first pass

install/go.mod

@@ -3,8 +3,8 @@ module installer
 go 1.24.0
 
 require (
-	golang.org/x/term v0.40.0
+	golang.org/x/term v0.39.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
-require golang.org/x/sys v0.41.0 // indirect
+require golang.org/x/sys v0.40.0 // indirect

install/go.sum

@@ -1,7 +1,7 @@
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
+golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

server/auth/actions.ts

@@ -1,7 +1,7 @@
 import { Request } from "express";
 import { db } from "@server/db";
-import { userActions, roleActions, userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { userActions, roleActions } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 
@@ -52,6 +52,7 @@ export enum ActionsEnum {
     listRoleResources = "listRoleResources",
     // listRoleActions = "listRoleActions",
     addUserRole = "addUserRole",
+    removeUserRole = "removeUserRole",
     // addUserSite = "addUserSite",
     // addUserAction = "addUserAction",
     // removeUserAction = "removeUserAction",
@@ -153,29 +154,19 @@ export async function checkUserActionPermission(
     }
 
     try {
-        let userOrgRoleId = req.userOrgRoleId;
+        let userOrgRoleIds = req.userOrgRoleIds;
 
-        // If userOrgRoleId is not available on the request, fetch it
-        if (userOrgRoleId === undefined) {
-            const userOrgRole = await db
-                .select()
-                .from(userOrgs)
-                .where(
-                    and(
-                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, req.userOrgId!)
-                    )
-                )
-                .limit(1);
-
-            if (userOrgRole.length === 0) {
+        if (userOrgRoleIds === undefined) {
+            const { getUserOrgRoleIds } = await import(
+                "@server/lib/userOrgRoles"
+            );
+            userOrgRoleIds = await getUserOrgRoleIds(userId, req.userOrgId!);
+            if (userOrgRoleIds.length === 0) {
                 throw createHttpError(
                     HttpCode.FORBIDDEN,
                     "User does not have access to this organization"
                 );
             }
-
-            userOrgRoleId = userOrgRole[0].roleId;
         }
 
         // Check if the user has direct permission for the action in the current org
@@ -186,7 +177,7 @@ export async function checkUserActionPermission(
                 and(
                     eq(userActions.userId, userId),
                     eq(userActions.actionId, actionId),
-                    eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org
+                    eq(userActions.orgId, req.userOrgId!)
                 )
             )
             .limit(1);
@@ -195,14 +186,14 @@ export async function checkUserActionPermission(
             return true;
         }
 
-        // If no direct permission, check role-based permission
+        // If no direct permission, check role-based permission (any of user's roles)
         const roleActionPermission = await db
             .select()
             .from(roleActions)
             .where(
                 and(
                     eq(roleActions.actionId, actionId),
-                    eq(roleActions.roleId, userOrgRoleId!),
+                    inArray(roleActions.roleId, userOrgRoleIds),
                     eq(roleActions.orgId, req.userOrgId!)
                 )
             )

server/auth/canUserAccessResource.ts

@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleResources, userResources } from "@server/db";
 
 export async function canUserAccessResource({
     userId,
     resourceId,
-    roleId
+    roleIds
 }: {
     userId: string;
     resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
-        .select()
-        .from(roleResources)
-        .where(
-            and(
-                eq(roleResources.resourceId, resourceId),
-                eq(roleResources.roleId, roleId)
-            )
-        )
-        .limit(1);
+    const roleResourceAccess =
+        roleIds.length > 0
+            ? await db
+                  .select()
+                  .from(roleResources)
+                  .where(
+                      and(
+                          eq(roleResources.resourceId, resourceId),
+                          inArray(roleResources.roleId, roleIds)
+                      )
+                  )
+                  .limit(1)
+            : [];
 
     if (roleResourceAccess.length > 0) {
         return true;

server/auth/canUserAccessSiteResource.ts

@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleSiteResources, userSiteResources } from "@server/db";
 
 export async function canUserAccessSiteResource({
     userId,
     resourceId,
-    roleId
+    roleIds
 }: {
     userId: string;
     resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
-        .select()
-        .from(roleSiteResources)
-        .where(
-            and(
-                eq(roleSiteResources.siteResourceId, resourceId),
-                eq(roleSiteResources.roleId, roleId)
-            )
-        )
-        .limit(1);
+    const roleResourceAccess =
+        roleIds.length > 0
+            ? await db
+                  .select()
+                  .from(roleSiteResources)
+                  .where(
+                      and(
+                          eq(roleSiteResources.siteResourceId, resourceId),
+                          inArray(roleSiteResources.roleId, roleIds)
+                      )
+                  )
+                  .limit(1)
+            : [];
 
     if (roleResourceAccess.length > 0) {
         return true;

server/db/pg/index.ts

@@ -1,5 +1,4 @@
 export * from "./driver";
-export * from "./logsDriver";
 export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";

server/db/pg/logsDriver.ts

@@ -1,89 +0,0 @@
-import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
-import { readConfigFile } from "@server/lib/readConfigFile";
-import { readPrivateConfigFile } from "@server/private/lib/readConfigFile";
-import { withReplicas } from "drizzle-orm/pg-core";
-import { build } from "@server/build";
-import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
-
-function createLogsDb() {
-    // Only use separate logs database in SaaS builds
-    if (build !== "saas") {
-        return mainDb;
-    }
-
-    const config = readConfigFile();
-    const privateConfig = readPrivateConfigFile();
-
-    // Merge configs, prioritizing private config
-    const logsConfig = privateConfig.postgres_logs || config.postgres_logs;
-
-    // Check environment variable first
-    let connectionString = process.env.POSTGRES_LOGS_CONNECTION_STRING;
-    let replicaConnections: Array<{ connection_string: string }> = [];
-
-    if (!connectionString && logsConfig) {
-        connectionString = logsConfig.connection_string;
-        replicaConnections = logsConfig.replicas || [];
-    }
-
-    // If POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS is set, use it
-    if (process.env.POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS) {
-        replicaConnections =
-            process.env.POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS.split(",").map(
-                (conn) => ({
-                    connection_string: conn.trim()
-                })
-            );
-    }
-
-    // If no logs database is configured, fall back to main database
-    if (!connectionString) {
-        return mainDb;
-    }
-
-    // Create separate connection pool for logs database
-    const poolConfig = logsConfig?.pool || config.postgres?.pool;
-    const primaryPool = new Pool({
-        connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
-
-    const replicas = [];
-
-    if (!replicaConnections.length) {
-        replicas.push(
-            DrizzlePostgres(primaryPool, {
-                logger: process.env.QUERY_LOGGING == "true"
-            })
-        );
-    } else {
-        for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
-            replicas.push(
-                DrizzlePostgres(replicaPool, {
-                    logger: process.env.QUERY_LOGGING == "true"
-                })
-            );
-        }
-    }
-
-    return withReplicas(
-        DrizzlePostgres(primaryPool, {
-            logger: process.env.QUERY_LOGGING == "true"
-        }),
-        replicas as any
-    );
-}
-
-export const logsDb = createLogsDb();
-export default logsDb;
-export const primaryLogsDb = logsDb.$primary;

server/db/pg/schema/schema.ts

@@ -9,6 +9,7 @@ import {
     real,
     serial,
     text,
+    unique,
     varchar
 } from "drizzle-orm/pg-core";
 
@@ -332,9 +333,6 @@ export const userOrgs = pgTable("userOrgs", {
             onDelete: "cascade"
         })
         .notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId),
     isOwner: boolean("isOwner").notNull().default(false),
     autoProvisioned: boolean("autoProvisioned").default(false),
     pamUsername: varchar("pamUsername") // cleaned username for ssh and such
@@ -383,6 +381,22 @@ export const roles = pgTable("roles", {
     sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 
+export const userOrgRoles = pgTable(
+    "userOrgRoles",
+    {
+        userId: varchar("userId")
+            .notNull()
+            .references(() => users.userId, { onDelete: "cascade" }),
+        orgId: varchar("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
+);
+
 export const roleActions = pgTable("roleActions", {
     roleId: integer("roleId")
         .notNull()
@@ -1031,6 +1045,7 @@ export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
+export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;

server/db/queries/verifySessionQueries.ts

@@ -12,6 +12,7 @@ import {
     resources,
     roleResources,
     sessions,
+    userOrgRoles,
     userOrgs,
     userResources,
     users,
@@ -104,24 +105,57 @@ export async function getUserSessionWithUser(
 }
 
 /**
- * Get user organization role
+ * Get user organization role (single role; prefer getUserOrgRoleIds + roles for multi-role).
+ * @deprecated Use userOrgRoles table and getUserOrgRoleIds for multi-role support.
  */
 export async function getUserOrgRole(userId: string, orgId: string) {
-    const userOrgRole = await db
+    const userOrg = await db
         .select({
             userId: userOrgs.userId,
             orgId: userOrgs.orgId,
-            roleId: userOrgs.roleId,
             isOwner: userOrgs.isOwner,
-            autoProvisioned: userOrgs.autoProvisioned,
-            roleName: roles.name
+            autoProvisioned: userOrgs.autoProvisioned
         })
         .from(userOrgs)
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .limit(1);
 
-    return userOrgRole.length > 0 ? userOrgRole[0] : null;
+    if (userOrg.length === 0) return null;
+
+    const [firstRole] = await db
+        .select({
+            roleId: userOrgRoles.roleId,
+            roleName: roles.name
+        })
+        .from(userOrgRoles)
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        )
+        .limit(1);
+
+    return firstRole
+        ? {
+              ...userOrg[0],
+              roleId: firstRole.roleId,
+              roleName: firstRole.roleName
+          }
+        : { ...userOrg[0], roleId: null, roleName: null };
+}
+
+/**
+ * Get role name by role ID (for display).
+ */
+export async function getRoleName(roleId: number): Promise<string | null> {
+    const [row] = await db
+        .select({ name: roles.name })
+        .from(roles)
+        .where(eq(roles.roleId, roleId))
+        .limit(1);
+    return row?.name ?? null;
 }
 
 /**

server/db/sqlite/index.ts

@@ -1,5 +1,4 @@
 export * from "./driver";
-export * from "./logsDriver";
 export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";

server/db/sqlite/logsDriver.ts

@@ -1,7 +0,0 @@
-import { db as mainDb } from "./driver";
-
-// SQLite doesn't support separate databases for logs in the same way as Postgres
-// Always use the main database connection for SQLite
-export const logsDb = mainDb;
-export default logsDb;
-export const primaryLogsDb = logsDb;

server/db/sqlite/schema/schema.ts

@@ -1,6 +1,12 @@
 import { randomUUID } from "crypto";
 import { InferSelectModel } from "drizzle-orm";
-import { index, integer, sqliteTable, text } from "drizzle-orm/sqlite-core";
+import {
+    index,
+    integer,
+    sqliteTable,
+    text,
+    unique
+} from "drizzle-orm/sqlite-core";
 
 export const domains = sqliteTable("domains", {
     domainId: text("domainId").primaryKey(),
@@ -635,9 +641,6 @@ export const userOrgs = sqliteTable("userOrgs", {
             onDelete: "cascade"
         })
         .notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId),
     isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
     autoProvisioned: integer("autoProvisioned", {
         mode: "boolean"
@@ -692,6 +695,22 @@ export const roles = sqliteTable("roles", {
     sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 
+export const userOrgRoles = sqliteTable(
+    "userOrgRoles",
+    {
+        userId: text("userId")
+            .notNull()
+            .references(() => users.userId, { onDelete: "cascade" }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
+);
+
 export const roleActions = sqliteTable("roleActions", {
     roleId: integer("roleId")
         .notNull()
@@ -1126,6 +1145,7 @@ export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
+export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;

server/index.ts

@@ -74,7 +74,7 @@ declare global {
             session: Session;
             userOrg?: UserOrg;
             apiKeyOrg?: ApiKeyOrg;
-            userOrgRoleId?: number;
+            userOrgRoleIds?: number[];
             userOrgId?: string;
             userOrgIds?: string[];
             remoteExitNode?: RemoteExitNode;

server/lib/blueprints/clientResources.ts

@@ -11,7 +11,7 @@ import {
     userSiteResources
 } from "@server/db";
 import { sites } from "@server/db";
-import { eq, and, ne, inArray, or } from "drizzle-orm";
+import { eq, and, ne, inArray } from "drizzle-orm";
 import { Config } from "./types";
 import logger from "@server/logger";
 import { getNextAvailableAliasAddress } from "../ip";
@@ -142,10 +142,7 @@ export async function updateClientResources(
                     .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
                     .where(
                         and(
-                            or(
-                                inArray(users.username, resourceData.users),
-                                inArray(users.email, resourceData.users)
-                            ),
+                            inArray(users.username, resourceData.users),
                             eq(userOrgs.orgId, orgId)
                         )
                     );
@@ -279,10 +276,7 @@ export async function updateClientResources(
                     .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
                     .where(
                         and(
-                            or(
-                                inArray(users.username, resourceData.users),
-                                inArray(users.email, resourceData.users)
-                            ),
+                            inArray(users.username, resourceData.users),
                             eq(userOrgs.orgId, orgId)
                         )
                     );

server/lib/blueprints/proxyResources.ts

@@ -212,10 +212,7 @@ export async function updateProxyResources(
             } else {
                 // Update existing resource
 
