npm - @oneuptime/common - Versions diffs - 11.0.3 → 11.0.4 - Mend

@oneuptime/common 11.0.3 → 11.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (167) hide show

package/Server/Services/GlobalOidcProjectService.ts ADDED Viewed

@@ -0,0 +1,85 @@
+import DatabaseService from "./DatabaseService";
+import Model from "../../Models/DatabaseModels/GlobalOidcProject";
+import Team from "../../Models/DatabaseModels/Team";
+import { LIMIT_PER_PROJECT } from "../../Types/Database/LimitMax";
+import ObjectID from "../../Types/ObjectID";
+import CreateBy from "../Types/Database/CreateBy";
+import { OnCreate, OnUpdate } from "../Types/Database/Hooks";
+import UpdateBy from "../Types/Database/UpdateBy";
+import CaptureSpan from "../Utils/Telemetry/CaptureSpan";
+import validateGlobalProviderProjectTeams, {
+  resolveAttachmentProjectId,
+} from "../Utils/ValidateGlobalProviderProjectTeams";
+export class Service extends DatabaseService<Model> {
+  public constructor() {
+    super(Model);
+  }
+  @CaptureSpan()
+  protected override async onBeforeCreate(
+    createBy: CreateBy<Model>,
+  ): Promise<OnCreate<Model>> {
+    /*
+     * The attach form submits the project via the `project` relation, so the
+     * `projectId` FK is not set yet. Resolve it and persist it (the column is
+     * required / NOT NULL) before validating the default teams against it.
+     */
+    const projectId: ObjectID | undefined = resolveAttachmentProjectId(
+      createBy.data,
+    );
+    if (projectId) {
+      createBy.data.projectId = projectId;
+    }
+    await validateGlobalProviderProjectTeams({
+      teams: createBy.data.teams,
+      projectId,
+    });
+    return { createBy, carryForward: null };
+  }
+  @CaptureSpan()
+  protected override async onBeforeUpdate(
+    updateBy: UpdateBy<Model>,
+  ): Promise<OnUpdate<Model>> {
+    // `updateBy.data` is a partial-entity shape; narrow the relation/id here.
+    const teams: Array<Team> | undefined = updateBy.data.teams as unknown as
+      | Array<Team>
+      | undefined;
+    if (teams && teams.length > 0) {
+      const explicitProjectId: ObjectID | undefined = updateBy.data
+        .projectId as unknown as ObjectID | undefined;
+      if (explicitProjectId) {
+        await validateGlobalProviderProjectTeams({
+          teams,
+          projectId: explicitProjectId,
+        });
+      } else {
+        // projectId is immutable here; resolve it from the row(s) being updated.
+        const rows: Array<Model> = await this.findBy({
+          query: updateBy.query,
+          select: { _id: true, projectId: true },
+          limit: LIMIT_PER_PROJECT,
+          skip: 0,
+          props: { isRoot: true },
+        });
+        for (const row of rows) {
+          await validateGlobalProviderProjectTeams({
+            teams,
+            projectId: row.projectId,
+          });
+        }
+      }
+    }
+    return { updateBy, carryForward: null };
+  }
+}
+export default new Service();

package/Server/Services/GlobalOidcService.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import DatabaseService from "./DatabaseService";
+import Model from "../../Models/DatabaseModels/GlobalOidc";
+export class Service extends DatabaseService<Model> {
+  public constructor() {
+    super(Model);
+  }
+}
+export default new Service();

