33 lines
1.3 KiB
TypeScript
33 lines
1.3 KiB
TypeScript
import { APIError } from "better-auth/api";
|
|
import type { GenericEndpointContext } from "better-auth";
|
|
import { logger } from "~/server/utils/logger";
|
|
import { extractProviderIdFromContext } from "~/server/modules/sso/utils/sso-context";
|
|
import { ssoService } from "~/server/modules/sso/sso.service";
|
|
|
|
export const requireSsoInvitation = async (userEmail: string, ctx: GenericEndpointContext | null) => {
|
|
if (!ctx) {
|
|
throw new APIError("BAD_REQUEST", { message: "Missing SSO context" });
|
|
}
|
|
|
|
const providerId = extractProviderIdFromContext(ctx);
|
|
if (!providerId) {
|
|
throw new APIError("BAD_REQUEST", { message: "Missing providerId in context" });
|
|
}
|
|
|
|
const provider = await ssoService.getSsoProviderById(providerId);
|
|
if (!provider) {
|
|
throw new APIError("NOT_FOUND", { message: "SSO provider not found" });
|
|
}
|
|
|
|
logger.debug("Checking for pending invitations", { organizationId: provider.organizationId });
|
|
|
|
const pendingInvitation = await ssoService.getPendingInvitation(provider.organizationId, userEmail);
|
|
|
|
logger.debug("Pending invitation result", { found: !!pendingInvitation, invitationId: pendingInvitation?.id });
|
|
|
|
if (!pendingInvitation) {
|
|
throw new APIError("FORBIDDEN", {
|
|
message: "Access denied. You must be invited to this organization before you can sign in with SSO.",
|
|
});
|
|
}
|
|
};
|