Fix: Remove org ID from JWT

2025-03-28 15:29:21 +00:00 · 2024-02-26 23:27:30 +01:00
parent bbceb37d06
commit 2032063c24
4 changed files with 5 additions and 31 deletions
--- a/backend/src/server/plugins/auth/inject-identity.ts
+++ b/backend/src/server/plugins/auth/inject-identity.ts
@ -121,10 +121,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
    switch (authMode) {
      // May or may not have an orgId. If it doesn't have an org ID, it's likely because the token is from an org that doesn't enforce org-level auth.
      case AuthMode.JWT: {
-        const { user, tokenVersionId, orgId } = await server.services.authToken.fnValidateJwtIdentity(
-          token,
-          req.headers?.["x-infisical-organization-id"]
-        );
+        const { user, tokenVersionId, orgId } = await server.services.authToken.fnValidateJwtIdentity(token);
        req.auth = { authMode: AuthMode.JWT, user, userId: user.id, tokenVersionId, actor, orgId };
        break;
      }
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@ -264,7 +264,7 @@ export const registerRoutes = async (
    queueService
  });

-  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL, orgDAL });
+  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
  const userService = userServiceFactory({ userDAL });
  const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService });
  const passwordService = authPaswordServiceFactory({
--- a/backend/src/services/auth-token/auth-token-service.ts
+++ b/backend/src/services/auth-token/auth-token-service.ts
@ -7,7 +7,6 @@ import { getConfig } from "@app/lib/config/env";
 import { UnauthorizedError } from "@app/lib/errors";

 import { AuthModeJwtTokenPayload } from "../auth/auth-type";
-import { TOrgDALFactory } from "../org/org-dal";
 import { TUserDALFactory } from "../user/user-dal";
 import { TTokenDALFactory } from "./auth-token-dal";
 import { TCreateTokenForUserDTO, TIssueAuthTokenDTO, TokenType, TValidateTokenForUserDTO } from "./auth-token-types";
@ -15,7 +14,6 @@ import { TCreateTokenForUserDTO, TIssueAuthTokenDTO, TokenType, TValidateTokenFo
 type TAuthTokenServiceFactoryDep = {
  tokenDAL: TTokenDALFactory;
  userDAL: Pick<TUserDALFactory, "findById">;
-  orgDAL: Pick<TOrgDALFactory, "findMembership">;
 };
 export type TAuthTokenServiceFactory = ReturnType<typeof tokenServiceFactory>;

@ -56,7 +54,7 @@ export const getTokenConfig = (tokenType: TokenType) => {
  }
 };

-export const tokenServiceFactory = ({ tokenDAL, userDAL, orgDAL }: TAuthTokenServiceFactoryDep) => {
+export const tokenServiceFactory = ({ tokenDAL, userDAL }: TAuthTokenServiceFactoryDep) => {
  const createTokenForUser = async ({ type, userId, orgId }: TCreateTokenForUserDTO) => {
    const { token, ...tkCfg } = getTokenConfig(type);
    const appCfg = getConfig();
@ -132,7 +130,7 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgDAL }: TAuthTokenSer
  const revokeAllMySessions = async (userId: string) => tokenDAL.deleteTokenSession({ userId });

  // to parse jwt identity in inject identity plugin
-  const fnValidateJwtIdentity = async (token: AuthModeJwtTokenPayload, organizationIdHeader?: string | string[]) => {
+  const fnValidateJwtIdentity = async (token: AuthModeJwtTokenPayload) => {
    const session = await tokenDAL.findOneTokenSession({
      id: token.tokenVersionId,
      userId: token.userId
@ -143,22 +141,7 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgDAL }: TAuthTokenSer
    const user = await userDAL.findById(session.userId);
    if (!user || !user.isAccepted) throw new UnauthorizedError({ name: "Token user not found" });

-    let orgId = token.organizationId;
-    if (!token.organizationId && organizationIdHeader) {
-      // If the token doesn't have an organization ID, but an organization ID is provided in the header, we need to check if the user is a member of the organization before concluding the organization ID is valid.
-      const userMembership = (
-        await orgDAL.findMembership({
-          userId: user.id,
-          orgId: organizationIdHeader as string
-        })
-      )[0];
-
-      if (!userMembership) throw new UnauthorizedError({ name: "User not a member of the organization" });
-
-      orgId = userMembership.orgId;
-    }
-
-    return { user, tokenVersionId: token.tokenVersionId, orgId };
+    return { user, tokenVersionId: token.tokenVersionId, orgId: token.organizationId };
  };

  return {
--- a/frontend/src/config/request.ts
+++ b/frontend/src/config/request.ts
@ -15,14 +15,8 @@ apiRequest.interceptors.request.use((config) => {
  const mfaTempToken = getMfaTempToken();
  const token = getAuthToken();
  const providerAuthToken = SecurityClient.getProviderAuthToken();
-  const organizationId = localStorage.getItem("orgData.id");

  if (config.headers) {
-    if (organizationId) {
-      // eslint-disable-next-line no-param-reassign
-      config.headers["x-infisical-organization-id"] = organizationId;
-    }
-
    if (signupTempToken) {
      // eslint-disable-next-line no-param-reassign
      config.headers.Authorization = `Bearer ${signupTempToken}`;