package/Server/Services/GlobalSsoProjectService.ts ADDED Viewed

@@ -0,0 +1,85 @@
+import DatabaseService from "./DatabaseService";
+import Model from "../../Models/DatabaseModels/GlobalSsoProject";
+import Team from "../../Models/DatabaseModels/Team";
+import { LIMIT_PER_PROJECT } from "../../Types/Database/LimitMax";
+import ObjectID from "../../Types/ObjectID";
+import CreateBy from "../Types/Database/CreateBy";
+import { OnCreate, OnUpdate } from "../Types/Database/Hooks";
+import UpdateBy from "../Types/Database/UpdateBy";
+import CaptureSpan from "../Utils/Telemetry/CaptureSpan";
+import validateGlobalProviderProjectTeams, {
+  resolveAttachmentProjectId,
+} from "../Utils/ValidateGlobalProviderProjectTeams";
+export class Service extends DatabaseService<Model> {
+  public constructor() {
+    super(Model);
+  }
+  @CaptureSpan()
+  protected override async onBeforeCreate(
+    createBy: CreateBy<Model>,
+  ): Promise<OnCreate<Model>> {
+    /*
+     * The attach form submits the project via the `project` relation, so the
+     * `projectId` FK is not set yet. Resolve it and persist it (the column is
+     * required / NOT NULL) before validating the default teams against it.
+     */
+    const projectId: ObjectID | undefined = resolveAttachmentProjectId(
+      createBy.data,
+    );
+    if (projectId) {
+      createBy.data.projectId = projectId;
+    }
+    await validateGlobalProviderProjectTeams({
+      teams: createBy.data.teams,
+      projectId,
+    });
+    return { createBy, carryForward: null };
+  }
+  @CaptureSpan()
+  protected override async onBeforeUpdate(
+    updateBy: UpdateBy<Model>,
+  ): Promise<OnUpdate<Model>> {
+    // `updateBy.data` is a partial-entity shape; narrow the relation/id here.
+    const teams: Array<Team> | undefined = updateBy.data.teams as unknown as
+      | Array<Team>
+      | undefined;
+    if (teams && teams.length > 0) {
+      const explicitProjectId: ObjectID | undefined = updateBy.data
+        .projectId as unknown as ObjectID | undefined;
+      if (explicitProjectId) {
+        await validateGlobalProviderProjectTeams({
+          teams,
+          projectId: explicitProjectId,
+        });
+      } else {
+        // projectId is immutable here; resolve it from the row(s) being updated.
+        const rows: Array<Model> = await this.findBy({
+          query: updateBy.query,
+          select: { _id: true, projectId: true },
+          limit: LIMIT_PER_PROJECT,
+          skip: 0,
+          props: { isRoot: true },
+        });
+        for (const row of rows) {
+          await validateGlobalProviderProjectTeams({
+            teams,
+            projectId: row.projectId,
+          });
+        }
+      }
+    }
+    return { updateBy, carryForward: null };
+  }
+}
+export default new Service();

package/Server/Services/GlobalSsoService.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import DatabaseService from "./DatabaseService";
+import Model from "../../Models/DatabaseModels/GlobalSso";
+export class Service extends DatabaseService<Model> {
+  public constructor() {
+    super(Model);
+  }
+}
+export default new Service();

package/Server/Services/Index.ts CHANGED Viewed

@@ -106,6 +106,10 @@ import ProfileSampleService from "./ProfileSampleService";
 import ProjectSmtpConfigService from "./ProjectSmtpConfigService";
 import ProjectSsoService from "./ProjectSsoService";
 import ProjectOidcService from "./ProjectOidcService";
+import GlobalSsoService from "./GlobalSsoService";
+import GlobalOidcService from "./GlobalOidcService";
+import GlobalSsoProjectService from "./GlobalSsoProjectService";
+import GlobalOidcProjectService from "./GlobalOidcProjectService";
 import PromoCodeService from "./PromoCodeService";
 import EnterpriseLicenseService from "./EnterpriseLicenseService";
 import OpenSourceDeploymentService from "./OpenSourceDeploymentService";
@@ -343,6 +347,10 @@ const services: Array<BaseService> = [
   AIAgentTaskPullRequestService,
   ProjectSsoService,
   ProjectOidcService,
+  GlobalSsoService,
+  GlobalOidcService,
+  GlobalSsoProjectService,
+  GlobalOidcProjectService,
   ScheduledMaintenanceCustomFieldService,
   ScheduledMaintenanceInternalNoteService,

