add extra org policy checks to middlewares

2026-03-03 01:06:39 +00:00 · 2025-12-03 15:50:24 -05:00
parent 9be5a01173
commit 5afff3c662
18 changed files with 285 additions and 34 deletions
--- a/server/middlewares/verifyAccessTokenAccess.ts
+++ b/server/middlewares/verifyAccessTokenAccess.ts
@@ -5,6 +5,7 @@ import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";

 export async function verifyAccessTokenAccess(
    req: Request,
@@ -96,6 +97,24 @@ export async function verifyAccessTokenAccess(
            req.userOrgId = resource[0].orgId!;
        }

+        if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: req.userOrg.orgId,
+                userId,
+                session: req.session
+            });
+            req.orgPolicyAllowed = policyCheck.allowed;
+            if (!policyCheck.allowed || policyCheck.error) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Failed organization access policy check: " +
+                            (policyCheck.error || "Unknown error")
+                    )
+                );
+            }
+        }
+
        const resourceAllowed = await canUserAccessResource({
            userId,
            resourceId,