Merge pull request #1734 from Infisical/daniel/fix-saml-invite-bug

Fix: SAML organization invite bug
2026-05-02 03:02:03 -04:00 · 2024-04-25 13:07:01 -04:00
parent 6da5f12855 93761f37ea
commit c414bf6c39
2 changed files with 28 additions and 4 deletions
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@@ -340,11 +340,12 @@ export const samlConfigServiceFactory = ({
              orgId,
              inviteEmail: email,
              role: OrgMembershipRole.Member,
-              status: OrgMembershipStatus.Accepted
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
            },
            tx
          );
-        } else if (orgMembership.status === OrgMembershipStatus.Invited) {
+          // Only update the membership to Accepted if the user account is already completed.
+        } else if (orgMembership.status === OrgMembershipStatus.Invited && user.isAccepted) {
          await orgDAL.updateMembershipById(
            orgMembership.id,
            {
--- a/backend/src/services/auth/auth-signup-service.ts
+++ b/backend/src/services/auth/auth-signup-service.ts
@@ -4,6 +4,7 @@ import { OrgMembershipStatus } from "@app/db/schemas";
 import { convertPendingGroupAdditionsToGroupMemberships } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { isDisposableEmail } from "@app/lib/validator";
@@ -139,9 +140,11 @@ export const authSignupServiceFactory = ({
      throw new Error("Failed to complete account for complete user");
    }

-    let organizationId;
+    let organizationId: string | null = null;
+    let authMethod: AuthMethod | null = null;
    if (providerAuthToken) {
-      const { orgId } = validateProviderAuthToken(providerAuthToken, user.username);
+      const { orgId, authMethod: userAuthMethod } = validateProviderAuthToken(providerAuthToken, user.username);
+      authMethod = userAuthMethod;
      organizationId = orgId;
    } else {
      validateSignUpAuthorization(authorization, user.id);
@@ -165,6 +168,26 @@ export const authSignupServiceFactory = ({
        },
        tx
      );
+      // If it's SAML Auth and the organization ID is present, we should check if the user has a pending invite for this org, and accept it
+      if (isAuthMethodSaml(authMethod) && organizationId) {
+        const [pendingOrgMembership] = await orgDAL.findMembership({
+          inviteEmail: email,
+          userId: user.id,
+          status: OrgMembershipStatus.Invited,
+          orgId: organizationId
+        });
+
+        if (pendingOrgMembership) {
+          await orgDAL.updateMembershipById(
+            pendingOrgMembership.id,
+            {
+              status: OrgMembershipStatus.Accepted
+            },
+            tx
+          );
+        }
+      }
+
      return { info: us, key: userEncKey };
    });