package/Server/Services/ProjectService.ts CHANGED Viewed

@@ -103,6 +103,14 @@ export class ProjectService extends DatabaseService<Model> {
    */
   private requireSsoForLoginCache: InMemoryTTLCache<boolean> =
     new InMemoryTTLCache(10_000);
+  /*
+   * Caches the `requireSsoWithSsoProviderId` discriminator per project so the
+   * enforce-SSO middleware can require that the SSO token was issued by a
+   * specific provider. Stored as a string id (or null when unset). Populated
+   * alongside `getRequireSsoForLogin` so the common path stays a single query.
+   */
+  private requireSsoWithSsoProviderIdCache: InMemoryTTLCache<string | null> =
+    new InMemoryTTLCache(10_000);
   /*
    * Caches the current billing plan per project. `getCurrentPlan` is hit
    * by `CommonAPI.getDatabaseCommonInteractionProps` on every
@@ -351,6 +359,10 @@ export class ProjectService extends DatabaseService<Model> {
       this.requireSsoForLoginCache.clear();
     }
+    if (updateBy.data.requireSsoWithSsoProviderId !== undefined) {
+      this.requireSsoWithSsoProviderIdCache.clear();
+    }
     if (IsBillingEnabled) {
       if (
         updateBy.data.businessDetails ||
@@ -1338,7 +1350,7 @@ export class ProjectService extends DatabaseService<Model> {
     const project: Model | null = await this.findOneById({
       id: projectId,
-      select: { requireSsoForLogin: true },
+      select: { requireSsoForLogin: true, requireSsoWithSsoProviderId: true },
       props: { isRoot: true },
     });
@@ -1349,9 +1361,40 @@ export class ProjectService extends DatabaseService<Model> {
     const value: boolean = Boolean(project.requireSsoForLogin);
     this.requireSsoForLoginCache.set(key, value, 60_000);
+    this.requireSsoWithSsoProviderIdCache.set(
+      key,
+      project.requireSsoWithSsoProviderId
+        ? project.requireSsoWithSsoProviderId.toString()
+        : null,
+      60_000,
+    );
     return value;
   }
+  /**
+   * Returns the specific SSO provider id a project requires for SSO-enforced
+   * login, or null when any trusted provider is acceptable. Cached for 60s and
+   * populated by `getRequireSsoForLogin`, so the enforce path stays one query.
+   */
+  @CaptureSpan()
+  public async getRequireSsoWithSsoProviderId(
+    projectId: ObjectID,
+  ): Promise<ObjectID | null> {
+    const key: string = projectId.toString();
+    const cached: string | null | undefined =
+      this.requireSsoWithSsoProviderIdCache.get(key);
+    if (cached !== undefined) {
+      return cached ? new ObjectID(cached) : null;
+    }
+    // Populate both caches via the existing single-query path.
+    await this.getRequireSsoForLogin(projectId);
+    const populated: string | null | undefined =
+      this.requireSsoWithSsoProviderIdCache.get(key);
+    return populated ? new ObjectID(populated) : null;
+  }
   @CaptureSpan()
   public async getOwners(projectId: ObjectID): Promise<Array<User>> {
     if (!projectId) {

package/Server/Utils/Cookie.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import StatusPagePrivateUser from "../../Models/DatabaseModels/StatusPagePrivate
 import OneUptimeDate from "../../Types/Date";
 import PositiveNumber from "../../Types/PositiveNumber";
 import CookieName from "../../Types/CookieName";
+import SsoProviderType from "../../Types/SSO/SsoProviderType";
 import {
   MASTER_PASSWORD_COOKIE_IDENTIFIER,
   MASTER_PASSWORD_COOKIE_MAX_AGE_IN_DAYS,
@@ -38,15 +39,24 @@ export default class CookieUtil {
     return cookies;
   }
+  /*
+   * Builds a per-project SSO token. The optional `ssoProviderId` /
+   * `ssoProviderType` discriminator records WHICH identity provider issued the
+   * token, so a project that enforces SSO can require a specific provider
+   * (e.g. its own Project SSO, or an instance-wide Global SSO). Used by both
+   * the cookie flow (web) and the deep-link flow (mobile) so the token shape
+   * stays identical.
+   */
   @CaptureSpan()
-  public static setSSOCookie(data: {
+  public static getSSOToken(data: {
     user: User;
     projectId: ObjectID;
-    expressResponse: ExpressResponse;
-  }): void {
-    const { user, projectId, expressResponse: res } = data;
+    ssoProviderId?: ObjectID | undefined;
+    ssoProviderType?: SsoProviderType | undefined;
+  }): string {
+    const { user, projectId } = data;
-    const ssoToken: string = JSONWebToken.sign({
+    return JSONWebToken.sign({
       data: {
         userId: user.id!,
         projectId: projectId,
@@ -54,9 +64,33 @@ export default class CookieUtil {
         email: user.email,
         isMasterAdmin: false,
         isGeneralLogin: false,
+        ssoProviderId: data.ssoProviderId
+          ? data.ssoProviderId.toString()
+          : undefined,
+        ssoProviderType: data.ssoProviderType
+          ? data.ssoProviderType.toString()
+          : undefined,
       },
       expiresInSeconds: OneUptimeDate.getSecondsInDays(new PositiveNumber(30)),
     });
+  }
+  @CaptureSpan()
+  public static setSSOCookie(data: {
+    user: User;
+    projectId: ObjectID;
+    expressResponse: ExpressResponse;
+    ssoProviderId?: ObjectID | undefined;
+    ssoProviderType?: SsoProviderType | undefined;
+  }): void {
+    const { projectId, expressResponse: res } = data;
+    const ssoToken: string = CookieUtil.getSSOToken({
+      user: data.user,
+      projectId: projectId,
+      ssoProviderId: data.ssoProviderId,
+      ssoProviderType: data.ssoProviderType,
+    });
     CookieUtil.setCookie(res, CookieUtil.getUserSSOKey(projectId), ssoToken, {
       maxAge: OneUptimeDate.getMillisecondsInDays(new PositiveNumber(30)),

