fix: merge global + org-scoped token scopes in OrgResolver

Vendor's platform:admin scope comes from a global Logto role, which is
only present in the non-org-scoped token. OrgResolver now fetches both
the global token and the org-scoped token, merging their scopes. This
ensures vendor users see platform:admin and land on the vendor console.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
hsiegeln
2026-04-09 23:33:30 +02:00
parent 4087ce8f29
commit c674785c82


@@ -66,12 +66,21 @@ export function OrgResolver({ children }: { children?: React.ReactNode }) {
};
try {
const token = await (currentOrgId
? getAccessToken(config.logtoResource, currentOrgId)
: getAccessToken(config.logtoResource)
).catch(() => undefined);
// Always fetch the global (non-org) token — it contains global role scopes
// like platform:admin from the saas-vendor role.
const globalToken = await getAccessToken(config.logtoResource).catch(() => undefined);
const globalScopes = extractScopes(globalToken);
setScopes(new Set(extractScopes(token)));
// If an org is selected, also fetch org-scoped token for org-level scopes
// (tenant:manage, apps:manage, etc.)
let orgScopes: string[] = [];
if (currentOrgId) {
const orgToken = await getAccessToken(config.logtoResource, currentOrgId).catch(() => undefined);
orgScopes = extractScopes(orgToken);
}
// Merge both scope sets
setScopes(new Set([...globalScopes, ...orgScopes]));
} catch {
setScopes(new Set());
}