Use the config not the env var

fix: clarify IdP validation messages across policy flows
fix: allow default IdP validation in global mode policies
2026-06-23 15:51:49 +00:00 · 2026-06-22 10:24:16 -04:00 · 2026-06-16 23:46:51 +00:00 · 2026-06-16 23:43:36 +00:00 · 2026-06-16 23:39:01 +00:00 · 2026-06-15 01:35:51 +00:00
19 changed files with 2749 additions and 1912 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,42 +1,52 @@
 version: 2
-
 updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
-    open-pull-requests-limit: 1
    groups:
-      npm-dependencies:
-        patterns:
-          - "*"
-
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+          
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
-    open-pull-requests-limit: 1
    groups:
-      docker-dependencies:
-        patterns:
-          - "*"
+      patch-updates:
+        update-types:
+          - "patch"
+      minor-updates:
+        update-types:
+          - "minor"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
-    open-pull-requests-limit: 1
-    groups:
-      github-actions-dependencies:
-        patterns:
-          - "*"

  - package-ecosystem: "gomod"
    directory: "/install"
    schedule:
      interval: "daily"
-    open-pull-requests-limit: 1
    groups:
-      go-install-dependencies:
-        patterns:
-          - "*"
+      patch-updates:
+        update-types:
+          - "patch"
+      minor-updates:
+        update-types:
+          - "minor"
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -62,7 +62,7 @@ jobs:

        steps:
            - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Monitor storage space
              run: |
@@ -134,7 +134,7 @@ jobs:

        steps:
            - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Monitor storage space
              run: |
@@ -201,7 +201,7 @@ jobs:
        timeout-minutes: 30
        steps:
            - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Log in to Docker Hub
              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
@@ -256,7 +256,7 @@ jobs:

        steps:
            - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Extract tag name
              id: get-tag
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -21,7 +21,7 @@ jobs:
        runs-on: ubuntu-latest
        steps:
            - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Set up Node.js
              uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -62,7 +62,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Build Docker image sqlite
        run: make dev-build-sqlite
@@ -71,7 +71,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Build Docker image pg
        run: make dev-build-pg
--- a/install/go.mod
+++ b/install/go.mod
@@ -5,7 +5,7 @@ go 1.25.0
 require (
 	github.com/charmbracelet/huh v1.0.0
 	github.com/charmbracelet/lipgloss v1.1.0
-	golang.org/x/term v0.44.0
+	golang.org/x/term v0.43.0
 	gopkg.in/yaml.v3 v3.0.1
 )

