid";
+import { z } from "zod";
 
 import jackson from "@calcom/features/ee/sso/lib/jackson";
 import { HttpError } from "@calcom/lib/http-error";
+import logger from "@calcom/lib/logger";
 
 const extractAuthToken = (req: NextRequest) => {
+  const log = logger.getSubLogger({ prefix: ["SAML extractAuthToken"] });
+  const uid = uuid();
   const authHeader = req.headers.get("authorization");
   const parts = (authHeader || "").split(" ");
   if (parts.length > 1) return parts[1];
 
   // check for query param
   let arr: string[] = [];
-  const { access_token } = requestQuery.parse(Object.fromEntries(req.nextUrl.searchParams));
+  const tokenParse = requestQuery.safeParse(Object.fromEntries(req.nextUrl.searchParams));
+  let access_token;
+  if (!tokenParse.success) {
+    log.error(`Error parsing request query: ${tokenParse.error} trace ${uid}`);
+    throw new HttpError({ statusCode: 401, message: `Unauthorized trace: ${uid}` });
+  }
+  access_token = tokenParse.data.access_token;
   arr = arr.concat(access_token);
   if (arr[0].length > 0) return arr[0];
 
-  throw new HttpError({ statusCode: 401, message: "Unauthorized" });
+  throw new HttpError({ statusCode: 401, message: `Unauthorized trace: ${uid}` });
 };
 
 const requestQuery = z.object({
   access_token: z.string(),
 });
 
 async function handler(req: NextRequest) {
+  const log = logger.getSubLogger({ prefix: ["SAML userinfo"] });
   const { oauthController } = await jackson();
   const token = extractAuthToken(req);
-  const userInfo = await oauthController.userInfo(token);
-  return NextResponse.json(userInfo);
+
+  try {
+    const userInfo = await oauthController.userInfo(token);
+    return NextResponse.json(userInfo);
+  } catch (error) {
+    const uid = uuid();
+    log.error(`trace: ${uid} Error getting user info from token: ${error}`);
+    throw new Error(`Error getting user info from token. trace: ${uid}`);
+  }
-  try {
-    const userInfo = await oauthController.userInfo(token);
-    return NextResponse.json(userInfo);
-  } catch (error) {
-    const uid = uuid();
-    log.error(`trace: ${uid} Error getting user info from token: ${error}`);
-    throw new Error(`Error getting user info from token. trace: ${uid}`);
-  }
+  try {
+    const userInfo = await oauthController.userInfo(token);
+    return NextResponse.json(userInfo);
+  } catch (error) {
+    const uid = uuid();
+    log.error(`trace: ${uid} Error getting user info from token: ${error}`);
+    return NextResponse.json(
+      { message: `Error getting user info from token. trace: ${uid}` },
+      { status: 500 }
+    );
+  }
-  try {
-    const userInfo = await oauthController.userInfo(token);
-    return NextResponse.json(userInfo);
-  } catch (error) {
-    const uid = uuid();
-    log.error(`trace: ${uid} Error getting user info from token: ${error}`);
-    throw new Error(`Error getting user info from token. trace: ${uid}`);
-  }
+  try {
+    const userInfo = await oauthController.userInfo(token);
+    return NextResponse.json(userInfo);
+  } catch (error) {
+    const uid = uuid();
+    log.error(`trace: ${uid} Error getting user info from token: ${error}`);
+    return NextResponse.json(
+      { message: `Error getting user info from token. trace: ${uid}` },
+      { status: 500 }
+    );
+  }
 }
 
 export const GET = defaultResponderForAppDir(handler);

@@ -31,6 +31,7 @@ import { isENVDev } from "@calcom/lib/env";
 import logger from "@calcom/lib/logger";
 import { randomString } from "@calcom/lib/random";
 import { safeStringify } from "@calcom/lib/safeStringify";
+import { hashEmail } from "@calcom/lib/server/PiiHasher";
 import { CredentialRepository } from "@calcom/lib/server/repository/credential";
 import { DeploymentRepository } from "@calcom/lib/server/repository/deployment";
 import { OrganizationRepository } from "@calcom/lib/server/repository/organization";
@@ -48,7 +49,6 @@ import { dub } from "./dub";
 import { isPasswordValid } from "./isPasswordValid";
 import CalComAdapter from "./next-auth-custom-adapter";
 import { verifyPassword } from "./verifyPassword";
-import { hashEmail } from "@calcom/lib/server/PiiHasher";
 
 const log = logger.getSubLogger({ prefix: ["next-auth-options"] });
 const GOOGLE_API_CREDENTIALS = process.env.GOOGLE_API_CREDENTIALS || "{}";