add OIDC integration check on access policy check

XiNiHa · XiNiHa · commit e2671c8dcb6a · 2025-12-08T22:41:03.000+09:00
diff --git a/packages/services/api/src/modules/auth/lib/supertokens-strategy.ts b/packages/services/api/src/modules/auth/lib/supertokens-strategy.ts
@@ -63,7 +63,12 @@ export class SuperTokensCookieBasedSession extends Session {
       user.id,
       organizationId,
     );
-    const organization = await this.storage.getOrganization({ organizationId });
+    const [organization, oidcIntegration] = await Promise.all([
+      this.storage.getOrganization({ organizationId }),
+      this.storage.getOIDCIntegrationForOrganization({
+        organizationId,
+      }),
+    ]);
     const organizationMembership = await this.organizationMembers.findOrganizationMembership({
       organization,
       userId: user.id,
@@ -108,6 +113,10 @@ export class SuperTokensCookieBasedSession extends Session {
       ];
     }
 
+    if (oidcIntegration?.oidcUserAccessOnly && this.oidcIntegrationId !== oidcIntegration.id) {
+      return [];
+    }
+
     this.logger.debug(
       'Translate organization role assignments to policy statements. (userId=%s, organizationId=%s)',
       user.id,