@@ -33,6 +33,6 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.46.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )
--- a/install/go.sum
+++ b/install/go.sum
@@ -69,10 +69,10 @@ golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
-golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.44.0 h1:0rLvDRCtNj0gZkyIXhCyOb2OAzEhLVqc4B+hrsBhrmc=
-golang.org/x/term v0.44.0/go.mod h1:7ze4MdzUzLXpSAoFP1H0bOI9aXDqveSvatT5vKcFh2Y=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -35,7 +35,7 @@
        "@asteasolutions/zod-to-openapi": "8.5.0",
        "@devolutions/iron-remote-desktop": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-0.0.0.tgz",
        "@devolutions/iron-remote-desktop-rdp": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-rdp-0.0.0.tgz",
-        "@aws-sdk/client-s3": "3.1075.0",
+        "@aws-sdk/client-s3": "3.1056.0",
        "@headlessui/react": "2.2.10",
        "@hookform/resolvers": "5.4.0",
        "@monaco-editor/react": "4.7.0",
@@ -43,38 +43,38 @@
        "@novnc/novnc": "^1.7.0",
        "@oslojs/crypto": "1.0.1",
        "@oslojs/encoding": "1.1.0",
-        "@radix-ui/react-avatar": "1.2.0",
-        "@radix-ui/react-checkbox": "1.3.5",
-        "@radix-ui/react-collapsible": "1.1.14",
-        "@radix-ui/react-dialog": "1.1.17",
-        "@radix-ui/react-dropdown-menu": "2.1.18",
+        "@radix-ui/react-avatar": "1.1.11",
+        "@radix-ui/react-checkbox": "1.3.3",
+        "@radix-ui/react-collapsible": "1.1.12",
+        "@radix-ui/react-dialog": "1.1.15",
+        "@radix-ui/react-dropdown-menu": "2.1.16",
        "@radix-ui/react-icons": "1.3.2",
-        "@radix-ui/react-label": "2.1.10",
-        "@radix-ui/react-popover": "1.1.17",
-        "@radix-ui/react-progress": "1.1.10",
-        "@radix-ui/react-radio-group": "1.4.1",
-        "@radix-ui/react-scroll-area": "1.2.12",
-        "@radix-ui/react-select": "2.3.1",
-        "@radix-ui/react-separator": "1.1.10",
-        "@radix-ui/react-slot": "1.3.0",
-        "@radix-ui/react-switch": "1.3.1",
-        "@radix-ui/react-tabs": "1.1.15",
-        "@radix-ui/react-toast": "1.2.17",
-        "@radix-ui/react-tooltip": "1.2.10",
+        "@radix-ui/react-label": "2.1.8",
+        "@radix-ui/react-popover": "1.1.15",
+        "@radix-ui/react-progress": "1.1.8",
+        "@radix-ui/react-radio-group": "1.3.8",
+        "@radix-ui/react-scroll-area": "1.2.10",
+        "@radix-ui/react-select": "2.2.6",
+        "@radix-ui/react-separator": "1.1.8",
+        "@radix-ui/react-slot": "1.2.4",
+        "@radix-ui/react-switch": "1.2.6",
+        "@radix-ui/react-tabs": "1.1.13",
+        "@radix-ui/react-toast": "1.2.15",
+        "@radix-ui/react-tooltip": "1.2.8",
        "@react-email/body": "0.3.0",
        "@react-email/components": "1.0.12",
-        "@react-email/render": "2.0.9",
+        "@react-email/render": "2.0.8",
        "@react-email/tailwind": "2.0.7",
        "@simplewebauthn/browser": "13.3.0",
        "@simplewebauthn/server": "13.3.1",
        "@tailwindcss/forms": "0.5.11",
-        "@tanstack/react-query": "5.101.1",
+        "@tanstack/react-query": "5.100.14",
        "@tanstack/react-table": "8.21.3",
        "@xterm/addon-fit": "^0.11.0",
        "@xterm/addon-web-links": "^0.12.0",
        "@xterm/xterm": "^6.0.0",
        "arctic": "3.7.0",
-        "axios": "1.18.1",
+        "axios": "1.16.1",
        "better-sqlite3": "11.9.1",
        "canvas-confetti": "1.9.4",
        "class-variance-authority": "0.7.1",
@@ -91,40 +91,40 @@
        "helmet": "8.2.0",
        "http-errors": "2.0.1",
        "input-otp": "1.4.2",
-        "ioredis": "5.11.1",
+        "ioredis": "5.11.0",
        "jmespath": "0.16.0",
-        "js-yaml": "5.1.0",
+        "js-yaml": "4.1.1",
        "jsonwebtoken": "9.0.3",
-        "lucide-react": "1.21.0",
+        "lucide-react": "1.17.0",
        "maxmind": "5.0.6",
        "moment": "2.30.1",
-        "next": "16.2.9",
+        "next": "16.2.6",
        "next-intl": "4.13.0",
        "next-themes": "0.4.6",
        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
-        "nodemailer": "9.0.1",
+        "nodemailer": "8.0.9",
        "oslo": "1.2.1",
-        "pg": "8.22.0",
-        "posthog-node": "5.38.3",
+        "pg": "8.21.0",
+        "posthog-node": "5.35.6",
        "qrcode.react": "4.2.0",
-        "react": "19.2.7",
-        "react-day-picker": "10.0.1",
-        "react-dom": "19.2.7",
+        "react": "19.2.6",
+        "react-day-picker": "9.14.0",
+        "react-dom": "19.2.6",
        "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.80.0",
+        "react-hook-form": "7.76.1",
        "react-icons": "5.6.0",
-        "recharts": "3.9.0",
+        "recharts": "3.8.1",
        "reodotdev": "1.1.0",
-        "semver": "7.8.5",
+        "semver": "7.8.1",
        "sshpk": "1.18.0",
-        "stripe": "22.2.3",
+        "stripe": "22.2.0",
        "swagger-ui-express": "5.0.1",
        "tailwind-merge": "3.6.0",
        "topojson-client": "3.1.0",
        "tw-animate-css": "1.4.0",
        "use-debounce": "10.1.1",
-        "uuid": "14.0.1",
+        "uuid": "14.0.0",
        "vaul": "1.1.2",
        "visionscarto-world-atlas": "1.0.0",
        "winston": "3.19.0",
@@ -136,11 +136,11 @@
        "zod-validation-error": "5.0.0"
    },
    "devDependencies": {
-        "@dotenvx/dotenvx": "1.75.1",
+        "@dotenvx/dotenvx": "1.71.3",
        "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@react-email/ui": "^6.6.4",
-        "@tailwindcss/postcss": "4.3.1",
-        "@tanstack/react-query-devtools": "5.101.1",
+        "@react-email/ui": "^6.6.0",
+        "@tailwindcss/postcss": "4.3.0",
+        "@tanstack/react-query-devtools": "5.101.0",
        "@types/better-sqlite3": "7.6.13",
        "@types/cookie-parser": "1.4.10",
        "@types/cors": "2.8.19",
@@ -151,35 +151,35 @@
        "@types/jmespath": "0.15.2",
        "@types/js-yaml": "4.0.9",
        "@types/jsonwebtoken": "9.0.10",
-        "@types/node": "26.0.0",
-        "@types/nodemailer": "8.0.1",
+        "@types/node": "25.9.1",
+        "@types/nodemailer": "8.0.0",
        "@types/nprogress": "0.2.3",
        "@types/pg": "8.20.0",
-        "@types/react": "19.2.17",
+        "@types/react": "19.2.15",
        "@types/react-dom": "19.2.3",
        "@types/semver": "7.7.1",
-        "@types/sshpk": "1.17.5",
+        "@types/sshpk": "1.17.4",
        "@types/swagger-ui-express": "4.1.8",
        "@types/topojson-client": "3.1.5",
        "@types/ws": "8.18.1",
        "@types/yargs": "17.0.35",
        "babel-plugin-react-compiler": "1.0.0",
        "drizzle-kit": "0.31.10",
-        "esbuild": "0.28.1",
+        "esbuild": "0.28.0",
        "esbuild-node-externals": "1.23.1",
        "eslint": "10.5.0",
-        "eslint-config-next": "16.2.9",
+        "eslint-config-next": "16.2.6",
        "postcss": "8.5.15",
-        "prettier": "3.8.4",
-        "react-email": "6.6.4",
-        "tailwindcss": "4.3.1",
+        "prettier": "3.8.3",
+        "react-email": "6.6.0",
+        "tailwindcss": "4.3.0",
        "tsc-alias": "1.8.17",
-        "tsx": "4.22.4",
+        "tsx": "4.22.3",
        "typescript": "6.0.3",
-        "typescript-eslint": "8.62.0"
+        "typescript-eslint": "8.61.0"
    },
    "overrides": {
-        "esbuild": "0.28.1",
+        "esbuild": "0.28.0",
        "dompurify": "3.4.0",
        "postcss": "8.5.15"
    }
--- a/server/lib/blueprints/resourcePolicies.ts
+++ b/server/lib/blueprints/resourcePolicies.ts
@@ -23,6 +23,7 @@ import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "../billing/tierMatrix";
+import privateConfig from "@server/private/lib/config";