-                const isLicensed = await isLicensedOrSubscribed(
-                    orgId,
-                    tierMatrix.maintencePage
-                );
+                const isLicensed = await isLicensedOrSubscribed(orgId, tierMatrix.maintencePage);
                 if (!isLicensed) {
                     resourceData.maintenance = undefined;
                 }
@@ -593,10 +590,7 @@ export async function updateProxyResources(
                         existingRule.action !== getRuleAction(rule.action) ||
                         existingRule.match !== rule.match.toUpperCase() ||
                         existingRule.value !==
-                            getRuleValue(
-                                rule.match.toUpperCase(),
-                                rule.value
-                            ) ||
+                        getRuleValue(rule.match.toUpperCase(), rule.value) ||
                         existingRule.priority !== intendedPriority
                     ) {
                         validateRule(rule);
@@ -654,10 +648,7 @@ export async function updateProxyResources(
                 );
             }
 
-            const isLicensed = await isLicensedOrSubscribed(
-                orgId,
-                tierMatrix.maintencePage
-            );
+            const isLicensed = await isLicensedOrSubscribed(orgId, tierMatrix.maintencePage);
             if (!isLicensed) {
                 resourceData.maintenance = undefined;
             }
@@ -944,12 +935,7 @@ async function syncUserResources(
             .select()
             .from(users)
             .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
-            .where(
-                and(
-                    or(eq(users.username, username), eq(users.email, username)),
-                    eq(userOrgs.orgId, orgId)
-                )
-            )
+            .where(and(eq(users.username, username), eq(userOrgs.orgId, orgId)))
             .limit(1);
 
         if (!user) {

server/lib/blueprints/types.ts

@@ -69,7 +69,7 @@ export const AuthSchema = z.object({
         .refine((roles) => !roles.includes("Admin"), {
             error: "Admin role cannot be included in sso-roles"
         }),
-    "sso-users": z.array(z.string()).optional().default([]),
+    "sso-users": z.array(z.email()).optional().default([]),
     "whitelist-users": z.array(z.email()).optional().default([]),
     "auto-login-idp": z.int().positive().optional()
 });
@@ -335,7 +335,7 @@ export const ClientResourceSchema = z
             .refine((roles) => !roles.includes("Admin"), {
                 error: "Admin role cannot be included in roles"
             }),
-        users: z.array(z.string()).optional().default([]),
+        users: z.array(z.email()).optional().default([]),
         machines: z.array(z.string()).optional().default([])
     })
     .refine(

server/lib/calculateUserClientsForOrgs.ts

@@ -10,6 +10,7 @@ import {
     roles,
     Transaction,
     userClients,
+    userOrgRoles,
     userOrgs
 } from "@server/db";
 import { getUniqueClientName } from "@server/db/names";
@@ -39,20 +40,36 @@ export async function calculateUserClientsForOrgs(
             return;
         }
 
-        // Get all user orgs
-        const allUserOrgs = await transaction
+        // Get all user orgs with all roles (for org list and role-based logic)
+        const userOrgRoleRows = await transaction
             .select()
             .from(userOrgs)
-            .innerJoin(roles, eq(roles.roleId, userOrgs.roleId))
+            .innerJoin(
+                userOrgRoles,
+                and(
+                    eq(userOrgs.userId, userOrgRoles.userId),
+                    eq(userOrgs.orgId, userOrgRoles.orgId)
+                )
+            )
+            .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
             .where(eq(userOrgs.userId, userId));
 
-        const userOrgIds = allUserOrgs.map(({ userOrgs: uo }) => uo.orgId);
+        const userOrgIds = [...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))];
+        const orgIdToRoleRows = new Map<
+            string,
+            (typeof userOrgRoleRows)[0][]
+        >();
+        for (const r of userOrgRoleRows) {
+            const list = orgIdToRoleRows.get(r.userOrgs.orgId) ?? [];
+            list.push(r);
+            orgIdToRoleRows.set(r.userOrgs.orgId, list);
+        }
 
         // For each OLM, ensure there's a client in each org the user is in
         for (const olm of userOlms) {
-            for (const userRoleOrg of allUserOrgs) {
-                const { userOrgs: userOrg, roles: role } = userRoleOrg;
-                const orgId = userOrg.orgId;
+            for (const orgId of orgIdToRoleRows.keys()) {
+                const roleRowsForOrg = orgIdToRoleRows.get(orgId)!;
+                const userOrg = roleRowsForOrg[0].userOrgs;
 
                 const [org] = await transaction
                     .select()
@@ -196,7 +213,7 @@ export async function calculateUserClientsForOrgs(
                 const requireApproval =
                     build !== "oss" &&
                     isOrgLicensed &&
-                    role.requireDeviceApproval;
+                    roleRowsForOrg.some((r) => r.roles.requireDeviceApproval);
 
                 const newClientData: InferInsertModel<typeof clients> = {
                     userId,

server/lib/readConfigFile.ts

@@ -189,46 +189,6 @@ export const configSchema = z
                     .prefault({})
             })
             .optional(),
-        postgres_logs: z
-            .object({
-                connection_string: z
-                    .string()
-                    .optional()
-                    .transform(getEnvOrYaml("POSTGRES_LOGS_CONNECTION_STRING")),
-                replicas: z
-                    .array(
-                        z.object({
-                            connection_string: z.string()
-                        })
-                    )
-                    .optional(),
-                pool: z
-                    .object({
-                        max_connections: z
-                            .number()
-                            .positive()
-                            .optional()
-                            .default(20),
-                        max_replica_connections: z
-                            .number()
-                            .positive()
-                            .optional()
-                            .default(10),
-                        idle_timeout_ms: z
-                            .number()
-                            .positive()
-                            .optional()
-                            .default(30000),
-                        connection_timeout_ms: z
-                            .number()
-                            .positive()
-                            .optional()
-                            .default(5000)
-                    })
-                    .optional()
-                    .prefault({})
-            })
-            .optional(),
         traefik: z
             .object({
                 http_entrypoint: z.string().optional().default("web"),

server/lib/rebuildClientAssociations.ts

@@ -14,6 +14,7 @@ import {
     siteResources,
     sites,
     Transaction,
+    userOrgRoles,
     userOrgs,
     userSiteResources
 } from "@server/db";
@@ -77,10 +78,10 @@ export async function getClientSiteResourceAccess(
     // get all of the users in these roles
     const userIdsFromRoles = await trx
         .select({
-            userId: userOrgs.userId
+            userId: userOrgRoles.userId
         })
-        .from(userOrgs)
-        .where(inArray(userOrgs.roleId, roleIds))
+        .from(userOrgRoles)
+        .where(inArray(userOrgRoles.roleId, roleIds))
         .then((rows) => rows.map((row) => row.userId));
 
     const newAllUserIds = Array.from(
@@ -811,12 +812,12 @@ export async function rebuildClientAssociationsFromClient(
 
         // Role-based access
         const roleIds = await trx
-            .select({ roleId: userOrgs.roleId })
-            .from(userOrgs)
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
             .where(
                 and(
-                    eq(userOrgs.userId, client.userId),
-                    eq(userOrgs.orgId, client.orgId)
+                    eq(userOrgRoles.userId, client.userId),
+                    eq(userOrgRoles.orgId, client.orgId)
                 )
             ) // this needs to be locked onto this org or else cross-org access could happen
             .then((rows) => rows.map((row) => row.roleId));

server/lib/userOrg.ts

@@ -6,7 +6,7 @@ import {
     siteResources,
     sites,
     Transaction,
-    UserOrg,
+    userOrgRoles,
     userOrgs,
     userResources,
     userSiteResources,
@@ -19,9 +19,15 @@ import { FeatureId } from "@server/lib/billing";
 export async function assignUserToOrg(
     org: Org,
     values: typeof userOrgs.$inferInsert,
+    roleId: number,
     trx: Transaction | typeof db = db
 ) {
     const [userOrg] = await trx.insert(userOrgs).values(values).returning();
+    await trx.insert(userOrgRoles).values({
+        userId: userOrg.userId,
+        orgId: userOrg.orgId,
+        roleId
+    });
 
     // calculate if the user is in any other of the orgs before we count it as an add to the billing org
     if (org.billingOrgId) {
@@ -58,6 +64,14 @@ export async function removeUserFromOrg(
     userId: string,
     trx: Transaction | typeof db = db
 ) {
+    await trx
+        .delete(userOrgRoles)
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, org.orgId)
+            )
+        );
     await trx
         .delete(userOrgs)
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, org.orgId)));

server/lib/userOrgRoles.ts

@@ -0,0 +1,22 @@
+import { db, userOrgRoles } from "@server/db";
+import { and, eq } from "drizzle-orm";
+
+/**
+ * Get all role IDs a user has in an organization.
+ * Returns empty array if the user has no roles in the org (callers must treat as no access).
+ */
+export async function getUserOrgRoleIds(
+    userId: string,
+    orgId: string
+): Promise<number[]> {
+    const rows = await db
+        .select({ roleId: userOrgRoles.roleId })
+        .from(userOrgRoles)
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        );
+    return rows.map((r) => r.roleId);
+}

server/middlewares/getUserOrgs.ts

@@ -21,8 +21,7 @@ export async function getUserOrgs(
     try {
         const userOrganizations = await db
             .select({
-                orgId: userOrgs.orgId,
-                roleId: userOrgs.roleId
+                orgId: userOrgs.orgId
             })
             .from(userOrgs)
             .where(eq(userOrgs.userId, userId));

server/middlewares/verifyAccessTokenAccess.ts

@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyAccessTokenAccess(
     req: Request,
@@ -93,7 +94,10 @@ export async function verifyAccessTokenAccess(
                 )
             );
         } else {
-            req.userOrgRoleId = req.userOrg.roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(
+                req.userOrg.userId,
+                resource[0].orgId!
+            );
             req.userOrgId = resource[0].orgId!;
         }
 
@@ -118,7 +122,7 @@ export async function verifyAccessTokenAccess(
         const resourceAllowed = await canUserAccessResource({
             userId,
             resourceId,
-            roleId: req.userOrgRoleId!
+            roleIds: req.userOrgRoleIds ?? []
         });
 
         if (!resourceAllowed) {

server/middlewares/verifyAdmin.ts

@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { roles, userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyAdmin(
     req: Request,
@@ -62,13 +63,29 @@ export async function verifyAdmin(
         }
     }
 
-    const userRole = await db
+    req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId!);
+
+    if (req.userOrgRoleIds.length === 0) {
+        return next(
+            createHttpError(
+                HttpCode.FORBIDDEN,
+                "User does not have Admin access"
+            )
+        );
+    }
+
+    const userAdminRoles = await db
         .select()
         .from(roles)
-        .where(eq(roles.roleId, req.userOrg.roleId))
+        .where(
+            and(
+                inArray(roles.roleId, req.userOrgRoleIds),
+                eq(roles.isAdmin, true)
+            )
+        )
         .limit(1);
 
-    if (userRole.length === 0 || !userRole[0].isAdmin) {
+    if (userAdminRoles.length === 0) {
         return next(
             createHttpError(
                 HttpCode.FORBIDDEN,

server/middlewares/verifyApiKeyAccess.ts

@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { userOrgs, apiKeys, apiKeyOrg } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyApiKeyAccess(
     req: Request,
@@ -103,8 +104,10 @@ export async function verifyApiKeyAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            orgId
+        );
 
         return next();
     } catch (error) {

server/middlewares/verifyClientAccess.ts

@@ -1,11 +1,12 @@
 import { Request, Response, NextFunction } from "express";
 import { Client, db } from "@server/db";
 import { userOrgs, clients, roleClients, userClients } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import logger from "@server/logger";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyClientAccess(
     req: Request,
@@ -113,21 +114,30 @@ export async function verifyClientAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            client.orgId
+        );
         req.userOrgId = client.orgId;
 
