add org policy check to verify session

2026-02-10 20:02:26 +00:00 · 2025-10-25 17:15:37 -07:00
parent 9ce81b34c9
commit 8973726f63
4 changed files with 113 additions and 5 deletions
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -37,6 +37,7 @@ import { getCountryCodeForIp } from "@server/lib/geoip";
 import { getOrgTierData } from "#dynamic/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { verifyPassword } from "@server/auth/password";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";

 // We'll see if this speeds anything up
 const cache = new NodeCache({
@@ -313,7 +314,8 @@ export async function verifyResourceSession(
                return allowed(res);
            }

-            if ( // we dont want to redirect if this is the only auth method and we did not pass here
+            if (
+                // we dont want to redirect if this is the only auth method and we did not pass here
                !sso &&
                !pincode &&
                !password &&
@@ -589,6 +591,18 @@ async function isUserAllowedToAccessResource(
        return null;
    }

+    const accessPolicy = await checkOrgAccessPolicy({
+        orgId: resource.orgId,
+        userId: user.userId,
+        sessionId: session.sessionId
+    });
+    if (!accessPolicy.allowed || accessPolicy.error) {
+        logger.debug(`User not allowed by org access policy because`, {
+            accessPolicy
+        });
+        return null;
+    }
+
    const roleResourceAccess = await getRoleResourceAccess(
        resource.resourceId,
        userOrgRole.roleId