 export type ResourcePoliciesResults = {
    resourcePolicyId: number;
@@ -74,20 +75,36 @@ export async function updateResourcePolicies(
            const [provider] = await trx
                .select()
                .from(idp)
-                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
-                .where(
-                    and(
-                        eq(idp.idpId, policyData["auto-login-idp"]),
-                        eq(idpOrg.orgId, orgId)
-                    )
-                )
+                .where(eq(idp.idpId, policyData["auto-login-idp"]))
                .limit(1);

            if (!provider) {
                throw new Error(
-                    `Identity provider not found for policy '${policyNiceId}' in this organization`
+                    `Identity provider not found for policy '${policyNiceId}'`
                );
            }
+
+            if (
+                privateConfig.getRawPrivateConfig().app
+                    .identity_provider_mode === "org"
+            ) {
+                const [providerOrg] = await trx
+                    .select()
+                    .from(idpOrg)
+                    .where(
+                        and(
+                            eq(idpOrg.idpId, policyData["auto-login-idp"]),
+                            eq(idpOrg.orgId, orgId)
+                        )
+                    )
+                    .limit(1);
+
+                if (!providerOrg) {
+                    throw new Error(
+                        `Identity provider not found for policy '${policyNiceId}' in this organization`
+                    );
+                }
+            }
        }

        // Look up the admin role
--- a/server/lib/pathMatch.ts
+++ b/server/lib/pathMatch.ts
@@ -1,74 +0,0 @@
-const MAX_RECURSION_DEPTH = 100;
-
-const segmentRegexCache = new Map<string, RegExp>();
-
-function getSegmentRegex(patternPart: string): RegExp {
-    let regex = segmentRegexCache.get(patternPart);
-    if (!regex) {
-        const regexPattern = patternPart
-            .replace(/[.+^${}()|[\]\\]/g, "\\$&")
-            .replace(/\*/g, ".*")
-            .replace(/\?/g, ".");
-        regex = new RegExp(`^${regexPattern}$`);
-        segmentRegexCache.set(patternPart, regex);
-    }
-    return regex;
-}
-
-export function isPathAllowed(pattern: string, path: string): boolean {
-    const normalize = (p: string) => p.split("/").filter(Boolean);
-    const patternParts = normalize(pattern);
-    const pathParts = normalize(path);
-
-    function matchSegments(
-        patternIndex: number,
-        pathIndex: number,
-        depth: number = 0
-    ): boolean {
-        if (depth > MAX_RECURSION_DEPTH) {
-            return false;
-        }
-
-        const currentPatternPart = patternParts[patternIndex];
-        const currentPathPart = pathParts[pathIndex];
-
-        if (patternIndex >= patternParts.length) {
-            return pathIndex >= pathParts.length;
-        }
-
-        if (pathIndex >= pathParts.length) {
-            return patternParts.slice(patternIndex).every((p) => p === "*");
-        }
-
-        if (currentPatternPart === "*") {
-            if (matchSegments(patternIndex + 1, pathIndex, depth + 1)) {
-                return true;
-            }
-            if (matchSegments(patternIndex, pathIndex + 1, depth + 1)) {
-                return true;
-            }
-            return false;
-        }
-
-        if (currentPatternPart.includes("*")) {
-            const regex = getSegmentRegex(currentPatternPart);
-
-            if (regex.test(currentPathPart)) {
-                return matchSegments(
-                    patternIndex + 1,
-                    pathIndex + 1,
-                    depth + 1
-                );
-            }
-            return false;
-        }
-
-        if (currentPatternPart !== currentPathPart) {
-            return false;
-        }
-
-        return matchSegments(patternIndex + 1, pathIndex + 1, depth + 1);
-    }
-
-    return matchSegments(0, 0, 0);
-}
--- a/server/private/routers/policy/createResourcePolicy.ts
+++ b/server/private/routers/policy/createResourcePolicy.ts
@@ -38,6 +38,7 @@ import {
 } from "@server/lib/validators";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
+import privateConfig from "@server/private/lib/config";
 import HttpCode from "@server/types/HttpCode";
 import { and, eq, inArray, type InferInsertModel } from "drizzle-orm";
 import { NextFunction, Request, Response } from "express";
@@ -207,18 +208,42 @@ export async function createResourcePolicy(
            const [provider] = await db
                .select()
                .from(idp)
-                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
-                .where(and(eq(idp.idpId, skipToIdpId), eq(idpOrg.orgId, orgId)))
+                .where(eq(idp.idpId, skipToIdpId))
                .limit(1);

