Guard against scope nesting

Hawxy · Hawxy · commit a411eb0cb048 · 2026-04-02T22:53:02.000+08:00
diff --git a/README.md b/README.md
@@ -201,12 +201,14 @@ public async Task CreateUserAsync(User user, string orgId)
   
 ```
 
+ALWAYS ensure you dispose of the scope when finished.
+
 There's a few limitations if you're using this functionality, as it uses `AsyncLocal` internally:
 
-- Never use multiple client scopes at the same time, either with the same or different client types.
-- Never call any other client that utilizes `.AddAccessToken` within a client scope.
+- Never use multiple client scopes at the same time, either with the same or different client types. This will throw an exception.
+- Never call any other client that utilizes `.AddAccessToken` within a client scope. This may cause the wrong Organization ID/Name being used for a given request.
 
-Doing any of the above is likely to result in hard to debug behaviour and may cause the wrong Organization ID/Name being used for a given request.
+If you have a use-case for either of these items, please open an issue with an example.
 
 This functionality is marked as experimental, and you must `#pragma warning disable AUTH0_EXPERIMENTAL` to use it. 
 
diff --git a/src/Auth0Net.DependencyInjection/Organizations/OrganizationScopeFactory.cs b/src/Auth0Net.DependencyInjection/Organizations/OrganizationScopeFactory.cs
@@ -48,6 +48,13 @@ public OrganizationScopeFactory(TClient client, HttpClientOrganizationAccessor a
     /// </returns>
     public OrganizationScope<TClient> CreateScope(string organization)
     {
+#if NET8_0_OR_GREATER
+        ArgumentNullException.ThrowIfNull(organization);
+#endif
+        if (!string.IsNullOrEmpty(_accessor.Organization))
+            throw new InvalidOperationException(
+                "Attempted to create a nested organization scope. This is unsupported. Please open an issue if you'd find this useful.");
+        
         _accessor.Organization = organization;
         return new OrganizationScope<TClient>(_client, _accessor);
     }
diff --git a/tests/Auth0Net.DependencyInjection.Tests/OrganizationScopeFactoryTests.cs b/tests/Auth0Net.DependencyInjection.Tests/OrganizationScopeFactoryTests.cs
@@ -6,7 +6,7 @@
 using Xunit;
 
 namespace Auth0Net.DependencyInjection.Tests;
-
+#pragma warning disable AUTH0_EXPERIMENTAL
 public class OrganizationScopeFactoryTests
 {
     [Fact]
@@ -15,10 +15,9 @@ public void OrganizationScopeFactory_ThrowsForAuthenticationApiClient()
         var client = A.Fake<IAuthenticationApiClient>();
         var accessor = new HttpClientOrganizationAccessor();
 
-#pragma warning disable AUTH0_EXPERIMENTAL
         Assert.Throws<InvalidOperationException>(() =>
             new OrganizationScopeFactory<IAuthenticationApiClient>(client, accessor));
-#pragma warning restore AUTH0_EXPERIMENTAL
+
     }
 
     [Fact]
@@ -27,10 +26,22 @@ public void OrganizationScopeFactory_ThrowsForManagementApiClient()
         var client = A.Fake<IManagementApiClient>();
         var accessor = new HttpClientOrganizationAccessor();
 
-#pragma warning disable AUTH0_EXPERIMENTAL
         Assert.Throws<InvalidOperationException>(() =>
             new OrganizationScopeFactory<IManagementApiClient>(client, accessor));
-#pragma warning restore AUTH0_EXPERIMENTAL
+    }
+    
+    [Fact]
+    public void OrganizationScopeFactory_CreateScope_ThrowsInNestedScope()
+    {
+        var client = new TestClient();
+        var accessor = new HttpClientOrganizationAccessor();
+
+        var factory = new OrganizationScopeFactory<TestClient>(client, accessor);
+        var scope = factory.CreateScope("org-123");
+        Assert.Throws<InvalidOperationException>(() => factory.CreateScope("org-123"));
+        
+        scope.Dispose();
+        Assert.Null(accessor.Organization);
     }
 
     [Fact]
@@ -39,17 +50,17 @@ public void OrganizationScopeFactory_CreateScope_SetsOrganizationOnAccessorAndEx
         var client = new TestClient();
         var accessor = new HttpClientOrganizationAccessor();
 
-#pragma warning disable AUTH0_EXPERIMENTAL
         var factory = new OrganizationScopeFactory<TestClient>(client, accessor);
         var scope = factory.CreateScope("org-123");
-#pragma warning restore AUTH0_EXPERIMENTAL
-
+        
         Assert.Equal("org-123", accessor.Organization);
         Assert.Same(client, scope.Client);
         
         scope.Dispose();
         Assert.Null(accessor.Organization);
     }
     
+    
+    
     private sealed class TestClient { }
 }

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,13 @@ public OrganizationScopeFactory(TClient client, HttpClientOrganizationAccessor a`
`48`	`48`	`/// </returns>`
`49`	`49`	`public OrganizationScope<TClient> CreateScope(string organization)`
`50`	`50`	`{`
	`51`	`+#if NET8_0_OR_GREATER`
	`52`	`+ ArgumentNullException.ThrowIfNull(organization);`
	`53`	`+#endif`
	`54`	`+ if (!string.IsNullOrEmpty(_accessor.Organization))`
	`55`	`+ throw new InvalidOperationException(`
	`56`	`+ "Attempted to create a nested organization scope. This is unsupported. Please open an issue if you'd find this useful.");`
	`57`	`+`
`51`	`58`	`_accessor.Organization = organization;`
`52`	`59`	`return new OrganizationScope<TClient>(_client, _accessor);`
`53`	`60`	`}`