remove SuperTokens and OIDC user guards

Author: XiNiHa

packages/services/api/src/modules/oidc-integrations/resolvers/User.ts

@@ -1,5 +1,5 @@
 import type { UserResolvers } from './../../../__generated__/types';
 
 export const User: Pick<UserResolvers, 'canSwitchOrganization'> = {
-  canSwitchOrganization: user => !user.oidcIntegrationId,
+  canSwitchOrganization: () => true,
 };

packages/services/api/src/modules/organization/providers/organization-manager.ts

@@ -297,20 +297,11 @@ export class OrganizationManager {
     user: {
       id: string;
       superTokensUserId: string | null;
-      oidcIntegrationId: string | null;
     };
   }) {
     const { slug, user } = input;
     this.logger.info('Creating an organization (input=%o)', input);
 
-    if (user.oidcIntegrationId) {
-      this.logger.debug(
-        'Failed to create organization as oidc user is not allowed to do so (input=%o)',
-        input,
-      );
-      throw new HiveError('Cannot create organization with OIDC user.');
-    }
-
     const result = await this.storage.createOrganization({
       slug,
       userId: user.id,
@@ -652,13 +643,9 @@ export class OrganizationManager {
   async joinOrganization({ code }: { code: string }): Promise<Organization | { message: string }> {
     this.logger.info('Joining an organization (code=%s)', code);
 
-    const user = await this.session.getViewer();
-    const isOIDCUser = user.oidcIntegrationId !== null;
-
-    if (isOIDCUser) {
-      return {
-        message: `You cannot join an organization with an OIDC account.`,
-      };
+    const actor = await this.session.getActor();
+    if (actor.type !== 'user') {
+      throw new Error('Only users can join organizations');
     }
 
     const organization = await this.getOrganizationByInviteCode({
@@ -674,9 +661,10 @@ export class OrganizationManager {
         organizationId: organization.id,
       });
 
-      if (oidcIntegration?.oidcUserAccessOnly && !isOIDCUser) {
+      if (oidcIntegration?.oidcUserAccessOnly && actor.oidcIntegrationId !== oidcIntegration.id) {
         return {
-          message: 'Non-OIDC users are not allowed to join this organization.',
+          message:
+            'The user is not authorized through the OIDC integration required for the organization',
         };
       }
     }
@@ -685,7 +673,7 @@ export class OrganizationManager {
 
     await this.storage.addOrganizationMemberViaInvitationCode({
       code,
-      userId: user.id,
+      userId: actor.user.id,
       organizationId: organization.id,
     });
 
@@ -701,7 +689,7 @@ export class OrganizationManager {
         eventType: 'USER_JOINED',
         organizationId: organization.id,
         metadata: {
-          inviteeEmail: user.email,
+          inviteeEmail: actor.user.email,
         },
       }),
     ]);

packages/services/api/src/modules/organization/resolvers/Query/myDefaultOrganization.ts

@@ -1,5 +1,4 @@
 import { Session } from '../../../auth/lib/authz';
-import { OIDCIntegrationsProvider } from '../../../oidc-integrations/providers/oidc-integrations.provider';
 import { IdTranslator } from '../../../shared/providers/id-translator';
 import { OrganizationManager } from '../../providers/organization-manager';
 import type { QueryResolvers } from './../../../../__generated__/types';
@@ -12,27 +11,6 @@ export const myDefaultOrganization: NonNullable<QueryResolvers['myDefaultOrganiz
   const user = await injector.get(Session).getViewer();
   const organizationManager = injector.get(OrganizationManager);
 
-  // For an OIDC Integration User we want to return the linked organization
-  if (user?.oidcIntegrationId) {
-    const oidcIntegration = await injector.get(OIDCIntegrationsProvider).getOIDCIntegrationById({
-      oidcIntegrationId: user.oidcIntegrationId,
-    });
-    if (oidcIntegration.type === 'ok') {
-      const org = await organizationManager.getOrganization({
-        organizationId: oidcIntegration.organizationId,
-      });
-
-      return {
-        selector: {
-          organizationSlug: org.slug,
-        },
-        organization: org,
-      };
-    }
-
-    return null;
-  }
-
   // This is the organization that got stored as an cookie
   // We make sure it actually exists before directing to it.
   if (previouslyVisitedOrganizationSlug) {

packages/services/api/src/shared/entities.ts

@@ -348,7 +348,6 @@ export interface User {
   provider: AuthProviderType;
   superTokensUserId: string | null;
   isAdmin: boolean;
-  oidcIntegrationId: string | null;
   zendeskId: string | null;
 }
 

