Bump the dev-minor-updates group across 1 directory with 7 updates

Bumps the dev-minor-updates group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@dotenvx/dotenvx](https://github.com/dotenvx/dotenvx) | `1.54.1` | `1.57.2` |
| [@tanstack/react-query-devtools](https://github.com/TanStack/query/tree/HEAD/packages/react-query-devtools) | `5.91.3` | `5.95.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.3.5` | `25.5.0` |
| [@types/pg](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/pg) | `8.18.0` | `8.20.0` |
| [eslint](https://github.com/eslint/eslint) | `10.0.3` | `10.1.0` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.1.7` | `16.2.1` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.56.1` | `8.57.1` |



Updates `@dotenvx/dotenvx` from 1.54.1 to 1.57.2
- [Release notes](https://github.com/dotenvx/dotenvx/releases)
- [Changelog](https://github.com/dotenvx/dotenvx/blob/main/CHANGELOG.md)
- [Commits](https://github.com/dotenvx/dotenvx/compare/v1.54.1...v1.57.2)

Updates `@tanstack/react-query-devtools` from 5.91.3 to 5.95.0
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query-devtools/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query-devtools@5.95.0/packages/react-query-devtools)

Updates `@types/node` from 25.3.5 to 25.5.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@types/pg` from 8.18.0 to 8.20.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/pg)

Updates `eslint` from 10.0.3 to 10.1.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/compare/v10.0.3...v10.1.0)

Updates `eslint-config-next` from 16.1.7 to 16.2.1
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.1/packages/eslint-config-next)

Updates `typescript-eslint` from 8.56.1 to 8.57.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.57.1/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: "@dotenvx/dotenvx"
  dependency-version: 1.57.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-minor-updates
- dependency-name: "@tanstack/react-query-devtools"
  dependency-version: 5.95.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-minor-updates
- dependency-name: "@types/node"
  dependency-version: 25.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-minor-updates
- dependency-name: "@types/pg"
  dependency-version: 8.20.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-minor-updates
- dependency-name: eslint
  dependency-version: 10.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-minor-updates
- dependency-name: eslint-config-next
  dependency-version: 16.2.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-minor-updates
- dependency-name: typescript-eslint
  dependency-version: 8.57.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>