-        // Check role-based site access first
-        const [roleClientAccess] = await db
-            .select()
-            .from(roleClients)
-            .where(
-                and(
-                    eq(roleClients.clientId, client.clientId),
-                    eq(roleClients.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        // Check role-based client access (any of user's roles)
+        const roleClientAccessList =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleClients)
+                      .where(
+                          and(
+                              eq(roleClients.clientId, client.clientId),
+                              inArray(
+                                  roleClients.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
+        const [roleClientAccess] = roleClientAccessList;
 
         if (roleClientAccess) {
             // User has access to the site through their role

server/middlewares/verifyDomainAccess.ts

@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, domains, orgDomains } from "@server/db";
-import { userOrgs, apiKeyOrg } from "@server/db";
+import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyDomainAccess(
     req: Request,
@@ -63,7 +64,7 @@ export async function verifyDomainAccess(
                 .where(
                     and(
                         eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, apiKeyOrg.orgId)
+                        eq(userOrgs.orgId, orgId)
                     )
                 )
                 .limit(1);
@@ -97,8 +98,7 @@ export async function verifyDomainAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
 
         return next();
     } catch (error) {

server/middlewares/verifyOrgAccess.ts

@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
-import { db, orgs } from "@server/db";
+import { db } from "@server/db";
 import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyOrgAccess(
     req: Request,
@@ -64,8 +65,8 @@ export async function verifyOrgAccess(
             }
         }
 
-        // User has access, attach the user's role to the request for potential future use
-        req.userOrgRoleId = req.userOrg.roleId;
+        // User has access, attach the user's role(s) to the request for potential future use
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
         req.userOrgId = orgId;
 
         return next();

server/middlewares/verifyResourceAccess.ts

@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, Resource } from "@server/db";
 import { resources, userOrgs, userResources, roleResources } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyResourceAccess(
     req: Request,
@@ -107,20 +108,28 @@ export async function verifyResourceAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            resource.orgId
+        );
         req.userOrgId = resource.orgId;
 
-        const roleResourceAccess = await db
-            .select()
-            .from(roleResources)
-            .where(
-                and(
-                    eq(roleResources.resourceId, resource.resourceId),
-                    eq(roleResources.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        const roleResourceAccess =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleResources)
+                      .where(
+                          and(
+                              eq(roleResources.resourceId, resource.resourceId),
+                              inArray(
+                                  roleResources.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
 
         if (roleResourceAccess.length > 0) {
             return next();

server/middlewares/verifyRoleAccess.ts

@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyRoleAccess(
     req: Request,
@@ -99,7 +100,6 @@ export async function verifyRoleAccess(
         }
 
         if (!req.userOrg) {
-            // get the userORg
             const userOrg = await db
                 .select()
                 .from(userOrgs)
@@ -109,7 +109,7 @@ export async function verifyRoleAccess(
                 .limit(1);
 
             req.userOrg = userOrg[0];
-            req.userOrgRoleId = userOrg[0].roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(userId, orgId!);
         }
 
         if (!req.userOrg) {

server/middlewares/verifySiteAccess.ts

@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { sites, Site, userOrgs, userSites, roleSites, roles } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifySiteAccess(
     req: Request,
@@ -112,21 +113,29 @@ export async function verifySiteAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            site.orgId
+        );
         req.userOrgId = site.orgId;
 
-        // Check role-based site access first
-        const roleSiteAccess = await db
-            .select()
-            .from(roleSites)
-            .where(
-                and(
-                    eq(roleSites.siteId, site.siteId),
-                    eq(roleSites.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        // Check role-based site access first (any of user's roles)
+        const roleSiteAccess =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleSites)
+                      .where(
+                          and(
+                              eq(roleSites.siteId, site.siteId),
+                              inArray(
+                                  roleSites.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
 
         if (roleSiteAccess.length > 0) {
             // User's role has access to the site

server/middlewares/verifySiteResourceAccess.ts

@@ -1,11 +1,12 @@
 import { Request, Response, NextFunction } from "express";
 import { db, roleSiteResources, userOrgs, userSiteResources } from "@server/db";
 import { siteResources } from "@server/db";
-import { eq, and } from "drizzle-orm";
+import { eq, and, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifySiteResourceAccess(
     req: Request,
@@ -109,23 +110,34 @@ export async function verifySiteResourceAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            siteResource.orgId
+        );
         req.userOrgId = siteResource.orgId;
 
         // Attach the siteResource to the request for use in the next middleware/route
         req.siteResource = siteResource;
 
-        const roleResourceAccess = await db
-            .select()
-            .from(roleSiteResources)
-            .where(
-                and(
-                    eq(roleSiteResources.siteResourceId, siteResourceIdNum),
-                    eq(roleSiteResources.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        const roleResourceAccess =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleSiteResources)
+                      .where(
+                          and(
+                              eq(
+                                  roleSiteResources.siteResourceId,
+                                  siteResourceIdNum
+                              ),
+                              inArray(
+                                  roleSiteResources.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
 
         if (roleResourceAccess.length > 0) {
             return next();

server/middlewares/verifyTargetAccess.ts

@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "../auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyTargetAccess(
     req: Request,
@@ -99,7 +100,10 @@ export async function verifyTargetAccess(
                 )
             );
         } else {
-            req.userOrgRoleId = req.userOrg.roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(
+                req.userOrg.userId,
+                resource[0].orgId!
+            );
             req.userOrgId = resource[0].orgId!;
         }
 
@@ -126,7 +130,7 @@ export async function verifyTargetAccess(
         const resourceAllowed = await canUserAccessResource({
             userId,
             resourceId,
-            roleId: req.userOrgRoleId!
+            roleIds: req.userOrgRoleIds ?? []
         });
 
         if (!resourceAllowed) {

server/middlewares/verifyUserInRole.ts

@@ -12,7 +12,7 @@ export async function verifyUserInRole(
         const roleId = parseInt(
             req.params.roleId || req.body.roleId || req.query.roleId
         );
-        const userRoleId = req.userOrgRoleId;
+        const userOrgRoleIds = req.userOrgRoleIds ?? [];
 
         if (isNaN(roleId)) {
             return next(
@@ -20,7 +20,7 @@ export async function verifyUserInRole(
             );
         }
 
-        if (!userRoleId) {
+        if (userOrgRoleIds.length === 0) {
             return next(
                 createHttpError(
                     HttpCode.FORBIDDEN,
@@ -29,7 +29,7 @@ export async function verifyUserInRole(
             );
         }
 
-        if (userRoleId !== roleId) {
+        if (!userOrgRoleIds.includes(roleId)) {
             return next(
                 createHttpError(
                     HttpCode.FORBIDDEN,

server/private/lib/logAccessAudit.ts

@@ -11,7 +11,7 @@
  * This file is not licensed under the AGPLv3.
  */
 
-import { accessAuditLog, logsDb, db, orgs } from "@server/db";
+import { accessAuditLog, db, orgs } from "@server/db";
 import { getCountryCodeForIp } from "@server/lib/geoip";
 import logger from "@server/logger";
 import { and, eq, lt } from "drizzle-orm";
@@ -52,7 +52,7 @@ export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
     const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
 
     try {
-        await logsDb
+        await db
             .delete(accessAuditLog)
             .where(
                 and(
@@ -124,7 +124,7 @@ export async function logAccessAudit(data: {
             ? await getCountryCodeFromIp(data.requestIp)
             : undefined;
 
-        await logsDb.insert(accessAuditLog).values({
+        await db.insert(accessAuditLog).values({
             timestamp: timestamp,
             orgId: data.orgId,
             actorType,

server/private/lib/readConfigFile.ts

@@ -83,46 +83,6 @@ export const privateConfigSchema = z.object({
                 .optional()
         })
         .optional(),
-    postgres_logs: z
-        .object({
-            connection_string: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("POSTGRES_LOGS_CONNECTION_STRING")),
-            replicas: z
-                .array(
-                    z.object({
-                        connection_string: z.string()
-                    })
-                )
-                .optional(),
-            pool: z
-                .object({
-                    max_connections: z
-                        .number()
-                        .positive()
-                        .optional()
-                        .default(20),
-                    max_replica_connections: z
-                        .number()
-                        .positive()
-                        .optional()
-                        .default(10),
-                    idle_timeout_ms: z
-                        .number()
-                        .positive()
-                        .optional()
-                        .default(30000),
-                    connection_timeout_ms: z
-                        .number()
-                        .positive()
-                        .optional()
-                        .default(5000)
-                })
-                .optional()
-                .prefault({})
-        })
-        .optional(),
     gerbil: z
         .object({
             local_exit_node_reachable_at: z

server/private/middlewares/logActionAudit.ts

@@ -12,7 +12,7 @@
  */
 
 import { ActionsEnum } from "@server/auth/actions";
-import { actionAuditLog, logsDb, db, orgs } from "@server/db";
+import { actionAuditLog, db, orgs } from "@server/db";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
 import { Request, Response, NextFunction } from "express";
@@ -54,7 +54,7 @@ export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
     const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
 
     try {
-        await logsDb
+        await db
             .delete(actionAuditLog)
             .where(
                 and(
@@ -123,7 +123,7 @@ export function logActionAudit(action: ActionsEnum) {
                 metadata = JSON.stringify(req.params);
             }
 
-            await logsDb.insert(actionAuditLog).values({
+            await db.insert(actionAuditLog).values({
                 timestamp,
                 orgId,
                 actorType,

server/private/middlewares/verifyIdpAccess.ts

@@ -13,9 +13,10 @@
 
 import { Request, Response, NextFunction } from "express";
 import { userOrgs, db, idp, idpOrg } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyIdpAccess(
     req: Request,
@@ -84,8 +85,10 @@ export async function verifyIdpAccess(
             );
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            idpRes.idpOrg.orgId
+        );
 
         return next();
     } catch (error) {

server/private/middlewares/verifyRemoteExitNodeAccess.ts

@@ -12,11 +12,12 @@
  */
 
 import { Request, Response, NextFunction } from "express";
-import { db, exitNodeOrgs, exitNodes, remoteExitNodes } from "@server/db";
-import { sites, userOrgs, userSites, roleSites, roles } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { db, exitNodeOrgs, remoteExitNodes } from "@server/db";
+import { userOrgs } from "@server/db";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyRemoteExitNodeAccess(
     req: Request,
@@ -103,8 +104,10 @@ export async function verifyRemoteExitNodeAccess(
             );
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            exitNodeOrg.orgId
+        );
 
         return next();
     } catch (error) {

server/private/routers/auditLogs/queryAccessAuditLog.ts

@@ -11,11 +11,11 @@
  * This file is not licensed under the AGPLv3.
  */
 
-import { accessAuditLog, logsDb, resources, db, primaryDb } from "@server/db";
+import { accessAuditLog, db, resources } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
-import { eq, gt, lt, and, count, desc, inArray } from "drizzle-orm";
+import { eq, gt, lt, and, count, desc } from "drizzle-orm";
 import { OpenAPITags } from "@server/openApi";
 import { z } from "zod";
 import createHttpError from "http-errors";
@@ -115,13 +115,15 @@ function getWhere(data: Q) {
 }
 
 export function queryAccess(data: Q) {
-    return logsDb
+    return db
         .select({
             orgId: accessAuditLog.orgId,
             action: accessAuditLog.action,
             actorType: accessAuditLog.actorType,
             actorId: accessAuditLog.actorId,
             resourceId: accessAuditLog.resourceId,
+            resourceName: resources.name,
+            resourceNiceId: resources.niceId,
             ip: accessAuditLog.ip,
             location: accessAuditLog.location,
             userAgent: accessAuditLog.userAgent,
@@ -131,46 +133,16 @@ export function queryAccess(data: Q) {
             actor: accessAuditLog.actor
         })
         .from(accessAuditLog)
+        .leftJoin(
+            resources,
+            eq(accessAuditLog.resourceId, resources.resourceId)
+        )
         .where(getWhere(data))
         .orderBy(desc(accessAuditLog.timestamp), desc(accessAuditLog.id));
 }
 
-async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryAccess>>) {
-    // If logs database is the same as main database, we can do a join
-    // Otherwise, we need to fetch resource details separately
-    const resourceIds = logs
-        .map(log => log.resourceId)
-        .filter((id): id is number => id !== null && id !== undefined);
-
-    if (resourceIds.length === 0) {
-        return logs.map(log => ({ ...log, resourceName: null, resourceNiceId: null }));
-    }
-
-    // Fetch resource details from main database
-    const resourceDetails = await primaryDb
-        .select({
-            resourceId: resources.resourceId,
-            name: resources.name,
-            niceId: resources.niceId
-        })
-        .from(resources)
-        .where(inArray(resources.resourceId, resourceIds));
-
-    // Create a map for quick lookup
-    const resourceMap = new Map(
-        resourceDetails.map(r => [r.resourceId, { name: r.name, niceId: r.niceId }])
-    );
-
-    // Enrich logs with resource details
-    return logs.map(log => ({
-        ...log,
-        resourceName: log.resourceId ? resourceMap.get(log.resourceId)?.name ?? null : null,
-        resourceNiceId: log.resourceId ? resourceMap.get(log.resourceId)?.niceId ?? null : null
-    }));
-}
-
 export function countAccessQuery(data: Q) {
-    const countQuery = logsDb
+    const countQuery = db
         .select({ count: count() })
         .from(accessAuditLog)
         .where(getWhere(data));
@@ -189,7 +161,7 @@ async function queryUniqueFilterAttributes(
     );
 