            if (!provider) {
                return next(
                    createHttpError(
                        HttpCode.INTERNAL_SERVER_ERROR,
-                        "Identity provider not found in this organization"
+                        "Identity provider not found"
                    )
                );
            }
+
+            if (
+                privateConfig.getRawPrivateConfig().app
+                    .identity_provider_mode === "org"
+            ) {
+                const [providerOrg] = await db
+                    .select()
+                    .from(idpOrg)
+                    .where(
+                        and(
+                            eq(idpOrg.idpId, skipToIdpId),
+                            eq(idpOrg.orgId, orgId)
+                        )
+                    )
+                    .limit(1);
+
+                if (!providerOrg) {
+                    return next(
+                        createHttpError(
+                            HttpCode.INTERNAL_SERVER_ERROR,
+                            "Identity provider not found in this organization"
+                        )
+                    );
+                }
+            }
        }

        const adminRole = await db
--- a/server/routers/badger/verifySession.test.ts
+++ b/server/routers/badger/verifySession.test.ts
@@ -1,6 +1,5 @@
 import { assertEquals } from "@test/assert";
 import { REGIONS } from "@server/db/regions";
-import { isPathAllowed } from "@server/lib/pathMatch";

 function isIpInRegion(
    ipCountryCode: string | undefined,
@@ -34,6 +33,76 @@ function isIpInRegion(
    return false;
 }

+function isPathAllowed(pattern: string, path: string): boolean {
+    // Normalize and split paths into segments
+    const normalize = (p: string) => p.split("/").filter(Boolean);
+    const patternParts = normalize(pattern);
+    const pathParts = normalize(path);
+
+    // Recursive function to try different wildcard matches
+    function matchSegments(patternIndex: number, pathIndex: number): boolean {
+        const indent = "  ".repeat(pathIndex); // Indent based on recursion depth
+        const currentPatternPart = patternParts[patternIndex];
+        const currentPathPart = pathParts[pathIndex];
+
+        // If we've consumed all pattern parts, we should have consumed all path parts
+        if (patternIndex >= patternParts.length) {
+            const result = pathIndex >= pathParts.length;
+            return result;
+        }
+
+        // If we've consumed all path parts but still have pattern parts
+        if (pathIndex >= pathParts.length) {
+            // The only way this can match is if all remaining pattern parts are wildcards
+            const remainingPattern = patternParts.slice(patternIndex);
+            const result = remainingPattern.every((p) => p === "*");
+            return result;
+        }
+
+        // For full segment wildcards, try consuming different numbers of path segments
+        if (currentPatternPart === "*") {
+            // Try consuming 0 segments (skip the wildcard)
+            if (matchSegments(patternIndex + 1, pathIndex)) {
+                return true;
+            }
+
+            // Try consuming current segment and recursively try rest
+            if (matchSegments(patternIndex, pathIndex + 1)) {
+                return true;
+            }
+
+            return false;
+        }
+
+        // Check for in-segment wildcard (e.g., "prefix*" or "prefix*suffix")
+        if (currentPatternPart.includes("*")) {
+            // Convert the pattern segment to a regex pattern
+            const regexPattern = currentPatternPart
+                .replace(/\*/g, ".*") // Replace * with .* for regex wildcard
+                .replace(/\?/g, "."); // Replace ? with . for single character wildcard if needed
+
+            const regex = new RegExp(`^${regexPattern}$`);
+
+            if (regex.test(currentPathPart)) {
+                return matchSegments(patternIndex + 1, pathIndex + 1);
+            }
+
+            return false;
+        }
+
+        // For regular segments, they must match exactly
+        if (currentPatternPart !== currentPathPart) {
+            return false;
+        }
+
+        // Move to next segments in both pattern and path
+        return matchSegments(patternIndex + 1, pathIndex + 1);
+    }
+
+    const result = matchSegments(0, 0);
+    return result;
+}
+
 function runTests() {
    console.log("Running path matching tests...");

@@ -239,121 +308,6 @@ function runTests() {
    console.log("All path matching tests passed!");
 }