package-lock.json

@@ -108,11 +108,11 @@
                 "zod-validation-error": "5.0.0"
             },
             "devDependencies": {
-                "@dotenvx/dotenvx": "1.54.1",
+                "@dotenvx/dotenvx": "1.57.2",
                 "@esbuild-plugins/tsconfig-paths": "0.1.2",
                 "@react-email/preview-server": "5.2.10",
                 "@tailwindcss/postcss": "4.2.1",
-                "@tanstack/react-query-devtools": "5.91.3",
+                "@tanstack/react-query-devtools": "5.95.2",
                 "@types/better-sqlite3": "7.6.13",
                 "@types/cookie-parser": "1.4.10",
                 "@types/cors": "2.8.19",
@@ -123,10 +123,10 @@
                 "@types/jmespath": "0.15.2",
                 "@types/js-yaml": "4.0.9",
                 "@types/jsonwebtoken": "9.0.10",
-                "@types/node": "25.3.5",
+                "@types/node": "25.5.0",
                 "@types/nodemailer": "7.0.11",
                 "@types/nprogress": "0.2.3",
-                "@types/pg": "8.18.0",
+                "@types/pg": "8.20.0",
                 "@types/react": "19.2.14",
                 "@types/react-dom": "19.2.3",
                 "@types/semver": "7.7.1",
@@ -139,8 +139,8 @@
                 "drizzle-kit": "0.31.10",
                 "esbuild": "0.27.3",
                 "esbuild-node-externals": "1.20.1",
-                "eslint": "10.0.3",
-                "eslint-config-next": "16.1.7",
+                "eslint": "10.1.0",
+                "eslint-config-next": "16.2.1",
                 "postcss": "8.5.8",
                 "prettier": "3.8.1",
                 "react-email": "5.2.10",
@@ -148,7 +148,7 @@
                 "tsc-alias": "1.8.16",
                 "tsx": "4.21.0",
                 "typescript": "5.9.3",
-                "typescript-eslint": "8.56.1"
+                "typescript-eslint": "8.57.2"
             }
         },
         "node_modules/@alloc/quick-lru": {
@@ -1460,9 +1460,9 @@
             "license": "MIT"
         },
         "node_modules/@dotenvx/dotenvx": {
-            "version": "1.54.1",
-            "resolved": "https://registry.npmjs.org/@dotenvx/dotenvx/-/dotenvx-1.54.1.tgz",
-            "integrity": "sha512-41gU3q7v05GM92QPuPUf4CmUw+mmF8p4wLUh6MCRlxpCkJ9ByLcY9jUf6MwrMNmiKyG/rIckNxj9SCfmNCmCqw==",
+            "version": "1.57.2",
+            "resolved": "https://registry.npmjs.org/@dotenvx/dotenvx/-/dotenvx-1.57.2.tgz",
+            "integrity": "sha512-lv9+UZPnl/KOvShepevLWm3+/wc1It5kgO5Q580evnvOFMZcgKVEYFwxlL7Ohl9my1yjTsWo28N3PJYUEO8wFQ==",
             "dev": true,
             "license": "BSD-3-Clause",
             "dependencies": {
@@ -2867,9 +2867,9 @@
             "integrity": "sha512-pUvdJN1on574wQHjaBfNGDt9Mz5utDSZFsIIQkMzPgNS8ZvT4H2mwOrOIClwsQOb6EGx5M76/CZr6G8i6pSpLg=="
         },
         "node_modules/@next/eslint-plugin-next": {
-            "version": "16.1.7",
-            "resolved": "https://registry.npmjs.org/@next/eslint-plugin-next/-/eslint-plugin-next-16.1.7.tgz",
-            "integrity": "sha512-v/bRGOJlfRCO+NDKt0bZlIIWjhMKU8xbgEQBo+rV9C8S6czZvs96LZ/v24/GvpEnovZlL4QDpku/RzWHVbmPpA==",
+            "version": "16.2.1",
+            "resolved": "https://registry.npmjs.org/@next/eslint-plugin-next/-/eslint-plugin-next-16.2.1.tgz",
+            "integrity": "sha512-r0epZGo24eT4g08jJlg2OEryBphXqO8aL18oajoTKLzHJ6jVr6P6FI58DLMug04MwD3j8Fj0YK0slyzneKVyzA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
@@ -8394,9 +8394,9 @@
             }
         },
         "node_modules/@tanstack/query-devtools": {
-            "version": "5.93.0",
-            "resolved": "https://registry.npmjs.org/@tanstack/query-devtools/-/query-devtools-5.93.0.tgz",
-            "integrity": "sha512-+kpsx1NQnOFTZsw6HAFCW3HkKg0+2cepGtAWXjiiSOJJ1CtQpt72EE2nyZb+AjAbLRPoeRmPJ8MtQd8r8gsPdg==",
+            "version": "5.95.2",
+            "resolved": "https://registry.npmjs.org/@tanstack/query-devtools/-/query-devtools-5.95.2.tgz",
+            "integrity": "sha512-QfaoqBn9uAZ+ICkA8brd1EHj+qBF6glCFgt94U8XP5BT6ppSsDBI8IJ00BU+cAGjQzp6wcKJL2EmRYvxy0TWIg==",
             "dev": true,
             "license": "MIT",
             "funding": {
@@ -8420,20 +8420,20 @@
             }
         },
         "node_modules/@tanstack/react-query-devtools": {
-            "version": "5.91.3",
-            "resolved": "https://registry.npmjs.org/@tanstack/react-query-devtools/-/react-query-devtools-5.91.3.tgz",
-            "integrity": "sha512-nlahjMtd/J1h7IzOOfqeyDh5LNfG0eULwlltPEonYy0QL+nqrBB+nyzJfULV+moL7sZyxc2sHdNJki+vLA9BSA==",
+            "version": "5.95.2",
+            "resolved": "https://registry.npmjs.org/@tanstack/react-query-devtools/-/react-query-devtools-5.95.2.tgz",
+            "integrity": "sha512-AFQFmbznVkbtfpx8VJ2DylW17wWagQel/qLstVLkYmNRo2CmJt3SNej5hvl6EnEeljJIdC3BTB+W7HZtpsH+3g==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@tanstack/query-devtools": "5.93.0"
+                "@tanstack/query-devtools": "5.95.2"
             },
             "funding": {
                 "type": "github",
                 "url": "https://github.com/sponsors/tannerlinsley"
             },
             "peerDependencies": {
-                "@tanstack/react-query": "^5.90.20",
+                "@tanstack/react-query": "^5.95.2",
                 "react": "^18 || ^19"
             }
         },
@@ -8960,9 +8960,9 @@
             "license": "MIT"
         },
         "node_modules/@types/node": {
-            "version": "25.3.5",
-            "resolved": "https://registry.npmjs.org/@types/node/-/node-25.3.5.tgz",
-            "integrity": "sha512-oX8xrhvpiyRCQkG1MFchB09f+cXftgIXb3a7UUa4Y3wpmZPw5tyZGTLWhlESOLq1Rq6oDlc8npVU2/9xiCuXMA==",
+            "version": "25.5.0",
+            "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.0.tgz",
+            "integrity": "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw==",
             "devOptional": true,
             "license": "MIT",
             "dependencies": {
@@ -8987,9 +8987,9 @@
             "license": "MIT"
         },
         "node_modules/@types/pg": {
-            "version": "8.18.0",
-            "resolved": "https://registry.npmjs.org/@types/pg/-/pg-8.18.0.tgz",
-            "integrity": "sha512-gT+oueVQkqnj6ajGJXblFR4iavIXWsGAFCk3dP4Kki5+a9R4NMt0JARdk6s8cUKcfUoqP5dAtDSLU8xYUTFV+Q==",
+            "version": "8.20.0",
+            "resolved": "https://registry.npmjs.org/@types/pg/-/pg-8.20.0.tgz",
+            "integrity": "sha512-bEPFOaMAHTEP1EzpvHTbmwR8UsFyHSKsRisLIHVMXnpNefSbGA1bD6CVy+qKjGSqmZqNqBDV2azOBo8TgkcVow==",
             "devOptional": true,
             "license": "MIT",
             "dependencies": {
@@ -9144,17 +9144,17 @@
             "license": "MIT"
         },
         "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "8.56.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.56.1.tgz",
-            "integrity": "sha512-Jz9ZztpB37dNC+HU2HI28Bs9QXpzCz+y/twHOwhyrIRdbuVDxSytJNDl6z/aAKlaRIwC7y8wJdkBv7FxYGgi0A==",
+            "version": "8.57.2",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.57.2.tgz",
+            "integrity": "sha512-NZZgp0Fm2IkD+La5PR81sd+g+8oS6JwJje+aRWsDocxHkjyRw0J5L5ZTlN3LI1LlOcGL7ph3eaIUmTXMIjLk0w==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/regexpp": "^4.12.2",
-                "@typescript-eslint/scope-manager": "8.56.1",
-                "@typescript-eslint/type-utils": "8.56.1",
-                "@typescript-eslint/utils": "8.56.1",
-                "@typescript-eslint/visitor-keys": "8.56.1",
+                "@typescript-eslint/scope-manager": "8.57.2",
+                "@typescript-eslint/type-utils": "8.57.2",
+                "@typescript-eslint/utils": "8.57.2",
+                "@typescript-eslint/visitor-keys": "8.57.2",
                 "ignore": "^7.0.5",
                 "natural-compare": "^1.4.0",
                 "ts-api-utils": "^2.4.0"
@@ -9167,7 +9167,7 @@
                 "url": "https://opencollective.com/typescript-eslint"
             },
             "peerDependencies": {
-                "@typescript-eslint/parser": "^8.56.1",
+                "@typescript-eslint/parser": "^8.57.2",
                 "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
                 "typescript": ">=4.8.4 <6.0.0"
             }
@@ -9183,16 +9183,16 @@
             }
         },
         "node_modules/@typescript-eslint/parser": {
-            "version": "8.56.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.56.1.tgz",
-            "integrity": "sha512-klQbnPAAiGYFyI02+znpBRLyjL4/BrBd0nyWkdC0s/6xFLkXYQ8OoRrSkqacS1ddVxf/LDyODIKbQ5TgKAf/Fg==",
+            "version": "8.57.2",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.57.2.tgz",
+            "integrity": "sha512-30ScMRHIAD33JJQkgfGW1t8CURZtjc2JpTrq5n2HFhOefbAhb7ucc7xJwdWcrEtqUIYJ73Nybpsggii6GtAHjA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/scope-manager": "8.56.1",
-                "@typescript-eslint/types": "8.56.1",
-                "@typescript-eslint/typescript-estree": "8.56.1",
-                "@typescript-eslint/visitor-keys": "8.56.1",
+                "@typescript-eslint/scope-manager": "8.57.2",
+                "@typescript-eslint/types": "8.57.2",
+                "@typescript-eslint/typescript-estree": "8.57.2",
+                "@typescript-eslint/visitor-keys": "8.57.2",
                 "debug": "^4.4.3"
             },
             "engines": {
@@ -9208,14 +9208,14 @@
             }
         },
         "node_modules/@typescript-eslint/project-service": {
-            "version": "8.56.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.56.1.tgz",
-            "integrity": "sha512-TAdqQTzHNNvlVFfR+hu2PDJrURiwKsUvxFn1M0h95BB8ah5jejas08jUWG4dBA68jDMI988IvtfdAI53JzEHOQ==",
+            "version": "8.57.2",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.57.2.tgz",
+            "integrity": "sha512-FuH0wipFywXRTHf+bTTjNyuNQQsQC3qh/dYzaM4I4W0jrCqjCVuUh99+xd9KamUfmCGPvbO8NDngo/vsnNVqgw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/tsconfig-utils": "^8.56.1",
-                "@typescript-eslint/types": "^8.56.1",
+                "@typescript-eslint/tsconfig-utils": "^8.57.2",
+                "@typescript-eslint/types": "^8.57.2",
                 "debug": "^4.4.3"
             },
             "engines": {
@@ -9230,14 +9230,14 @@
             }
         },
         "node_modules/@typescript-eslint/scope-manager": {
-            "version": "8.56.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.56.1.tgz",
-            "integrity": "sha512-YAi4VDKcIZp0O4tz/haYKhmIDZFEUPOreKbfdAN3SzUDMcPhJ8QI99xQXqX+HoUVq8cs85eRKnD+rne2UAnj2w==",
+            "version": "8.57.2",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.57.2.tgz",
+            "integrity": "sha512-snZKH+W4WbWkrBqj4gUNRIGb/jipDW3qMqVJ4C9rzdFc+wLwruxk+2a5D+uoFcKPAqyqEnSb4l2ULuZf95eSkw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.56.1",
-                "@typescript-eslint/visitor-keys": "8.56.1"
+                "@typescript-eslint/types": "8.57.2",
+                "@typescript-eslint/visitor-keys": "8.57.2"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -9248,9 +9248,9 @@
             }
         },
         "node_modules/@typescript-eslint/tsconfig-utils": {
-            "version": "8.56.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.56.1.tgz",
-            "integrity": "sha512-qOtCYzKEeyr3aR9f28mPJqBty7+DBqsdd63eO0yyDwc6vgThj2UjWfJIcsFeSucYydqcuudMOprZ+x1SpF3ZuQ==",
+            "version": "8.57.2",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.57.2.tgz",
+            "integrity": "sha512-3Lm5DSM+DCowsUOJC+YqHHnKEfFh5CoGkj5Z31NQSNF4l5wdOwqGn99wmwN/LImhfY3KJnmordBq/4+VDe2eKw==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -9265,15 +9265,15 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils": {
-            "version": "8.56.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.56.1.tgz",
-            "integrity": "sha512-yB/7dxi7MgTtGhZdaHCemf7PuwrHMenHjmzgUW1aJpO+bBU43OycnM3Wn+DdvDO/8zzA9HlhaJ0AUGuvri4oGg==",
+            "version": "8.57.2",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.57.2.tgz",
+            "integrity": "sha512-Co6ZCShm6kIbAM/s+oYVpKFfW7LBc6FXoPXjTRQ449PPNBY8U0KZXuevz5IFuuUj2H9ss40atTaf9dlGLzbWZg==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.56.1",
-                "@typescript-eslint/typescript-estree": "8.56.1",
-                "@typescript-eslint/utils": "8.56.1",
+                "@typescript-eslint/types": "8.57.2",
+                "@typescript-eslint/typescript-estree": "8.57.2",
+                "@typescript-eslint/utils": "8.57.2",
                 "debug": "^4.4.3",
                 "ts-api-utils": "^2.4.0"
             },
@@ -9290,9 +9290,9 @@
             }
         },
         "node_modules/@typescript-eslint/types": {
-            "version": "8.56.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.56.1.tgz",
-            "integrity": "sha512-dbMkdIUkIkchgGDIv7KLUpa0Mda4IYjo4IAMJUZ+3xNoUXxMsk9YtKpTHSChRS85o+H9ftm51gsK1dZReY9CVw==",
+            "version": "8.57.2",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.57.2.tgz",
+            "integrity": "sha512-/iZM6FnM4tnx9csuTxspMW4BOSegshwX5oBDznJ7S4WggL7Vczz5d2W11ecc4vRrQMQHXRSxzrCsyG5EsPPTbA==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -9304,16 +9304,16 @@
             }
         },
         "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "8.56.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.56.1.tgz",
-            "integrity": "sha512-qzUL1qgalIvKWAf9C1HpvBjif+Vm6rcT5wZd4VoMb9+Km3iS3Cv9DY6dMRMDtPnwRAFyAi7YXJpTIEXLvdfPxg==",
+            "version": "8.57.2",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.57.2.tgz",
+            "integrity": "sha512-2MKM+I6g8tJxfSmFKOnHv2t8Sk3T6rF20A1Puk0svLK+uVapDZB/4pfAeB7nE83uAZrU6OxW+HmOd5wHVdXwXA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/project-service": "8.56.1",
-                "@typescript-eslint/tsconfig-utils": "8.56.1",
-                "@typescript-eslint/types": "8.56.1",
-                "@typescript-eslint/visitor-keys": "8.56.1",
+                "@typescript-eslint/project-service": "8.57.2",
+                "@typescript-eslint/tsconfig-utils": "8.57.2",
+                "@typescript-eslint/types": "8.57.2",
+                "@typescript-eslint/visitor-keys": "8.57.2",
                 "debug": "^4.4.3",
                 "minimatch": "^10.2.2",
                 "semver": "^7.7.3",
@@ -9332,16 +9332,16 @@
             }
         },
         "node_modules/@typescript-eslint/utils": {
-            "version": "8.56.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.56.1.tgz",
-            "integrity": "sha512-HPAVNIME3tABJ61siYlHzSWCGtOoeP2RTIaHXFMPqjrQKCGB9OgUVdiNgH7TJS2JNIQ5qQ4RsAUDuGaGme/KOA==",
+            "version": "8.57.2",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.57.2.tgz",
+            "integrity": "sha512-krRIbvPK1ju1WBKIefiX+bngPs+odIQUtR7kymzPfo1POVw3jlF+nLkmexdSSd4UCbDcQn+wMBATOOmpBbqgKg==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.9.1",
-                "@typescript-eslint/scope-manager": "8.56.1",
-                "@typescript-eslint/types": "8.56.1",
-                "@typescript-eslint/typescript-estree": "8.56.1"
+                "@typescript-eslint/scope-manager": "8.57.2",
+                "@typescript-eslint/types": "8.57.2",
+                "@typescript-eslint/typescript-estree": "8.57.2"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -9356,13 +9356,13 @@
             }
         },
         "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "8.56.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.56.1.tgz",
-            "integrity": "sha512-KiROIzYdEV85YygXw6BI/Dx4fnBlFQu6Mq4QE4MOH9fFnhohw6wX/OAvDY2/C+ut0I3RSPKenvZJIVYqJNkhEw==",
+            "version": "8.57.2",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.57.2.tgz",
+            "integrity": "sha512-zhahknjobV2FiD6Ee9iLbS7OV9zi10rG26odsQdfBO/hjSzUQbkIYgda+iNKK1zNiW2ey+Lf8MU5btN17V3dUw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.56.1",
+                "@typescript-eslint/types": "8.57.2",
                 "eslint-visitor-keys": "^5.0.0"
             },
             "engines": {
@@ -12369,16 +12369,16 @@
             }
         },
         "node_modules/eslint": {
-            "version": "10.0.3",
-            "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.0.3.tgz",
-            "integrity": "sha512-COV33RzXZkqhG9P2rZCFl9ZmJ7WL+gQSCRzE7RhkbclbQPtLAWReL7ysA0Sh4c8Im2U9ynybdR56PV0XcKvqaQ==",
+            "version": "10.1.0",
+            "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.1.0.tgz",
+            "integrity": "sha512-S9jlY/ELKEUwwQnqWDO+f+m6sercqOPSqXM5Go94l7DOmxHVDgmSFGWEzeE/gwgTAr0W103BWt0QLe/7mabIvA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.8.0",
                 "@eslint-community/regexpp": "^4.12.2",
                 "@eslint/config-array": "^0.23.3",
-                "@eslint/config-helpers": "^0.5.2",
+                "@eslint/config-helpers": "^0.5.3",
                 "@eslint/core": "^1.1.1",
                 "@eslint/plugin-kit": "^0.6.1",
                 "@humanfs/node": "^0.16.6",
@@ -12391,7 +12391,7 @@
                 "escape-string-regexp": "^4.0.0",
                 "eslint-scope": "^9.1.2",
                 "eslint-visitor-keys": "^5.0.1",
-                "espree": "^11.1.1",
+                "espree": "^11.2.0",
                 "esquery": "^1.7.0",
                 "esutils": "^2.0.2",
                 "fast-deep-equal": "^3.1.3",
@@ -12425,13 +12425,13 @@
             }
         },
         "node_modules/eslint-config-next": {
-            "version": "16.1.7",
-            "resolved": "https://registry.npmjs.org/eslint-config-next/-/eslint-config-next-16.1.7.tgz",
-            "integrity": "sha512-FTq1i/QDltzq+zf9aB/cKWAiZ77baG0V7h8dRQh3thVx7I4dwr6ZXQrWKAaTB7x5VwVXlzoUTyMLIVQPLj2gJg==",
+            "version": "16.2.1",
+            "resolved": "https://registry.npmjs.org/eslint-config-next/-/eslint-config-next-16.2.1.tgz",
+            "integrity": "sha512-qhabwjQZ1Mk53XzXvmogf8KQ0tG0CQXF0CZ56+2/lVhmObgmaqj7x5A1DSrWdZd3kwI7GTPGUjFne+krRxYmFg==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@next/eslint-plugin-next": "16.1.7",
+                "@next/eslint-plugin-next": "16.2.1",
                 "eslint-import-resolver-node": "^0.3.6",
                 "eslint-import-resolver-typescript": "^3.5.2",
                 "eslint-plugin-import": "^2.32.0",
@@ -18808,9 +18808,9 @@
             }
         },
         "node_modules/ts-api-utils": {
-            "version": "2.4.0",
-            "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.4.0.tgz",
-            "integrity": "sha512-3TaVTaAv2gTiMB35i3FiGJaRfwb3Pyn/j3m/bfAvGe8FB7CF6u+LMYqYlDh7reQf7UNvoTvdfAqHGmPGOSsPmA==",
+            "version": "2.5.0",
+            "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.5.0.tgz",
+            "integrity": "sha512-OJ/ibxhPlqrMM0UiNHJ/0CKQkoKF243/AEmplt3qpRgkW8VG7IfOS41h7V8TjITqdByHzrjcS/2si+y4lIh8NA==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -19149,16 +19149,16 @@
             }
         },
         "node_modules/typescript-eslint": {
-            "version": "8.56.1",
-            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.56.1.tgz",
-            "integrity": "sha512-U4lM6pjmBX7J5wk4szltF7I1cGBHXZopnAXCMXb3+fZ3B/0Z3hq3wS/CCUB2NZBNAExK92mCU2tEohWuwVMsDQ==",
+            "version": "8.57.2",
+            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.57.2.tgz",
+            "integrity": "sha512-VEPQ0iPgWO/sBaZOU1xo4nuNdODVOajPnTIbog2GKYr31nIlZ0fWPoCQgGfF3ETyBl1vn63F/p50Um9Z4J8O8A==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/eslint-plugin": "8.56.1",
-                "@typescript-eslint/parser": "8.56.1",
-                "@typescript-eslint/typescript-estree": "8.56.1",
-                "@typescript-eslint/utils": "8.56.1"
+                "@typescript-eslint/eslint-plugin": "8.57.2",
+                "@typescript-eslint/parser": "8.57.2",
+                "@typescript-eslint/typescript-estree": "8.57.2",
+                "@typescript-eslint/utils": "8.57.2"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"

package.json

@@ -131,11 +131,11 @@
         "zod-validation-error": "5.0.0"
     },
     "devDependencies": {
-        "@dotenvx/dotenvx": "1.54.1",
+        "@dotenvx/dotenvx": "1.57.2",
         "@esbuild-plugins/tsconfig-paths": "0.1.2",
         "@react-email/preview-server": "5.2.10",
         "@tailwindcss/postcss": "4.2.1",
-        "@tanstack/react-query-devtools": "5.91.3",
+        "@tanstack/react-query-devtools": "5.95.2",
         "@types/better-sqlite3": "7.6.13",
         "@types/cookie-parser": "1.4.10",
         "@types/cors": "2.8.19",
@@ -146,10 +146,10 @@
         "@types/jmespath": "0.15.2",
         "@types/js-yaml": "4.0.9",
         "@types/jsonwebtoken": "9.0.10",
-        "@types/node": "25.3.5",
+        "@types/node": "25.5.0",
         "@types/nodemailer": "7.0.11",
         "@types/nprogress": "0.2.3",
-        "@types/pg": "8.18.0",
+        "@types/pg": "8.20.0",
         "@types/react": "19.2.14",
         "@types/react-dom": "19.2.3",
         "@types/semver": "7.7.1",
@@ -162,8 +162,8 @@
         "drizzle-kit": "0.31.10",
         "esbuild": "0.27.3",
         "esbuild-node-externals": "1.20.1",
-        "eslint": "10.0.3",
-        "eslint-config-next": "16.1.7",
+        "eslint": "10.1.0",
+        "eslint-config-next": "16.2.1",
         "postcss": "8.5.8",
         "prettier": "3.8.1",
         "react-email": "5.2.10",
@@ -171,7 +171,7 @@
         "tsc-alias": "1.8.16",
         "tsx": "4.21.0",
         "typescript": "5.9.3",
-        "typescript-eslint": "8.56.1"
+        "typescript-eslint": "8.57.2"
     },
     "overrides": {
         "esbuild": "0.27.3",

server/auth/actions.ts

@@ -1,7 +1,7 @@
 import { Request } from "express";
 import { db } from "@server/db";
-import { userActions, roleActions } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { userActions, roleActions, userOrgs } from "@server/db";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 
@@ -53,7 +53,6 @@ export enum ActionsEnum {
     listRoleResources = "listRoleResources",
     // listRoleActions = "listRoleActions",
     addUserRole = "addUserRole",
-    removeUserRole = "removeUserRole",
     // addUserSite = "addUserSite",
     // addUserAction = "addUserAction",
     // removeUserAction = "removeUserAction",
@@ -155,19 +154,29 @@ export async function checkUserActionPermission(
     }
 
     try {
-        let userOrgRoleIds = req.userOrgRoleIds;
+        let userOrgRoleId = req.userOrgRoleId;
 