     // Get unique actors
-    const uniqueActors = await logsDb
+    const uniqueActors = await db
         .selectDistinct({
             actor: accessAuditLog.actor
         })
@@ -197,7 +169,7 @@ async function queryUniqueFilterAttributes(
         .where(baseConditions);
 
     // Get unique locations
-    const uniqueLocations = await logsDb
+    const uniqueLocations = await db
         .selectDistinct({
             locations: accessAuditLog.location
         })
@@ -205,40 +177,25 @@ async function queryUniqueFilterAttributes(
         .where(baseConditions);
 
     // Get unique resources with names
-    const uniqueResources = await logsDb
+    const uniqueResources = await db
         .selectDistinct({
-            id: accessAuditLog.resourceId
+            id: accessAuditLog.resourceId,
+            name: resources.name
         })
         .from(accessAuditLog)
+        .leftJoin(
+            resources,
+            eq(accessAuditLog.resourceId, resources.resourceId)
+        )
         .where(baseConditions);
 
-    // Fetch resource names from main database for the unique resource IDs
-    const resourceIds = uniqueResources
-        .map(row => row.id)
-        .filter((id): id is number => id !== null);
-
-    let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
-
-    if (resourceIds.length > 0) {
-        const resourceDetails = await primaryDb
-            .select({
-                resourceId: resources.resourceId,
-                name: resources.name
-            })
-            .from(resources)
-            .where(inArray(resources.resourceId, resourceIds));
-
-        resourcesWithNames = resourceDetails.map(r => ({
-            id: r.resourceId,
-            name: r.name
-        }));
-    }
-
     return {
         actors: uniqueActors
             .map((row) => row.actor)
             .filter((actor): actor is string => actor !== null),
-        resources: resourcesWithNames,
+        resources: uniqueResources.filter(
+            (row): row is { id: number; name: string | null } => row.id !== null
+        ),
         locations: uniqueLocations
             .map((row) => row.locations)
             .filter((location): location is string => location !== null)
@@ -286,10 +243,7 @@ export async function queryAccessAuditLogs(
 
         const baseQuery = queryAccess(data);
 
-        const logsRaw = await baseQuery.limit(data.limit).offset(data.offset);
-
-        // Enrich with resource details (handles cross-database scenario)
-        const log = await enrichWithResourceDetails(logsRaw);
+        const log = await baseQuery.limit(data.limit).offset(data.offset);
 
         const totalCountResult = await countAccessQuery(data);
         const totalCount = totalCountResult[0].count;

server/private/routers/auditLogs/queryActionAuditLog.ts

@@ -11,7 +11,7 @@
  * This file is not licensed under the AGPLv3.
  */
 
-import { actionAuditLog, logsDb } from "@server/db";
+import { actionAuditLog, db } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
@@ -97,7 +97,7 @@ function getWhere(data: Q) {
 }
 
 export function queryAction(data: Q) {
-    return logsDb
+    return db
         .select({
             orgId: actionAuditLog.orgId,
             action: actionAuditLog.action,
@@ -113,7 +113,7 @@ export function queryAction(data: Q) {
 }
 
 export function countActionQuery(data: Q) {
-    const countQuery = logsDb
+    const countQuery = db
         .select({ count: count() })
         .from(actionAuditLog)
         .where(getWhere(data));
@@ -132,14 +132,14 @@ async function queryUniqueFilterAttributes(
     );
 
     // Get unique actors
-    const uniqueActors = await logsDb
+    const uniqueActors = await db
         .selectDistinct({
             actor: actionAuditLog.actor
         })
         .from(actionAuditLog)
         .where(baseConditions);
 
-    const uniqueActions = await logsDb
+    const uniqueActions = await db
         .selectDistinct({
             action: actionAuditLog.action
         })

server/private/routers/external.ts

@@ -480,9 +480,9 @@ authenticated.get(
 
 authenticated.post(
     "/re-key/:clientId/regenerate-client-secret",
-    verifyClientAccess, // this is first to set the org id
     verifyValidLicense,
     verifyValidSubscription(tierMatrix.rotateCredentials),
+    verifyClientAccess, // this is first to set the org id
     verifyLimits,
     verifyUserHasAction(ActionsEnum.reGenerateSecret),
     reKey.reGenerateClientSecret
@@ -490,9 +490,9 @@ authenticated.post(
 
 authenticated.post(
     "/re-key/:siteId/regenerate-site-secret",
-    verifySiteAccess, // this is first to set the org id
     verifyValidLicense,
     verifyValidSubscription(tierMatrix.rotateCredentials),
+    verifySiteAccess, // this is first to set the org id
     verifyLimits,
     verifyUserHasAction(ActionsEnum.reGenerateSecret),
     reKey.reGenerateSiteSecret

server/private/routers/org/sendUsageNotifications.ts

@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { userOrgs, users, roles, orgs } from "@server/db";
+import { userOrgs, userOrgRoles, users, roles, orgs } from "@server/db";
 import { eq, and, or } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -95,7 +95,14 @@ async function getOrgAdmins(orgId: string) {
         })
         .from(userOrgs)
         .innerJoin(users, eq(userOrgs.userId, users.userId))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
+        .leftJoin(
+            userOrgRoles,
+            and(
+                eq(userOrgs.userId, userOrgRoles.userId),
+                eq(userOrgs.orgId, userOrgRoles.orgId)
+            )
+        )
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
         .where(
             and(
                 eq(userOrgs.orgId, orgId),
@@ -103,8 +110,11 @@ async function getOrgAdmins(orgId: string) {
             )
         );
 
-    // Filter to only include users with verified emails
-    const orgAdmins = admins.filter(
+    // Dedupe by userId (user may have multiple roles)
+    const byUserId = new Map(
+        admins.map((a) => [a.userId, a])
+    );
+    const orgAdmins = Array.from(byUserId.values()).filter(
         (admin) => admin.email && admin.email.length > 0
     );
 

server/private/routers/remoteExitNode/createRemoteExitNode.ts

@@ -79,7 +79,7 @@ export async function createRemoteExitNode(
 
         const { remoteExitNodeId, secret } = parsedBody.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );

server/private/routers/ssh/signSshKey.ts

@@ -30,7 +30,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { eq, or, and } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResource";
 import { signPublicKey, getOrgCAKeys } from "#private/lib/sshCA";
 import config from "@server/lib/config";
@@ -122,7 +122,7 @@ export async function signSshKey(
             resource: resourceQueryString
         } = parsedBody.data;
         const userId = req.user?.userId;
-        const roleId = req.userOrgRoleId!;
+        const roleIds = req.userOrgRoleIds ?? [];
 
         if (!userId) {
             return next(
@@ -130,6 +130,15 @@ export async function signSshKey(
             );
         }
 
+        if (roleIds.length === 0) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User has no role in organization"
+                )
+            );
+        }
+
         const [userOrg] = await db
             .select()
             .from(userOrgs)
@@ -310,11 +319,11 @@ export async function signSshKey(
             );
         }
 
-        // Check if the user has access to the resource
+        // Check if the user has access to the resource (any of their roles)
         const hasAccess = await canUserAccessSiteResource({
             userId: userId,
             resourceId: resource.siteResourceId,
-            roleId: roleId
+            roleIds
         });
 
         if (!hasAccess) {
@@ -326,28 +335,39 @@ export async function signSshKey(
             );
         }
 
-        const [roleRow] = await db
+        const roleRows = await db
             .select()
             .from(roles)
-            .where(eq(roles.roleId, roleId))
-            .limit(1);
+            .where(inArray(roles.roleId, roleIds));
 
-        let parsedSudoCommands: string[] = [];
-        let parsedGroups: string[] = [];
-        try {
-            parsedSudoCommands = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
-            if (!Array.isArray(parsedSudoCommands)) parsedSudoCommands = [];
-        } catch {
-            parsedSudoCommands = [];
+        const parsedSudoCommands: string[] = [];
+        const parsedGroupsSet = new Set<string>();
+        let homedir: boolean | null = null;
+        const sudoModeOrder = { none: 0, commands: 1, all: 2 };
+        let sudoMode: "none" | "commands" | "all" = "none";
+        for (const roleRow of roleRows) {
+            try {
+                const cmds = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
+                if (Array.isArray(cmds)) parsedSudoCommands.push(...cmds);
+            } catch {
+                // skip
+            }
+            try {
+                const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
+                if (Array.isArray(grps)) grps.forEach((g: string) => parsedGroupsSet.add(g));
+            } catch {
+                // skip
+            }
+            if (roleRow?.sshCreateHomeDir === true) homedir = true;
+            const m = roleRow?.sshSudoMode ?? "none";
+            if (sudoModeOrder[m as keyof typeof sudoModeOrder] > sudoModeOrder[sudoMode]) {
+                sudoMode = m as "none" | "commands" | "all";
+            }
         }
-        try {
-            parsedGroups = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
-            if (!Array.isArray(parsedGroups)) parsedGroups = [];
-        } catch {
-            parsedGroups = [];
+        const parsedGroups = Array.from(parsedGroupsSet);
+        if (homedir === null && roleRows.length > 0) {
+            homedir = roleRows[0].sshCreateHomeDir ?? null;
         }
-        const homedir = roleRow?.sshCreateHomeDir ?? null;
-        const sudoMode = roleRow?.sshSudoMode ?? "none";
 
         // get the site
         const [newt] = await db

server/routers/accessToken/listAccessTokens.ts

@@ -208,7 +208,7 @@ export async function listAccessTokens(
                 .where(
                     or(
                         eq(userResources.userId, req.user!.userId),
-                        eq(roleResources.roleId, req.userOrgRoleId!)
+                        inArray(roleResources.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {

server/routers/auditLogs/queryRequestAnalytics.ts

@@ -1,4 +1,4 @@
-import { logsDb, requestAuditLog, driver, primaryLogsDb } from "@server/db";
+import { db, requestAuditLog, driver, primaryDb } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
@@ -74,12 +74,12 @@ async function query(query: Q) {
         );
     }
 
-    const [all] = await primaryLogsDb
+    const [all] = await primaryDb
         .select({ total: count() })
         .from(requestAuditLog)
         .where(baseConditions);
 
-    const [blocked] = await primaryLogsDb
+    const [blocked] = await primaryDb
         .select({ total: count() })
         .from(requestAuditLog)
         .where(and(baseConditions, eq(requestAuditLog.action, false)));
@@ -90,7 +90,7 @@ async function query(query: Q) {
 
     const DISTINCT_LIMIT = 500;
 
-    const requestsPerCountry = await primaryLogsDb
+    const requestsPerCountry = await primaryDb
         .selectDistinct({
             code: requestAuditLog.location,
             count: totalQ
@@ -118,7 +118,7 @@ async function query(query: Q) {
     const booleanTrue = driver === "pg" ? sql`true` : sql`1`;
     const booleanFalse = driver === "pg" ? sql`false` : sql`0`;
 
-    const requestsPerDay = await primaryLogsDb
+    const requestsPerDay = await primaryDb
         .select({
             day: groupByDayFunction.as("day"),
             allowedCount:

server/routers/auditLogs/queryRequestAuditLog.ts

@@ -1,8 +1,8 @@
-import { logsDb, primaryLogsDb, requestAuditLog, resources, db, primaryDb } from "@server/db";
+import { db, primaryDb, requestAuditLog, resources } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
-import { eq, gt, lt, and, count, desc, inArray } from "drizzle-orm";
+import { eq, gt, lt, and, count, desc } from "drizzle-orm";
 import { OpenAPITags } from "@server/openApi";
 import { z } from "zod";
 import createHttpError from "http-errors";
@@ -107,7 +107,7 @@ function getWhere(data: Q) {
 }
 
 export function queryRequest(data: Q) {
-    return primaryLogsDb
+    return primaryDb
         .select({
             id: requestAuditLog.id,
             timestamp: requestAuditLog.timestamp,
@@ -129,49 +129,21 @@ export function queryRequest(data: Q) {
             host: requestAuditLog.host,
             path: requestAuditLog.path,
             method: requestAuditLog.method,
-            tls: requestAuditLog.tls
+            tls: requestAuditLog.tls,
+            resourceName: resources.name,
+            resourceNiceId: resources.niceId
         })
         .from(requestAuditLog)
+        .leftJoin(
+            resources,
+            eq(requestAuditLog.resourceId, resources.resourceId)
+        ) // TODO: Is this efficient?
         .where(getWhere(data))
         .orderBy(desc(requestAuditLog.timestamp));
 }
 
