refactor(okta): move validateOktaDomain to centralized input-validation

waleedlatif1 · claude · waleedlatif1 · commit 67096560db57 · 2026-03-19T15:53:17.000-07:00
- Moved validateOktaDomain from tools/okta/types.ts to
  lib/core/security/input-validation.ts alongside other validation utils
- Added .trim() to handle copy-paste whitespace in domain input
- Updated all 18 tool files to import from the new location

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/lib/core/security/input-validation.ts b/apps/sim/lib/core/security/input-validation.ts
@@ -1192,3 +1192,33 @@ export function validateCallbackUrl(url: string): boolean {
     return false
   }
 }
+
+const OKTA_DOMAIN_PATTERN =
+  /^[a-zA-Z0-9][a-zA-Z0-9-]*\.(okta|okta-gov|okta-emea|oktapreview|trexcloud)\.com$/
+
+/**
+ * Validates and sanitizes an Okta domain to prevent SSRF.
+ * Ensures the domain matches a known Okta domain suffix.
+ *
+ * @param rawDomain - The raw domain string (may include protocol, trailing slash, or whitespace)
+ * @returns The cleaned, validated domain string
+ * @throws Error if the domain does not match a known Okta domain suffix
+ *
+ * @example
+ * ```typescript
+ * const domain = validateOktaDomain(params.domain)
+ * // Returns: "dev-123456.okta.com"
+ * ```
+ */
+export function validateOktaDomain(rawDomain: string): string {
+  const domain = rawDomain
+    .trim()
+    .replace(/^https?:\/\//, '')
+    .replace(/\/$/, '')
+  if (!OKTA_DOMAIN_PATTERN.test(domain)) {
+    throw new Error(
+      `Invalid Okta domain: "${domain}". Must be a valid Okta domain (e.g., dev-123456.okta.com)`
+    )
+  }
+  return domain
+}
diff --git a/apps/sim/tools/okta/activate_user.ts b/apps/sim/tools/okta/activate_user.ts
@@ -1,9 +1,9 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaActivateUserParams,
-  type OktaActivateUserResponse,
-  type OktaApiError,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaActivateUserParams,
+  OktaActivateUserResponse,
+  OktaApiError,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/add_user_to_group.ts b/apps/sim/tools/okta/add_user_to_group.ts
@@ -1,9 +1,9 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaAddUserToGroupParams,
-  type OktaAddUserToGroupResponse,
-  type OktaApiError,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaAddUserToGroupParams,
+  OktaAddUserToGroupResponse,
+  OktaApiError,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/create_group.ts b/apps/sim/tools/okta/create_group.ts
@@ -1,10 +1,10 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaCreateGroupParams,
-  type OktaCreateGroupResponse,
-  type OktaGroup,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaCreateGroupParams,
+  OktaCreateGroupResponse,
+  OktaGroup,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/create_user.ts b/apps/sim/tools/okta/create_user.ts
@@ -1,10 +1,10 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaCreateUserParams,
-  type OktaCreateUserResponse,
-  type OktaUser,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaCreateUserParams,
+  OktaCreateUserResponse,
+  OktaUser,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/deactivate_user.ts b/apps/sim/tools/okta/deactivate_user.ts
@@ -1,9 +1,9 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaDeactivateUserParams,
-  type OktaDeactivateUserResponse,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaDeactivateUserParams,
+  OktaDeactivateUserResponse,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/delete_group.ts b/apps/sim/tools/okta/delete_group.ts
@@ -1,9 +1,9 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaDeleteGroupParams,
-  type OktaDeleteGroupResponse,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaDeleteGroupParams,
+  OktaDeleteGroupResponse,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/delete_user.ts b/apps/sim/tools/okta/delete_user.ts
@@ -1,10 +1,6 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaDeleteUserParams,
-  type OktaDeleteUserResponse,
-  validateOktaDomain,
-} from '@/tools/okta/types'
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type { OktaApiError, OktaDeleteUserParams, OktaDeleteUserResponse } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
 const logger = createLogger('OktaDeleteUser')
diff --git a/apps/sim/tools/okta/get_group.ts b/apps/sim/tools/okta/get_group.ts
@@ -1,10 +1,10 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaGetGroupParams,
-  type OktaGetGroupResponse,
-  type OktaGroup,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaGetGroupParams,
+  OktaGetGroupResponse,
+  OktaGroup,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/get_user.ts b/apps/sim/tools/okta/get_user.ts
@@ -1,10 +1,10 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaGetUserParams,
-  type OktaGetUserResponse,
-  type OktaUser,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaGetUserParams,
+  OktaGetUserResponse,
+  OktaUser,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/list_group_members.ts b/apps/sim/tools/okta/list_group_members.ts
@@ -1,10 +1,10 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaListGroupMembersParams,
-  type OktaListGroupMembersResponse,
-  type OktaUser,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaListGroupMembersParams,
+  OktaListGroupMembersResponse,
+  OktaUser,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/list_groups.ts b/apps/sim/tools/okta/list_groups.ts
@@ -1,10 +1,10 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaGroup,
-  type OktaListGroupsParams,
-  type OktaListGroupsResponse,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaGroup,
+  OktaListGroupsParams,
+  OktaListGroupsResponse,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/list_users.ts b/apps/sim/tools/okta/list_users.ts
@@ -1,10 +1,10 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaListUsersParams,
-  type OktaListUsersResponse,
-  type OktaUser,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaListUsersParams,
+  OktaListUsersResponse,
+  OktaUser,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/remove_user_from_group.ts b/apps/sim/tools/okta/remove_user_from_group.ts
@@ -1,9 +1,9 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaRemoveUserFromGroupParams,
-  type OktaRemoveUserFromGroupResponse,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaRemoveUserFromGroupParams,
+  OktaRemoveUserFromGroupResponse,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/reset_password.ts b/apps/sim/tools/okta/reset_password.ts
@@ -1,9 +1,9 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaResetPasswordParams,
-  type OktaResetPasswordResponse,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaResetPasswordParams,
+  OktaResetPasswordResponse,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/suspend_user.ts b/apps/sim/tools/okta/suspend_user.ts
@@ -1,9 +1,9 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaSuspendUserParams,
-  type OktaSuspendUserResponse,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaSuspendUserParams,
+  OktaSuspendUserResponse,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/types.ts b/apps/sim/tools/okta/types.ts
@@ -1,22 +1,5 @@
 import type { ToolResponse } from '@/tools/types'
 
