assigning uid2 support based on entra id group

ashleysmithTTD · ashleysmithTTD · commit 9bdd65321030 · 2026-02-17T21:40:31.000-07:00
diff --git a/keycloak/themes/uid2-theme/login/messages/messages_en.properties b/keycloak/themes/uid2-theme/login/messages/messages_en.properties
@@ -18,4 +18,8 @@ emailVerifyInstruction2=Haven’t received the verification email?
 confirmExecutionOfActions=Please do the following:
 proceedWithAction=Continue
 accountUpdatedMessage=Your account has been approved
-accountUpdatedInstruction=You can now log in to the UID2 Portal.
+accountUpdatedInstruction=You can now log in to the UID2 Portal.
+
+# Override default broker / IdP messages (more subtle when user does not exist)
+errorTitle=Unable to Sign In
+federatedIdentityUnavailableMessage=This email does not have portal access.
diff --git a/src/api/middleware/userRoleMiddleware.ts b/src/api/middleware/userRoleMiddleware.ts
@@ -1,7 +1,6 @@
 import { Handler, Request } from 'express';
 
 import { UserRoleId } from '../entities/UserRole';
-import { UserToParticipantRole } from '../entities/UserToParticipantRole';
 import { ParticipantRequest } from '../services/participantsService';
 import { findUserByEmail } from '../services/usersService';
 
@@ -24,19 +23,14 @@ export const isSuperUserCheck: Handler = async (req: ParticipantRequest, res, ne
 };
 
 // assign uid2 support if user is developer or developer-elevated in okta
+// assign uid2 support if user has prod-uid2.0-support in Microsoft Entra ID
 export const isUid2Support = async (req: Request) => {
-  const oktaGroups = (req.auth?.payload?.groups as string[] | undefined) ?? [];
-  if (isSuperUser(req) || oktaGroups.includes('developer')) {
+  const authGroups = (req.auth?.payload?.groups as string[] | undefined) ?? [];
+  if (isSuperUser(req) || authGroups.includes('developer') || authGroups.includes('prod-uid2.0-support')) {
     return true;
   }
 
-  const userEmail = req.auth?.payload?.email as string;
-  const user = await findUserByEmail(userEmail);
-  const userWithUid2SupportRole = await UserToParticipantRole.query()
-    .where('userId', user!.id)
-    .andWhere('userRoleId', UserRoleId.UID2Support)
-    .first();
-  return !!userWithUid2SupportRole;
+  return false;
 };
 
 export const isUid2SupportCheck: Handler = async (req: ParticipantRequest, res, next) => {
