feat: s2s endpoint for org state

Author: evansims

crates/infera-management-api/src/handlers/organizations.rs

@@ -10,9 +10,9 @@ use infera_management_types::{
         DeleteInvitationResponse, DeleteOrganizationResponse, GetOrganizationResponse,
         InvitationResponse, ListInvitationsResponse, ListMembersResponse,
         ListOrganizationsResponse, OrganizationMemberResponse, OrganizationResponse,
-        RemoveMemberResponse, TransferOwnershipRequest, TransferOwnershipResponse,
-        UpdateMemberRoleRequest, UpdateMemberRoleResponse, UpdateOrganizationRequest,
-        UpdateOrganizationResponse,
+        OrganizationServerResponse, OrganizationStatus, RemoveMemberResponse,
+        TransferOwnershipRequest, TransferOwnershipResponse, UpdateMemberRoleRequest,
+        UpdateMemberRoleResponse, UpdateOrganizationRequest, UpdateOrganizationResponse,
     },
     entities::{
         Organization, OrganizationInvitation, OrganizationMember, OrganizationRole,
@@ -215,6 +215,46 @@ pub async fn get_organization(
     }))
 }
 
+/// Get organization by ID (server-to-server endpoint)
+///
+/// GET /v1/organizations/:org
+/// Auth: Session or Server JWT (dual authentication)
+///
+/// This endpoint is used by the server to verify organization status.
+/// Unlike `get_organization`, this does not require organization context
+/// and returns minimal information (no user role).
+///
+/// Returns organization status as Active, Suspended, or Deleted.
+/// Currently only Active and Deleted states are implemented.
+pub async fn get_organization_by_id(
+    State(state): State<AppState>,
+    Path(org_id): Path<i64>,
+) -> Result<Json<OrganizationServerResponse>> {
+    let repos = RepositoryContext::new((*state.storage).clone());
+
+    // Get organization
+    let org = repos
+        .org
+        .get(org_id)
+        .await?
+        .ok_or_else(|| CoreError::NotFound("Organization not found".to_string()))?;
+
+    // Determine status based on deleted_at field
+    // Currently we only have Active and Deleted states
+    // Suspended state would require adding a new field to the Organization entity
+    let status = if org.is_deleted() {
+        OrganizationStatus::Deleted
+    } else {
+        OrganizationStatus::Active
+    };
+
+    Ok(Json(OrganizationServerResponse {
+        id: org.id,
+        name: org.name,
+        status,
+    }))
+}
+
 /// Update organization
 ///
 /// PATCH /v1/organizations/:org

crates/infera-management-api/src/routes.rs

@@ -3,8 +3,7 @@ use crate::handlers::{
     organizations, sessions, teams, tokens, users, vaults, AppState,
 };
 use crate::middleware::{
-    logging_middleware, require_organization_member, require_session,
-    require_session_or_server_jwt,
+    logging_middleware, require_organization_member, require_session, require_session_or_server_jwt,
 };
 use axum::{
     middleware,
@@ -254,7 +253,10 @@ pub fn create_router_with_state(state: AppState) -> axum::Router {
     // Routes that accept EITHER session auth OR server JWT (for server-to-server)
     let dual_auth = Router::new()
         // Organization GET endpoint - used by users and by server for verification
-        .route("/v1/organizations/{org}", get(organizations::get_organization))
+        .route(
+            "/v1/organizations/{org}",
+            get(organizations::get_organization_by_id),
+        )
         // Vault GET endpoint - used by users and by server for vault ownership verification
         .route("/v1/vaults/{vault}", get(vaults::get_vault_by_id))
         .with_state(state.clone())
@@ -303,9 +305,9 @@ pub fn create_router_with_state(state: AppState) -> axum::Router {
             get(jwks::get_org_jwks),
         )
         .with_state(state)
-        .merge(dual_auth)
-        .merge(protected)
         .merge(org_scoped)
+        .merge(protected)
+        .merge(dual_auth)
         // Add logging middleware to log all requests
         .layer(middleware::from_fn(logging_middleware))
 }

crates/infera-management-types/src/dto/mod.rs

@@ -45,9 +45,10 @@ pub use organizations::{
     CreateInvitationResponse, CreateOrganizationRequest, CreateOrganizationResponse,
     DeleteInvitationResponse, DeleteOrganizationResponse, GetOrganizationResponse,
     InvitationResponse, ListInvitationsResponse, ListMembersResponse, ListOrganizationsResponse,
-    OrganizationMemberResponse, OrganizationResponse, RemoveMemberResponse,
-    TransferOwnershipRequest, TransferOwnershipResponse, UpdateMemberRoleRequest,
-    UpdateMemberRoleResponse, UpdateOrganizationRequest, UpdateOrganizationResponse,
+    OrganizationMemberResponse, OrganizationResponse, OrganizationServerResponse,
+    OrganizationStatus, RemoveMemberResponse, TransferOwnershipRequest,
+    TransferOwnershipResponse, UpdateMemberRoleRequest, UpdateMemberRoleResponse,
+    UpdateOrganizationRequest, UpdateOrganizationResponse,
 };
 
 pub use sessions::{ListSessionsResponse, RevokeSessionResponse, SessionInfo};

crates/infera-management-types/src/dto/organizations.rs

@@ -199,3 +199,33 @@ pub struct TransferOwnershipResponse {
     /// Success message
     pub message: String,
 }
+
+// ============================================================================
+// Server-to-Server Organization Info
+// ============================================================================
+
+/// Organization status for server-to-server communication
+/// This mirrors the server's OrgStatus enum for compatibility
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum OrganizationStatus {
+    /// Organization is active
+    Active,
+    /// Organization is suspended
+    Suspended,
+    /// Organization is deleted
+    Deleted,
+}
+
+/// Organization information for server-to-server endpoints
+/// This response format is specifically for the server API to verify
+/// organization status without requiring user session context.
+#[derive(Debug, Serialize, Deserialize)]
+pub struct OrganizationServerResponse {
+    /// Organization ID
+    pub id: i64,
+    /// Organization name
+    pub name: String,
+    /// Organization status (Active, Suspended, or Deleted)
+    pub status: OrganizationStatus,
+}