chore: allow user invitation when SSO enforce is enabled#6958
Conversation
|
💬 Discussion in Slack: #pr-review-infisical-6958-thiago-as-eng-5115 Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel. |
|
| Filename | Overview |
|---|---|
| backend/src/services/membership-user/org/org-membership-user-factory.ts | Core SSO invite logic added: domain validation guard, OIDC allowed-domain check, SSO redirect URL helper, and SSO email path in onCreateMembershipComplete. Contains a duplicate OIDC DB query across guard and URL helper. |
| backend/src/services/org/org-service.ts | Refactors token/email/orgId from template props to URL query params. resendOrgMemberInvitation and daily-reminder notifyInvitedUsers now have unhandled SSO-enforced orgs — both send a standard signup-token email instead of the SSO login URL for members in SSO-enforced orgs. |
| backend/src/services/smtp/emails/OrganizationInvitationTemplate.tsx | Simplifies template by moving token/email/orgId into the pre-built callback_url. The button now renders the full URL directly. |
| backend/src/services/super-admin/super-admin-service.ts | Mirrors the URL-param refactor for super-admin invite and reinvite paths — no logic changes. |
| backend/src/services/membership-user/membership-user-service.ts | Wires the three new DAL dependencies (emailDomainDAL, oidcConfigDAL, samlConfigDAL) into the org factory. |
| backend/src/server/routes/index.ts | Passes the new DALs through dependency injection to the membership user service. |
| frontend/src/pages/organization/AccessManagementPage/components/OrgMembersTab/components/OrgMembersSection/OrgMembersSection.tsx | Removes the frontend guard that blocked the invite modal for SSO-enforced orgs, allowing admins to open the modal and invite users. |
Comments Outside Diff (2)
-
backend/src/services/org/org-service.ts, line 918-987 (link)resendOrgMemberInvitationsends wrong link for SSO-enforced orgsBefore this PR, SSO-enforced orgs could never have members in
Invitedstatus, so this path was unreachable for them. Now that the new invite flow pre-creates memberships withInvitedstatus in SSO-enforced orgs, an admin who resends the invitation via this endpoint will email a standard/signupinvite?token=...link rather than the SSO login URL. The invited user clicks "Accept Invite," lands on the signup page, and is stuck because SSO enforcement blocks the credential-based signup flow.The fix mirrors
onCreateMembershipComplete: checkorg?.authEnforced, skip token creation, and send the SSO redirect URL instead. -
backend/src/services/org/org-service.ts, line 1280-1338 (link)Daily reminder emails send wrong link for SSO-enforced org members
notifyInvitedUserssends periodic reminder emails to all pending members using the standard/signupinvite?token=...URL. Now that users in SSO-enforced orgs can legitimately be inInvitedstatus, these reminders will direct them to the credential signup flow, which will fail under SSO enforcement. The function should skip (or redirect) these users to the SSO login URL, the same way the initial invite does inonCreateMembershipComplete.
Reviews (1): Last reviewed commit: "send individual emails" | Re-trigger Greptile
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a55628b77d
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
scott-ray-wilson
left a comment
There was a problem hiding this comment.
LGTM, tested with SAML and OIDC
Context
Screenshots
Steps to verify the change
Type
Checklist
type(scope): short description(scope is optional, e.g.,fix: prevent crash on syncorfix(api): handle null response).