From 0143ef424c89a8833fa27c1f91261ad1b824bd25 Mon Sep 17 00:00:00 2001
From: Andrew Foote <afoote@mitre.org>
Date: Fri, 12 Jun 2026 13:23:30 -0400
Subject: [PATCH] Return authority validation errors

---
 src/repositories/baseOrgRepository.js         | 19 +++++++++++++++++++
 .../registry-org/registryOrgCRUDTest.js       | 17 +++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/src/repositories/baseOrgRepository.js b/src/repositories/baseOrgRepository.js
index d86a30e6b..a0a9e92f9 100644
--- a/src/repositories/baseOrgRepository.js
+++ b/src/repositories/baseOrgRepository.js
@@ -1042,8 +1042,23 @@ class BaseOrgRepository extends BaseRepository {
       return { isValid: false, errors: [{ instancePath: '/authority', message: 'authority is required' }] }
     }
 
+    const validAuthorityRoles = getConstants().ORG_ROLES
+    const authorityRoleError = instancePath => ({
+      isValid: false,
+      errors: [{
+        instancePath,
+        message: 'must be equal to one of the allowed values',
+        params: { allowedValues: validAuthorityRoles }
+      }]
+    })
+
     let validateObject = {}
     if (Array.isArray(org.authority)) {
+      const invalidAuthorityIndex = org.authority.findIndex(role => !validAuthorityRoles.includes(role))
+      if (invalidAuthorityIndex !== -1) {
+        return authorityRoleError(`/authority/${invalidAuthorityIndex}`)
+      }
+
       // User passed in an array, we need to decide how we handle this.
       if (org.authority.includes('SECRETARIAT')) {
         org.authority = ['SECRETARIAT']
@@ -1068,6 +1083,10 @@ class BaseOrgRepository extends BaseRepository {
         }
       }
     } else {
+      if (!validAuthorityRoles.includes(org.authority)) {
+        return authorityRoleError('/authority')
+      }
+
       if (org.authority === 'ADP') {
         validateObject = ADPOrgModel.validateOrg(org)
       }
diff --git a/test/integration-tests/registry-org/registryOrgCRUDTest.js b/test/integration-tests/registry-org/registryOrgCRUDTest.js
index 5c504b88c..19b2e8737 100644
--- a/test/integration-tests/registry-org/registryOrgCRUDTest.js
+++ b/test/integration-tests/registry-org/registryOrgCRUDTest.js
@@ -748,6 +748,23 @@ describe('Testing /registryOrg endpoints', () => {
             expect(res.body.message).to.equal('Parameters were invalid')
           })
       })
+      it('Fails to update a registry organization with lowercase authority and returns authority errors', async () => {
+        await chai.request(app)
+          .put('/api/registry/org/registry_org_test')
+          .set(secretariatHeaders)
+          .send({
+            ...createdOrg,
+            authority: ['cna']
+          })
+          .then((res) => {
+            expect(res).to.have.status(400)
+            expect(res.body.message).to.equal('Parameters were invalid')
+            expect(res.body.errors).to.be.an('array')
+            expect(res.body.errors[0].instancePath).to.equal('/authority/0')
+            expect(res.body.errors[0].message).to.equal('must be equal to one of the allowed values')
+            expect(res.body.errors[0].params.allowedValues).to.include('CNA')
+          })
+      })
       it('Fails to update a registry organization providing an invalid partner_role_type enum value', async () => {
         await chai.request(app)
           .put('/api/registry/org/registry_org_test')