Pull things in proper order

2026-06-05 07:16:24 +00:00 · 2026-06-03 14:52:36 -07:00
parent 2b402f8fec
commit 40125c717c
2 changed files with 31 additions and 18 deletions
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -199,12 +199,20 @@ export async function getResourceByDomain(
        return null;
    }

-    const effectivePolicyPincode =
-        result.sharedPolicyPincode ?? result.defaultPolicyPincode ?? null;
-    const effectivePolicyPassword =
-        result.sharedPolicyPassword ?? result.defaultPolicyPassword ?? null;
-    const effectivePolicyHeaderAuth =
-        result.sharedPolicyHeaderAuth ?? result.defaultPolicyHeaderAuth ?? null;
+    // If a shared (custom) policy is assigned to the resource, use ONLY
+    // its values — do not fall back to the default policy. The default
+    // policy is only consulted when no shared policy is assigned at all.
+    const hasSharedPolicy = result.sharedPolicy !== null;
+
+    const effectivePolicyPincode = hasSharedPolicy
+        ? result.sharedPolicyPincode
+        : (result.defaultPolicyPincode ?? null);
+    const effectivePolicyPassword = hasSharedPolicy
+        ? result.sharedPolicyPassword
+        : (result.defaultPolicyPassword ?? null);
+    const effectivePolicyHeaderAuth = hasSharedPolicy
+        ? result.sharedPolicyHeaderAuth
+        : (result.defaultPolicyHeaderAuth ?? null);

    return {
        resource: result.resources,
--- a/server/routers/resource/getResourceAuthInfo.ts
+++ b/server/routers/resource/getResourceAuthInfo.ts
@@ -180,19 +180,24 @@ export async function getResourceAuthInfo(
            );
        }

-        // Shared (custom) policy takes precedence over the default policy.
-        // For boolean fields (sso, whitelist), only fall back to defaultPolicy
-        // when there is no shared policy at all.
-        const effectivePolicyPincode =
-            result.sharedPolicyPincode ?? result.defaultPolicyPincode ?? null;
-        const effectivePolicyPassword =
-            result.sharedPolicyPassword ?? result.defaultPolicyPassword ?? null;
-        const effectivePolicyHeaderAuth =
-            result.sharedPolicyHeaderAuth ??
-            result.defaultPolicyHeaderAuth ??
-            null;
+        // If a shared (custom) policy is assigned to the resource, use ONLY
+        // its values — do not fall back to the default policy. The default
+        // policy is only consulted when no shared policy is assigned at all.
+        const hasSharedPolicy = result.sharedPolicy !== null;

-        const effectivePolicy = result.sharedPolicy ?? result.defaultPolicy;
+        const effectivePolicyPincode = hasSharedPolicy
+            ? result.sharedPolicyPincode
+            : (result.defaultPolicyPincode ?? null);
+        const effectivePolicyPassword = hasSharedPolicy
+            ? result.sharedPolicyPassword
+            : (result.defaultPolicyPassword ?? null);
+        const effectivePolicyHeaderAuth = hasSharedPolicy
+            ? result.sharedPolicyHeaderAuth
+            : (result.defaultPolicyHeaderAuth ?? null);
+
+        const effectivePolicy = hasSharedPolicy
+            ? result.sharedPolicy
+            : result.defaultPolicy;

        const pincode = effectivePolicyPincode ?? result.resourcePincode;
        const password = effectivePolicyPassword ?? result.resourcePassword;