feat(auth): add organization context to JWT tokens and secure organization switching

samuelmbabhazi · samuelmbabhazi · commit 21eb59e79bc0 · 2025-12-24T16:44:40.000+02:00
- Add CHANGE_SELECTED_ORGANIZATION permission to EMPLOYEE role
- Add PermissionGuard to /switch-organization endpoint
- Add organizationId to JWT access token payload
- Add organizationId to JWT refresh token payload
- Update getAccessTokenFromRefreshToken to maintain organization context
- Secure RequestContext.currentOrganizationId() to read from JWT instead of headers

BREAKING CHANGE: JWT tokens now include organizationId field. Clients should handle the new token structure.
diff --git a/packages/core/src/lib/auth/auth.controller.ts b/packages/core/src/lib/auth/auth.controller.ts
@@ -18,7 +18,8 @@ import {
 	ISocialAccount,
 	ISocialAccountExistUser,
 	IUserSigninWorkspaceResponse,
-	LanguagesEnum
+	LanguagesEnum,
+	PermissionsEnum
 } from '@gauzy/contracts';
 import { Public } from '@gauzy/common';
 import { parseToBoolean } from '@gauzy/utils';
@@ -31,7 +32,8 @@ import {
 	WorkspaceSigninVerifyTokenCommand
 } from './commands';
 import { RequestContext } from '../core/context';
-import { AuthRefreshGuard, TenantPermissionGuard } from './../shared/guards';
+import { AuthRefreshGuard, PermissionGuard, TenantPermissionGuard } from './../shared/guards';
+import { Permissions } from './../shared/decorators';
 import { UseValidationPipe } from '../shared/pipes';
 import { ChangePasswordRequestDTO, ResetPasswordRequestDTO } from './../password-reset/dto';
 import { RegisterUserDTO, UserEmailDTO, UserLoginDTO, UserSigninWorkspaceDTO } from './../user/dto';
@@ -381,7 +383,8 @@ export class AuthController {
 	})
 	@HttpCode(HttpStatus.OK)
 	@Post('/switch-organization')
-	@UseGuards(TenantPermissionGuard)
+	@UseGuards(TenantPermissionGuard, PermissionGuard)
+	@Permissions(PermissionsEnum.CHANGE_SELECTED_ORGANIZATION)
 	@UseValidationPipe({ whitelist: true })
 	async switchOrganization(@Body() input: SwitchOrganizationDTO): Promise<IAuthResponse | null> {
 		return await this.authService.switchOrganization(input.organizationId);
diff --git a/packages/core/src/lib/auth/auth.service.ts b/packages/core/src/lib/auth/auth.service.ts
@@ -922,6 +922,7 @@ export class AuthService extends SocialAuthService {
 			const payload: JwtPayload = {
 				id: user.id,
 				tenantId: user.tenantId ?? null,
+				organizationId: organizationId ?? employee?.organizationId ?? null,
 				employeeId: employee ? employee.id : null,
 				role: user.role ? user.role.name : null,
 				permissions: user.role?.rolePermissions?.filter((rp) => rp.enabled).map((rp) => rp.permission) ?? null
@@ -945,21 +946,23 @@ export class AuthService extends SocialAuthService {
 	 * ID, email, tenant ID, and role. It then generates a refresh token based on this payload.
 	 *
 	 * @param user A partial IUser object containing at least the user's ID, email, and role.
+	 * @param organizationId Optional organization ID to include in the token.
 	 * @returns A Promise that resolves to a JWT refresh token string.
 	 * @throws Logs an error and throws an exception if the token generation fails.
 	 */
-	public async getJwtRefreshToken(user: Partial<IUser>) {
+	public async getJwtRefreshToken(user: Partial<IUser>, organizationId?: ID) {
 		try {
 			// Ensure the user object contains the necessary information
 			if (!user.id || !user.email) {
 				throw new Error('User ID or email is missing.');
 			}
 
