Fix import paths and inline authorization logic for build compatibility

Copilot · karpikpl · Copilot · commit 0077bba9d755 · 2025-08-07T18:36:25.000Z
Co-authored-by: karpikpl &lt;3539908+karpikpl@users.noreply.github.com&gt;
diff --git a/server/routes/auth/github.get.ts b/server/routes/auth/github.get.ts
@@ -1,5 +1,4 @@
 import type { FetchError } from 'ofetch'
-import { requireAuthorization } from '~/server/modules/authorization'
 
 export default defineOAuthGitHubEventHandler({
   config: {
@@ -22,9 +21,36 @@ export default defineOAuthGitHubEventHandler({
       }
     })
 
-    // Check authorization after setting user session
-    if (config.githubAppId || config.authorizedUsers) {
-      await requireAuthorization(event)
+    // Check authorization if configured
+    if ((config.githubAppId || config.authorizedUsers) && config.authorizedUsers && config.authorizedUsers.trim() !== '') {
+      const { user: sessionUser } = await getUserSession(event)
+      
+      if (!sessionUser) {
+        throw createError({
+          statusCode: 401,
+          statusMessage: 'Authentication required'
+        })
+      }
+
+      const username = sessionUser.login || sessionUser.name || sessionUser.githubId?.toString()
+      if (!username) {
+        throw createError({
+          statusCode: 401,
+          statusMessage: 'Unable to determine user identity'
+        })
+      }
+
+      const authorizedUsers = config.authorizedUsers
+        .split(',')
+        .map(user => user.trim().toLowerCase())
+        .filter(user => user.length > 0)
+
+      if (authorizedUsers.length > 0 && !authorizedUsers.includes(username.toLowerCase())) {
+        throw createError({
+          statusCode: 403,
+          statusMessage: 'Access denied. User not authorized to access this application.'
+        })
+      }
     }
 
     // need to check if this is public app (no default org/team/ent)
diff --git a/server/routes/auth/google.get.ts b/server/routes/auth/google.get.ts
@@ -1,7 +1,7 @@
-import { requireAuthorization } from '~/server/modules/authorization'
-
 export default defineOAuthGoogleEventHandler({
   async onSuccess(event, { user, tokens }) {
+    const config = useRuntimeConfig(event)
+    
     await setUserSession(event, {
       user: {
         googleId: user.sub,
@@ -15,8 +15,37 @@ export default defineOAuthGoogleEventHandler({
       }
     })
 
-    // Check authorization after setting user session
-    await requireAuthorization(event)
+    // Check authorization if configured
+    if (config.authorizedUsers && config.authorizedUsers.trim() !== '') {
+      const { user: sessionUser } = await getUserSession(event)
+      
+      if (!sessionUser) {
+        throw createError({
+          statusCode: 401,
+          statusMessage: 'Authentication required'
+        })
+      }
+
+      const username = sessionUser.login || sessionUser.name || sessionUser.email || sessionUser.googleId?.toString()
+      if (!username) {
+        throw createError({
+          statusCode: 401,
+          statusMessage: 'Unable to determine user identity'
+        })
+      }
+
+      const authorizedUsers = config.authorizedUsers
+        .split(',')
+        .map(user => user.trim().toLowerCase())
+        .filter(user => user.length > 0)
+
+      if (authorizedUsers.length > 0 && !authorizedUsers.includes(username.toLowerCase())) {
+        throw createError({
+          statusCode: 403,
+          statusMessage: 'Access denied. User not authorized to access this application.'
+        })
+      }
+    }
 
     return sendRedirect(event, '/')
   },
diff --git a/server/routes/auth/microsoft.get.ts b/server/routes/auth/microsoft.get.ts
@@ -1,7 +1,7 @@
-import { requireAuthorization } from '~/server/modules/authorization'
-
 export default defineOAuthMicrosoftEventHandler({
   async onSuccess(event, { user, tokens }) {
+    const config = useRuntimeConfig(event)
+    
     await setUserSession(event, {
       user: {
         microsoftId: user.id,
@@ -15,8 +15,37 @@ export default defineOAuthMicrosoftEventHandler({
       }
     })
 
-    // Check authorization after setting user session
-    await requireAuthorization(event)
+    // Check authorization if configured
+    if (config.authorizedUsers && config.authorizedUsers.trim() !== '') {
+      const { user: sessionUser } = await getUserSession(event)
+      
+      if (!sessionUser) {
+        throw createError({
+          statusCode: 401,
+          statusMessage: 'Authentication required'
+        })
+      }
+
+      const username = sessionUser.login || sessionUser.name || sessionUser.email || sessionUser.microsoftId?.toString()
+      if (!username) {
+        throw createError({
+          statusCode: 401,
+          statusMessage: 'Unable to determine user identity'
+        })
+      }
+
+      const authorizedUsers = config.authorizedUsers
+        .split(',')
+        .map(user => user.trim().toLowerCase())
+        .filter(user => user.length > 0)
+
+      if (authorizedUsers.length > 0 && !authorizedUsers.includes(username.toLowerCase())) {
+        throw createError({
+          statusCode: 403,
+          statusMessage: 'Access denied. User not authorized to access this application.'
+        })
+      }
+    }
 
     return sendRedirect(event, '/')
   },