-const OKTA_DOMAIN_PATTERN =
-  /^[a-zA-Z0-9][a-zA-Z0-9-]*\.(okta|okta-gov|okta-emea|oktapreview|trexcloud)\.com$/
-
-/**
- * Validates and sanitizes an Okta domain to prevent SSRF.
- * Ensures the domain matches a known Okta domain suffix.
- */
-export function validateOktaDomain(rawDomain: string): string {
-  const domain = rawDomain.replace(/^https?:\/\//, '').replace(/\/$/, '')
-  if (!OKTA_DOMAIN_PATTERN.test(domain)) {
-    throw new Error(
-      `Invalid Okta domain: "${domain}". Must be a valid Okta domain (e.g., dev-123456.okta.com)`
-    )
-  }
-  return domain
-}
-
 /**
  * Okta API error response
  */
diff --git a/apps/sim/tools/okta/unsuspend_user.ts b/apps/sim/tools/okta/unsuspend_user.ts
@@ -1,9 +1,9 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaUnsuspendUserParams,
-  type OktaUnsuspendUserResponse,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaUnsuspendUserParams,
+  OktaUnsuspendUserResponse,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/update_group.ts b/apps/sim/tools/okta/update_group.ts
@@ -1,10 +1,10 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaGroup,
-  type OktaUpdateGroupParams,
-  type OktaUpdateGroupResponse,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaGroup,
+  OktaUpdateGroupParams,
+  OktaUpdateGroupResponse,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
diff --git a/apps/sim/tools/okta/update_user.ts b/apps/sim/tools/okta/update_user.ts
@@ -1,10 +1,10 @@
 import { createLogger } from '@sim/logger'
-import {
-  type OktaApiError,
-  type OktaUpdateUserParams,
-  type OktaUpdateUserResponse,
-  type OktaUser,
-  validateOktaDomain,
+import { validateOktaDomain } from '@/lib/core/security/input-validation'
+import type {
+  OktaApiError,
+  OktaUpdateUserParams,
+  OktaUpdateUserResponse,
+  OktaUser,
 } from '@/tools/okta/types'
 import type { ToolConfig } from '@/tools/types'
 