-        if (userOrgRoleIds === undefined) {
-            const { getUserOrgRoleIds } = await import(
-                "@server/lib/userOrgRoles"
-            );
-            userOrgRoleIds = await getUserOrgRoleIds(userId, req.userOrgId!);
-            if (userOrgRoleIds.length === 0) {
+        // If userOrgRoleId is not available on the request, fetch it
+        if (userOrgRoleId === undefined) {
+            const userOrgRole = await db
+                .select()
+                .from(userOrgs)
+                .where(
+                    and(
+                        eq(userOrgs.userId, userId),
+                        eq(userOrgs.orgId, req.userOrgId!)
+                    )
+                )
+                .limit(1);
+
+            if (userOrgRole.length === 0) {
                 throw createHttpError(
                     HttpCode.FORBIDDEN,
                     "User does not have access to this organization"
                 );
             }
+
+            userOrgRoleId = userOrgRole[0].roleId;
         }
 
         // Check if the user has direct permission for the action in the current org
@@ -178,7 +187,7 @@ export async function checkUserActionPermission(
                 and(
                     eq(userActions.userId, userId),
                     eq(userActions.actionId, actionId),
-                    eq(userActions.orgId, req.userOrgId!)
+                    eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org
                 )
             )
             .limit(1);
@@ -187,14 +196,14 @@ export async function checkUserActionPermission(
             return true;
         }
 
-        // If no direct permission, check role-based permission (any of user's roles)
+        // If no direct permission, check role-based permission
         const roleActionPermission = await db
             .select()
             .from(roleActions)
             .where(
                 and(
                     eq(roleActions.actionId, actionId),
-                    inArray(roleActions.roleId, userOrgRoleIds),
+                    eq(roleActions.roleId, userOrgRoleId!),
                     eq(roleActions.orgId, req.userOrgId!)
                 )
             )

server/auth/canUserAccessResource.ts

@@ -1,29 +1,26 @@
 import { db } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import { roleResources, userResources } from "@server/db";
 
 export async function canUserAccessResource({
     userId,
     resourceId,
-    roleIds
+    roleId
 }: {
     userId: string;
     resourceId: number;
-    roleIds: number[];
+    roleId: number;
 }): Promise<boolean> {
-    const roleResourceAccess =
-        roleIds.length > 0
-            ? await db
-                  .select()
-                  .from(roleResources)
-                  .where(
-                      and(
-                          eq(roleResources.resourceId, resourceId),
-                          inArray(roleResources.roleId, roleIds)
-                      )
-                  )
-                  .limit(1)
-            : [];
+    const roleResourceAccess = await db
+        .select()
+        .from(roleResources)
+        .where(
+            and(
+                eq(roleResources.resourceId, resourceId),
+                eq(roleResources.roleId, roleId)
+            )
+        )
+        .limit(1);
 
     if (roleResourceAccess.length > 0) {
         return true;

server/auth/canUserAccessSiteResource.ts

@@ -1,29 +1,26 @@
 import { db } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import { roleSiteResources, userSiteResources } from "@server/db";
 
 export async function canUserAccessSiteResource({
     userId,
     resourceId,
-    roleIds
+    roleId
 }: {
     userId: string;
     resourceId: number;
-    roleIds: number[];
+    roleId: number;
 }): Promise<boolean> {
-    const roleResourceAccess =
-        roleIds.length > 0
-            ? await db
-                  .select()
-                  .from(roleSiteResources)
-                  .where(
-                      and(
-                          eq(roleSiteResources.siteResourceId, resourceId),
-                          inArray(roleSiteResources.roleId, roleIds)
-                      )
-                  )
-                  .limit(1)
-            : [];
+    const roleResourceAccess = await db
+        .select()
+        .from(roleSiteResources)
+        .where(
+            and(
+                eq(roleSiteResources.siteResourceId, resourceId),
+                eq(roleSiteResources.roleId, roleId)
+            )
+        )
+        .limit(1);
 
     if (roleResourceAccess.length > 0) {
         return true;

server/db/pg/driver.ts

@@ -1,7 +1,7 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
+import { createPool } from "./poolConfig";
 
 function createDb() {
     const config = readConfigFile();
@@ -39,12 +39,17 @@ function createDb() {
 
     // Create connection pools instead of individual connections
     const poolConfig = config.postgres.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "primary"
+    );
 
     const replicas = [];
 
@@ -55,14 +60,16 @@ function createDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ export default db;
 export const primaryDb = db.$primary;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
->[0];
+>[0];

server/db/pg/logsDriver.ts

@@ -1,9 +1,9 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
 import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
+import { createPool } from "./poolConfig";
 
 function createLogsDb() {
     // Only use separate logs database in SaaS builds
@@ -42,12 +42,17 @@ function createLogsDb() {
 
     // Create separate connection pool for logs database
     const poolConfig = logsConfig?.pool || config.postgres?.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "logs-primary"
+    );
 
     const replicas = [];
 
@@ -58,14 +63,16 @@ function createLogsDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "logs-replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ function createLogsDb() {
 
 export const logsDb = createLogsDb();
 export default logsDb;
-export const primaryLogsDb = logsDb.$primary;
+export const primaryLogsDb = logsDb.$primary;

server/db/pg/poolConfig.ts

@@ -0,0 +1,63 @@
+import { Pool, PoolConfig } from "pg";
+import logger from "@server/logger";
+
+export function createPoolConfig(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number
+): PoolConfig {
+    return {
+        connectionString,
+        max: maxConnections,
+        idleTimeoutMillis: idleTimeoutMs,
+        connectionTimeoutMillis: connectionTimeoutMs,
+        // TCP keepalive to prevent silent connection drops by NAT gateways,
+        // load balancers, and other intermediate network devices (e.g. AWS
+        // NAT Gateway drops idle TCP connections after ~350s)
+        keepAlive: true,
+        keepAliveInitialDelayMillis: 10000, // send first keepalive after 10s of idle
+        // Allow connections to be released and recreated more aggressively
+        // to avoid stale connections building up
+        allowExitOnIdle: false
+    };
+}
+
+export function attachPoolErrorHandlers(pool: Pool, label: string): void {
+    pool.on("error", (err) => {
+        // This catches errors on idle clients in the pool. Without this
+        // handler an unexpected disconnect would crash the process.
+        logger.error(
+            `Unexpected error on idle ${label} database client: ${err.message}`
+        );
+    });
+
+    pool.on("connect", (client) => {
+        // Set a statement timeout on every new connection so a single slow
+        // query can't block the pool forever
+        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
+            logger.warn(
+                `Failed to set statement_timeout on ${label} client: ${err.message}`
+            );
+        });
+    });
+}
+
+export function createPool(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number,
+    label: string
+): Pool {
+    const pool = new Pool(
+        createPoolConfig(
+            connectionString,
+            maxConnections,
+            idleTimeoutMs,
+            connectionTimeoutMs
+        )
+    );
+    attachPoolErrorHandlers(pool, label);
+    return pool;
+}

server/db/pg/schema/schema.ts

@@ -9,7 +9,6 @@ import {
     real,
     serial,
     text,
-    unique,
     varchar
 } from "drizzle-orm/pg-core";
 
@@ -336,6 +335,9 @@ export const userOrgs = pgTable("userOrgs", {
             onDelete: "cascade"
         })
         .notNull(),
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId),
     isOwner: boolean("isOwner").notNull().default(false),
     autoProvisioned: boolean("autoProvisioned").default(false),
     pamUsername: varchar("pamUsername") // cleaned username for ssh and such
@@ -384,22 +386,6 @@ export const roles = pgTable("roles", {
     sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 
-export const userOrgRoles = pgTable(
-    "userOrgRoles",
-    {
-        userId: varchar("userId")
-            .notNull()
-            .references(() => users.userId, { onDelete: "cascade" }),
-        orgId: varchar("orgId")
-            .notNull()
-            .references(() => orgs.orgId, { onDelete: "cascade" }),
-        roleId: integer("roleId")
-            .notNull()
-            .references(() => roles.roleId, { onDelete: "cascade" })
-    },
-    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
-);
-
 export const roleActions = pgTable("roleActions", {
     roleId: integer("roleId")
         .notNull()
@@ -1049,7 +1035,6 @@ export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
-export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;

server/db/queries/verifySessionQueries.ts

@@ -12,7 +12,6 @@ import {
     resources,
     roleResources,
     sessions,
-    userOrgRoles,
     userOrgs,
     userResources,
     users,
@@ -105,57 +104,24 @@ export async function getUserSessionWithUser(
 }
 
 /**
- * Get user organization role (single role; prefer getUserOrgRoleIds + roles for multi-role).
- * @deprecated Use userOrgRoles table and getUserOrgRoleIds for multi-role support.
+ * Get user organization role
  */
 export async function getUserOrgRole(userId: string, orgId: string) {
-    const userOrg = await db
+    const userOrgRole = await db
         .select({
             userId: userOrgs.userId,
             orgId: userOrgs.orgId,
+            roleId: userOrgs.roleId,
             isOwner: userOrgs.isOwner,
-            autoProvisioned: userOrgs.autoProvisioned
+            autoProvisioned: userOrgs.autoProvisioned,
+            roleName: roles.name
         })
         .from(userOrgs)
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .limit(1);
 
-    if (userOrg.length === 0) return null;
-
-    const [firstRole] = await db
-        .select({
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, orgId)
-            )
-        )
-        .limit(1);
-
-    return firstRole
-        ? {
-              ...userOrg[0],
-              roleId: firstRole.roleId,
-              roleName: firstRole.roleName
-          }
-        : { ...userOrg[0], roleId: null, roleName: null };
-}
-
-/**
- * Get role name by role ID (for display).
- */
-export async function getRoleName(roleId: number): Promise<string | null> {
-    const [row] = await db
-        .select({ name: roles.name })
-        .from(roles)
-        .where(eq(roles.roleId, roleId))
-        .limit(1);
-    return row?.name ?? null;
+    return userOrgRole.length > 0 ? userOrgRole[0] : null;
 }
 
 /**

server/db/sqlite/schema/schema.ts

@@ -1,12 +1,6 @@
 import { randomUUID } from "crypto";
 import { InferSelectModel } from "drizzle-orm";
-import {
-    index,
-    integer,
-    sqliteTable,
-    text,
-    unique
-} from "drizzle-orm/sqlite-core";
+import { index, integer, sqliteTable, text } from "drizzle-orm/sqlite-core";
 
 export const domains = sqliteTable("domains", {
     domainId: text("domainId").primaryKey(),
@@ -649,6 +643,9 @@ export const userOrgs = sqliteTable("userOrgs", {
             onDelete: "cascade"
         })
         .notNull(),
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId),
     isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
     autoProvisioned: integer("autoProvisioned", {
         mode: "boolean"
@@ -703,22 +700,6 @@ export const roles = sqliteTable("roles", {
     sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 
-export const userOrgRoles = sqliteTable(
-    "userOrgRoles",
-    {
-        userId: text("userId")
-            .notNull()
-            .references(() => users.userId, { onDelete: "cascade" }),
-        orgId: text("orgId")
-            .notNull()
-            .references(() => orgs.orgId, { onDelete: "cascade" }),
-        roleId: integer("roleId")
-            .notNull()
-            .references(() => roles.roleId, { onDelete: "cascade" })
-    },
-    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
-);
-
 export const roleActions = sqliteTable("roleActions", {
     roleId: integer("roleId")
         .notNull()
@@ -1153,7 +1134,6 @@ export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
-export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;

server/index.ts

@@ -74,7 +74,7 @@ declare global {
             session: Session;
             userOrg?: UserOrg;
             apiKeyOrg?: ApiKeyOrg;
-            userOrgRoleIds?: number[];
+            userOrgRoleId?: number;
             userOrgId?: string;
             userOrgIds?: string[];
             remoteExitNode?: RemoteExitNode;

server/lib/calculateUserClientsForOrgs.ts

@@ -10,7 +10,6 @@ import {
     roles,
     Transaction,
     userClients,
-    userOrgRoles,
     userOrgs
 } from "@server/db";
 import { getUniqueClientName } from "@server/db/names";
@@ -40,36 +39,20 @@ export async function calculateUserClientsForOrgs(
             return;
         }
 