packages/services/storage/src/index.ts

@@ -444,32 +444,50 @@ export async function createStorage(
 
       return UserModel.parse(record);
     },
+    getUserById: batch(async (input: { id: string }[]) => {
+      const userIds = input.map(i => i.id);
+      const records = await pool.any<unknown>(sql`/* getUserById */
+        SELECT
+          ${userFields(sql`"users".`, sql`"stu".`)}
+        FROM
+          "users"
+        LEFT JOIN "supertokens_thirdparty_users" AS "stu"
+          ON ("stu"."user_id" = "users"."supertoken_user_id")
+        WHERE
+          "users"."id" = ANY(${sql.array(userIds, 'uuid')})
+      `);
+
+      const mappings = new Map<string, UserType>();
+      for (const record of records) {
+        const user = UserModel.parse(record);
+        mappings.set(user.id, user);
+      }
+
+      return userIds.map(async id => mappings.get(id) ?? null);
+    }),
     async createUser(
       {
-        superTokensUserId,
         email,
         fullName,
         displayName,
-        oidcIntegrationId,
       }: {
-        superTokensUserId: string;
         email: string;
         fullName: string;
         displayName: string;
-        oidcIntegrationId: string | null;
       },
       connection: Connection,
     ) {
-      await connection.query<unknown>(
+      const { id } = await connection.oneFirst<{ id: string }>(
         sql`/* createUser */
           INSERT INTO users
-            ("email", "supertoken_user_id", "full_name", "display_name", "oidc_integration_id")
+            ("email", "full_name", "display_name")
           VALUES
-            (${email}, ${superTokensUserId}, ${fullName}, ${displayName}, ${oidcIntegrationId})
+            (${email}, ${fullName}, ${displayName})
+          RETURNING id
         `,
       );
 
-      const user = await this.getUserBySuperTokenId({ superTokensUserId }, connection);
+      const user = await shared.getUserById({ id });
       if (!user) {
         throw new Error('Something went wrong.');
       }
@@ -559,9 +577,7 @@ export async function createStorage(
   };
 
   function buildUserData(input: {
-    superTokensUserId: string;
     email: string;
-    oidcIntegrationId: string | null;
     firstName: string | null;
     lastName: string | null;
   }) {
@@ -572,11 +588,9 @@ export async function createStorage(
         : input.email.split('@')[0].slice(0, 25).padEnd(2, '1');
 
     return {
-      superTokensUserId: input.superTokensUserId,
       email: input.email,
       displayName: name,
       fullName: name,
-      oidcIntegrationId: input.oidcIntegrationId,
     };
   }
 
@@ -626,9 +640,7 @@ export async function createStorage(
         if (!internalUser) {
           internalUser = await shared.createUser(
             buildUserData({
-              superTokensUserId,
               email,
-              oidcIntegrationId: oidcIntegration?.id ?? null,
               firstName,
               lastName,
             }),
@@ -637,6 +649,16 @@ export async function createStorage(
           action = 'created';
         }
 
+        if (users.length === 1 && internalUser.superTokensUserId != null) {
+          await pool.query(sql`
+            UPDATE "users"
+            SET
+              "supertoken_user_id" = NULL,
+              "oidc_integration_id" = NULL
+            WHERE "id" = ${internalUser.id};
+          `);
+        }
+
         if (oidcIntegration !== null) {
           // Add user to OIDC linked integration
           await shared.addOrganizationMemberViaOIDCIntegrationId(
@@ -657,27 +679,9 @@ export async function createStorage(
     async getUserBySuperTokenId({ superTokensUserId }) {
       return shared.getUserBySuperTokenId({ superTokensUserId }, pool);
     },
-    getUserById: batch(async input => {
-      const userIds = input.map(i => i.id);
-      const records = await pool.any<unknown>(sql`/* getUserById */
-        SELECT
-          ${userFields(sql`"users".`, sql`"stu".`)}
-        FROM
-          "users"
-        LEFT JOIN "supertokens_thirdparty_users" AS "stu"
-          ON ("stu"."user_id" = "users"."supertoken_user_id")
-        WHERE
-          "users"."id" = ANY(${sql.array(userIds, 'uuid')})
-      `);
-
-      const mappings = new Map<string, UserType>();
-      for (const record of records) {
-        const user = UserModel.parse(record);
-        mappings.set(user.id, user);
-      }
-
-      return userIds.map(async id => mappings.get(id) ?? null);
-    }),
+    async getUserById({ id }) {
+      return shared.getUserById({ id });
+    },
     async updateUser({ id, displayName, fullName }) {
       await pool.one<users>(sql`/* updateUser */
         UPDATE "users"
@@ -5410,7 +5414,7 @@ export const UserModel = zod.object({
   createdAt: zod.string(),
   displayName: zod.string(),
   fullName: zod.string(),
-  superTokensUserId: zod.string(),
+  superTokensUserId: zod.string().nullable(),
   isAdmin: zod
     .boolean()
     .nullable()