Handle delete org and checking org policy

2026-03-01 08:16:44 +00:00 · 2025-11-26 15:35:33 -05:00
parent ceae787cf5
commit de83cf9d8c
4 changed files with 155 additions and 34 deletions
--- a/server/routers/olm/handleOlmPingMessage.ts
+++ b/server/routers/olm/handleOlmPingMessage.ts
@@ -5,6 +5,8 @@ import { clients, Olm } from "@server/db";
 import { eq, lt, isNull, and, or } from "drizzle-orm";
 import logger from "@server/logger";
 import { validateSessionToken } from "@server/auth/sessions/app";
+import { checkOrgAccessPolicy } from "@server/lib/checkOrgAccessPolicy";
+import { sendTerminateClient } from "../client/terminate";

 // Track if the offline checker interval is running
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
@@ -57,6 +59,9 @@ export const startOlmOfflineChecker = (): void => {

                // Send a disconnect message to the client if connected
                try {
+                    await sendTerminateClient(offlineClient.clientId); // terminate first
+                    // wait a moment to ensure the message is sent
+                    await new Promise(resolve => setTimeout(resolve, 1000));
                    await disconnectClient(offlineClient.olmId);
                } catch (error) {
                    logger.error(
@@ -110,6 +115,36 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
            logger.warn("User ID mismatch for olm ping");
            return;
        }
+
+        // get the client
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(
+                and(
+                    eq(clients.olmId, olm.olmId),
+                    eq(clients.userId, olm.userId)
+                )
+            )
+            .limit(1);
+
+        if (!client) {
+            logger.warn("Client not found for olm ping");
+            return;
+        }
+
+        const policyCheck = await checkOrgAccessPolicy({
+            orgId: client.orgId,
+            userId: olm.userId,
+            session: userToken // this is the user token passed in the message
+        });
+
+        if (!policyCheck.allowed) {
+            logger.warn(
+                `Olm user ${olm.userId} does not pass access policies for org ${client.orgId}: ${policyCheck.error}`
+            );
+            return;
+        }
    }

    if (!olm.clientId) {
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -32,6 +32,8 @@ import {
 } from "@server/lib/ip";
 import { generateRemoteSubnets } from "@server/lib/ip";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+import { checkOrgAccessPolicy } from "@server/lib/checkOrgAccessPolicy";
+import { validateSessionToken } from "@server/auth/sessions/app";

 export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    logger.info("Handling register olm message!");
@@ -45,7 +47,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        return;
    }

-    const { publicKey, relay, olmVersion, orgId, doNotCreateNewClient } =
+    const { publicKey, relay, olmVersion, orgId, doNotCreateNewClient, token: userToken } =
        message.data;

    let client: Client | undefined;
@@ -78,6 +80,35 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            return;
        }

+        if (!olm.userId) {
+            logger.warn("Olm has no user ID");
+            return;
+        }
+
+        const { session: userSession, user } =
+            await validateSessionToken(userToken);
+        if (!userSession || !user) {
+            logger.warn("Invalid user session for olm ping");
+            return; // by returning here we just ignore the ping and the setInterval will force it to disconnect
+        }
+        if (user.userId !== olm.userId) {
+            logger.warn("User ID mismatch for olm ping");
+            return;
+        }
+
+        const policyCheck = await checkOrgAccessPolicy({
+            orgId: orgId,
+            userId: olm.userId,
+            session: userToken // this is the user token passed in the message
+        });
+
+        if (!policyCheck.allowed) {
+            logger.warn(
+                `Olm user ${olm.userId} does not pass access policies for org ${orgId}: ${policyCheck.error}`
+            );
+            return;
+        }
+
        logger.debug(
            `Switching olm client ${olm.olmId} to org ${orgId} for user ${olm.userId}`
        );