refactor: scope by organizations (#166)

* Add organization to dashboard page

* feat(api): implement organization management functions including creation, deletion, and membership updates

* feat(api): add organization routes and query for listing organization memberships

* feat(api): add organization membership query endpoint for improved data retrieval

* refactor(api, web): add organizations settings page and format code

* refactor(api, web): remove organization handle from creation process and update UI accordingly

* refactor(api, web): remove membership-related functionality and simplify organization data structure

* feat(web): update sidebar to include organizations section and add navigation for administration

* refactor(web): streamline organization switcher component and clean up sidebar structure

* refactor(web): update routing and sidebar structure for organization management

* refactor(web): update dashboard routing to organization-specific paths and remove unused organization switcher component

* refactor(web): remove UsagePage and integrate usage credits into the dashboard, enhancing credit tracking and display

* refactor(web): update routing structure for organization dashboard, workflows, and datasets, enhancing navigation and page organization

* refactor(web): reorganize sidebar items and clean up component imports for improved navigation and code clarity

* refactor(web): consolidate dataset and deployment page imports, streamline routing structure for improved organization and clarity

* refactor(web): update routing paths for datasets and workflows to organization-specific structure, enhancing clarity and consistency

* refactor(web): reorganize sidebar items and enhance breadcrumb functionality for improved navigation and user experience

* refactor(web): move the collapse button at the bottom of the sidebar

* feat(web): add org handle to url

* feat(web): update organization switcher

---------

Co-authored-by: leonardcser <73912641+leonardcser@users.noreply.github.com>

Author: bchapuis

apps/api/src/auth.ts

@@ -10,11 +10,11 @@ import { ApiContext } from "./context";
 import {
   createDatabase,
   OrganizationRole,
-  organizations,
   saveUser,
   users,
   verifyApiKey,
 } from "./db";
+import { memberships, organizations } from "./db/schema";
 
 // Constants
 export const JWT_ACCESS_TOKEN_NAME = "access_token";
@@ -168,7 +168,7 @@ export const jwtMiddleware = async (
     c.env.JWT_SECRET
   )) as JWTTokenPayload | null;
 
-  if (!payload || !payload.organization?.id) {
+  if (!payload || !payload.sub) {
     return c.json({ error: "Invalid or expired token" }, 401);
   }
 
@@ -182,7 +182,38 @@ export const jwtMiddleware = async (
   }
 
   c.set("jwtPayload", payload);
-  c.set("organizationId", payload.organization.id);
+
+  const db = createDatabase(c.env.DB);
+  const organizationIdOrHandleFromUrl = c.req.param("organizationIdOrHandle");
+
+  let organizationId: string;
+
+  if (organizationIdOrHandleFromUrl) {
+    // Resolve organization from URL param
+    const userOrgs = await db
+      .select({ id: organizations.id, handle: organizations.handle })
+      .from(organizations)
+      .innerJoin(memberships, eq(memberships.organizationId, organizations.id))
+      .where(eq(memberships.userId, payload.sub));
+
+    const targetOrg = userOrgs.find(
+      (org) => org.handle === organizationIdOrHandleFromUrl
+    );
+
+    if (!targetOrg) {
+      return c.json({ error: "Organization not found or access denied" }, 403);
+    }
+
+    organizationId = targetOrg.id;
+  } else {
+    // Fallback to default org from token if no URL param
+    if (!payload.organization?.id) {
+      return c.json({ error: "Organization required" }, 400);
+    }
+    organizationId = payload.organization.id;
+  }
+
+  c.set("organizationId", organizationId);
   await next();
 };
 
@@ -277,8 +308,7 @@ export const apiKeyOrJwtMiddleware = async (
     return apiKeyMiddleware(c, next); // apiKeyMiddleware will handle org verification
   }
 
-  // Otherwise, try JWT auth (which might not need organizationIdOrHandleFromUrl explicitly here,
-  // as JWT payload should contain organization info if needed by downstream handlers)
+  // Otherwise, try JWT auth
   return jwtMiddleware(c, next);
 };