Handle delete org and checking org policy

2026-03-02 00:36:38 +00:00 · 2025-11-26 15:35:33 -05:00
parent ceae787cf5
commit de83cf9d8c
4 changed files with 155 additions and 34 deletions
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -32,6 +32,8 @@ import {
 } from "@server/lib/ip";
 import { generateRemoteSubnets } from "@server/lib/ip";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+import { checkOrgAccessPolicy } from "@server/lib/checkOrgAccessPolicy";
+import { validateSessionToken } from "@server/auth/sessions/app";

 export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    logger.info("Handling register olm message!");
@@ -45,7 +47,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        return;
    }

-    const { publicKey, relay, olmVersion, orgId, doNotCreateNewClient } =
+    const { publicKey, relay, olmVersion, orgId, doNotCreateNewClient, token: userToken } =
        message.data;

    let client: Client | undefined;
@@ -78,6 +80,35 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            return;
        }

+        if (!olm.userId) {
+            logger.warn("Olm has no user ID");
+            return;
+        }
+
+        const { session: userSession, user } =
+            await validateSessionToken(userToken);
+        if (!userSession || !user) {
+            logger.warn("Invalid user session for olm ping");
+            return; // by returning here we just ignore the ping and the setInterval will force it to disconnect
+        }
+        if (user.userId !== olm.userId) {
+            logger.warn("User ID mismatch for olm ping");
+            return;
+        }
+
+        const policyCheck = await checkOrgAccessPolicy({
+            orgId: orgId,
+            userId: olm.userId,
+            session: userToken // this is the user token passed in the message
+        });
+
+        if (!policyCheck.allowed) {
+            logger.warn(
+                `Olm user ${olm.userId} does not pass access policies for org ${orgId}: ${policyCheck.error}`
+            );
+            return;
+        }
+
        logger.debug(
            `Switching olm client ${olm.olmId} to org ${orgId} for user ${olm.userId}`
        );