-async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryRequest>>) {
-    // If logs database is the same as main database, we can do a join
-    // Otherwise, we need to fetch resource details separately
-    const resourceIds = logs
-        .map(log => log.resourceId)
-        .filter((id): id is number => id !== null && id !== undefined);
-
-    if (resourceIds.length === 0) {
-        return logs.map(log => ({ ...log, resourceName: null, resourceNiceId: null }));
-    }
-
-    // Fetch resource details from main database
-    const resourceDetails = await primaryDb
-        .select({
-            resourceId: resources.resourceId,
-            name: resources.name,
-            niceId: resources.niceId
-        })
-        .from(resources)
-        .where(inArray(resources.resourceId, resourceIds));
-
-    // Create a map for quick lookup
-    const resourceMap = new Map(
-        resourceDetails.map(r => [r.resourceId, { name: r.name, niceId: r.niceId }])
-    );
-
-    // Enrich logs with resource details
-    return logs.map(log => ({
-        ...log,
-        resourceName: log.resourceId ? resourceMap.get(log.resourceId)?.name ?? null : null,
-        resourceNiceId: log.resourceId ? resourceMap.get(log.resourceId)?.niceId ?? null : null
-    }));
-}
-
 export function countRequestQuery(data: Q) {
-    const countQuery = primaryLogsDb
+    const countQuery = primaryDb
         .select({ count: count() })
         .from(requestAuditLog)
         .where(getWhere(data));
@@ -213,31 +185,36 @@ async function queryUniqueFilterAttributes(
         uniquePaths,
         uniqueResources
     ] = await Promise.all([
-        primaryLogsDb
+        primaryDb
             .selectDistinct({ actor: requestAuditLog.actor })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        primaryDb
             .selectDistinct({ locations: requestAuditLog.location })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        primaryDb
             .selectDistinct({ hosts: requestAuditLog.host })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        primaryDb
             .selectDistinct({ paths: requestAuditLog.path })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        primaryDb
             .selectDistinct({
-                id: requestAuditLog.resourceId
+                id: requestAuditLog.resourceId,
+                name: resources.name
             })
             .from(requestAuditLog)
+            .leftJoin(
+                resources,
+                eq(requestAuditLog.resourceId, resources.resourceId)
+            )
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1)
     ]);
@@ -254,33 +231,13 @@ async function queryUniqueFilterAttributes(
     //     throw new Error("Too many distinct filter attributes to retrieve. Please refine your time range.");
     // }
 
-    // Fetch resource names from main database for the unique resource IDs
-    const resourceIds = uniqueResources
-        .map(row => row.id)
-        .filter((id): id is number => id !== null);
-
-    let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
-
-    if (resourceIds.length > 0) {
-        const resourceDetails = await primaryDb
-            .select({
-                resourceId: resources.resourceId,
-                name: resources.name
-            })
-            .from(resources)
-            .where(inArray(resources.resourceId, resourceIds));
-
-        resourcesWithNames = resourceDetails.map(r => ({
-            id: r.resourceId,
-            name: r.name
-        }));
-    }
-
     return {
         actors: uniqueActors
             .map((row) => row.actor)
             .filter((actor): actor is string => actor !== null),
-        resources: resourcesWithNames,
+        resources: uniqueResources.filter(
+            (row): row is { id: number; name: string | null } => row.id !== null
+        ),
         locations: uniqueLocations
             .map((row) => row.locations)
             .filter((location): location is string => location !== null),
@@ -323,10 +280,7 @@ export async function queryRequestAuditLogs(
 
         const baseQuery = queryRequest(data);
 
-        const logsRaw = await baseQuery.limit(data.limit).offset(data.offset);
-
-        // Enrich with resource details (handles cross-database scenario)
-        const log = await enrichWithResourceDetails(logsRaw);
+        const log = await baseQuery.limit(data.limit).offset(data.offset);
 
         const totalCountResult = await countRequestQuery(data);
         const totalCount = totalCountResult[0].count;

server/routers/badger/logRequestAudit.ts

@@ -1,4 +1,4 @@
-import { logsDb, primaryLogsDb, db, orgs, requestAuditLog } from "@server/db";
+import { db, orgs, requestAuditLog } from "@server/db";
 import logger from "@server/logger";
 import { and, eq, lt, sql } from "drizzle-orm";
 import cache from "@server/lib/cache";
@@ -69,7 +69,7 @@ async function flushAuditLogs() {
     try {
         // Use a transaction to ensure all inserts succeed or fail together
         // This prevents index corruption from partial writes
-        await logsDb.transaction(async (tx) => {
+        await db.transaction(async (tx) => {
             // Batch insert logs in groups of 25 to avoid overwhelming the database
             const BATCH_DB_SIZE = 25;
             for (let i = 0; i < logsToWrite.length; i += BATCH_DB_SIZE) {
@@ -162,7 +162,7 @@ export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
     const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
 
     try {
-        await logsDb
+        await db
             .delete(requestAuditLog)
             .where(
                 and(

server/routers/badger/verifySession.ts

@@ -3,12 +3,13 @@ import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToke
 import {
     getResourceByDomain,
     getResourceRules,
+    getRoleName,
     getRoleResourceAccess,
-    getUserOrgRole,
     getUserResourceAccess,
     getOrgLoginPage,
     getUserSessionWithUser
 } from "@server/db/queries/verifySessionQueries";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 import {
     LoginPage,
     Org,
@@ -916,9 +917,9 @@ async function isUserAllowedToAccessResource(
         return null;
     }
 
-    const userOrgRole = await getUserOrgRole(user.userId, resource.orgId);
+    const userOrgRoleIds = await getUserOrgRoleIds(user.userId, resource.orgId);
 
-    if (!userOrgRole) {
+    if (!userOrgRoleIds.length) {
         return null;
     }
 
@@ -934,17 +935,23 @@ async function isUserAllowedToAccessResource(
         return null;
     }
 
-    const roleResourceAccess = await getRoleResourceAccess(
-        resource.resourceId,
-        userOrgRole.roleId
-    );
-
-    if (roleResourceAccess) {
+    const roleNames: string[] = [];
+    for (const roleId of userOrgRoleIds) {
+        const roleResourceAccess = await getRoleResourceAccess(
+            resource.resourceId,
+            roleId
+        );
+        if (roleResourceAccess) {
+            const roleName = await getRoleName(roleId);
+            if (roleName) roleNames.push(roleName);
+        }
+    }
+    if (roleNames.length > 0) {
         return {
             username: user.username,
             email: user.email,
             name: user.name,
-            role: userOrgRole.roleName
+            role: roleNames.join(", ")
         };
     }
 
@@ -954,11 +961,15 @@ async function isUserAllowedToAccessResource(
     );
 
     if (userResourceAccess) {
+        const names = await Promise.all(
+            userOrgRoleIds.map((id) => getRoleName(id))
+        );
+        const role = names.filter(Boolean).join(", ") || "";
         return {
             username: user.username,
             email: user.email,
             name: user.name,
-            role: userOrgRole.roleName
+            role
         };
     }
 

server/routers/client/createClient.ts

@@ -92,7 +92,7 @@ export async function createClient(
 
         const { orgId } = parsedParams.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -234,7 +234,7 @@ export async function createClient(
                 clientId: newClient.clientId
             });
 
-            if (req.user && req.userOrgRoleId != adminRole.roleId) {
+            if (req.user && !req.userOrgRoleIds?.includes(adminRole.roleId)) {
                 // make sure the user can access the client
                 trx.insert(userClients).values({
                     userId: req.user.userId,

server/routers/client/listClients.ts

@@ -297,7 +297,7 @@ export async function listClients(
                 .where(
                     or(
                         eq(userClients.userId, req.user!.userId),
-                        eq(roleClients.roleId, req.userOrgRoleId!)
+                        inArray(roleClients.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {

server/routers/client/listUserDevices.ts

@@ -316,7 +316,7 @@ export async function listUserDevices(
                 .where(
                     or(
                         eq(userClients.userId, req.user!.userId),
-                        eq(roleClients.roleId, req.userOrgRoleId!)
+                        inArray(roleClients.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {

server/routers/external.ts

@@ -654,6 +654,16 @@ authenticated.post(
     user.addUserRole
 );
 
+authenticated.delete(
+    "/role/:roleId/remove/:userId",
+    verifyRoleAccess,
+    verifyUserAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.removeUserRole),
+    logActionAudit(ActionsEnum.removeUserRole),
+    user.removeUserRole
+);
+
 authenticated.post(
     "/resource/:resourceId/roles",
     verifyResourceAccess,

server/routers/idp/validateOidcCallback.ts

@@ -13,6 +13,7 @@ import {
     orgs,
     Role,
     roles,
+    userOrgRoles,
     userOrgs,
     users
 } from "@server/db";
@@ -570,32 +571,28 @@ export async function validateOidcCallback(
                     }
                 }
 
-                // Update roles for existing auto-provisioned orgs where the role has changed
-                const orgsToUpdate = autoProvisionedOrgs.filter(
-                    (currentOrg) => {
-                        const newOrg = userOrgInfo.find(
-                            (newOrg) => newOrg.orgId === currentOrg.orgId
-                        );
-                        return newOrg && newOrg.roleId !== currentOrg.roleId;
-                    }
-                );
-
-                if (orgsToUpdate.length > 0) {
-                    for (const org of orgsToUpdate) {
-                        const newRole = userOrgInfo.find(
-                            (newOrg) => newOrg.orgId === org.orgId
-                        );
-                        if (newRole) {
-                            await trx
-                                .update(userOrgs)
-                                .set({ roleId: newRole.roleId })
-                                .where(
-                                    and(
-                                        eq(userOrgs.userId, userId!),
-                                        eq(userOrgs.orgId, org.orgId)
-                                    )
-                                );
-                        }
+                // Ensure IDP-provided role exists for existing auto-provisioned orgs (add only; never delete other roles)
+                const userRolesInOrgs = await trx
+                    .select()
+                    .from(userOrgRoles)
+                    .where(eq(userOrgRoles.userId, userId!));
+                for (const currentOrg of autoProvisionedOrgs) {
+                    const newRole = userOrgInfo.find(
+                        (newOrg) => newOrg.orgId === currentOrg.orgId
+                    );
+                    if (!newRole) continue;
+                    const currentRolesInOrg = userRolesInOrgs.filter(
+                        (r) => r.orgId === currentOrg.orgId
+                    );
+                    const hasIdpRole = currentRolesInOrg.some(
+                        (r) => r.roleId === newRole.roleId
+                    );
+                    if (!hasIdpRole) {
+                        await trx.insert(userOrgRoles).values({
+                            userId: userId!,
+                            orgId: currentOrg.orgId,
+                            roleId: newRole.roleId
+                        });
                     }
                 }
 
@@ -619,9 +616,9 @@ export async function validateOidcCallback(
                                 {
                                     orgId: org.orgId,
                                     userId: userId!,
-                                    roleId: org.roleId,
                                     autoProvisioned: true,
                                 },
+                                org.roleId,
                                 trx
                             );
                         }

server/routers/integration.ts

@@ -532,6 +532,16 @@ authenticated.post(
     user.addUserRole
 );
 
