Fix OAuth integration created in wrong org for non-default organizations

bchapuis · claude · bchapuis · commit 65b2d38350af · 2026-03-22T23:54:23.000+01:00
The OAuth route (/oauth/:provider/connect) had no organizationId in the URL
path, so jwtMiddleware always fell back to the default org from the JWT token.
Frontend now passes the current org as a query parameter, and a new middleware
validates membership before overriding the context.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/apps/api/src/routes/oauth.ts b/apps/api/src/routes/oauth.ts
@@ -1,12 +1,52 @@
+import { and, eq } from "drizzle-orm";
+import type { Context } from "hono";
 import { Hono } from "hono";
 
 import { jwtMiddleware } from "../auth";
 import { ApiContext } from "../context";
+import { createDatabase } from "../db";
+import { memberships } from "../db/schema";
 import { getProvider, OAuthError } from "../oauth";
 
 // Create a new Hono instance for OAuth endpoints
 const oauthRoutes = new Hono<ApiContext>();
 
+/**
+ * Middleware to override organization context from query parameter.
+ * Used during OAuth initiation when the frontend passes the current org.
+ * Validates membership before accepting the override.
+ */
+const resolveOrgFromQuery = async (
+  c: Context<ApiContext>,
+  next: () => Promise<void>
+) => {
+  const orgIdFromQuery = c.req.query("organizationId");
+  if (orgIdFromQuery) {
+    const payload = c.get("jwtPayload");
+    if (!payload) {
+      return c.json({ error: "Not authenticated" }, 401);
+    }
+    const db = createDatabase(c.env.DB);
+
+    const [membership] = await db
+      .select({ organizationId: memberships.organizationId })
+      .from(memberships)
+      .where(
+        and(
+          eq(memberships.userId, payload.sub),
+          eq(memberships.organizationId, orgIdFromQuery)
+        )
+      );
+
+    if (!membership) {
+      return c.json({ error: "Organization not found or access denied" }, 403);
+    }
+
+    c.set("organizationId", membership.organizationId);
+  }
+  await next();
+};
+
 /**
  * GET /oauth/:provider/connect
  *
@@ -16,59 +56,66 @@ const oauthRoutes = new Hono<ApiContext>();
  *
  * Supported providers: google-mail, google-calendar, discord, linkedin, reddit, github
  */
-oauthRoutes.get("/:provider/connect", jwtMiddleware, async (c) => {
-  const providerName = c.req.param("provider");
+oauthRoutes.get(
+  "/:provider/connect",
+  jwtMiddleware,
+  resolveOrgFromQuery,
+  async (c) => {
+    const providerName = c.req.param("provider");
 
-  try {
-    const provider = getProvider(providerName);
-    const code = c.req.query("code");
+    try {
+      const provider = getProvider(providerName);
+      const code = c.req.query("code");
 
-    // Callback flow - provider redirected back with authorization code
-    if (code) {
-      const stateParam = c.req.query("state");
-      const error = c.req.query("error");
+      // Callback flow - provider redirected back with authorization code
+      if (code) {
+        const stateParam = c.req.query("state");
+        const error = c.req.query("error");
 
-      // Check for authorization errors from provider
-      if (error) {
-        return c.redirect(`${c.env.WEB_HOST}/integrations?error=${error}`);
-      }
+        // Check for authorization errors from provider
+        if (error) {
+          return c.redirect(`${c.env.WEB_HOST}/integrations?error=${error}`);
+        }
 
-      // State parameter is required for CSRF protection
-      if (!stateParam) {
-        return c.redirect(`${c.env.WEB_HOST}/integrations?error=oauth_failed`);
-      }
+        // State parameter is required for CSRF protection
+        if (!stateParam) {
+          return c.redirect(
+            `${c.env.WEB_HOST}/integrations?error=oauth_failed`
+          );
+        }
 
-      // Let the provider handle the complete callback flow:
-      // 1. Validate state (CSRF + organization membership)
-      // 2. Exchange code for access token
-      // 3. Fetch user information
-      // 4. Create integration in database
-      const { orgId } = await provider.handleCallback(c, code, stateParam);
+        // Let the provider handle the complete callback flow:
+        // 1. Validate state (CSRF + organization membership)
+        // 2. Exchange code for access token
+        // 3. Fetch user information
+        // 4. Create integration in database
+        const { orgId } = await provider.handleCallback(c, code, stateParam);
 
-      return c.redirect(
-        `${c.env.WEB_HOST}/org/${orgId}/integrations?success=${providerName}_connected`
-      );
-    }
+        return c.redirect(
+          `${c.env.WEB_HOST}/org/${orgId}/integrations?success=${providerName}_connected`
+        );
+      }
 
-    // Initiation flow - no code parameter, start OAuth flow
-    // Provider will:
-    // 1. Validate organization context
-    // 2. Create secure state with nonce
-    // 3. Build authorization URL with correct parameters
-    const authUrl = await provider.initiateAuth(c);
-    return c.redirect(authUrl);
-  } catch (error) {
-    // Handle OAuth-specific errors with user-friendly redirects
-    if (error instanceof OAuthError) {
-      return c.redirect(
-        `${c.env.WEB_HOST}/integrations?error=${error.redirectError}`
-      );
-    }
+      // Initiation flow - no code parameter, start OAuth flow
+      // Provider will:
+      // 1. Validate organization context
+      // 2. Create secure state with nonce
+      // 3. Build authorization URL with correct parameters
+      const authUrl = await provider.initiateAuth(c);
+      return c.redirect(authUrl);
+    } catch (error) {
+      // Handle OAuth-specific errors with user-friendly redirects
+      if (error instanceof OAuthError) {
+        return c.redirect(
+          `${c.env.WEB_HOST}/integrations?error=${error.redirectError}`
+        );
+      }
 
-    // Log unexpected errors and show generic error
-    console.error(`OAuth error for ${providerName}:`, error);
-    return c.redirect(`${c.env.WEB_HOST}/integrations?error=oauth_failed`);
+      // Log unexpected errors and show generic error
+      console.error(`OAuth error for ${providerName}:`, error);
+      return c.redirect(`${c.env.WEB_HOST}/integrations?error=oauth_failed`);
+    }
   }
-});
+);
 
 export default oauthRoutes;
diff --git a/apps/app/src/integrations/hooks/use-integration-actions.ts b/apps/app/src/integrations/hooks/use-integration-actions.ts
@@ -46,16 +46,24 @@ export function useIntegrationActions(): IntegrationActionsResult {
   const { mutate } = useIntegrations();
   const [isProcessing, setIsProcessing] = useState(false);
 
-  const connectOAuth = useCallback((provider: IntegrationProvider) => {
-    const providerConfig = getProvider(provider);
-    if (!providerConfig?.oauthEndpoint) {
-      toast.error("OAuth not supported for this provider");
-      return;
-    }
+  const connectOAuth = useCallback(
+    (provider: IntegrationProvider) => {
+      const providerConfig = getProvider(provider);
+      if (!providerConfig?.oauthEndpoint) {
+        toast.error("OAuth not supported for this provider");
+        return;
+      }
+
+      if (!organization?.id) {
+        toast.error("No organization selected");
+        return;
+      }
 
-    const apiBaseUrl = getApiBaseUrl();
-    window.location.href = `${apiBaseUrl}${providerConfig.oauthEndpoint}`;
-  }, []);
+      const apiBaseUrl = getApiBaseUrl();
+      window.location.href = `${apiBaseUrl}${providerConfig.oauthEndpoint}?organizationId=${organization.id}`;
+    },
+    [organization?.id]
+  );
 
   const createManual = useCallback(
     async (