-function runSpecialCharacterTests() {
-    console.log("\nRunning special character tests...");
-
-    let threw = false;
-    try {
-        isPathAllowed("(api*", "anything");
-        isPathAllowed("a(b*", "a(bc");
-        isPathAllowed("c[d*", "c[de");
-        isPathAllowed("x{2}*", "x{2}y");
-        isPathAllowed("a|b*", "a|bc");
-        isPathAllowed("back\\slash*", "back\\slashed");
-    } catch (e) {
-        threw = true;
-        console.error(
-            "Patterns accepted by isValidUrlGlobPattern crashed the matcher:",
-            e instanceof Error ? e.message : e
-        );
-    }
-    assertEquals(
-        threw,
-        false,
-        "Patterns with regex metacharacters must not throw"
-    );
-
-    assertEquals(
-        isPathAllowed("(api*", "(api-v1"),
-        true,
-        "Parenthesis should be treated as a literal character"
-    );
-    assertEquals(
-        isPathAllowed("(api*", "xapi-v1"),
-        false,
-        "Parenthesis should not match other characters"
-    );
-    assertEquals(
-        isPathAllowed("a(b)*", "a(b)c"),
-        true,
-        "Parentheses pair should be treated as literal characters"
-    );
-
-    assertEquals(
-        isPathAllowed("*.png", "image.png"),
-        true,
-        "Dot should match a literal dot"
-    );
-    assertEquals(
-        isPathAllowed("*.png", "imageXpng"),
-        false,
-        "Dot should not act as a regex wildcard"
-    );
-    assertEquals(
-        isPathAllowed("v1.0*", "v1.0.1"),
-        true,
-        "Version-like literal should match itself"
-    );
-    assertEquals(
-        isPathAllowed("v1.0*", "v1x0-beta"),
-        false,
-        "Version-like literal should not match arbitrary characters"
-    );
-
-    assertEquals(
-        isPathAllowed("a+b*", "a+bc"),
-        true,
-        "Plus should be treated as a literal character"
-    );
-    assertEquals(
-        isPathAllowed("a+b*", "aaabc"),
-        false,
-        "Plus should not act as a regex quantifier"
-    );
-
-    assertEquals(
-        isPathAllowed("$ref*", "$refs"),
-        true,
-        "Dollar sign should be treated as a literal character"
-    );
-    assertEquals(
-        isPathAllowed("price$*", "price$100"),
-        true,
-        "Dollar sign mid-pattern should be treated as a literal character"
-    );
-
-    assertEquals(
-        isPathAllowed("^start*", "^started"),
-        true,
-        "Caret should be treated as a literal character"
-    );
-
-    assertEquals(
-        isPathAllowed("a|b*", "a|bc"),
-        true,
-        "Pipe should be treated as a literal character"
-    );
-    assertEquals(
-        isPathAllowed("a|b*", "a"),
-        false,
-        "Pipe should not act as regex alternation"
-    );
-
-    assertEquals(
-        isPathAllowed("file?*", "fileX"),
-        true,
-        "Question mark should still act as a single-character wildcard"
-    );
-
-    assertEquals(
-        isPathAllowed("api/*", "api/" + "x/".repeat(50)),
-        true,
-        "Deeply nested paths should still match"
-    );
-
-    console.log("All special character tests passed!");
-}
-
 function runRegionTests() {
    console.log("\nRunning isIpInRegion tests...");

@@ -413,7 +367,6 @@ function runRegionTests() {
 // Run all tests
 try {
    runTests();
-    runSpecialCharacterTests();
    runRegionTests();
    console.log("\n✅ All tests passed!");
 } catch (error) {
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -25,7 +25,6 @@ import {
 } from "@server/db";
 import config from "@server/lib/config";
 import { isIpInCidr, stripPortFromHost } from "@server/lib/ip";
-import { isPathAllowed } from "@server/lib/pathMatch";
 import { response } from "@server/lib/response";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
@@ -1091,7 +1090,143 @@ async function checkRules(
    return;
 }