+authenticated.delete(
+    "/role/:roleId/remove/:userId",
+    verifyApiKeyRoleAccess,
+    verifyApiKeyUserAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.removeUserRole),
+    logActionAudit(ActionsEnum.removeUserRole),
+    user.removeUserRole
+);
+
 authenticated.post(
     "/resource/:resourceId/roles",
     verifyApiKeyResourceAccess,

server/routers/newt/createNewt.ts

@@ -46,7 +46,7 @@ export async function createNewt(
 
         const { newtId, secret } = parsedBody.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );

server/routers/olm/createOlm.ts

@@ -46,7 +46,7 @@ export async function createNewt(
 
         const { newtId, secret } = parsedBody.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );

server/routers/org/checkOrgUserAccess.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idp, idpOidcConfig } from "@server/db";
-import { roles, userOrgs, users } from "@server/db";
+import { roles, userOrgRoles, userOrgs, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -14,7 +14,7 @@ import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { CheckOrgAccessPolicyResult } from "@server/lib/checkOrgAccessPolicy";
 
 async function queryUser(orgId: string, userId: string) {
-    const [user] = await db
+    const [userRow] = await db
         .select({
             orgId: userOrgs.orgId,
             userId: users.userId,
@@ -22,10 +22,7 @@ async function queryUser(orgId: string, userId: string) {
             username: users.username,
             name: users.name,
             type: users.type,
-            roleId: userOrgs.roleId,
-            roleName: roles.name,
             isOwner: userOrgs.isOwner,
-            isAdmin: roles.isAdmin,
             twoFactorEnabled: users.twoFactorEnabled,
             autoProvisioned: userOrgs.autoProvisioned,
             idpId: users.idpId,
@@ -35,13 +32,40 @@ async function queryUser(orgId: string, userId: string) {
             idpAutoProvision: idp.autoProvision
         })
         .from(userOrgs)
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .leftJoin(users, eq(userOrgs.userId, users.userId))
         .leftJoin(idp, eq(users.idpId, idp.idpId))
         .leftJoin(idpOidcConfig, eq(idp.idpId, idpOidcConfig.idpId))
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
         .limit(1);
-    return user;
+
+    if (!userRow) return undefined;
+
+    const roleRows = await db
+        .select({
+            roleId: userOrgRoles.roleId,
+            roleName: roles.name,
+            isAdmin: roles.isAdmin
+        })
+        .from(userOrgRoles)
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        );
+
+    const isAdmin = roleRows.some((r) => r.isAdmin);
+
+    return {
+        ...userRow,
+        isAdmin,
+        roleIds: roleRows.map((r) => r.roleId),
+        roles: roleRows.map((r) => ({
+            roleId: r.roleId,
+            name: r.roleName ?? ""
+        }))
+    };
 }
 
 export type CheckOrgUserAccessResponse = CheckOrgAccessPolicyResult;

server/routers/org/createOrg.ts

@@ -9,6 +9,7 @@ import {
     orgs,
     roleActions,
     roles,
+    userOrgRoles,
     userOrgs,
     users,
     actions
@@ -312,9 +313,13 @@ export async function createOrg(
                 await trx.insert(userOrgs).values({
                     userId: req.user!.userId,
                     orgId: newOrg[0].orgId,
-                    roleId: roleId,
                     isOwner: true
                 });
+                await trx.insert(userOrgRoles).values({
+                    userId: req.user!.userId,
+                    orgId: newOrg[0].orgId,
+                    roleId
+                });
                 ownerUserId = req.user!.userId;
             } else {
                 // if org created by root api key, set the server admin as the owner
@@ -332,9 +337,13 @@ export async function createOrg(
                 await trx.insert(userOrgs).values({
                     userId: serverAdmin.userId,
                     orgId: newOrg[0].orgId,
-                    roleId: roleId,
                     isOwner: true
                 });
+                await trx.insert(userOrgRoles).values({
+                    userId: serverAdmin.userId,
+                    orgId: newOrg[0].orgId,
+                    roleId
+                });
                 ownerUserId = serverAdmin.userId;
             }
 

server/routers/org/getOrgOverview.ts

@@ -117,20 +117,26 @@ export async function getOrgOverview(
             .from(userOrgs)
             .where(eq(userOrgs.orgId, orgId));
 
-        const [role] = await db
-            .select()
-            .from(roles)
-            .where(eq(roles.roleId, req.userOrg.roleId));
+        const roleIds = req.userOrgRoleIds ?? [];
+        const roleRows =
+            roleIds.length > 0
+                ? await db
+                      .select({ name: roles.name, isAdmin: roles.isAdmin })
+                      .from(roles)
+                      .where(inArray(roles.roleId, roleIds))
+                : [];
+        const userRoleName = roleRows.map((r) => r.name ?? "").join(", ") ?? "";
+        const isAdmin = roleRows.some((r) => r.isAdmin === true);
 
         return response<GetOrgOverviewResponse>(res, {
             data: {
                 orgName: org[0].name,
                 orgId: org[0].orgId,
-                userRoleName: role.name,
+                userRoleName,
                 numSites,
                 numUsers,
                 numResources,
-                isAdmin: role.isAdmin || false,
+                isAdmin,
                 isOwner: req.userOrg?.isOwner || false
             },
             success: true,

server/routers/org/listUserOrgs.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, roles } from "@server/db";
-import { Org, orgs, userOrgs } from "@server/db";
+import { Org, orgs, userOrgRoles, userOrgs } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -82,10 +82,7 @@ export async function listUserOrgs(
         const { userId } = parsedParams.data;
 
         const userOrganizations = await db
-            .select({
-                orgId: userOrgs.orgId,
-                roleId: userOrgs.roleId
-            })
+            .select({ orgId: userOrgs.orgId })
             .from(userOrgs)
             .where(eq(userOrgs.userId, userId));
 
@@ -116,10 +113,27 @@ export async function listUserOrgs(
                 userOrgs,
                 and(eq(userOrgs.orgId, orgs.orgId), eq(userOrgs.userId, userId))
             )
-            .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
             .limit(limit)
             .offset(offset);
 
+        const roleRows = await db
+            .select({
+                orgId: userOrgRoles.orgId,
+                isAdmin: roles.isAdmin
+            })
+            .from(userOrgRoles)
+            .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+            .where(
+                and(
+                    eq(userOrgRoles.userId, userId),
+                    inArray(userOrgRoles.orgId, userOrgIds)
+                )
+            );
+
+        const orgHasAdmin = new Set(
+            roleRows.filter((r) => r.isAdmin).map((r) => r.orgId)
+        );
+
         const totalCountResult = await db
             .select({ count: sql<number>`cast(count(*) as integer)` })
             .from(orgs)
@@ -133,8 +147,8 @@ export async function listUserOrgs(
             if (val.userOrgs && val.userOrgs.isOwner) {
                 res.isOwner = val.userOrgs.isOwner;
             }
-            if (val.roles && val.roles.isAdmin) {
-                res.isAdmin = val.roles.isAdmin;
+            if (val.orgs && orgHasAdmin.has(val.orgs.orgId)) {
+                res.isAdmin = true;
             }
             if (val.userOrgs?.isOwner && val.orgs?.isBillingOrg) {
                 res.isPrimaryOrg = val.orgs.isBillingOrg;

server/routers/resource/createResource.ts

@@ -112,7 +112,7 @@ export async function createResource(
 
         const { orgId } = parsedParams.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -278,7 +278,7 @@ async function createHttpResource(
             resourceId: newResource[0].resourceId
         });
 
-        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
             // make sure the user can access the resource
             await trx.insert(userResources).values({
                 userId: req.user?.userId!,
@@ -371,7 +371,7 @@ async function createRawResource(
             resourceId: newResource[0].resourceId
         });
 
-        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
             // make sure the user can access the resource
             await trx.insert(userResources).values({
                 userId: req.user?.userId!,

server/routers/resource/getUserResources.ts

@@ -5,6 +5,7 @@ import {
     resources,
     userResources,
     roleResources,
+    userOrgRoles,
     userOrgs,
     resourcePassword,
     resourcePincode,
@@ -32,22 +33,29 @@ export async function getUserResources(
             );
         }
 
-        // First get the user's role in the organization
-        const userOrgResult = await db
-            .select({
-                roleId: userOrgs.roleId
-            })
+        // Check user is in organization and get their role IDs
+        const [userOrg] = await db
+            .select()
             .from(userOrgs)
             .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
             .limit(1);
 
-        if (userOrgResult.length === 0) {
+        if (!userOrg) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User not in organization")
             );
         }
 
-        const userRoleId = userOrgResult[0].roleId;
+        const userRoleIds = await db
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
+            .where(
+                and(
+                    eq(userOrgRoles.userId, userId),
+                    eq(userOrgRoles.orgId, orgId)
+                )
+            )
+            .then((rows) => rows.map((r) => r.roleId));
 
         // Get resources accessible through direct assignment or role assignment
         const directResourcesQuery = db
@@ -55,20 +63,28 @@ export async function getUserResources(
             .from(userResources)
             .where(eq(userResources.userId, userId));
 
-        const roleResourcesQuery = db
-            .select({ resourceId: roleResources.resourceId })
-            .from(roleResources)
-            .where(eq(roleResources.roleId, userRoleId));
+        const roleResourcesQuery =
+            userRoleIds.length > 0
+                ? db
+                      .select({ resourceId: roleResources.resourceId })
+                      .from(roleResources)
+                      .where(inArray(roleResources.roleId, userRoleIds))
+                : Promise.resolve([]);
 
         const directSiteResourcesQuery = db
             .select({ siteResourceId: userSiteResources.siteResourceId })
             .from(userSiteResources)
             .where(eq(userSiteResources.userId, userId));
 
-        const roleSiteResourcesQuery = db
-            .select({ siteResourceId: roleSiteResources.siteResourceId })
-            .from(roleSiteResources)
-            .where(eq(roleSiteResources.roleId, userRoleId));
+        const roleSiteResourcesQuery =
+            userRoleIds.length > 0
+                ? db
+                      .select({
+                          siteResourceId: roleSiteResources.siteResourceId
+                      })
+                      .from(roleSiteResources)
+                      .where(inArray(roleSiteResources.roleId, userRoleIds))
+                : Promise.resolve([]);
 
         const [directResources, roleResourceResults, directSiteResourceResults, roleSiteResourceResults] = await Promise.all([
             directResourcesQuery,

server/routers/resource/listResources.ts

@@ -276,7 +276,7 @@ export async function listResources(
                 .where(
                     or(
                         eq(userResources.userId, req.user!.userId),
-                        eq(roleResources.roleId, req.userOrgRoleId!)
+                        inArray(roleResources.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {

server/routers/role/deleteRole.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { roles, userOrgs } from "@server/db";
+import { roles, userOrgRoles } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -114,11 +114,11 @@ export async function deleteRole(
         }
 
         await db.transaction(async (trx) => {
-            // move all users from the userOrgs table with roleId to newRoleId
+            // move all users from userOrgRoles with roleId to newRoleId
             await trx
-                .update(userOrgs)
+                .update(userOrgRoles)
                 .set({ roleId: newRoleId })
-                .where(eq(userOrgs.roleId, roleId));
+                .where(eq(userOrgRoles.roleId, roleId));
 
             // delete the old role
             await trx.delete(roles).where(eq(roles.roleId, roleId));

server/routers/site/createSite.ts

@@ -111,7 +111,7 @@ export async function createSite(
 
         const { orgId } = parsedParams.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -399,7 +399,7 @@ export async function createSite(
                 siteId: newSite.siteId
             });
 
-            if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+            if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
                 // make sure the user can access the site
                 trx.insert(userSites).values({
                     userId: req.user?.userId!,

server/routers/site/listSites.ts

@@ -235,7 +235,7 @@ export async function listSites(
                 .where(
                     or(
                         eq(userSites.userId, req.user!.userId),
-                        eq(roleSites.roleId, req.userOrgRoleId!)
+                        inArray(roleSites.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {

server/routers/user/acceptInvite.ts

@@ -165,9 +165,9 @@ export async function acceptInvite(
                 org,
                 {
                     userId: existingUser[0].userId,
-                    orgId: existingInvite.orgId,
-                    roleId: existingInvite.roleId
+                    orgId: existingInvite.orgId
                 },
+                existingInvite.roleId,
                 trx
             );
 

server/routers/user/addUserRole.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { clients, db, UserOrg } from "@server/db";
-import { userOrgs, roles } from "@server/db";
+import { clients, db } from "@server/db";
+import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -111,20 +111,23 @@ export async function addUserRole(
             );
         }
 
-        let newUserRole: UserOrg | null = null;
+        let newUserRole: { userId: string; orgId: string; roleId: number } | null =
+            null;
         await db.transaction(async (trx) => {
-            [newUserRole] = await trx
-                .update(userOrgs)
-                .set({ roleId })
-                .where(
-                    and(
-                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, role.orgId)
-                    )
-                )
+            const inserted = await trx
+                .insert(userOrgRoles)
+                .values({
+                    userId,
+                    orgId: role.orgId,
+                    roleId
+                })
+                .onConflictDoNothing()
                 .returning();
 
-            // get the client associated with this user in this org
+            if (inserted.length > 0) {
+                newUserRole = inserted[0];
+            }
+
             const orgClients = await trx
                 .select()
                 .from(clients)
@@ -133,17 +136,15 @@ export async function addUserRole(
                         eq(clients.userId, userId),
                         eq(clients.orgId, role.orgId)
                     )
-                )
-                .limit(1);
+                );
 
             for (const orgClient of orgClients) {
-                // we just changed the user's role, so we need to rebuild client associations and what they have access to
                 await rebuildClientAssociationsFromClient(orgClient, trx);
             }
         });
 
         return response(res, {
-            data: newUserRole,
+            data: newUserRole ?? { userId, orgId: role.orgId, roleId },
             success: true,
             error: false,
             message: "Role added to user successfully",

server/routers/user/createOrgUser.ts

@@ -221,12 +221,16 @@ export async function createOrgUser(
                         );
                     }
 