-        // Get all user orgs with all roles (for org list and role-based logic)
-        const userOrgRoleRows = await transaction
+        // Get all user orgs
+        const allUserOrgs = await transaction
             .select()
             .from(userOrgs)
-            .innerJoin(
-                userOrgRoles,
-                and(
-                    eq(userOrgs.userId, userOrgRoles.userId),
-                    eq(userOrgs.orgId, userOrgRoles.orgId)
-                )
-            )
-            .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+            .innerJoin(roles, eq(roles.roleId, userOrgs.roleId))
             .where(eq(userOrgs.userId, userId));
 
-        const userOrgIds = [...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))];
-        const orgIdToRoleRows = new Map<
-            string,
-            (typeof userOrgRoleRows)[0][]
-        >();
-        for (const r of userOrgRoleRows) {
-            const list = orgIdToRoleRows.get(r.userOrgs.orgId) ?? [];
-            list.push(r);
-            orgIdToRoleRows.set(r.userOrgs.orgId, list);
-        }
+        const userOrgIds = allUserOrgs.map(({ userOrgs: uo }) => uo.orgId);
 
         // For each OLM, ensure there's a client in each org the user is in
         for (const olm of userOlms) {
-            for (const orgId of orgIdToRoleRows.keys()) {
-                const roleRowsForOrg = orgIdToRoleRows.get(orgId)!;
-                const userOrg = roleRowsForOrg[0].userOrgs;
+            for (const userRoleOrg of allUserOrgs) {
+                const { userOrgs: userOrg, roles: role } = userRoleOrg;
+                const orgId = userOrg.orgId;
 
                 const [org] = await transaction
                     .select()
@@ -213,7 +196,7 @@ export async function calculateUserClientsForOrgs(
                 const requireApproval =
                     build !== "oss" &&
                     isOrgLicensed &&
-                    roleRowsForOrg.some((r) => r.roles.requireDeviceApproval);
+                    role.requireDeviceApproval;
 
                 const newClientData: InferInsertModel<typeof clients> = {
                     userId,

server/lib/rebuildClientAssociations.ts

@@ -14,7 +14,6 @@ import {
     siteResources,
     sites,
     Transaction,
-    userOrgRoles,
     userOrgs,
     userSiteResources
 } from "@server/db";
@@ -78,10 +77,10 @@ export async function getClientSiteResourceAccess(
     // get all of the users in these roles
     const userIdsFromRoles = await trx
         .select({
-            userId: userOrgRoles.userId
+            userId: userOrgs.userId
         })
-        .from(userOrgRoles)
-        .where(inArray(userOrgRoles.roleId, roleIds))
+        .from(userOrgs)
+        .where(inArray(userOrgs.roleId, roleIds))
         .then((rows) => rows.map((row) => row.userId));
 
     const newAllUserIds = Array.from(
@@ -821,12 +820,12 @@ export async function rebuildClientAssociationsFromClient(
 
         // Role-based access
         const roleIds = await trx
-            .select({ roleId: userOrgRoles.roleId })
-            .from(userOrgRoles)
+            .select({ roleId: userOrgs.roleId })
+            .from(userOrgs)
             .where(
                 and(
-                    eq(userOrgRoles.userId, client.userId),
-                    eq(userOrgRoles.orgId, client.orgId)
+                    eq(userOrgs.userId, client.userId),
+                    eq(userOrgs.orgId, client.orgId)
                 )
             ) // this needs to be locked onto this org or else cross-org access could happen
             .then((rows) => rows.map((row) => row.roleId));

server/lib/userOrg.ts

@@ -6,7 +6,7 @@ import {
     siteResources,
     sites,
     Transaction,
-    userOrgRoles,
+    UserOrg,
     userOrgs,
     userResources,
     userSiteResources,
@@ -19,15 +19,9 @@ import { FeatureId } from "@server/lib/billing";
 export async function assignUserToOrg(
     org: Org,
     values: typeof userOrgs.$inferInsert,
-    roleId: number,
     trx: Transaction | typeof db = db
 ) {
     const [userOrg] = await trx.insert(userOrgs).values(values).returning();
-    await trx.insert(userOrgRoles).values({
-        userId: userOrg.userId,
-        orgId: userOrg.orgId,
-        roleId
-    });
 
     // calculate if the user is in any other of the orgs before we count it as an add to the billing org
     if (org.billingOrgId) {
@@ -64,14 +58,6 @@ export async function removeUserFromOrg(
     userId: string,
     trx: Transaction | typeof db = db
 ) {
-    await trx
-        .delete(userOrgRoles)
-        .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, org.orgId)
-            )
-        );
     await trx
         .delete(userOrgs)
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, org.orgId)));

server/lib/userOrgRoles.ts

@@ -1,22 +0,0 @@
-import { db, userOrgRoles } from "@server/db";
-import { and, eq } from "drizzle-orm";
-
-/**
- * Get all role IDs a user has in an organization.
- * Returns empty array if the user has no roles in the org (callers must treat as no access).
- */
-export async function getUserOrgRoleIds(
-    userId: string,
-    orgId: string
-): Promise<number[]> {
-    const rows = await db
-        .select({ roleId: userOrgRoles.roleId })
-        .from(userOrgRoles)
-        .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, orgId)
-            )
-        );
-    return rows.map((r) => r.roleId);
-}

server/middlewares/getUserOrgs.ts

@@ -21,7 +21,8 @@ export async function getUserOrgs(
     try {
         const userOrganizations = await db
             .select({
-                orgId: userOrgs.orgId
+                orgId: userOrgs.orgId,
+                roleId: userOrgs.roleId
             })
             .from(userOrgs)
             .where(eq(userOrgs.userId, userId));

server/middlewares/verifyAccessTokenAccess.ts

@@ -6,7 +6,6 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyAccessTokenAccess(
     req: Request,
@@ -94,10 +93,7 @@ export async function verifyAccessTokenAccess(
                 )
             );
         } else {
-            req.userOrgRoleIds = await getUserOrgRoleIds(
-                req.userOrg.userId,
-                resource[0].orgId!
-            );
+            req.userOrgRoleId = req.userOrg.roleId;
             req.userOrgId = resource[0].orgId!;
         }
 
@@ -122,7 +118,7 @@ export async function verifyAccessTokenAccess(
         const resourceAllowed = await canUserAccessResource({
             userId,
             resourceId,
-            roleIds: req.userOrgRoleIds ?? []
+            roleId: req.userOrgRoleId!
         });
 
         if (!resourceAllowed) {

server/middlewares/verifyAdmin.ts

@@ -1,11 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { roles, userOrgs } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyAdmin(
     req: Request,
@@ -63,29 +62,13 @@ export async function verifyAdmin(
         }
     }
 
-    req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId!);
-
-    if (req.userOrgRoleIds.length === 0) {
-        return next(
-            createHttpError(
-                HttpCode.FORBIDDEN,
-                "User does not have Admin access"
-            )
-        );
-    }
-
-    const userAdminRoles = await db
+    const userRole = await db
         .select()
         .from(roles)
-        .where(
-            and(
-                inArray(roles.roleId, req.userOrgRoleIds),
-                eq(roles.isAdmin, true)
-            )
-        )
+        .where(eq(roles.roleId, req.userOrg.roleId))
         .limit(1);
 
-    if (userAdminRoles.length === 0) {
+    if (userRole.length === 0 || !userRole[0].isAdmin) {
         return next(
             createHttpError(
                 HttpCode.FORBIDDEN,

server/middlewares/verifyApiKeyAccess.ts

@@ -1,11 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { userOrgs, apiKeys, apiKeyOrg } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyApiKeyAccess(
     req: Request,
@@ -104,10 +103,8 @@ export async function verifyApiKeyAccess(
             }
         }
 
-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
 
         return next();
     } catch (error) {

server/middlewares/verifyClientAccess.ts

@@ -1,12 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { Client, db } from "@server/db";
 import { userOrgs, clients, roleClients, userClients } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import logger from "@server/logger";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyClientAccess(
     req: Request,
@@ -114,30 +113,21 @@ export async function verifyClientAccess(
             }
         }
 
-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            client.orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
         req.userOrgId = client.orgId;
 
-        // Check role-based client access (any of user's roles)
-        const roleClientAccessList =
-            (req.userOrgRoleIds?.length ?? 0) > 0
-                ? await db
-                      .select()
-                      .from(roleClients)
-                      .where(
-                          and(
-                              eq(roleClients.clientId, client.clientId),
-                              inArray(
-                                  roleClients.roleId,
-                                  req.userOrgRoleIds!
-                              )
-                          )
-                      )
-                      .limit(1)
-                : [];
-        const [roleClientAccess] = roleClientAccessList;
+        // Check role-based site access first
+        const [roleClientAccess] = await db
+            .select()
+            .from(roleClients)
+            .where(
+                and(
+                    eq(roleClients.clientId, client.clientId),
+                    eq(roleClients.roleId, userOrgRoleId)
+                )
+            )
+            .limit(1);
 
         if (roleClientAccess) {
             // User has access to the site through their role

server/middlewares/verifyDomainAccess.ts

@@ -1,11 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { db, domains, orgDomains } from "@server/db";
-import { userOrgs } from "@server/db";
+import { userOrgs, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyDomainAccess(
     req: Request,
@@ -64,7 +63,7 @@ export async function verifyDomainAccess(
                 .where(
                     and(
                         eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, orgId)
+                        eq(userOrgs.orgId, apiKeyOrg.orgId)
                     )
                 )
                 .limit(1);
@@ -98,7 +97,8 @@ export async function verifyDomainAccess(
             }
         }
 
-        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
 
         return next();
     } catch (error) {

server/middlewares/verifyOrgAccess.ts

@@ -1,11 +1,10 @@
 import { Request, Response, NextFunction } from "express";
-import { db } from "@server/db";
+import { db, orgs } from "@server/db";
 import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyOrgAccess(
     req: Request,
@@ -65,8 +64,8 @@ export async function verifyOrgAccess(
             }
         }
 
-        // User has access, attach the user's role(s) to the request for potential future use
-        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
+        // User has access, attach the user's role to the request for potential future use
+        req.userOrgRoleId = req.userOrg.roleId;
         req.userOrgId = orgId;
 
         return next();

server/middlewares/verifyResourceAccess.ts

@@ -1,11 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { db, Resource } from "@server/db";
 import { resources, userOrgs, userResources, roleResources } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyResourceAccess(
     req: Request,
@@ -108,28 +107,20 @@ export async function verifyResourceAccess(
             }
         }
 
-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            resource.orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
         req.userOrgId = resource.orgId;
 
-        const roleResourceAccess =
-            (req.userOrgRoleIds?.length ?? 0) > 0
-                ? await db
-                      .select()
-                      .from(roleResources)
-                      .where(
-                          and(
-                              eq(roleResources.resourceId, resource.resourceId),
-                              inArray(
-                                  roleResources.roleId,
-                                  req.userOrgRoleIds!
-                              )
-                          )
-                      )
-                      .limit(1)
-                : [];
+        const roleResourceAccess = await db
+            .select()
+            .from(roleResources)
+            .where(
+                and(
+                    eq(roleResources.resourceId, resource.resourceId),
+                    eq(roleResources.roleId, userOrgRoleId)
+                )
+            )
+            .limit(1);
 
         if (roleResourceAccess.length > 0) {
             return next();

server/middlewares/verifyRoleAccess.ts

@@ -6,7 +6,6 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyRoleAccess(
     req: Request,
@@ -100,6 +99,7 @@ export async function verifyRoleAccess(
         }
 
         if (!req.userOrg) {
+            // get the userORg
             const userOrg = await db
                 .select()
                 .from(userOrgs)
@@ -109,7 +109,7 @@ export async function verifyRoleAccess(
                 .limit(1);
 
             req.userOrg = userOrg[0];
-            req.userOrgRoleIds = await getUserOrgRoleIds(userId, orgId!);
+            req.userOrgRoleId = userOrg[0].roleId;
         }
 
         if (!req.userOrg) {

server/middlewares/verifySiteAccess.ts

@@ -1,11 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { sites, Site, userOrgs, userSites, roleSites, roles } from "@server/db";
-import { and, eq, inArray, or } from "drizzle-orm";
+import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifySiteAccess(
     req: Request,
@@ -113,29 +112,21 @@ export async function verifySiteAccess(
             }
         }
 
-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            site.orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
         req.userOrgId = site.orgId;
 