package/Server/Utils/JsonWebToken.ts CHANGED Viewed

@@ -6,6 +6,7 @@ import JSONFunctions from "../../Types/JSONFunctions";
 import JSONWebTokenData from "../../Types/JsonWebTokenData";
 import Name from "../../Types/Name";
 import ObjectID from "../../Types/ObjectID";
+import SsoProviderType from "../../Types/SSO/SsoProviderType";
 import Timezone from "../../Types/Timezone";
 import StatusPagePrivateUser from "../../Models/DatabaseModels/StatusPagePrivateUser";
 import User from "../../Models/DatabaseModels/User";
@@ -139,6 +140,12 @@ class JSONWebToken {
         sessionId: decoded["sessionId"]
           ? new ObjectID(decoded["sessionId"] as string)
           : undefined,
+        ssoProviderId: decoded["ssoProviderId"]
+          ? new ObjectID(decoded["ssoProviderId"] as string)
+          : undefined,
+        ssoProviderType: decoded["ssoProviderType"]
+          ? (decoded["ssoProviderType"] as SsoProviderType)
+          : undefined,
       };
     } catch (e) {
       logger.error(e);

package/Server/Utils/ValidateGlobalProviderProjectTeams.ts ADDED Viewed

@@ -0,0 +1,119 @@
+import { LIMIT_PER_PROJECT } from "../../Types/Database/LimitMax";
+import BadDataException from "../../Types/Exception/BadDataException";
+import ObjectID from "../../Types/ObjectID";
+import Project from "../../Models/DatabaseModels/Project";
+import Team from "../../Models/DatabaseModels/Team";
+import QueryHelper from "../Types/Database/QueryHelper";
+import TeamService from "../Services/TeamService";
+/*
+ * The Admin Dashboard attach form submits the chosen project via the `project`
+ * relation, not the `projectId` FK: the entity dropdown sets the related
+ * Project (as a model with only `_id`), so `createBy.data.projectId` is
+ * undefined at create-hook time. Resolve the FK from either shape so the hook
+ * can populate the NOT NULL `projectId` column and validate teams against it.
+ */
+export const resolveAttachmentProjectId: (data: {
+  projectId?: ObjectID | undefined;
+  project?: Project | undefined;
+}) => ObjectID | undefined = (data: {
+  projectId?: ObjectID | undefined;
+  project?: Project | undefined;
+}): ObjectID | undefined => {
+  if (data.projectId) {
+    return data.projectId;
+  }
+  const project: (Project & { _id?: string }) | undefined = data.project as
+    | (Project & { _id?: string })
+    | undefined;
+  if (!project) {
+    return undefined;
+  }
+  const idString: string | undefined =
+    project._id?.toString() || (project.id ? project.id.toString() : undefined);
+  return idString ? new ObjectID(idString) : undefined;
+};
+/*
+ * Guards a Global SSO / Global OIDC project-attachment: every default team
+ * selected for the attachment MUST belong to the same project the attachment
+ * targets.
+ *
+ * Without this guard, an admin (or a direct API call) could attach a team that
+ * lives in project B to an attachment that targets project A. The SSO/OIDC
+ * login fan-out (see App/FeatureSet/Identity/API/GlobalSSO.ts) provisions a
+ * TeamMember with `projectId = attachment.projectId` but `teamId = team.id`,
+ * and because that path runs with `ignoreHooks: true` no service-level
+ * validation would catch the mismatch — producing a corrupt, cross-project
+ * membership row. This is the server-side backstop for the project-scoped team
+ * picker in the Admin Dashboard.
+ */
+type ValidateGlobalProviderProjectTeamsFunction = (data: {
+  teams: Array<Team> | undefined;
+  projectId: ObjectID | undefined;
+}) => Promise<void>;
+const validateGlobalProviderProjectTeams: ValidateGlobalProviderProjectTeamsFunction =
+  async (data: {
+    teams: Array<Team> | undefined;
+    projectId: ObjectID | undefined;
+  }): Promise<void> => {
+    const teams: Array<Team> | undefined = data.teams;
+    if (!teams || teams.length === 0) {
+      // No default teams selected: nothing to validate.
+      return;
+    }
+    if (!data.projectId) {
+      throw new BadDataException(
+        "A project must be selected before choosing default teams.",
+      );
+    }
+    const projectId: string = data.projectId.toString();
+    const teamIds: Array<string> = teams
+      .map((team: Team) => {
+        return (
+          team.id?.toString() ||
+          (team as { _id?: string })._id?.toString() ||
+          undefined
+        );
+      })
+      .filter((id: string | undefined): id is string => {
+        return Boolean(id);
+      });
+    if (teamIds.length === 0) {
+      return;
+    }
+    const foundTeams: Array<Team> = await TeamService.findBy({
+      query: { _id: QueryHelper.any(teamIds) },
+      select: { _id: true, projectId: true },
+      limit: LIMIT_PER_PROJECT,
+      skip: 0,
+      props: { isRoot: true },
+    });
+    if (foundTeams.length !== teamIds.length) {
+      throw new BadDataException(
+        "One or more selected teams could not be found.",
+      );
+    }
+    for (const team of foundTeams) {
+      if (team.projectId?.toString() !== projectId) {
+        throw new BadDataException(
+          "All selected teams must belong to the project this provider is attached to.",
+        );
+      }
+    }
+  };
+export default validateGlobalProviderProjectTeams;

