From 68db9a7a8cb0e1bdd39da2ba635027d90a097327 Mon Sep 17 00:00:00 2001
From: Marie <51697796+ijreilly@users.noreply.github.com>
Date: Fri, 14 Feb 2025 17:48:06 +0100
Subject: [PATCH] (fix) throw if Access JWT does not have a userWorkspaceId (#10225)

After introducing userWorkspaceId into JWTs, we were wrongfully executing
```
const userWorkspace = await this.userWorkspaceRepository.findOne({
where: {
id: payload.userWorkspaceId,
},
});
```
which would return a random userWorkpace if `payload.userWorkspaceId` is undefined.

All generated JWTs have had a userWorkspaceId for more than a week now, but in tests we had not modified the accessToken in use, which did not have a userWorkspaceId, until [this pr](https://github.com/twentyhq/twenty/pull/10204)
---
 .../core-modules/auth/strategies/jwt.auth.strategy.spec.ts | 3 ++-
 .../core-modules/auth/strategies/jwt.auth.strategy.ts | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/packages/twenty-server/src/engine/core-modules/auth/strategies/jwt.auth.strategy.spec.ts b/packages/twenty-server/src/engine/core-modules/auth/strategies/jwt.auth.strategy.spec.ts
index 192fbe176..345b6d946 100644
--- a/packages/twenty-server/src/engine/core-modules/auth/strategies/jwt.auth.strategy.spec.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/strategies/jwt.auth.strategy.spec.ts
@@ -208,10 +208,11 @@ describe('JwtAuthStrategy', () => {
 }
 });
- it('should be truthy if type is ACCESS, no jti, and user and userWorkspace exist', async () => {
+ it('should not throw if type is ACCESS, no jti, and user and userWorkspace exist', async () => {
 const payload = {
 sub: 'sub-default',
 type: 'ACCESS',
+ userWorkspaceId: 'userWorkspaceId',
 };
 workspaceRepository = {
diff --git a/packages/twenty-server/src/engine/core-modules/auth/strategies/jwt.auth.strategy.ts b/packages/twenty-server/src/engine/core-modules/auth/strategies/jwt.auth.strategy.ts
index d72cadb88..780a43775 100644 
--- a/packages/twenty-server/src/engine/core-modules/auth/strategies/jwt.auth.strategy.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/strategies/jwt.auth.strategy.ts
@@ -120,6 +120,13 @@ export class JwtAuthStrategy extends PassportStrategy(Strategy, 'jwt') {
 );
 }
+ if (!payload.userWorkspaceId) {
+ throw new AuthException(
+ 'UserWorkspace not found',
+ AuthExceptionCode.USER_WORKSPACE_NOT_FOUND,
+ );
+ }
+
 const userWorkspace = await this.userWorkspaceRepository.findOne({
 where: {
 id: payload.userWorkspaceId,
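Review bot: The new guard in jwt.auth.strategy.ts carries no comment explaining why it exists, and the message it throws ('UserWorkspace not found') describes a failed lookup rather than the actual condition, a verified token that carries no userWorkspaceId claim at all. I would add above the `if`: `// A token without userWorkspaceId must never reach findOne: an undefined id leaves the where clause unconstrained and the query matches an arbitrary row.`, and, if AuthExceptionCode already has a code for a malformed or stale token, prefer it over USER_WORKSPACE_NOT_FOUND so logs can tell the two cases apart. The enclosing method starts and ends outside the hunk, so I cannot see whether the loaded userWorkspace is later checked against the token's `sub`; if it is not, that check would close the remaining gap where a present but foreign userWorkspaceId resolves to another user's workspace. The spec hunk only adds the claim to the existing happy-path test (3 lines changed per the diffstat), so the new throwing branch is untested; a case asserting that an ACCESS payload without userWorkspaceId rejects with USER_WORKSPACE_NOT_FOUND would pin the fix.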