-        // Check role-based site access first (any of user's roles)
-        const roleSiteAccess =
-            (req.userOrgRoleIds?.length ?? 0) > 0
-                ? await db
-                      .select()
-                      .from(roleSites)
-                      .where(
-                          and(
-                              eq(roleSites.siteId, site.siteId),
-                              inArray(
-                                  roleSites.roleId,
-                                  req.userOrgRoleIds!
-                              )
-                          )
-                      )
-                      .limit(1)
-                : [];
+        // Check role-based site access first
+        const roleSiteAccess = await db
+            .select()
+            .from(roleSites)
+            .where(
+                and(
+                    eq(roleSites.siteId, site.siteId),
+                    eq(roleSites.roleId, userOrgRoleId)
+                )
+            )
+            .limit(1);
 
         if (roleSiteAccess.length > 0) {
             // User's role has access to the site

server/middlewares/verifySiteResourceAccess.ts

@@ -1,12 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, roleSiteResources, userOrgs, userSiteResources } from "@server/db";
 import { siteResources } from "@server/db";
-import { eq, and, inArray } from "drizzle-orm";
+import { eq, and } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifySiteResourceAccess(
     req: Request,
@@ -110,34 +109,23 @@ export async function verifySiteResourceAccess(
             }
         }
 
-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            siteResource.orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
         req.userOrgId = siteResource.orgId;
 
         // Attach the siteResource to the request for use in the next middleware/route
         req.siteResource = siteResource;
 
-        const roleResourceAccess =
-            (req.userOrgRoleIds?.length ?? 0) > 0
-                ? await db
-                      .select()
-                      .from(roleSiteResources)
-                      .where(
-                          and(
-                              eq(
-                                  roleSiteResources.siteResourceId,
-                                  siteResourceIdNum
-                              ),
-                              inArray(
-                                  roleSiteResources.roleId,
-                                  req.userOrgRoleIds!
-                              )
-                          )
-                      )
-                      .limit(1)
-                : [];
+        const roleResourceAccess = await db
+            .select()
+            .from(roleSiteResources)
+            .where(
+                and(
+                    eq(roleSiteResources.siteResourceId, siteResourceIdNum),
+                    eq(roleSiteResources.roleId, userOrgRoleId)
+                )
+            )
+            .limit(1);
 
         if (roleResourceAccess.length > 0) {
             return next();

server/middlewares/verifyTargetAccess.ts

@@ -6,7 +6,6 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "../auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyTargetAccess(
     req: Request,
@@ -100,10 +99,7 @@ export async function verifyTargetAccess(
                 )
             );
         } else {
-            req.userOrgRoleIds = await getUserOrgRoleIds(
-                req.userOrg.userId,
-                resource[0].orgId!
-            );
+            req.userOrgRoleId = req.userOrg.roleId;
             req.userOrgId = resource[0].orgId!;
         }
 
@@ -130,7 +126,7 @@ export async function verifyTargetAccess(
         const resourceAllowed = await canUserAccessResource({
             userId,
             resourceId,
-            roleIds: req.userOrgRoleIds ?? []
+            roleId: req.userOrgRoleId!
         });
 
         if (!resourceAllowed) {

server/middlewares/verifyUserInRole.ts

@@ -12,7 +12,7 @@ export async function verifyUserInRole(
         const roleId = parseInt(
             req.params.roleId || req.body.roleId || req.query.roleId
         );
-        const userOrgRoleIds = req.userOrgRoleIds ?? [];
+        const userRoleId = req.userOrgRoleId;
 
         if (isNaN(roleId)) {
             return next(
@@ -20,7 +20,7 @@ export async function verifyUserInRole(
             );
         }
 
-        if (userOrgRoleIds.length === 0) {
+        if (!userRoleId) {
             return next(
                 createHttpError(
                     HttpCode.FORBIDDEN,
@@ -29,7 +29,7 @@ export async function verifyUserInRole(
             );
         }
 
-        if (!userOrgRoleIds.includes(roleId)) {
+        if (userRoleId !== roleId) {
             return next(
                 createHttpError(
                     HttpCode.FORBIDDEN,

server/private/middlewares/verifyIdpAccess.ts

@@ -13,10 +13,9 @@
 
 import { Request, Response, NextFunction } from "express";
 import { userOrgs, db, idp, idpOrg } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyIdpAccess(
     req: Request,
@@ -85,10 +84,8 @@ export async function verifyIdpAccess(
             );
         }
 
-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            idpRes.idpOrg.orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
 
         return next();
     } catch (error) {

server/private/middlewares/verifyRemoteExitNodeAccess.ts

@@ -12,12 +12,11 @@
  */
 
 import { Request, Response, NextFunction } from "express";
-import { db, exitNodeOrgs, remoteExitNodes } from "@server/db";
-import { userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { db, exitNodeOrgs, exitNodes, remoteExitNodes } from "@server/db";
+import { sites, userOrgs, userSites, roleSites, roles } from "@server/db";
+import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyRemoteExitNodeAccess(
     req: Request,
@@ -104,10 +103,8 @@ export async function verifyRemoteExitNodeAccess(
             );
         }
 
-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            exitNodeOrg.orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
 
         return next();
     } catch (error) {

server/private/routers/org/sendUsageNotifications.ts

@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { userOrgs, userOrgRoles, users, roles, orgs } from "@server/db";
+import { userOrgs, users, roles, orgs } from "@server/db";
 import { eq, and, or } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -95,14 +95,7 @@ async function getOrgAdmins(orgId: string) {
         })
         .from(userOrgs)
         .innerJoin(users, eq(userOrgs.userId, users.userId))
-        .leftJoin(
-            userOrgRoles,
-            and(
-                eq(userOrgs.userId, userOrgRoles.userId),
-                eq(userOrgs.orgId, userOrgRoles.orgId)
-            )
-        )
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .where(
             and(
                 eq(userOrgs.orgId, orgId),
@@ -110,11 +103,8 @@ async function getOrgAdmins(orgId: string) {
             )
         );
 
-    // Dedupe by userId (user may have multiple roles)
-    const byUserId = new Map(
-        admins.map((a) => [a.userId, a])
-    );
-    const orgAdmins = Array.from(byUserId.values()).filter(
+    // Filter to only include users with verified emails
+    const orgAdmins = admins.filter(
         (admin) => admin.email && admin.email.length > 0
     );
 

server/private/routers/remoteExitNode/createRemoteExitNode.ts

@@ -79,7 +79,7 @@ export async function createRemoteExitNode(
 
         const { remoteExitNodeId, secret } = parsedBody.data;
 
-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (req.user && !req.userOrgRoleId) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );

server/private/routers/ssh/signSshKey.ts

@@ -31,7 +31,7 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
-import { and, eq, inArray, or } from "drizzle-orm";
+import { eq, or, and } from "drizzle-orm";
 import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResource";
 import { signPublicKey, getOrgCAKeys } from "@server/lib/sshCA";
 import config from "@server/lib/config";
@@ -125,7 +125,7 @@ export async function signSshKey(
             resource: resourceQueryString
         } = parsedBody.data;
         const userId = req.user?.userId;
-        const roleIds = req.userOrgRoleIds ?? [];
+        const roleId = req.userOrgRoleId!;
 
         if (!userId) {
             return next(
@@ -133,15 +133,6 @@ export async function signSshKey(
             );
         }
 
-        if (roleIds.length === 0) {
-            return next(
-                createHttpError(
-                    HttpCode.FORBIDDEN,
-                    "User has no role in organization"
-                )
-            );
-        }
-
         const [userOrg] = await db
             .select()
             .from(userOrgs)
@@ -348,7 +339,7 @@ export async function signSshKey(
         const hasAccess = await canUserAccessSiteResource({
             userId: userId,
             resourceId: resource.siteResourceId,
-            roleIds
+            roleId: roleId
         });
 
         if (!hasAccess) {
@@ -360,39 +351,28 @@ export async function signSshKey(
             );
         }
 
-        const roleRows = await db
+        const [roleRow] = await db
             .select()
             .from(roles)
-            .where(inArray(roles.roleId, roleIds));
+            .where(eq(roles.roleId, roleId))
+            .limit(1);
 
-        const parsedSudoCommands: string[] = [];
-        const parsedGroupsSet = new Set<string>();
-        let homedir: boolean | null = null;
-        const sudoModeOrder = { none: 0, commands: 1, all: 2 };
-        let sudoMode: "none" | "commands" | "all" = "none";
-        for (const roleRow of roleRows) {
-            try {
-                const cmds = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
-                if (Array.isArray(cmds)) parsedSudoCommands.push(...cmds);
-            } catch {
-                // skip
-            }
-            try {
-                const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
-                if (Array.isArray(grps)) grps.forEach((g: string) => parsedGroupsSet.add(g));
-            } catch {
-                // skip
-            }
-            if (roleRow?.sshCreateHomeDir === true) homedir = true;
-            const m = roleRow?.sshSudoMode ?? "none";
-            if (sudoModeOrder[m as keyof typeof sudoModeOrder] > sudoModeOrder[sudoMode]) {
-                sudoMode = m as "none" | "commands" | "all";
-            }
+        let parsedSudoCommands: string[] = [];
+        let parsedGroups: string[] = [];
+        try {
+            parsedSudoCommands = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
+            if (!Array.isArray(parsedSudoCommands)) parsedSudoCommands = [];
+        } catch {
+            parsedSudoCommands = [];
         }
-        const parsedGroups = Array.from(parsedGroupsSet);
-        if (homedir === null && roleRows.length > 0) {
-            homedir = roleRows[0].sshCreateHomeDir ?? null;
+        try {
+            parsedGroups = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
+            if (!Array.isArray(parsedGroups)) parsedGroups = [];
+        } catch {
+            parsedGroups = [];
         }
+        const homedir = roleRow?.sshCreateHomeDir ?? null;
+        const sudoMode = roleRow?.sshSudoMode ?? "none";
 
         // get the site
         const [newt] = await db

server/routers/accessToken/listAccessTokens.ts

@@ -208,7 +208,7 @@ export async function listAccessTokens(
                 .where(
                     or(
                         eq(userResources.userId, req.user!.userId),
-                        inArray(roleResources.roleId, req.userOrgRoleIds!)
+                        eq(roleResources.roleId, req.userOrgRoleId!)
                     )
                 );
         } else {

server/routers/badger/verifySession.ts

@@ -3,13 +3,12 @@ import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToke
 import {
     getResourceByDomain,
     getResourceRules,
-    getRoleName,
     getRoleResourceAccess,
+    getUserOrgRole,
     getUserResourceAccess,
     getOrgLoginPage,
     getUserSessionWithUser
 } from "@server/db/queries/verifySessionQueries";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 import {
     LoginPage,
     Org,
@@ -917,9 +916,9 @@ async function isUserAllowedToAccessResource(
         return null;
     }
 
-    const userOrgRoleIds = await getUserOrgRoleIds(user.userId, resource.orgId);
+    const userOrgRole = await getUserOrgRole(user.userId, resource.orgId);
 
-    if (!userOrgRoleIds.length) {
+    if (!userOrgRole) {
         return null;
     }
 
@@ -935,23 +934,17 @@ async function isUserAllowedToAccessResource(
         return null;
     }
 
-    const roleNames: string[] = [];
-    for (const roleId of userOrgRoleIds) {
-        const roleResourceAccess = await getRoleResourceAccess(
-            resource.resourceId,
-            roleId
-        );
-        if (roleResourceAccess) {
-            const roleName = await getRoleName(roleId);
-            if (roleName) roleNames.push(roleName);
-        }
-    }
-    if (roleNames.length > 0) {
+    const roleResourceAccess = await getRoleResourceAccess(
+        resource.resourceId,
+        userOrgRole.roleId
+    );
+
+    if (roleResourceAccess) {
         return {
             username: user.username,
             email: user.email,
             name: user.name,
-            role: roleNames.join(", ")
+            role: userOrgRole.roleName
         };
     }
 
@@ -961,15 +954,11 @@ async function isUserAllowedToAccessResource(
     );
 
     if (userResourceAccess) {
-        const names = await Promise.all(
-            userOrgRoleIds.map((id) => getRoleName(id))
-        );
-        const role = names.filter(Boolean).join(", ") || "";
         return {
             username: user.username,
             email: user.email,
             name: user.name,
-            role
+            role: userOrgRole.roleName
         };
     }
 

server/routers/client/createClient.ts

@@ -92,7 +92,7 @@ export async function createClient(
 
         const { orgId } = parsedParams.data;
 
-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (req.user && !req.userOrgRoleId) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -234,7 +234,7 @@ export async function createClient(
                 clientId: newClient.clientId
             });
 