-export { isPathAllowed };
+export function isPathAllowed(pattern: string, path: string): boolean {
+    logger.debug(`\nMatching path "${path}" against pattern "${pattern}"`);
+
+    // Normalize and split paths into segments
+    const normalize = (p: string) => p.split("/").filter(Boolean);
+    const patternParts = normalize(pattern);
+    const pathParts = normalize(path);
+
+    logger.debug(`Normalized pattern parts: [${patternParts.join(", ")}]`);
+    logger.debug(`Normalized path parts: [${pathParts.join(", ")}]`);
+
+    // Maximum recursion depth to prevent stack overflow and memory issues
+    const MAX_RECURSION_DEPTH = 100;
+
+    // Recursive function to try different wildcard matches
+    function matchSegments(
+        patternIndex: number,
+        pathIndex: number,
+        depth: number = 0
+    ): boolean {
+        // Check recursion depth limit
+        if (depth > MAX_RECURSION_DEPTH) {
+            logger.warn(
+                `Path matching exceeded maximum recursion depth (${MAX_RECURSION_DEPTH}) for pattern "${pattern}" and path "${path}"`
+            );
+            return false;
+        }
+
+        const indent = "  ".repeat(depth); // Indent based on recursion depth
+        const currentPatternPart = patternParts[patternIndex];
+        const currentPathPart = pathParts[pathIndex];
+
+        logger.debug(
+            `${indent}Checking patternIndex=${patternIndex} (${currentPatternPart || "END"}) vs pathIndex=${pathIndex} (${currentPathPart || "END"}) [depth=${depth}]`
+        );
+
+        // If we've consumed all pattern parts, we should have consumed all path parts
+        if (patternIndex >= patternParts.length) {
+            const result = pathIndex >= pathParts.length;
+            logger.debug(
+                `${indent}Reached end of pattern, remaining path: ${pathParts.slice(pathIndex).join("/")} -> ${result}`
+            );
+            return result;
+        }
+
+        // If we've consumed all path parts but still have pattern parts
+        if (pathIndex >= pathParts.length) {
+            // The only way this can match is if all remaining pattern parts are wildcards
+            const remainingPattern = patternParts.slice(patternIndex);
+            const result = remainingPattern.every((p) => p === "*");
+            logger.debug(
+                `${indent}Reached end of path, remaining pattern: ${remainingPattern.join("/")} -> ${result}`
+            );
+            return result;
+        }
+
+        // For full segment wildcards, try consuming different numbers of path segments
+        if (currentPatternPart === "*") {
+            logger.debug(
+                `${indent}Found wildcard at pattern index ${patternIndex}`
+            );
+
+            // Try consuming 0 segments (skip the wildcard)
+            logger.debug(
+                `${indent}Trying to skip wildcard (consume 0 segments)`
+            );
+            if (matchSegments(patternIndex + 1, pathIndex, depth + 1)) {
+                logger.debug(
+                    `${indent}Successfully matched by skipping wildcard`
+                );
+                return true;
+            }
+
+            // Try consuming current segment and recursively try rest
+            logger.debug(
+                `${indent}Trying to consume segment "${currentPathPart}" for wildcard`
+            );
+            if (matchSegments(patternIndex, pathIndex + 1, depth + 1)) {
+                logger.debug(
+                    `${indent}Successfully matched by consuming segment for wildcard`
+                );
+                return true;
+            }
+
+            logger.debug(`${indent}Failed to match wildcard`);
+            return false;
+        }
+
+        // Check for in-segment wildcard (e.g., "prefix*" or "prefix*suffix")
+        if (currentPatternPart.includes("*")) {
+            logger.debug(
+                `${indent}Found in-segment wildcard in "${currentPatternPart}"`
+            );
+
+            // Convert the pattern segment to a regex pattern
+            const regexPattern = currentPatternPart
+                .replace(/\*/g, ".*") // Replace * with .* for regex wildcard
+                .replace(/\?/g, "."); // Replace ? with . for single character wildcard if needed
+
+            const regex = new RegExp(`^${regexPattern}$`);
+
+            if (regex.test(currentPathPart)) {
+                logger.debug(
+                    `${indent}Segment with wildcard matches: "${currentPatternPart}" matches "${currentPathPart}"`
+                );
+                return matchSegments(
+                    patternIndex + 1,
+                    pathIndex + 1,
+                    depth + 1
+                );
+            }
+
+            logger.debug(
+                `${indent}Segment with wildcard mismatch: "${currentPatternPart}" doesn't match "${currentPathPart}"`
+            );
+            return false;
+        }
+
+        // For regular segments, they must match exactly
+        if (currentPatternPart !== currentPathPart) {
+            logger.debug(
+                `${indent}Segment mismatch: "${currentPatternPart}" != "${currentPathPart}"`
+            );
+            return false;
+        }
+
+        logger.debug(
+            `${indent}Segments match: "${currentPatternPart}" = "${currentPathPart}"`
+        );
+        // Move to next segments in both pattern and path
+        return matchSegments(patternIndex + 1, pathIndex + 1, depth + 1);
+    }
+
+    const result = matchSegments(0, 0, 0);
+    logger.debug(`Final result: ${result}`);
+    return result;
+}

 async function isIpInGeoIP(
    ipCountryCode: string | undefined,
--- a/server/routers/idp/createIdpOrgPolicy.ts
+++ b/server/routers/idp/createIdpOrgPolicy.ts
@@ -11,6 +11,7 @@ import { OpenAPITags, registry } from "@server/openApi";
 import config from "@server/lib/config";
 import { eq, and } from "drizzle-orm";
 import { idp, idpOrg } from "@server/db";
+import privateConfig from "@server/private/lib/config";

 const paramsSchema = z.strictObject({
    idpId: z.coerce.number<number>(),
@@ -25,7 +26,6 @@ const bodySchema = z.strictObject({
 export type CreateIdpOrgPolicyResponse = {};
 const CreateIdpOrgPolicyResponseDataSchema = z.object({});

