
Commit 0d22d83

[server] try to fix org membership on login (#18399)
* [server] try to fix org membership on login; in case it didn't succeed on the first attempt, this might help during the following ones. * [server] allow calling addOrUpdateMember w/o user --------- Co-authored-by: svenefftinge <[email protected]>
1 parent ded77f3 commit 0d22d83

2 files changed

+28
-13
lines changed


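--- a/components/server/src/iam/iam-session-app.ts
+++ b/components/server/src/iam/iam-session-app.ts
@@ -12,7 +12,6 @@ import { UserAuthentication } from "../user/user-authentication";
 import { OIDCCreateSessionPayload } from "./iam-oidc-create-session-payload";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { Identity, User } from "@gitpod/gitpod-protocol";
-import { BUILTIN_INSTLLATION_ADMIN_USER_ID } from "@gitpod/gitpod-db/lib";
 import { reportJWTCookieIssued } from "../prometheus-metrics";
 import { ApplicationError } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { OrganizationService } from "../orgs/organization-service";
@@ -98,17 +97,31 @@ export class IamSessionApp {
 let existingUser = await this.userAuthentication.findUserForLogin({
 candidate: this.mapOIDCProfileToIdentity(payload),
 });
-if (existingUser) {
-return existingUser;
+if (!existingUser) {
+// Organizational account lookup by email address
+existingUser = await this.userAuthentication.findOrgOwnedUser({
+organizationId: payload.organizationId,
+email: payload.claims.email,
+});
+if (existingUser) {
+log.info("Found Org-owned user by email.", { email: payload?.claims?.email });
+}
 }
 
-// Organizational account lookup by email address
-existingUser = await this.userAuthentication.findOrgOwnedUser({
-organizationId: payload.organizationId,
-email: payload.claims.email,
-});
-if (existingUser) {
-log.info("Found Org-owned user by email.", { email: payload?.claims?.email });
+if (existingUser?.organizationId) {
+const members = await this.orgService.listMembers(existingUser.id, existingUser.organizationId);
+if (!members.some((m) => m.userId === existingUser?.id)) {
+// In case `createNewOIDCUser` failed to create a membership for this user,
+// let's try to fix the situation on the fly.
+// Also, if that step repeatedly fails, it would fail the login process earlier but
+// in a more consistent state.
+await this.orgService.addOrUpdateMember(
+undefined,
+existingUser.organizationId,
+existingUser.id,
+"member",
+);
+}
 }
 
 return existingUser;
@@ -144,7 +157,7 @@ export class IamSessionApp {
 },
 });
 
-await this.orgService.addOrUpdateMember(BUILTIN_INSTLLATION_ADMIN_USER_ID, organizationId, user.id, "member");
+await this.orgService.addOrUpdateMember(undefined, organizationId, user.id, "member");
 return user;
 }
 }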

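--- a/components/server/src/orgs/organization-service.ts
+++ b/components/server/src/orgs/organization-service.ts
@@ -179,12 +179,14 @@ export class OrganizationService {
 }
 
 public async addOrUpdateMember(
-userId: string,
+userId: string | undefined, // undefined means it is a system call, not a user call
 orgId: string,
 memberId: string,
 role: OrgMemberRole,
 ): Promise<void> {
-await this.auth.checkPermissionOnOrganization(userId, "write_members", orgId);
+if (userId) {
+await this.auth.checkPermissionOnOrganization(userId, "write_members", orgId);
+}
 if (role !== "owner") {
 const members = await this.teamDB.findMembersByTeam(orgId);
 if (!members.some((m) => m.userId !== memberId && m.role === "owner")) {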
