reject user if no policies match and remove root user in auto provision

2026-01-28 22:00:51 +00:00 · 2025-10-10 11:52:45 -07:00
parent d92b87b7c8
commit 6b125bba7c
2 changed files with 35 additions and 3 deletions
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db } from "@server/db";
+import { db, Org } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -32,6 +32,7 @@ import { decrypt } from "@server/lib/crypto";
 import { UserType } from "@server/types/UserTypes";
 import { FeatureId } from "@server/lib/billing";
 import { usageService } from "@server/lib/billing/usageService";
+import { build } from "@server/build";

 const ensureTrailingSlash = (url: string): string => {
    return url;
@@ -255,7 +256,18 @@ export async function validateOidcCallback(
            );

        if (existingIdp.idp.autoProvision) {
-            const allOrgs = await db.select().from(orgs);
+            let allOrgs: Org[] = [];
+
+            if (build === "saas") {
+                const idpOrgs = await db
+                    .select()
+                    .from(idpOrg)
+                    .where(eq(idpOrg.idpId, existingIdp.idp.idpId))
+                    .innerJoin(orgs, eq(orgs.orgId, idpOrg.orgId));
+                allOrgs = idpOrgs.map((o) => o.orgs);
+            } else {
+                allOrgs = await db.select().from(orgs);
+            }

            const defaultRoleMapping = existingIdp.idp.defaultRoleMapping;
            const defaultOrgMapping = existingIdp.idp.defaultOrgMapping;
@@ -292,6 +304,8 @@ export async function validateOidcCallback(
                    }
                }

+                // user could be allowed in this org, now find the role
+
                const roleMapping =
                    idpOrgRes?.roleMapping || defaultRoleMapping;
                if (roleMapping) {
@@ -336,6 +350,24 @@ export async function validateOidcCallback(

            let existingUserId = existingUser?.userId;

+            if (!userOrgInfo.length) {
+                if (existingUser) {
+                    // delete the user
+                    // cascade will also delete org users
+
+                    await db
+                        .delete(users)
+                        .where(eq(users.userId, existingUser.userId));
+                }
+
+                return next(
+                    createHttpError(
+                        HttpCode.UNAUTHORIZED,
+                        `No policies matched for ${userIdentifier}. This user must be added to an organization before logging in.`
+                    )
+                );
+            }
+
            const orgUserCounts: { orgId: string; userCount: number }[] = [];

            // sync the user with the orgs and roles
--- a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
@@ -829,7 +829,7 @@ export default function GeneralPage() {
                                                <AlertDescription>
                                                    {t(
                                                        "idpJmespathAboutDescription"
-                                                    )}
+                                                    )}{" "}
                                                    <a
                                                        href="https://jmespath.org"
                                                        target="_blank"