package/Tests/Server/Middleware/UserAuthorization.test.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import ProjectMiddleware from "../../../Server/Middleware/ProjectAuthorization";
 import UserMiddleware from "../../../Server/Middleware/UserAuthorization";
 import AccessTokenService from "../../../Server/Services/AccessTokenService";
+import GlobalConfigService from "../../../Server/Services/GlobalConfigService";
 import ProjectService from "../../../Server/Services/ProjectService";
 import TeamMemberService from "../../../Server/Services/TeamMemberService";
 import UserService from "../../../Server/Services/UserService";
@@ -26,7 +27,6 @@ import {
   UserGlobalAccessPermission,
   UserTenantAccessPermission,
 } from "../../../Types/Permission";
-import Project from "../../../Models/DatabaseModels/Project";
 import {
   describe,
   expect,
@@ -44,6 +44,7 @@ jest.mock("../../../Server/Middleware/ProjectAuthorization");
 jest.mock("../../../Server/Utils/JsonWebToken");
 jest.mock("../../../Server/Services/UserService");
 jest.mock("../../../Server/Services/AccessTokenService");
+jest.mock("../../../Server/Services/GlobalConfigService");
 jest.mock("../../../Server/Utils/Response");
 jest.mock("../../../Server/Services/ProjectService");
 jest.mock("../../../Server/Services/TeamMemberService");
@@ -56,7 +57,6 @@ describe("UserMiddleware", () => {
   const mockedAccessToken: string = ObjectID.generate().toString();
   const projectId: ObjectID = ObjectID.generate();
   const userId: ObjectID = ObjectID.generate();
-  const mockedProject: Project = { _id: projectId.toString() } as Project;
   beforeEach(() => {
     jest.clearAllMocks();
@@ -590,15 +590,32 @@ describe("UserMiddleware", () => {
       ProjectService,
       "getRequireSsoForLogin",
     );
+    const spyGetRequireSsoWithSsoProviderId: jest.SpyInstance = getJestSpyOn(
+      ProjectService,
+      "getRequireSsoWithSsoProviderId",
+    );
     const spyDoesSsoTokenForProjectExist: jest.SpyInstance = getJestSpyOn(
       UserMiddleware,
       "doesSsoTokenForProjectExist",
     );
+    const spyGetGlobalRequireSsoForLogin: jest.SpyInstance = getJestSpyOn(
+      GlobalConfigService,
+      "getRequireSsoForLogin",
+    );
     afterEach(() => {
       jest.clearAllMocks();
     });
+    /*
+     * By default no project requires a specific SSO provider (discriminator),
+     * and the instance-wide "Require SSO for Login" flag is off.
+     */
+    beforeEach(() => {
+      spyGetRequireSsoWithSsoProviderId.mockResolvedValue(null);
+      spyGetGlobalRequireSsoForLogin.mockResolvedValue(false);
+    });
     test("should throw 'Invalid tenantId' error, when project is not found for the tenantId", async () => {
       spyGetRequireSsoForLogin.mockRejectedValueOnce(
         new BadDataException("Project not found"),
@@ -630,6 +647,7 @@ describe("UserMiddleware", () => {
         req,
         projectId,
         userId,
+        undefined,
       );
     });
@@ -688,16 +706,37 @@ describe("UserMiddleware", () => {
       projectId,
     } as UserTenantAccessPermission;
-    const spyFindBy: jest.SpyInstance = getJestSpyOn(ProjectService, "findBy");
+    const spyGetProjectRequireSsoForLogin: jest.SpyInstance = getJestSpyOn(
+      ProjectService,
+      "getRequireSsoForLogin",