-            if (req.user && !req.userOrgRoleIds?.includes(adminRole.roleId)) {
+            if (req.user && req.userOrgRoleId != adminRole.roleId) {
                 // make sure the user can access the client
                 trx.insert(userClients).values({
                     userId: req.user.userId,

server/routers/client/listClients.ts

@@ -297,7 +297,7 @@ export async function listClients(
                 .where(
                     or(
                         eq(userClients.userId, req.user!.userId),
-                        inArray(roleClients.roleId, req.userOrgRoleIds!)
+                        eq(roleClients.roleId, req.userOrgRoleId!)
                     )
                 );
         } else {

server/routers/client/listUserDevices.ts

@@ -316,7 +316,7 @@ export async function listUserDevices(
                 .where(
                     or(
                         eq(userClients.userId, req.user!.userId),
-                        inArray(roleClients.roleId, req.userOrgRoleIds!)
+                        eq(roleClients.roleId, req.userOrgRoleId!)
                     )
                 );
         } else {

server/routers/external.ts

@@ -654,16 +654,6 @@ authenticated.post(
     user.addUserRole
 );
 
-authenticated.delete(
-    "/role/:roleId/remove/:userId",
-    verifyRoleAccess,
-    verifyUserAccess,
-    verifyLimits,
-    verifyUserHasAction(ActionsEnum.removeUserRole),
-    logActionAudit(ActionsEnum.removeUserRole),
-    user.removeUserRole
-);
-
 authenticated.post(
     "/resource/:resourceId/roles",
     verifyResourceAccess,

server/routers/idp/validateOidcCallback.ts

@@ -13,7 +13,6 @@ import {
     orgs,
     Role,
     roles,
-    userOrgRoles,
     userOrgs,
     users
 } from "@server/db";
@@ -571,28 +570,32 @@ export async function validateOidcCallback(
                     }
                 }
 
-                // Ensure IDP-provided role exists for existing auto-provisioned orgs (add only; never delete other roles)
-                const userRolesInOrgs = await trx
-                    .select()
-                    .from(userOrgRoles)
-                    .where(eq(userOrgRoles.userId, userId!));
-                for (const currentOrg of autoProvisionedOrgs) {
-                    const newRole = userOrgInfo.find(
-                        (newOrg) => newOrg.orgId === currentOrg.orgId
-                    );
-                    if (!newRole) continue;
-                    const currentRolesInOrg = userRolesInOrgs.filter(
-                        (r) => r.orgId === currentOrg.orgId
-                    );
-                    const hasIdpRole = currentRolesInOrg.some(
-                        (r) => r.roleId === newRole.roleId
-                    );
-                    if (!hasIdpRole) {
-                        await trx.insert(userOrgRoles).values({
-                            userId: userId!,
-                            orgId: currentOrg.orgId,
-                            roleId: newRole.roleId
-                        });
+                // Update roles for existing auto-provisioned orgs where the role has changed
+                const orgsToUpdate = autoProvisionedOrgs.filter(
+                    (currentOrg) => {
+                        const newOrg = userOrgInfo.find(
+                            (newOrg) => newOrg.orgId === currentOrg.orgId
+                        );
+                        return newOrg && newOrg.roleId !== currentOrg.roleId;
+                    }
+                );
+
+                if (orgsToUpdate.length > 0) {
+                    for (const org of orgsToUpdate) {
+                        const newRole = userOrgInfo.find(
+                            (newOrg) => newOrg.orgId === org.orgId
+                        );
+                        if (newRole) {
+                            await trx
+                                .update(userOrgs)
+                                .set({ roleId: newRole.roleId })
+                                .where(
+                                    and(
+                                        eq(userOrgs.userId, userId!),
+                                        eq(userOrgs.orgId, org.orgId)
+                                    )
+                                );
+                        }
                     }
                 }
 
@@ -616,9 +619,9 @@ export async function validateOidcCallback(
                                 {
                                     orgId: org.orgId,
                                     userId: userId!,
+                                    roleId: org.roleId,
                                     autoProvisioned: true,
                                 },
-                                org.roleId,
                                 trx
                             );
                         }

server/routers/integration.ts

@@ -598,16 +598,6 @@ authenticated.post(
     user.addUserRole
 );
 
-authenticated.delete(
-    "/role/:roleId/remove/:userId",
-    verifyApiKeyRoleAccess,
-    verifyApiKeyUserAccess,
-    verifyLimits,
-    verifyApiKeyHasAction(ActionsEnum.removeUserRole),
-    logActionAudit(ActionsEnum.removeUserRole),
-    user.removeUserRole
-);
-
 authenticated.post(
     "/resource/:resourceId/roles",
     verifyApiKeyResourceAccess,

server/routers/newt/createNewt.ts

@@ -46,7 +46,7 @@ export async function createNewt(
 
         const { newtId, secret } = parsedBody.data;
 
-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (req.user && !req.userOrgRoleId) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );

server/routers/olm/createOlm.ts

@@ -46,7 +46,7 @@ export async function createNewt(
 
         const { newtId, secret } = parsedBody.data;
 
-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (req.user && !req.userOrgRoleId) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );

server/routers/org/checkOrgUserAccess.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idp, idpOidcConfig } from "@server/db";
-import { roles, userOrgRoles, userOrgs, users } from "@server/db";
+import { roles, userOrgs, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -14,7 +14,7 @@ import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { CheckOrgAccessPolicyResult } from "@server/lib/checkOrgAccessPolicy";
 
 async function queryUser(orgId: string, userId: string) {
-    const [userRow] = await db
+    const [user] = await db
         .select({
             orgId: userOrgs.orgId,
             userId: users.userId,
@@ -22,7 +22,10 @@ async function queryUser(orgId: string, userId: string) {
             username: users.username,
             name: users.name,
             type: users.type,
+            roleId: userOrgs.roleId,
+            roleName: roles.name,
             isOwner: userOrgs.isOwner,
+            isAdmin: roles.isAdmin,
             twoFactorEnabled: users.twoFactorEnabled,
             autoProvisioned: userOrgs.autoProvisioned,
             idpId: users.idpId,
@@ -32,40 +35,13 @@ async function queryUser(orgId: string, userId: string) {
             idpAutoProvision: idp.autoProvision
         })
         .from(userOrgs)
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .leftJoin(users, eq(userOrgs.userId, users.userId))
         .leftJoin(idp, eq(users.idpId, idp.idpId))
         .leftJoin(idpOidcConfig, eq(idp.idpId, idpOidcConfig.idpId))
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
         .limit(1);
-
-    if (!userRow) return undefined;
-
-    const roleRows = await db
-        .select({
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name,
-            isAdmin: roles.isAdmin
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, orgId)
-            )
-        );
-
-    const isAdmin = roleRows.some((r) => r.isAdmin);
-
-    return {
-        ...userRow,
-        isAdmin,
-        roleIds: roleRows.map((r) => r.roleId),
-        roles: roleRows.map((r) => ({
-            roleId: r.roleId,
-            name: r.roleName ?? ""
-        }))
-    };
+    return user;
 }
 
 export type CheckOrgUserAccessResponse = CheckOrgAccessPolicyResult;

server/routers/org/createOrg.ts

@@ -9,7 +9,6 @@ import {
     orgs,
     roleActions,
     roles,
-    userOrgRoles,
     userOrgs,
     users,
     actions
@@ -313,13 +312,9 @@ export async function createOrg(
                 await trx.insert(userOrgs).values({
                     userId: req.user!.userId,
                     orgId: newOrg[0].orgId,
+                    roleId: roleId,
                     isOwner: true
                 });
-                await trx.insert(userOrgRoles).values({
-                    userId: req.user!.userId,
-                    orgId: newOrg[0].orgId,
-                    roleId
-                });
                 ownerUserId = req.user!.userId;
             } else {
                 // if org created by root api key, set the server admin as the owner
@@ -337,13 +332,9 @@ export async function createOrg(
                 await trx.insert(userOrgs).values({
                     userId: serverAdmin.userId,
                     orgId: newOrg[0].orgId,
+                    roleId: roleId,
                     isOwner: true
                 });
-                await trx.insert(userOrgRoles).values({
-                    userId: serverAdmin.userId,
-                    orgId: newOrg[0].orgId,
-                    roleId
-                });
                 ownerUserId = serverAdmin.userId;
             }
 

server/routers/org/getOrgOverview.ts

@@ -117,26 +117,20 @@ export async function getOrgOverview(
             .from(userOrgs)
             .where(eq(userOrgs.orgId, orgId));
 
-        const roleIds = req.userOrgRoleIds ?? [];
-        const roleRows =
-            roleIds.length > 0
-                ? await db
-                      .select({ name: roles.name, isAdmin: roles.isAdmin })
-                      .from(roles)
-                      .where(inArray(roles.roleId, roleIds))
-                : [];
-        const userRoleName = roleRows.map((r) => r.name ?? "").join(", ") ?? "";
-        const isAdmin = roleRows.some((r) => r.isAdmin === true);
+        const [role] = await db
+            .select()
+            .from(roles)
+            .where(eq(roles.roleId, req.userOrg.roleId));
 
         return response<GetOrgOverviewResponse>(res, {
             data: {
                 orgName: org[0].name,
                 orgId: org[0].orgId,
-                userRoleName,
+                userRoleName: role.name,
                 numSites,
                 numUsers,
                 numResources,
-                isAdmin,
+                isAdmin: role.isAdmin || false,
                 isOwner: req.userOrg?.isOwner || false
             },
             success: true,

server/routers/org/listUserOrgs.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, roles } from "@server/db";
-import { Org, orgs, userOrgRoles, userOrgs } from "@server/db";
+import { Org, orgs, userOrgs } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -82,7 +82,10 @@ export async function listUserOrgs(
         const { userId } = parsedParams.data;
 
         const userOrganizations = await db
-            .select({ orgId: userOrgs.orgId })
+            .select({
+                orgId: userOrgs.orgId,
+                roleId: userOrgs.roleId
+            })
             .from(userOrgs)
             .where(eq(userOrgs.userId, userId));
 
@@ -113,27 +116,10 @@ export async function listUserOrgs(
                 userOrgs,
                 and(eq(userOrgs.orgId, orgs.orgId), eq(userOrgs.userId, userId))
             )
+            .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
             .limit(limit)
             .offset(offset);
 
-        const roleRows = await db
-            .select({
-                orgId: userOrgRoles.orgId,
-                isAdmin: roles.isAdmin
-            })
-            .from(userOrgRoles)
-            .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-            .where(
-                and(
-                    eq(userOrgRoles.userId, userId),
-                    inArray(userOrgRoles.orgId, userOrgIds)
-                )
-            );
-
-        const orgHasAdmin = new Set(
-            roleRows.filter((r) => r.isAdmin).map((r) => r.orgId)
-        );
-
         const totalCountResult = await db
             .select({ count: sql<number>`cast(count(*) as integer)` })
             .from(orgs)
@@ -147,8 +133,8 @@ export async function listUserOrgs(
             if (val.userOrgs && val.userOrgs.isOwner) {
                 res.isOwner = val.userOrgs.isOwner;
             }
-            if (val.orgs && orgHasAdmin.has(val.orgs.orgId)) {
-                res.isAdmin = true;
+            if (val.roles && val.roles.isAdmin) {
+                res.isAdmin = val.roles.isAdmin;
             }
             if (val.userOrgs?.isOwner && val.orgs?.isBillingOrg) {
                 res.isPrimaryOrg = val.orgs.isBillingOrg;

server/routers/resource/createResource.ts

@@ -112,7 +112,7 @@ export async function createResource(
 
         const { orgId } = parsedParams.data;
 
-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (req.user && !req.userOrgRoleId) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -292,7 +292,7 @@ async function createHttpResource(
             resourceId: newResource[0].resourceId
         });
 
-        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
+        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
             // make sure the user can access the resource
             await trx.insert(userResources).values({
                 userId: req.user?.userId!,
@@ -385,7 +385,7 @@ async function createRawResource(
             resourceId: newResource[0].resourceId
         });
 
-        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
+        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
             // make sure the user can access the resource
             await trx.insert(userResources).values({
                 userId: req.user?.userId!,

server/routers/resource/getUserResources.ts

@@ -5,7 +5,6 @@ import {
     resources,
     userResources,
     roleResources,
-    userOrgRoles,
     userOrgs,
     resourcePassword,
     resourcePincode,
@@ -33,29 +32,22 @@ export async function getUserResources(
             );
         }
 
-        // Check user is in organization and get their role IDs
-        const [userOrg] = await db
-            .select()
+        // First get the user's role in the organization
+        const userOrgResult = await db
+            .select({
+                roleId: userOrgs.roleId
+            })
             .from(userOrgs)
             .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
             .limit(1);
 
-        if (!userOrg) {
+        if (userOrgResult.length === 0) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User not in organization")
             );
         }
 
-        const userRoleIds = await db
-            .select({ roleId: userOrgRoles.roleId })
-            .from(userOrgRoles)
-            .where(
-                and(
-                    eq(userOrgRoles.userId, userId),
-                    eq(userOrgRoles.orgId, orgId)
-                )
-            )
-            .then((rows) => rows.map((r) => r.roleId));
+        const userRoleId = userOrgResult[0].roleId;
 
         // Get resources accessible through direct assignment or role assignment
         const directResourcesQuery = db
@@ -63,28 +55,20 @@ export async function getUserResources(
             .from(userResources)
             .where(eq(userResources.userId, userId));
 