-
 registry.registerPath({
    method: "put",
    path: "/idp/{idpId}/org/{orgId}",
@@ -46,7 +46,9 @@ registry.registerPath({
            description: "Successful response",
            content: {
                "application/json": {
-                    schema: createApiResponseSchema(CreateIdpOrgPolicyResponseDataSchema)
+                    schema: createApiResponseSchema(
+                        CreateIdpOrgPolicyResponseDataSchema
+                    )
                }
            }
        }
@@ -82,7 +84,10 @@ export async function createIdpOrgPolicy(
        const { idpId, orgId } = parsedParams.data;
        const { roleMapping, orgMapping } = parsedBody.data;

-        if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+        if (
+            privateConfig.getRawPrivateConfig().app.identity_provider_mode ===
+            "org"
+        ) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
--- a/server/routers/idp/createOidcIdp.ts
+++ b/server/routers/idp/createOidcIdp.ts
@@ -12,6 +12,7 @@ import { idp, idpOidcConfig, idpOrg, orgs } from "@server/db";
 import { generateOidcRedirectUrl } from "@server/lib/idp/generateRedirectUrl";
 import { encrypt } from "@server/lib/crypto";
 import config from "@server/lib/config";
+import privateConfig from "@server/private/lib/config";

 const paramsSchema = z.strictObject({});

@@ -39,7 +40,6 @@ const CreateIdpResponseDataSchema = z.object({
    redirectUrl: z.string()
 });

-
 registry.registerPath({
    method: "put",
    path: "/idp/oidc",
@@ -98,7 +98,8 @@ export async function createOidcIdp(
        } = parsedBody.data;

        if (
-            process.env.IDENTITY_PROVIDER_MODE === "org"
+            privateConfig.getRawPrivateConfig().app.identity_provider_mode ===
+            "org"
        ) {
            return next(
                createHttpError(
--- a/server/routers/idp/updateIdpOrgPolicy.ts
+++ b/server/routers/idp/updateIdpOrgPolicy.ts
@@ -10,6 +10,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { eq, and } from "drizzle-orm";
 import { idp, idpOrg } from "@server/db";
+import privateConfig from "@server/private/lib/config";

 const paramsSchema = z.strictObject({
    idpId: z.coerce.number<number>(),
@@ -24,7 +25,6 @@ const bodySchema = z.strictObject({
 export type UpdateIdpOrgPolicyResponse = {};
 const UpdateIdpOrgPolicyResponseDataSchema = z.object({});

-
 registry.registerPath({
    method: "post",
    path: "/idp/{idpId}/org/{orgId}",
@@ -45,7 +45,9 @@ registry.registerPath({
            description: "Successful response",
            content: {
                "application/json": {
-                    schema: createApiResponseSchema(UpdateIdpOrgPolicyResponseDataSchema)
+                    schema: createApiResponseSchema(
+                        UpdateIdpOrgPolicyResponseDataSchema
+                    )
                }
            }
        }
@@ -81,7 +83,10 @@ export async function updateIdpOrgPolicy(
        const { idpId, orgId } = parsedParams.data;
        const { roleMapping, orgMapping } = parsedBody.data;

-        if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+        if (
+            privateConfig.getRawPrivateConfig().app.identity_provider_mode ===
+            "org"
+        ) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
--- a/server/routers/idp/updateOidcIdp.ts
+++ b/server/routers/idp/updateOidcIdp.ts
@@ -12,6 +12,7 @@ import { idp, idpOidcConfig } from "@server/db";
 import { eq } from "drizzle-orm";
 import { encrypt } from "@server/lib/crypto";
 import config from "@server/lib/config";
+import privateConfig from "@server/private/lib/config";

 const paramsSchema = z
    .object({
@@ -43,7 +44,6 @@ const UpdateIdpResponseDataSchema = z.object({
    idpId: z.number()
 });

-
 registry.registerPath({
    method: "post",
    path: "/idp/{idpId}/oidc",
@@ -115,7 +115,10 @@ export async function updateOidcIdp(
            variant
        } = parsedBody.data;

-        if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+        if (
+            privateConfig.getRawPrivateConfig().app.identity_provider_mode ===
+            "org"
+        ) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -17,6 +17,7 @@ import {
    verifyApiKey,
    verifyApiKeyOrgAccess,
    verifyApiKeyHasAction,
+    verifyApiKeyCanSetUserOrgRoles,
    verifyApiKeySiteAccess,
    verifyApiKeyResourceAccess,
    verifyApiKeyTargetAccess,
@@ -973,13 +974,6 @@ authenticated.get(
    idp.getIdp
 );

-authenticated.delete(
-    "/idp/:idpId",
-    verifyApiKeyIsRoot,
-    verifyApiKeyHasAction(ActionsEnum.deleteIdp),
-    idp.deleteIdp
-);
-
 authenticated.put(
    "/idp/:idpId/org/:orgId",
    verifyApiKeyIsRoot,
--- a/server/routers/policy/setResourcePolicyAccessControl.ts
+++ b/server/routers/policy/setResourcePolicyAccessControl.ts
@@ -18,6 +18,7 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { and, eq, inArray, ne } from "drizzle-orm";
 import { OpenAPITags, registry } from "@server/openApi";
+import privateConfig from "@server/private/lib/config";

