chore: v2 dont allow mixing platform teams/users with non-platform (calcom#20296)

* chore: v2 dont allow mixing platform teams/users with non-platform

* chore: finish main merge

* test: e2e

* refactor: simplify can add user to team logic

* refactor: fetch only needed oauth data

* refactor: cleanup

Author: supalarry

apps/api/v2/src/modules/oauth-clients/oauth-client.repository.ts

@@ -119,6 +119,15 @@ export class OAuthClientRepository {
     });
   }
 
+  async getByOrgId(organizationId: number) {
+    return this.dbRead.prisma.platformOAuthClient.findMany({
+      where: {
+        organizationId,
+      },
+      select: { id: true },
+    });
+  }
+
   async getByEventTypeHosts(eventTypeId: number) {
     const hostWithUserPlatformClient = await this.dbRead.prisma.host.findFirst({
       select: {

apps/api/v2/src/modules/organizations/memberships/services/organizations-membership.service.ts

@@ -1,17 +1,23 @@
+import { OAuthClientRepository } from "@/modules/oauth-clients/oauth-client.repository";
 import { CreateOrgMembershipDto } from "@/modules/organizations/memberships/inputs/create-organization-membership.input";
 import { OrganizationsMembershipRepository } from "@/modules/organizations/memberships/organizations-membership.repository";
-import { Injectable, NotFoundException } from "@nestjs/common";
+import { BadRequestException, Injectable, NotFoundException } from "@nestjs/common";
 
 import { TeamService } from "@calcom/platform-libraries";
 
 import { UpdateOrgMembershipDto } from "../inputs/update-organization-membership.input";
 import { OrganizationsMembershipOutputService } from "./organizations-membership-output.service";
 
+export const PLATFORM_USER_BEING_ADDED_TO_REGULAR_ORG_ERROR = `Can't add user to organization - the user is platform managed user but organization is not because organization probably was not created using OAuth credentials.`;
+export const REGULAR_USER_BEING_ADDED_TO_PLATFORM_ORG_ERROR = `Can't add user to organization - the user is not platform managed user but organization is platform managed. Both have to be created using OAuth credentials.`;
+export const MANAGED_USER_AND_MANAGED_ORG_CREATED_WITH_DIFFERENT_OAUTH_CLIENTS_ERROR = `Can't add user to organization - managed user and organization were created using different OAuth clients.`;
+
 @Injectable()
 export class OrganizationsMembershipService {
   constructor(
     private readonly organizationsMembershipRepository: OrganizationsMembershipRepository,
-    private readonly organizationsMembershipOutputService: OrganizationsMembershipOutputService
+    private readonly organizationsMembershipOutputService: OrganizationsMembershipOutputService,
+    private readonly oAuthClientsRepository: OAuthClientRepository
   ) {}
 
   async getOrgMembership(organizationId: number, membershipId: number) {
@@ -95,7 +101,33 @@ export class OrganizationsMembershipService {
   }
 
   async createOrgMembership(organizationId: number, data: CreateOrgMembershipDto) {
+    await this.canUserBeAddedToOrg(data.userId, organizationId);
     const membership = await this.organizationsMembershipRepository.createOrgMembership(organizationId, data);
     return this.organizationsMembershipOutputService.getOrgMembershipOutput(membership);
   }
+
+  async canUserBeAddedToOrg(userId: number, orgId: number) {
+    const [userOAuthClient, orgOAuthClients] = await Promise.all([
+      this.oAuthClientsRepository.getByUserId(userId),
+      this.oAuthClientsRepository.getByOrgId(orgId),
+    ]);
+
+    if (!userOAuthClient && orgOAuthClients.length === 0) {
+      return true;
+    }
+
+    if (userOAuthClient && orgOAuthClients.some((orgClient) => orgClient.id === userOAuthClient.id)) {
+      return true;
+    }
+
+    if (!userOAuthClient) {
+      throw new BadRequestException(REGULAR_USER_BEING_ADDED_TO_PLATFORM_ORG_ERROR);
+    }
+
+    if (orgOAuthClients.length === 0) {
+      throw new BadRequestException(PLATFORM_USER_BEING_ADDED_TO_REGULAR_ORG_ERROR);
+    }
+
+    throw new BadRequestException(MANAGED_USER_AND_MANAGED_ORG_CREATED_WITH_DIFFERENT_OAUTH_CLIENTS_ERROR);
+  }
 }

apps/api/v2/src/modules/organizations/organizations.module.ts

@@ -13,7 +13,8 @@ import { ZoomVideoService } from "@/modules/conferencing/services/zoom-video.ser
 import { CredentialsRepository } from "@/modules/credentials/credentials.repository";
 import { EmailModule } from "@/modules/email/email.module";
 import { EmailService } from "@/modules/email/email.service";
-import { MembershipsRepository } from "@/modules/memberships/memberships.repository";
+import { MembershipsModule } from "@/modules/memberships/memberships.module";
+import { OAuthClientRepository } from "@/modules/oauth-clients/oauth-client.repository";
 import { UserOOORepository } from "@/modules/ooo/repositories/ooo.repository";
 import { UserOOOService } from "@/modules/ooo/services/ooo.service";
 import { OrganizationsAttributesController } from "@/modules/organizations/attributes/index/controllers/organizations-attributes.controller";
@@ -65,6 +66,8 @@ import { RedisModule } from "@/modules/redis/redis.module";
 import { RedisService } from "@/modules/redis/redis.service";
 import { StripeModule } from "@/modules/stripe/stripe.module";
 import { TeamsEventTypesModule } from "@/modules/teams/event-types/teams-event-types.module";
+import { TeamsMembershipsService } from "@/modules/teams/memberships/services/teams-memberships.service";
+import { TeamsMembershipsRepository } from "@/modules/teams/memberships/teams-memberships.repository";
 import { TeamsSchedulesService } from "@/modules/teams/schedules/services/teams-schedules.service";
 import { TeamsModule } from "@/modules/teams/teams/teams.module";
 import { TokensRepository } from "@/modules/tokens/tokens.repository";
@@ -93,6 +96,7 @@ import { Module } from "@nestjs/common";
     OrganizationsOrganizationsModule,
     OrganizationsStripeModule,
     OrganizationsTeamsRoutingFormsModule,
+    MembershipsModule,
     OrganizationsConferencingModule,
     EventTypesPrivateLinksModule,
   ],
@@ -101,7 +105,6 @@ import { Module } from "@nestjs/common";
     OrganizationsTeamsRepository,
     OrganizationsService,
     OrganizationsTeamsService,
-    MembershipsRepository,
     OrganizationsSchedulesService,
     OrganizationsUsersRepository,
     OrganizationsUsersService,
@@ -147,6 +150,9 @@ import { Module } from "@nestjs/common";
     TeamsSchedulesService,
     SchedulesService_2024_06_11,
     InputSchedulesService_2024_06_11,
+    TeamsMembershipsService,
+    TeamsMembershipsRepository,
+    OAuthClientRepository,
   ],
   exports: [
     OrganizationsService,