-                    await assignUserToOrg(org, {
-                        orgId,
-                        userId: existingUser.userId,
-                        roleId: role.roleId,
-                        autoProvisioned: false
-                    }, trx);
+                    await assignUserToOrg(
+                        org,
+                        {
+                            orgId,
+                            userId: existingUser.userId,
+                            autoProvisioned: false,
+                        },
+                        role.roleId,
+                        trx
+                    );
                 } else {
                     userId = generateId(15);
 
@@ -244,12 +248,16 @@ export async function createOrgUser(
                         })
                         .returning();
 
-                        await assignUserToOrg(org, {
-                            orgId,
-                            userId: newUser.userId,
-                            roleId: role.roleId,
-                            autoProvisioned: false
-                        }, trx);
+                        await assignUserToOrg(
+                            org,
+                            {
+                                orgId,
+                                userId: newUser.userId,
+                                autoProvisioned: false,
+                            },
+                            role.roleId,
+                            trx
+                        );
                 }
 
                 await calculateUserClientsForOrgs(userId, trx);

server/routers/user/getOrgUser.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idp, idpOidcConfig } from "@server/db";
-import { roles, userOrgs, users } from "@server/db";
+import { roles, userOrgRoles, userOrgs, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -12,7 +12,7 @@ import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
 import { OpenAPITags, registry } from "@server/openApi";
 
 async function queryUser(orgId: string, userId: string) {
-    const [user] = await db
+    const [userRow] = await db
         .select({
             orgId: userOrgs.orgId,
             userId: users.userId,
@@ -20,10 +20,7 @@ async function queryUser(orgId: string, userId: string) {
             username: users.username,
             name: users.name,
             type: users.type,
-            roleId: userOrgs.roleId,
-            roleName: roles.name,
             isOwner: userOrgs.isOwner,
-            isAdmin: roles.isAdmin,
             twoFactorEnabled: users.twoFactorEnabled,
             autoProvisioned: userOrgs.autoProvisioned,
             idpId: users.idpId,
@@ -33,13 +30,40 @@ async function queryUser(orgId: string, userId: string) {
             idpAutoProvision: idp.autoProvision
         })
         .from(userOrgs)
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .leftJoin(users, eq(userOrgs.userId, users.userId))
         .leftJoin(idp, eq(users.idpId, idp.idpId))
         .leftJoin(idpOidcConfig, eq(idp.idpId, idpOidcConfig.idpId))
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
         .limit(1);
-    return user;
+
+    if (!userRow) return undefined;
+
+    const roleRows = await db
+        .select({
+            roleId: userOrgRoles.roleId,
+            roleName: roles.name,
+            isAdmin: roles.isAdmin
+        })
+        .from(userOrgRoles)
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        );
+
+    const isAdmin = roleRows.some((r) => r.isAdmin);
+
+    return {
+        ...userRow,
+        isAdmin,
+        roleIds: roleRows.map((r) => r.roleId),
+        roles: roleRows.map((r) => ({
+            roleId: r.roleId,
+            name: r.roleName ?? ""
+        }))
+    };
 }
 
 export type GetOrgUserResponse = NonNullable<

server/routers/user/index.ts

@@ -2,6 +2,7 @@ export * from "./getUser";
 export * from "./removeUserOrg";
 export * from "./listUsers";
 export * from "./addUserRole";
+export * from "./removeUserRole";
 export * from "./inviteUser";
 export * from "./acceptInvite";
 export * from "./getOrgUser";

server/routers/user/listUsers.ts

@@ -1,11 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idpOidcConfig } from "@server/db";
-import { idp, roles, userOrgs, users } from "@server/db";
+import { idp, roles, userOrgRoles, userOrgs, users } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { and, sql } from "drizzle-orm";
+import { sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromZodError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -31,7 +31,7 @@ const listUsersSchema = z.strictObject({
 });
 
 async function queryUsers(orgId: string, limit: number, offset: number) {
-    return await db
+    const rows = await db
         .select({
             id: users.userId,
             email: users.email,
@@ -41,8 +41,6 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
             username: users.username,
             name: users.name,
             type: users.type,
-            roleId: userOrgs.roleId,
-            roleName: roles.name,
             isOwner: userOrgs.isOwner,
             idpName: idp.name,
             idpId: users.idpId,
@@ -52,12 +50,39 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
         })
         .from(users)
         .leftJoin(userOrgs, eq(users.userId, userOrgs.userId))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .leftJoin(idp, eq(users.idpId, idp.idpId))
         .leftJoin(idpOidcConfig, eq(idpOidcConfig.idpId, idp.idpId))
         .where(eq(userOrgs.orgId, orgId))
         .limit(limit)
         .offset(offset);
+
+    const roleRows = await db
+        .select({
+            userId: userOrgRoles.userId,
+            roleId: userOrgRoles.roleId,
+            roleName: roles.name
+        })
+        .from(userOrgRoles)
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(eq(userOrgRoles.orgId, orgId));
+
+    const rolesByUser = new Map<
+        string,
+        { roleId: number; roleName: string }[]
+    >();
+    for (const r of roleRows) {
+        const list = rolesByUser.get(r.userId) ?? [];
+        list.push({ roleId: r.roleId, roleName: r.roleName ?? "" });
+        rolesByUser.set(r.userId, list);
+    }
+
+    return rows.map((row) => {
+        const userRoles = rolesByUser.get(row.id) ?? [];
+        return {
+            ...row,
+            roles: userRoles
+        };
+    });
 }
 
 export type ListUsersResponse = {

server/routers/user/myDevice.ts

@@ -1,5 +1,5 @@
 import { Request, Response, NextFunction } from "express";
-import { db, Olm, olms, orgs, userOrgs } from "@server/db";
+import { db, Olm, olms, orgs, userOrgRoles, userOrgs } from "@server/db";
 import { idp, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -84,16 +84,31 @@ export async function myDevice(
             .from(olms)
             .where(and(eq(olms.userId, userId), eq(olms.olmId, olmId)));
 
-        const userOrganizations = await db
+        const userOrgRows = await db
             .select({
                 orgId: userOrgs.orgId,
-                orgName: orgs.name,
-                roleId: userOrgs.roleId
+                orgName: orgs.name
             })
             .from(userOrgs)
             .where(eq(userOrgs.userId, userId))
             .innerJoin(orgs, eq(userOrgs.orgId, orgs.orgId));
 
+        const roleRows = await db
+            .select({
+                orgId: userOrgRoles.orgId,
+                roleId: userOrgRoles.roleId
+            })
+            .from(userOrgRoles)
+            .where(eq(userOrgRoles.userId, userId));
+
+        const roleByOrg = new Map(
+            roleRows.map((r) => [r.orgId, r.roleId])
+        );
+        const userOrganizations = userOrgRows.map((row) => ({
+            ...row,
+            roleId: roleByOrg.get(row.orgId) ?? 0
+        }));
+
         return response<MyDeviceResponse>(res, {
             data: {
                 user,

server/routers/user/removeUserRole.ts

@@ -0,0 +1,157 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { userOrgRoles, userOrgs, roles, clients } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import stoi from "@server/lib/stoi";
+import { OpenAPITags, registry } from "@server/openApi";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+
+const removeUserRoleParamsSchema = z.strictObject({
+    userId: z.string(),
+    roleId: z.string().transform(stoi).pipe(z.number())
+});
+
+registry.registerPath({
+    method: "delete",
+    path: "/role/{roleId}/remove/{userId}",
+    description: "Remove a role from a user. User must have at least one role left in the org.",
+    tags: [OpenAPITags.Role, OpenAPITags.User],
+    request: {
+        params: removeUserRoleParamsSchema
+    },
+    responses: {}
+});
+
+export async function removeUserRole(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = removeUserRoleParamsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { userId, roleId } = parsedParams.data;
+
+        if (req.user && !req.userOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "You do not have access to this organization"
+                )
+            );
+        }
+
+        const [role] = await db
+            .select()
+            .from(roles)
+            .where(eq(roles.roleId, roleId))
+            .limit(1);
+
+        if (!role) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID")
+            );
+        }
+
+        const [existingUser] = await db
+            .select()
+            .from(userOrgs)
+            .where(
+                and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role.orgId))
+            )
+            .limit(1);
+
+        if (!existingUser) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "User not found or does not belong to the specified organization"
+                )
+            );
+        }
+
+        if (existingUser.isOwner) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Cannot change the roles of the owner of the organization"
+                )
+            );
+        }
+
+        const remainingRoles = await db
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
+            .where(
+                and(
+                    eq(userOrgRoles.userId, userId),
+                    eq(userOrgRoles.orgId, role.orgId)
+                )
+            );
+
+        if (remainingRoles.length <= 1) {
+            const hasThisRole = remainingRoles.some((r) => r.roleId === roleId);
+            if (hasThisRole) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "User must have at least one role in the organization. Remove the last role is not allowed."
+                    )
+                );
+            }
+        }
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(userOrgRoles)
+                .where(
+                    and(
+                        eq(userOrgRoles.userId, userId),
+                        eq(userOrgRoles.orgId, role.orgId),
+                        eq(userOrgRoles.roleId, roleId)
+                    )
+                );
+
+            const orgClients = await trx
+                .select()
+                .from(clients)
+                .where(
+                    and(
+                        eq(clients.userId, userId),
+                        eq(clients.orgId, role.orgId)
+                    )
+                );
+
+            for (const orgClient of orgClients) {
+                await rebuildClientAssociationsFromClient(orgClient, trx);
+            }
+        });
+
+        return response(res, {
+            data: { userId, orgId: role.orgId, roleId },
+            success: true,
+            error: false,
+            message: "Role removed from user successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/types/Auth.ts

@@ -5,5 +5,5 @@ import { Session } from "@server/db";
 export interface AuthenticatedRequest extends Request {
     user: User;
     session: Session;
-    userOrgRoleId?: number;
+    userOrgRoleIds?: number[];
 }

src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx

@@ -8,7 +8,6 @@ import {
     FormLabel,
     FormMessage
 } from "@app/components/ui/form";
-import { Input } from "@app/components/ui/input";
 import {
     Select,
     SelectContent,
@@ -19,7 +18,6 @@ import {
 import { Checkbox } from "@app/components/ui/checkbox";
 import { toast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
-import { InviteUserResponse } from "@server/routers/user";
 import { AxiosResponse } from "axios";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -44,6 +42,9 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import IdpTypeBadge from "@app/components/IdpTypeBadge";
 import { UserType } from "@server/types/UserTypes";
+import { Badge } from "@app/components/ui/badge";
+
+type UserRole = { roleId: number; name: string };
 
 export default function AccessControlsPage() {
     const { orgUser: user } = userOrgUserContext();
@@ -54,12 +55,12 @@ export default function AccessControlsPage() {
 
     const [loading, setLoading] = useState(false);
     const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
+    const [userRoles, setUserRoles] = useState<UserRole[]>([]);
 
     const t = useTranslations();
 
     const formSchema = z.object({
         username: z.string(),
-        roleId: z.string().min(1, { message: t("accessRoleSelectPlease") }),
         autoProvisioned: z.boolean()
     });
 
@@ -67,11 +68,17 @@ export default function AccessControlsPage() {
         resolver: zodResolver(formSchema),
         defaultValues: {
             username: user.username!,
-            roleId: user.roleId?.toString(),
             autoProvisioned: user.autoProvisioned || false
         }
     });
 
+    const currentRoleIds = user.roleIds ?? [];
+    const currentRoles: UserRole[] = user.roles ?? [];
+
+    useEffect(() => {
+        setUserRoles(currentRoles);
+    }, [user.userId, currentRoleIds.join(",")]);
+
     useEffect(() => {
         async function fetchRoles() {
             const res = await api
@@ -94,32 +101,20 @@ export default function AccessControlsPage() {
         }
 
         fetchRoles();
-
-        form.setValue("roleId", user.roleId.toString());
         form.setValue("autoProvisioned", user.autoProvisioned || false);
     }, []);
 
-    async function onSubmit(values: z.infer<typeof formSchema>) {
+    async function handleAddRole(roleId: number) {
         setLoading(true);
-
         try {
-            // Execute both API calls simultaneously
-            const [roleRes, userRes] = await Promise.all([
-                api.post<AxiosResponse<InviteUserResponse>>(
-                    `/role/${values.roleId}/add/${user.userId}`
-                ),
-                api.post(`/org/${orgId}/user/${user.userId}`, {
-                    autoProvisioned: values.autoProvisioned
-                })
-            ]);
-
-            if (roleRes.status === 200 && userRes.status === 200) {
-                toast({
-                    variant: "default",
-                    title: t("userSaved"),
-                    description: t("userSavedDescription")
-                });
-            }
+            await api.post(`/role/${roleId}/add/${user.userId}`);
+            toast({
+                variant: "default",
+                title: t("userSaved"),
+                description: t("userSavedDescription")
+            });
+            const role = roles.find((r) => r.roleId === roleId);
+            if (role) setUserRoles((prev) => [...prev, role]);
         } catch (e) {
             toast({
                 variant: "destructive",
@@ -130,10 +125,61 @@ export default function AccessControlsPage() {
                 )
             });
         }
-
         setLoading(false);
     }
 