 const setResourcePolicyAcccessControlBodySchema = z.strictObject({
    sso: z.boolean(),
@@ -107,20 +108,42 @@ export async function setResourcePolicyAccessControl(
            const [provider] = await db
                .select()
                .from(idp)
-                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
-                .where(
-                    and(eq(idp.idpId, idpId), eq(idpOrg.orgId, policy.orgId))
-                )
+                .where(eq(idp.idpId, idpId))
                .limit(1);

            if (!provider) {
                return next(
                    createHttpError(
                        HttpCode.INTERNAL_SERVER_ERROR,
-                        "Identity provider not found in this organization"
+                        "Identity provider not found"
                    )
                );
            }
+
+            if (
+                privateConfig.getRawPrivateConfig().app
+                    .identity_provider_mode === "org"
+            ) {
+                const [providerOrg] = await db
+                    .select()
+                    .from(idpOrg)
+                    .where(
+                        and(
+                            eq(idpOrg.idpId, idpId),
+                            eq(idpOrg.orgId, policy.orgId)
+                        )
+                    )
+                    .limit(1);
+
+                if (!providerOrg) {
+                    return next(
+                        createHttpError(
+                            HttpCode.INTERNAL_SERVER_ERROR,
+                            "Identity provider not found in this organization"
+                        )
+                    );
+                }
+            }
        }

        // Check if any of the roleIds are admin roles
Author	SHA1	Message	Date
Owen	d7cfffd92d	Use the config not the env var	2026-06-22 10:24:16 -04:00
copilot-swe-agent[bot]	3b68139873	fix: clarify IdP validation messages across policy flows	2026-06-16 23:46:51 +00:00
copilot-swe-agent[bot]	ad1c8113ea	fix: allow default IdP validation in global mode policies	2026-06-16 23:43:36 +00:00
copilot-swe-agent[bot]	fec0fea766	Initial plan	2026-06-16 23:39:01 +00:00
dependabot[bot]	43d1b8ca82	Bump the dev-minor-updates group across 1 directory with 7 updates Bumps the dev-minor-updates group with 7 updates in the / directory: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [@dotenvx/dotenvx](https://github.com/dotenvx/dotenvx) \| `1.69.1` \| `1.71.3` \| \| [@react-email/ui](https://github.com/resend/react-email/tree/HEAD/packages/ui) \| `6.5.0` \| `6.6.0` \| \| [@tanstack/react-query-devtools](https://github.com/TanStack/query/tree/HEAD/packages/react-query-devtools) \| `5.100.14` \| `5.101.0` \| \| [esbuild-node-externals](https://github.com/pradel/esbuild-node-externals) \| `1.22.0` \| `1.23.1` \| \| [eslint](https://github.com/eslint/eslint) \| `10.4.0` \| `10.5.0` \| \| [react-email](https://github.com/resend/react-email/tree/HEAD/packages/react-email) \| `6.5.0` \| `6.6.0` \| \| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) \| `8.60.0` \| `8.61.0` \| Updates `@dotenvx/dotenvx` from 1.69.1 to 1.71.3 - [Release notes](https://github.com/dotenvx/dotenvx/releases) - [Changelog](https://github.com/dotenvx/dotenvx/blob/main/CHANGELOG.md) - [Commits](https://github.com/dotenvx/dotenvx/compare/v1.69.1...v1.71.3) Updates `@react-email/ui` from 6.5.0 to 6.6.0 - [Release notes](https://github.com/resend/react-email/releases) - [Changelog](https://github.com/resend/react-email/blob/canary/packages/ui/CHANGELOG.md) - [Commits](https://github.com/resend/react-email/commits/@react-email/ui@6.6.0/packages/ui) Updates `@tanstack/react-query-devtools` from 5.100.14 to 5.101.0 - [Release notes](https://github.com/TanStack/query/releases) - [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query-devtools/CHANGELOG.md) - [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query-devtools@5.101.0/packages/react-query-devtools) Updates `esbuild-node-externals` from 1.22.0 to 1.23.1 - [Release notes](https://github.com/pradel/esbuild-node-externals/releases) - [Commits](https://github.com/pradel/esbuild-node-externals/compare/esbuild-node-externals-v1.22.0...esbuild-node-externals-v1.23.1) Updates `eslint` from 10.4.0 to 10.5.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/compare/v10.4.0...v10.5.0) Updates `react-email` from 6.5.0 to 6.6.0 - [Release notes](https://github.com/resend/react-email/releases) - [Changelog](https://github.com/resend/react-email/blob/canary/packages/react-email/CHANGELOG.md) - [Commits](https://github.com/resend/react-email/commits/react-email@6.6.0/packages/react-email) Updates `typescript-eslint` from 8.60.0 to 8.61.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.0/packages/typescript-eslint) --- updated-dependencies: - dependency-name: "@dotenvx/dotenvx" dependency-version: 1.71.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: "@react-email/ui" dependency-version: 6.6.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: "@tanstack/react-query-devtools" dependency-version: 5.101.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: esbuild-node-externals dependency-version: 1.23.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: eslint dependency-version: 10.5.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: react-email dependency-version: 6.6.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: typescript-eslint dependency-version: 8.61.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-15 01:35:51 +00:00