-			// Construct the JWT payload
+			// Construct the JWT payload with organization context
 			const payload: JwtPayload = {
 				id: user.id,
 				email: user.email,
 				tenantId: user.tenantId || null,
+				organizationId: organizationId || user.lastOrganizationId || null,
 				role: user.role ? user.role.name : null
 			};
 
@@ -975,6 +978,9 @@ export class AuthService extends SocialAuthService {
 	/**
 	 * Get JWT access token from JWT refresh token
 	 *
+	 * Extracts the organization context from the refresh token to maintain
+	 * the user's organization selection across token refreshes.
+	 *
 	 * @returns {Promise<{ token: string } | null>}
 	 */
 	async getAccessTokenFromRefreshToken(): Promise<{ token: string } | null> {
@@ -985,8 +991,12 @@ export class AuthService extends SocialAuthService {
 			// If no user is found, return null
 			if (!user) return null;
 
-			// Get and return the JWT access token for the user
-			const token = await this.getJwtAccessToken(user);
+			// Extract organizationId from the current token (refresh token context)
+			// This ensures the new access token maintains the organization context
+			const organizationId = RequestContext.currentOrganizationId() || user.lastOrganizationId;
+
+			// Get and return the JWT access token for the user with organization context
+			const token = await this.getJwtAccessToken(user, organizationId);
 			return { token };
 		} catch (error) {
 			// Use console.error for error logging with more descriptive context
@@ -1686,7 +1696,7 @@ export class AuthService extends SocialAuthService {
 			// Generate new access and refresh tokens with the new organization context
 			const [access_token, refresh_token] = await Promise.all([
 				this.getJwtAccessToken(user, organizationId),
-				this.getJwtRefreshToken(user)
+				this.getJwtRefreshToken(user, organizationId)
 			]);
 
 			// Store the current refresh token with the user
diff --git a/packages/core/src/lib/core/context/request-context.ts b/packages/core/src/lib/core/context/request-context.ts
@@ -194,14 +194,32 @@ export class RequestContext {
 	}
 
 	/**
-	 * Retrieves the current organization ID from the request headers.
+	 * Retrieves the current organization ID from the JWT token.
+	 * This is secure because it reads from the authenticated token, not from client headers.
 	 * Returns the organization ID if available, otherwise returns null.
 	 *
 	 * @returns {ID | null} - The current organization ID or null if not available.
 	 */
 	static currentOrganizationId(): ID | null {
-		const req = RequestContext.currentRequest();
-		return (req?.headers?.['organization-id'] as ID) || null;
+		const requestContext = RequestContext.currentRequestContext();
+		if (requestContext) {
+			try {
+				const token = this.currentToken();
+				if (token) {
+					const jwtPayload = verify(token, env.JWT_SECRET) as {
+						id: string;
+						organizationId: ID;
+					};
+					return jwtPayload.organizationId ?? null;
+				}
+			} catch (error) {
+				if (error instanceof JsonWebTokenError) {
+					return null;
+				}
+				throw error;
+			}
+		}
+		return null;
 	}
 
 	/**
diff --git a/packages/core/src/lib/role-permission/default-role-permissions.ts b/packages/core/src/lib/role-permission/default-role-permissions.ts
@@ -489,6 +489,7 @@ export const DEFAULT_ROLE_PERMISSIONS = [
 			PermissionsEnum.PROJECT_MANAGEMENT_DASHBOARD,
 			PermissionsEnum.TIME_TRACKING_DASHBOARD,
 			PermissionsEnum.HUMAN_RESOURCE_DASHBOARD,
+			PermissionsEnum.CHANGE_SELECTED_ORGANIZATION,
 			PermissionsEnum.ORG_PROPOSALS_VIEW,
 			PermissionsEnum.ORG_PROPOSALS_EDIT,
 			PermissionsEnum.ORG_PROPOSAL_TEMPLATES_VIEW,