+    async function handleRemoveRole(roleId: number) {
+        setLoading(true);
+        try {
+            await api.delete(`/role/${roleId}/remove/${user.userId}`);
+            toast({
+                variant: "default",
+                title: t("userSaved"),
+                description: t("userSavedDescription")
+            });
+            setUserRoles((prev) => prev.filter((r) => r.roleId !== roleId));
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: t("accessRoleErrorAdd"),
+                description: formatAxiosError(
+                    e,
+                    t("accessRoleErrorAddDescription")
+                )
+            });
+        }
+        setLoading(false);
+    }
+
+    async function onSubmit(values: z.infer<typeof formSchema>) {
+        setLoading(true);
+        try {
+            await api.post(`/org/${orgId}/user/${user.userId}`, {
+                autoProvisioned: values.autoProvisioned
+            });
+            toast({
+                variant: "default",
+                title: t("userSaved"),
+                description: t("userSavedDescription")
+            });
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: t("accessRoleErrorAdd"),
+                description: formatAxiosError(
+                    e,
+                    t("accessRoleErrorAddDescription")
+                )
+            });
+        }
+        setLoading(false);
+    }
+
+    const availableRolesToAdd = roles.filter(
+        (r) => !userRoles.some((ur) => ur.roleId === r.roleId)
+    );
+    const canRemoveRole = userRoles.length > 1;
+
     return (
         <SettingsContainer>
             <SettingsSection>
@@ -154,7 +200,6 @@ export default function AccessControlsPage() {
                                 className="space-y-4"
                                 id="access-controls-form"
                             >
-                                {/* IDP Type Display */}
                                 {user.type !== UserType.Internal &&
                                     user.idpType && (
                                         <div className="flex items-center space-x-2 mb-4">
@@ -171,49 +216,72 @@ export default function AccessControlsPage() {
                                         </div>
                                     )}
 
-                                <FormField
-                                    control={form.control}
-                                    name="roleId"
-                                    render={({ field }) => (
-                                        <FormItem>
-                                            <FormLabel>{t("role")}</FormLabel>
+                                <FormItem>
+                                    <FormLabel>{t("role")}</FormLabel>
+                                    <div className="flex flex-wrap gap-2 items-center">
+                                        {userRoles.map((r) => (
+                                            <Badge
+                                                key={r.roleId}
+                                                variant="secondary"
+                                                className="flex items-center gap-1"
+                                            >
+                                                {r.name}
+                                                {canRemoveRole && (
+                                                    <button
+                                                        type="button"
+                                                        onClick={() =>
+                                                            handleRemoveRole(
+                                                                r.roleId
+                                                            )
+                                                        }
+                                                        disabled={loading}
+                                                        className="ml-1 rounded hover:bg-muted"
+                                                        aria-label={`Remove ${r.name}`}
+                                                    >
+                                                        ×
+                                                    </button>
+                                                )}
+                                            </Badge>
+                                        ))}
+                                        {availableRolesToAdd.length > 0 && (
                                             <Select
                                                 onValueChange={(value) => {
-                                                    field.onChange(value);
-                                                    // If auto provision is enabled, set it to false when role changes
-                                                    if (user.idpAutoProvision) {
-                                                        form.setValue(
-                                                            "autoProvisioned",
-                                                            false
-                                                        );
-                                                    }
+                                                    handleAddRole(
+                                                        parseInt(value, 10)
+                                                    );
                                                 }}
-                                                value={field.value}
+                                                disabled={loading}
                                             >
-                                                <FormControl>
-                                                    <SelectTrigger>
-                                                        <SelectValue
-                                                            placeholder={t(
-                                                                "accessRoleSelect"
-                                                            )}
-                                                        />
-                                                    </SelectTrigger>
-                                                </FormControl>
+                                                <SelectTrigger className="w-[180px]">
+                                                    <SelectValue
+                                                        placeholder={t(
+                                                            "accessRoleSelect"
+                                                        )}
+                                                    />
+                                                </SelectTrigger>
                                                 <SelectContent>
-                                                    {roles.map((role) => (
-                                                        <SelectItem
-                                                            key={role.roleId}
-                                                            value={role.roleId.toString()}
-                                                        >
-                                                            {role.name}
-                                                        </SelectItem>
-                                                    ))}
+                                                    {availableRolesToAdd.map(
+                                                        (role) => (
+                                                            <SelectItem
+                                                                key={
+                                                                    role.roleId
+                                                                }
+                                                                value={role.roleId.toString()}
+                                                            >
+                                                                {role.name}
+                                                            </SelectItem>
+                                                        )
+                                                    )}
                                                 </SelectContent>
                                             </Select>
-                                            <FormMessage />
-                                        </FormItem>
+                                        )}
+                                    </div>
+                                    {userRoles.length === 0 && (
+                                        <p className="text-sm text-muted-foreground">
+                                            {t("accessRoleSelectPlease")}
+                                        </p>
                                     )}
-                                />
+                                </FormItem>
 
                                 {user.idpAutoProvision && (
                                     <FormField
@@ -231,7 +299,9 @@ export default function AccessControlsPage() {
                                                 </FormControl>
                                                 <div className="space-y-1 leading-none">
                                                     <FormLabel>
-                                                        {t("autoProvisioned")}
+                                                        {t(
+                                                            "autoProvisioned"
+                                                        )}
                                                     </FormLabel>
                                                     <p className="text-sm text-muted-foreground">
                                                         {t(

src/app/[orgId]/settings/access/users/page.tsx

@@ -88,7 +88,9 @@ export default async function UsersPage(props: UsersPageProps) {
             status: t("userConfirmed"),
             role: user.isOwner
                 ? t("accessRoleOwner")
-                : user.roleName || t("accessRoleMember"),
+                : user.roles?.length
+                  ? user.roles.map((r) => r.roleName).join(", ")
+                  : t("accessRoleMember"),
             isOwner: user.isOwner || false
         };
     });

src/components/LayoutMobileMenu.tsx

@@ -5,13 +5,11 @@ import { SidebarNav } from "@app/components/SidebarNav";
 import { OrgSelector } from "@app/components/OrgSelector";
 import { cn } from "@app/lib/cn";
 import { ListUserOrgsResponse } from "@server/routers/org";
-import SupporterStatus from "@app/components/SupporterStatus";
 import { Button } from "@app/components/ui/button";
-import { ExternalLink, Menu, Server } from "lucide-react";
+import { ArrowRight, Menu, Server } from "lucide-react";
 import Link from "next/link";
 import { usePathname } from "next/navigation";
 import { useUserContext } from "@app/hooks/useUserContext";
-import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import ProfileIcon from "@app/components/ProfileIcon";
 import ThemeSwitcher from "@app/components/ThemeSwitcher";
@@ -44,7 +42,6 @@ export function LayoutMobileMenu({
     const pathname = usePathname();
     const isAdminPage = pathname?.startsWith("/admin");
     const { user } = useUserContext();
-    const { env } = useEnvContext();
     const t = useTranslations();
 
     return (
@@ -83,7 +80,7 @@ export function LayoutMobileMenu({
                                         <div className="px-3 pt-3">
                                             {!isAdminPage &&
                                                 user.serverAdmin && (
-                                                    <div className="py-2">
+                                                    <div className="mb-1">
                                                         <Link
                                                             href="/admin"
                                                             className={cn(
@@ -98,11 +95,12 @@ export function LayoutMobileMenu({
                                                             <span className="flex-shrink-0 mr-2">
                                                                 <Server className="h-4 w-4" />
                                                             </span>
-                                                            <span>
+                                                            <span className="flex-1">
                                                                 {t(
                                                                     "serverAdmin"
                                                                 )}
                                                             </span>
+                                                            <ArrowRight className="h-4 w-4 shrink-0 ml-auto opacity-70" />
                                                         </Link>
                                                     </div>
                                                 )}
@@ -115,22 +113,6 @@ export function LayoutMobileMenu({
                                         </div>
                                         <div className="sticky bottom-0 left-0 right-0 h-8 pointer-events-none bg-gradient-to-t from-card to-transparent" />
                                     </div>
-                                    <div className="px-3 pt-3 pb-3 space-y-4 border-t shrink-0">
-                                        <SupporterStatus />
-                                        {env?.app?.version && (
-                                            <div className="text-xs text-muted-foreground text-center">
-                                                <Link
-                                                    href={`https://github.com/fosrl/pangolin/releases/tag/${env.app.version}`}
-                                                    target="_blank"
-                                                    rel="noopener noreferrer"
-                                                    className="flex items-center justify-center gap-1"
-                                                >
-                                                    v{env.app.version}
-                                                    <ExternalLink size={12} />
-                                                </Link>
-                                            </div>
-                                        )}
-                                    </div>
                                 </SheetContent>
                             </Sheet>
                         </div>

src/components/LayoutSidebar.tsx

@@ -146,6 +146,46 @@ export function LayoutSidebar({
             />
             <div className="flex-1 overflow-y-auto relative">
                 <div className="px-2 pt-3">
+                    {!isAdminPage && user.serverAdmin && (
+                        <div
+                            className={cn(
+                                "shrink-0",
+                                isSidebarCollapsed ? "mb-4" : "mb-1"
+                            )}
+                        >
+                            <Link
+                                href="/admin"
+                                className={cn(
+                                    "flex items-center transition-colors text-muted-foreground hover:text-foreground text-sm w-full hover:bg-secondary/80 dark:hover:bg-secondary/50 rounded-md",
+                                    isSidebarCollapsed
+                                        ? "px-2 py-2 justify-center"
+                                        : "px-3 py-1.5"
+                                )}
+                                title={
+                                    isSidebarCollapsed
+                                        ? t("serverAdmin")
+                                        : undefined
+                                }
+                            >
+                                <span
+                                    className={cn(
+                                        "shrink-0",
+                                        !isSidebarCollapsed && "mr-2"
+                                    )}
+                                >
+                                    <Server className="h-4 w-4" />
+                                </span>
+                                {!isSidebarCollapsed && (
+                                    <>
+                                        <span className="flex-1">
+                                            {t("serverAdmin")}
+                                        </span>
+                                        <ArrowRight className="h-4 w-4 shrink-0 ml-auto opacity-70" />
+                                    </>
+                                )}
+                            </Link>
+                        </div>
+                    )}
                     <SidebarNav
                         sections={navItems}
                         isCollapsed={isSidebarCollapsed}
@@ -156,40 +196,6 @@ export function LayoutSidebar({
                 <div className="sticky bottom-0 left-0 right-0 h-8 pointer-events-none bg-gradient-to-t from-card to-transparent" />
             </div>
 
-            {!isAdminPage && user.serverAdmin && (
-                <div className="shrink-0 px-2 pb-2">
-                    <Link
-                        href="/admin"
-                        className={cn(
-                            "flex items-center transition-colors text-muted-foreground hover:text-foreground text-sm w-full hover:bg-secondary/80 dark:hover:bg-secondary/50 rounded-md",
-                            isSidebarCollapsed
-                                ? "px-2 py-2 justify-center"
-                                : "px-3 py-1.5"
-                        )}
-                        title={
-                            isSidebarCollapsed ? t("serverAdmin") : undefined
-                        }
-                    >
-                        <span
-                            className={cn(
-                                "shrink-0",
-                                !isSidebarCollapsed && "mr-2"
-                            )}
-                        >
-                            <Server className="h-4 w-4" />
-                        </span>
-                        {!isSidebarCollapsed && (
-                            <>
-                                <span className="flex-1">
-                                    {t("serverAdmin")}
-                                </span>
-                                <ArrowRight className="h-4 w-4 shrink-0 ml-auto opacity-70" />
-                            </>
-                        )}
-                    </Link>
-                </div>
-            )}
-
             {isSidebarCollapsed && (
                 <div className="shrink-0 flex justify-center py-2">
                     <TooltipProvider>
@@ -218,7 +224,7 @@ export function LayoutSidebar({
 
             <div className="w-full border-t border-border mb-3" />
 
-            <div className="p-4 pt-0 mt-0 flex flex-col shrink-0">
+            <div className="p-4 pt-1 flex flex-col shrink-0">
                 {canShowProductUpdates && (
                     <div className="mb-3 empty:mb-0">
                         <ProductUpdates isCollapsed={isSidebarCollapsed} />