-        const roleResourcesQuery =
-            userRoleIds.length > 0
-                ? db
-                      .select({ resourceId: roleResources.resourceId })
-                      .from(roleResources)
-                      .where(inArray(roleResources.roleId, userRoleIds))
-                : Promise.resolve([]);
+        const roleResourcesQuery = db
+            .select({ resourceId: roleResources.resourceId })
+            .from(roleResources)
+            .where(eq(roleResources.roleId, userRoleId));
 
         const directSiteResourcesQuery = db
             .select({ siteResourceId: userSiteResources.siteResourceId })
             .from(userSiteResources)
             .where(eq(userSiteResources.userId, userId));
 
-        const roleSiteResourcesQuery =
-            userRoleIds.length > 0
-                ? db
-                      .select({
-                          siteResourceId: roleSiteResources.siteResourceId
-                      })
-                      .from(roleSiteResources)
-                      .where(inArray(roleSiteResources.roleId, userRoleIds))
-                : Promise.resolve([]);
+        const roleSiteResourcesQuery = db
+            .select({ siteResourceId: roleSiteResources.siteResourceId })
+            .from(roleSiteResources)
+            .where(eq(roleSiteResources.roleId, userRoleId));
 
         const [directResources, roleResourceResults, directSiteResourceResults, roleSiteResourceResults] = await Promise.all([
             directResourcesQuery,

server/routers/resource/listResources.ts

@@ -305,7 +305,7 @@ export async function listResources(
                 .where(
                     or(
                         eq(userResources.userId, req.user!.userId),
-                        inArray(roleResources.roleId, req.userOrgRoleIds!)
+                        eq(roleResources.roleId, req.userOrgRoleId!)
                     )
                 );
         } else {

server/routers/role/deleteRole.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { roles, userOrgRoles } from "@server/db";
+import { roles, userOrgs } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -114,11 +114,11 @@ export async function deleteRole(
         }
 
         await db.transaction(async (trx) => {
-            // move all users from userOrgRoles with roleId to newRoleId
+            // move all users from the userOrgs table with roleId to newRoleId
             await trx
-                .update(userOrgRoles)
+                .update(userOrgs)
                 .set({ roleId: newRoleId })
-                .where(eq(userOrgRoles.roleId, roleId));
+                .where(eq(userOrgs.roleId, roleId));
 
             // delete the old role
             await trx.delete(roles).where(eq(roles.roleId, roleId));

server/routers/site/createSite.ts

@@ -111,7 +111,7 @@ export async function createSite(
 
         const { orgId } = parsedParams.data;
 
-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (req.user && !req.userOrgRoleId) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -399,7 +399,7 @@ export async function createSite(
                 siteId: newSite.siteId
             });
 
-            if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
+            if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
                 // make sure the user can access the site
                 trx.insert(userSites).values({
                     userId: req.user?.userId!,

server/routers/site/listSites.ts

@@ -235,7 +235,7 @@ export async function listSites(
                 .where(
                     or(
                         eq(userSites.userId, req.user!.userId),
-                        inArray(roleSites.roleId, req.userOrgRoleIds!)
+                        eq(roleSites.roleId, req.userOrgRoleId!)
                     )
                 );
         } else {

server/routers/user/acceptInvite.ts

@@ -165,9 +165,9 @@ export async function acceptInvite(
                 org,
                 {
                     userId: existingUser[0].userId,
-                    orgId: existingInvite.orgId
+                    orgId: existingInvite.orgId,
+                    roleId: existingInvite.roleId
                 },
-                existingInvite.roleId,
                 trx
             );
 

server/routers/user/addUserRole.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { clients, db } from "@server/db";
-import { userOrgRoles, userOrgs, roles } from "@server/db";
+import { clients, db, UserOrg } from "@server/db";
+import { userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -111,23 +111,20 @@ export async function addUserRole(
             );
         }
 
-        let newUserRole: { userId: string; orgId: string; roleId: number } | null =
-            null;
+        let newUserRole: UserOrg | null = null;
         await db.transaction(async (trx) => {
-            const inserted = await trx
-                .insert(userOrgRoles)
-                .values({
-                    userId,
-                    orgId: role.orgId,
-                    roleId
-                })
-                .onConflictDoNothing()
+            [newUserRole] = await trx
+                .update(userOrgs)
+                .set({ roleId })
+                .where(
+                    and(
+                        eq(userOrgs.userId, userId),
+                        eq(userOrgs.orgId, role.orgId)
+                    )
+                )
                 .returning();
 
-            if (inserted.length > 0) {
-                newUserRole = inserted[0];
-            }
-
+            // get the client associated with this user in this org
             const orgClients = await trx
                 .select()
                 .from(clients)
@@ -136,15 +133,17 @@ export async function addUserRole(
                         eq(clients.userId, userId),
                         eq(clients.orgId, role.orgId)
                     )
-                );
+                )
+                .limit(1);
 
             for (const orgClient of orgClients) {
+                // we just changed the user's role, so we need to rebuild client associations and what they have access to
                 await rebuildClientAssociationsFromClient(orgClient, trx);
             }
         });
 
         return response(res, {
-            data: newUserRole ?? { userId, orgId: role.orgId, roleId },
+            data: newUserRole,
             success: true,
             error: false,
             message: "Role added to user successfully",

server/routers/user/createOrgUser.ts

@@ -221,16 +221,12 @@ export async function createOrgUser(
                         );
                     }
 
-                    await assignUserToOrg(
-                        org,
-                        {
-                            orgId,
-                            userId: existingUser.userId,
-                            autoProvisioned: false,
-                        },
-                        role.roleId,
-                        trx
-                    );
+                    await assignUserToOrg(org, {
+                        orgId,
+                        userId: existingUser.userId,
+                        roleId: role.roleId,
+                        autoProvisioned: false
+                    }, trx);
                 } else {
                     userId = generateId(15);
 
@@ -248,16 +244,12 @@ export async function createOrgUser(
                         })
                         .returning();
 
-                        await assignUserToOrg(
-                            org,
-                            {
-                                orgId,
-                                userId: newUser.userId,
-                                autoProvisioned: false,
-                            },
-                            role.roleId,
-                            trx
-                        );
+                        await assignUserToOrg(org, {
+                            orgId,
+                            userId: newUser.userId,
+                            roleId: role.roleId,
+                            autoProvisioned: false
+                        }, trx);
                 }
 
                 await calculateUserClientsForOrgs(userId, trx);

server/routers/user/getOrgUser.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idp, idpOidcConfig } from "@server/db";
-import { roles, userOrgRoles, userOrgs, users } from "@server/db";
+import { roles, userOrgs, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -12,7 +12,7 @@ import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
 import { OpenAPITags, registry } from "@server/openApi";
 
 export async function queryUser(orgId: string, userId: string) {
-    const [userRow] = await db
+    const [user] = await db
         .select({
             orgId: userOrgs.orgId,
             userId: users.userId,
@@ -20,7 +20,10 @@ export async function queryUser(orgId: string, userId: string) {
             username: users.username,
             name: users.name,
             type: users.type,
+            roleId: userOrgs.roleId,
+            roleName: roles.name,
             isOwner: userOrgs.isOwner,
+            isAdmin: roles.isAdmin,
             twoFactorEnabled: users.twoFactorEnabled,
             autoProvisioned: userOrgs.autoProvisioned,
             idpId: users.idpId,
@@ -30,40 +33,13 @@ export async function queryUser(orgId: string, userId: string) {
             idpAutoProvision: idp.autoProvision
         })
         .from(userOrgs)
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .leftJoin(users, eq(userOrgs.userId, users.userId))
         .leftJoin(idp, eq(users.idpId, idp.idpId))
         .leftJoin(idpOidcConfig, eq(idp.idpId, idpOidcConfig.idpId))
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
         .limit(1);
-
-    if (!userRow) return undefined;
-
-    const roleRows = await db
-        .select({
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name,
-            isAdmin: roles.isAdmin
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, orgId)
-            )
-        );
-
-    const isAdmin = roleRows.some((r) => r.isAdmin);
-
-    return {
-        ...userRow,
-        isAdmin,
-        roleIds: roleRows.map((r) => r.roleId),
-        roles: roleRows.map((r) => ({
-            roleId: r.roleId,
-            name: r.roleName ?? ""
-        }))
-    };
+    return user;
 }
 
 export type GetOrgUserResponse = NonNullable<

server/routers/user/index.ts

@@ -2,7 +2,6 @@ export * from "./getUser";
 export * from "./removeUserOrg";
 export * from "./listUsers";
 export * from "./addUserRole";
-export * from "./removeUserRole";
 export * from "./inviteUser";
 export * from "./acceptInvite";
 export * from "./getOrgUser";

server/routers/user/listUsers.ts

@@ -1,11 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idpOidcConfig } from "@server/db";
-import { idp, roles, userOrgRoles, userOrgs, users } from "@server/db";
+import { idp, roles, userOrgs, users } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { sql } from "drizzle-orm";
+import { and, sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromZodError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -31,7 +31,7 @@ const listUsersSchema = z.strictObject({
 });
 
 async function queryUsers(orgId: string, limit: number, offset: number) {
-    const rows = await db
+    return await db
         .select({
             id: users.userId,
             email: users.email,
@@ -41,6 +41,8 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
             username: users.username,
             name: users.name,
             type: users.type,
+            roleId: userOrgs.roleId,
+            roleName: roles.name,
             isOwner: userOrgs.isOwner,
             idpName: idp.name,
             idpId: users.idpId,
@@ -50,39 +52,12 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
         })
         .from(users)
         .leftJoin(userOrgs, eq(users.userId, userOrgs.userId))
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .leftJoin(idp, eq(users.idpId, idp.idpId))
         .leftJoin(idpOidcConfig, eq(idpOidcConfig.idpId, idp.idpId))
         .where(eq(userOrgs.orgId, orgId))
         .limit(limit)
         .offset(offset);
-
-    const roleRows = await db
-        .select({
-            userId: userOrgRoles.userId,
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(eq(userOrgRoles.orgId, orgId));
-
-    const rolesByUser = new Map<
-        string,
-        { roleId: number; roleName: string }[]
-    >();
-    for (const r of roleRows) {
-        const list = rolesByUser.get(r.userId) ?? [];
-        list.push({ roleId: r.roleId, roleName: r.roleName ?? "" });
-        rolesByUser.set(r.userId, list);
-    }
-
-    return rows.map((row) => {
-        const userRoles = rolesByUser.get(row.id) ?? [];
-        return {
-            ...row,
-            roles: userRoles
-        };
-    });
 }
 
 export type ListUsersResponse = {

server/routers/user/myDevice.ts

@@ -1,5 +1,5 @@
 import { Request, Response, NextFunction } from "express";
-import { db, Olm, olms, orgs, userOrgRoles, userOrgs } from "@server/db";
+import { db, Olm, olms, orgs, userOrgs } from "@server/db";
 import { idp, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -84,31 +84,16 @@ export async function myDevice(
             .from(olms)
             .where(and(eq(olms.userId, userId), eq(olms.olmId, olmId)));
 
-        const userOrgRows = await db
+        const userOrganizations = await db
             .select({
                 orgId: userOrgs.orgId,
-                orgName: orgs.name
+                orgName: orgs.name,
+                roleId: userOrgs.roleId
             })
             .from(userOrgs)
             .where(eq(userOrgs.userId, userId))
             .innerJoin(orgs, eq(userOrgs.orgId, orgs.orgId));
 
-        const roleRows = await db
-            .select({
-                orgId: userOrgRoles.orgId,
-                roleId: userOrgRoles.roleId
-            })
-            .from(userOrgRoles)
-            .where(eq(userOrgRoles.userId, userId));
-
-        const roleByOrg = new Map(
-            roleRows.map((r) => [r.orgId, r.roleId])
-        );
-        const userOrganizations = userOrgRows.map((row) => ({
-            ...row,
-            roleId: roleByOrg.get(row.orgId) ?? 0
-        }));
-
         return response<MyDeviceResponse>(res, {
             data: {
                 user,

server/routers/user/removeUserRole.ts

@@ -1,157 +0,0 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import { db } from "@server/db";
-import { userOrgRoles, userOrgs, roles, clients } from "@server/db";
-import { eq, and } from "drizzle-orm";
-import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import logger from "@server/logger";
-import { fromError } from "zod-validation-error";
-import stoi from "@server/lib/stoi";
-import { OpenAPITags, registry } from "@server/openApi";
-import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
-
-const removeUserRoleParamsSchema = z.strictObject({
-    userId: z.string(),
-    roleId: z.string().transform(stoi).pipe(z.number())
-});
-
-registry.registerPath({
-    method: "delete",
-    path: "/role/{roleId}/remove/{userId}",
-    description: "Remove a role from a user. User must have at least one role left in the org.",
-    tags: [OpenAPITags.Role, OpenAPITags.User],
-    request: {
-        params: removeUserRoleParamsSchema
-    },
-    responses: {}
-});
-
-export async function removeUserRole(
-    req: Request,
-    res: Response,
-    next: NextFunction
-): Promise<any> {
-    try {
-        const parsedParams = removeUserRoleParamsSchema.safeParse(req.params);
-        if (!parsedParams.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedParams.error).toString()
-                )
-            );
-        }
-
-        const { userId, roleId } = parsedParams.data;
-
-        if (req.user && !req.userOrg) {
-            return next(
-                createHttpError(
-                    HttpCode.FORBIDDEN,
-                    "You do not have access to this organization"
-                )
-            );
-        }
-
-        const [role] = await db
-            .select()
-            .from(roles)
-            .where(eq(roles.roleId, roleId))
-            .limit(1);
-
-        if (!role) {
-            return next(
-                createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID")
-            );
-        }
-
-        const [existingUser] = await db
-            .select()
-            .from(userOrgs)
-            .where(
-                and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role.orgId))
-            )
-            .limit(1);
-
-        if (!existingUser) {
-            return next(
-                createHttpError(
-                    HttpCode.NOT_FOUND,
-                    "User not found or does not belong to the specified organization"
-                )
-            );
-        }
-
-        if (existingUser.isOwner) {
-            return next(
-                createHttpError(
-                    HttpCode.FORBIDDEN,
-                    "Cannot change the roles of the owner of the organization"
-                )
-            );
-        }
-
-        const remainingRoles = await db
-            .select({ roleId: userOrgRoles.roleId })
-            .from(userOrgRoles)
-            .where(
-                and(
-                    eq(userOrgRoles.userId, userId),
-                    eq(userOrgRoles.orgId, role.orgId)
-                )
-            );
-
-        if (remainingRoles.length <= 1) {
-            const hasThisRole = remainingRoles.some((r) => r.roleId === roleId);
-            if (hasThisRole) {
-                return next(
-                    createHttpError(
-                        HttpCode.FORBIDDEN,
-                        "User must have at least one role in the organization. Remove the last role is not allowed."
-                    )
-                );
-            }
-        }
-
-        await db.transaction(async (trx) => {
-            await trx
-                .delete(userOrgRoles)
-                .where(
-                    and(
-                        eq(userOrgRoles.userId, userId),
-                        eq(userOrgRoles.orgId, role.orgId),
-                        eq(userOrgRoles.roleId, roleId)
-                    )
-                );
-
-            const orgClients = await trx
-                .select()
-                .from(clients)
-                .where(
-                    and(
-                        eq(clients.userId, userId),
-                        eq(clients.orgId, role.orgId)
-                    )
-                );
-
-            for (const orgClient of orgClients) {
-                await rebuildClientAssociationsFromClient(orgClient, trx);
-            }
-        });
-
-        return response(res, {
-            data: { userId, orgId: role.orgId, roleId },
-            success: true,
-            error: false,
-            message: "Role removed from user successfully",
-            status: HttpCode.OK
-        });
-    } catch (error) {
-        logger.error(error);
-        return next(
-            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
-        );
-    }
-}

server/types/Auth.ts

@@ -5,5 +5,5 @@ import { Session } from "@server/db";
 export interface AuthenticatedRequest extends Request {
     user: User;
     session: Session;
-    userOrgRoleIds?: number[];
+    userOrgRoleId?: number;
 }

src/app/[orgId]/settings/(private)/idp/create/page.tsx

@@ -275,6 +275,8 @@ export default function Page() {
         }
     }
 
+    const disabled = !isPaidUser(tierMatrix.orgOidc);
+
     return (
         <>
             <div className="flex justify-between">
@@ -292,6 +294,9 @@ export default function Page() {
                 </Button>
             </div>
 
+            <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
+
+            <fieldset disabled={disabled} className={disabled ? "opacity-50 pointer-events-none" : ""}>
             <SettingsContainer>
                 <SettingsSection>
                     <SettingsSectionHeader>
@@ -812,9 +817,10 @@ export default function Page() {
                 </Button>
                 <Button
                     type="submit"
-                    disabled={createLoading || !isPaidUser(tierMatrix.orgOidc)}
+                    disabled={createLoading || disabled}
                     loading={createLoading}
                     onClick={() => {
+                        if (disabled) return;
                         // log any issues with the form
                         console.log(form.formState.errors);
                         form.handleSubmit(onSubmit)();
@@ -823,6 +829,7 @@ export default function Page() {
                     {t("idpSubmit")}
                 </Button>
             </div>
+            </fieldset>
         </>
     );
 }

src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx

@@ -8,6 +8,7 @@ import {
     FormLabel,
     FormMessage
 } from "@app/components/ui/form";
+import { Input } from "@app/components/ui/input";
 import {
     Select,
     SelectContent,
@@ -18,6 +19,7 @@ import {
 import { Checkbox } from "@app/components/ui/checkbox";
 import { toast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
+import { InviteUserResponse } from "@server/routers/user";
 import { AxiosResponse } from "axios";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -42,9 +44,6 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import IdpTypeBadge from "@app/components/IdpTypeBadge";
 import { UserType } from "@server/types/UserTypes";
-import { Badge } from "@app/components/ui/badge";
-
-type UserRole = { roleId: number; name: string };
 
 export default function AccessControlsPage() {
     const { orgUser: user } = userOrgUserContext();
@@ -55,12 +54,12 @@ export default function AccessControlsPage() {
 
     const [loading, setLoading] = useState(false);
     const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
-    const [userRoles, setUserRoles] = useState<UserRole[]>([]);
 
     const t = useTranslations();
 
     const formSchema = z.object({
         username: z.string(),
+        roleId: z.string().min(1, { message: t("accessRoleSelectPlease") }),
         autoProvisioned: z.boolean()
     });
 
@@ -68,17 +67,11 @@ export default function AccessControlsPage() {
         resolver: zodResolver(formSchema),
         defaultValues: {
             username: user.username!,
+            roleId: user.roleId?.toString(),
             autoProvisioned: user.autoProvisioned || false
         }
     });
 
-    const currentRoleIds = user.roleIds ?? [];
-    const currentRoles: UserRole[] = user.roles ?? [];
-
-    useEffect(() => {
-        setUserRoles(currentRoles);
-    }, [user.userId, currentRoleIds.join(",")]);
-
     useEffect(() => {
         async function fetchRoles() {
             const res = await api
@@ -101,67 +94,32 @@ export default function AccessControlsPage() {
         }
 
         fetchRoles();
+
+        form.setValue("roleId", user.roleId.toString());
         form.setValue("autoProvisioned", user.autoProvisioned || false);
     }, []);
 
-    async function handleAddRole(roleId: number) {
-        setLoading(true);
-        try {
-            await api.post(`/role/${roleId}/add/${user.userId}`);
-            toast({
-                variant: "default",
-                title: t("userSaved"),
-                description: t("userSavedDescription")
-            });
-            const role = roles.find((r) => r.roleId === roleId);
-            if (role) setUserRoles((prev) => [...prev, role]);
-        } catch (e) {
-            toast({
-                variant: "destructive",
-                title: t("accessRoleErrorAdd"),
-                description: formatAxiosError(
-                    e,
-                    t("accessRoleErrorAddDescription")
-                )
-            });
-        }
-        setLoading(false);
-    }
-
-    async function handleRemoveRole(roleId: number) {
-        setLoading(true);
-        try {
-            await api.delete(`/role/${roleId}/remove/${user.userId}`);
-            toast({
-                variant: "default",
-                title: t("userSaved"),
-                description: t("userSavedDescription")
-            });
-            setUserRoles((prev) => prev.filter((r) => r.roleId !== roleId));
-        } catch (e) {
-            toast({
-                variant: "destructive",
-                title: t("accessRoleErrorAdd"),
-                description: formatAxiosError(
-                    e,
-                    t("accessRoleErrorAddDescription")
-                )
-            });
-        }
-        setLoading(false);
-    }
-
     async function onSubmit(values: z.infer<typeof formSchema>) {
         setLoading(true);
+
         try {
-            await api.post(`/org/${orgId}/user/${user.userId}`, {
-                autoProvisioned: values.autoProvisioned
-            });
-            toast({
-                variant: "default",
-                title: t("userSaved"),
-                description: t("userSavedDescription")
-            });
+            // Execute both API calls simultaneously
+            const [roleRes, userRes] = await Promise.all([
+                api.post<AxiosResponse<InviteUserResponse>>(
+                    `/role/${values.roleId}/add/${user.userId}`
+                ),
+                api.post(`/org/${orgId}/user/${user.userId}`, {
+                    autoProvisioned: values.autoProvisioned
+                })
+            ]);
+
+            if (roleRes.status === 200 && userRes.status === 200) {
+                toast({
+                    variant: "default",
+                    title: t("userSaved"),
+                    description: t("userSavedDescription")
+                });
+            }
         } catch (e) {
             toast({
                 variant: "destructive",
@@ -172,14 +130,10 @@ export default function AccessControlsPage() {
                 )
             });
         }
+
         setLoading(false);
     }
 
-    const availableRolesToAdd = roles.filter(
-        (r) => !userRoles.some((ur) => ur.roleId === r.roleId)
-    );
-    const canRemoveRole = userRoles.length > 1;
-
     return (
         <SettingsContainer>
             <SettingsSection>
@@ -200,6 +154,7 @@ export default function AccessControlsPage() {
                                 className="space-y-4"
                                 id="access-controls-form"
                             >
+                                {/* IDP Type Display */}
                                 {user.type !== UserType.Internal &&
                                     user.idpType && (
                                         <div className="flex items-center space-x-2 mb-4">
@@ -216,72 +171,49 @@ export default function AccessControlsPage() {
                                         </div>
                                     )}
 
-                                <FormItem>
-                                    <FormLabel>{t("role")}</FormLabel>
-                                    <div className="flex flex-wrap gap-2 items-center">
-                                        {userRoles.map((r) => (
-                                            <Badge
-                                                key={r.roleId}
-                                                variant="secondary"
-                                                className="flex items-center gap-1"
-                                            >
-                                                {r.name}
-                                                {canRemoveRole && (
-                                                    <button
-                                                        type="button"
-                                                        onClick={() =>
-                                                            handleRemoveRole(
-                                                                r.roleId
-                                                            )
-                                                        }
-                                                        disabled={loading}
-                                                        className="ml-1 rounded hover:bg-muted"
-                                                        aria-label={`Remove ${r.name}`}
-                                                    >
-                                                        ×
-                                                    </button>
-                                                )}
-                                            </Badge>
-                                        ))}
-                                        {availableRolesToAdd.length > 0 && (
+                                <FormField
+                                    control={form.control}
+                                    name="roleId"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>{t("role")}</FormLabel>
                                             <Select
                                                 onValueChange={(value) => {
-                                                    handleAddRole(
-                                                        parseInt(value, 10)
-                                                    );
+                                                    field.onChange(value);
+                                                    // If auto provision is enabled, set it to false when role changes
+                                                    if (user.idpAutoProvision) {
+                                                        form.setValue(
+                                                            "autoProvisioned",
+                                                            false
+                                                        );
+                                                    }
                                                 }}
-                                                disabled={loading}
+                                                value={field.value}
                                             >
-                                                <SelectTrigger className="w-[180px]">
-                                                    <SelectValue
-                                                        placeholder={t(
-                                                            "accessRoleSelect"
-                                                        )}
-                                                    />
-                                                </SelectTrigger>
+                                                <FormControl>
+                                                    <SelectTrigger>
+                                                        <SelectValue
+                                                            placeholder={t(
+                                                                "accessRoleSelect"
+                                                            )}
+                                                        />
+                                                    </SelectTrigger>
+                                                </FormControl>
                                                 <SelectContent>
-                                                    {availableRolesToAdd.map(
-                                                        (role) => (
-                                                            <SelectItem
-                                                                key={
-                                                                    role.roleId
-                                                                }
-                                                                value={role.roleId.toString()}
-                                                            >
-                                                                {role.name}
-                                                            </SelectItem>
-                                                        )
-                                                    )}
+                                                    {roles.map((role) => (
+                                                        <SelectItem
+                                                            key={role.roleId}
+                                                            value={role.roleId.toString()}
+                                                        >
+                                                            {role.name}
+                                                        </SelectItem>
+                                                    ))}
                                                 </SelectContent>
                                             </Select>
-                                        )}
-                                    </div>
-                                    {userRoles.length === 0 && (
-                                        <p className="text-sm text-muted-foreground">
-                                            {t("accessRoleSelectPlease")}
-                                        </p>
+                                            <FormMessage />
+                                        </FormItem>
                                     )}
-                                </FormItem>
+                                />
 
                                 {user.idpAutoProvision && (
                                     <FormField
@@ -299,9 +231,7 @@ export default function AccessControlsPage() {
                                                 </FormControl>
                                                 <div className="space-y-1 leading-none">
                                                     <FormLabel>
-                                                        {t(
-                                                            "autoProvisioned"
-                                                        )}
+                                                        {t("autoProvisioned")}
                                                     </FormLabel>
                                                     <p className="text-sm text-muted-foreground">
                                                         {t(

src/app/[orgId]/settings/access/users/page.tsx

@@ -88,9 +88,7 @@ export default async function UsersPage(props: UsersPageProps) {
             status: t("userConfirmed"),
             role: user.isOwner
                 ? t("accessRoleOwner")
-                : user.roles?.length
-                  ? user.roles.map((r) => r.roleName).join(", ")
-                  : t("accessRoleMember"),
+                : user.roleName || t("accessRoleMember"),
             isOwner: user.isOwner || false
         };
     });