+    );
+    const spyGetRequireSsoWithSsoProviderId: jest.SpyInstance = getJestSpyOn(
+      ProjectService,
+      "getRequireSsoWithSsoProviderId",
+    );
     const spyDoesSsoTokenForProjectExist: jest.SpyInstance = getJestSpyOn(
       UserMiddleware,
       "doesSsoTokenForProjectExist",
     );
+    const spyGetGlobalRequireSsoForLogin: jest.SpyInstance = getJestSpyOn(
+      GlobalConfigService,
+      "getRequireSsoForLogin",
+    );
     afterEach(() => {
       jest.clearAllMocks();
     });
+    /*
+     * By default neither a project's own nor the instance-wide "Require SSO for
+     * Login" flag is on, and no project requires a specific SSO provider.
+     */
+    beforeEach(() => {
+      spyGetProjectRequireSsoForLogin.mockResolvedValue(false);
+      spyGetRequireSsoWithSsoProviderId.mockResolvedValue(null);
+      spyGetGlobalRequireSsoForLogin.mockResolvedValue(false);
+    });
     test("should return null, when projectIds length is zero", async () => {
       const result: Dictionary<UserTenantAccessPermission> | null =
         await UserMiddleware.getUserTenantAccessPermissionForMultiTenant(
@@ -707,14 +746,12 @@ describe("UserMiddleware", () => {
         );
       expect(result).toBeNull();
-      expect(spyFindBy).not.toBeCalled();
+      expect(spyGetProjectRequireSsoForLogin).not.toBeCalled();
     });
     test("should return default tenant access permission, when project for a projectId is found, sso is required for login, but sso token does not exist for that projectId", async () => {
       spyDoesSsoTokenForProjectExist.mockReturnValueOnce(false);
-      spyFindBy.mockResolvedValueOnce([
-        { ...mockedProject, requireSsoForLogin: true },
-      ]);
+      spyGetProjectRequireSsoForLogin.mockResolvedValueOnce(true);
       const spyGetDefaultUserTenantAccessPermission: jest.SpyInstance =
         getJestSpyOn(
@@ -736,6 +773,7 @@ describe("UserMiddleware", () => {
         req,
         projectId,
         userId,
+        undefined,
       );
       expect(spyGetDefaultUserTenantAccessPermission).toHaveBeenCalledWith(
         projectId,
@@ -743,8 +781,6 @@ describe("UserMiddleware", () => {
     });
     test("should return user tenant access permission, when project for a projectId is found, sso is not required for login and project level permission exist for the projectId", async () => {
-      spyFindBy.mockResolvedValueOnce([mockedProject]);
       const spyGetUserTenantAccessPermission: jest.SpyInstance = getJestSpyOn(
         AccessTokenService,
         "getUserTenantAccessPermission",
@@ -768,8 +804,6 @@ describe("UserMiddleware", () => {
     });
     test("should return null, when project for a projectId is found, sso is not required for login but project level permission does not exist for the projectId", async () => {
-      spyFindBy.mockResolvedValueOnce([mockedProject]);
       const spyGetUserTenantAccessPermission: jest.SpyInstance = getJestSpyOn(
         AccessTokenService,
         "getUserTenantAccessPermission",
@@ -790,7 +824,9 @@ describe("UserMiddleware", () => {
     });
     test("should return user tenant access permission, when project for a projectId is not found, but project level permission exist for the projectId", async () => {
-      spyFindBy.mockResolvedValueOnce([]);
+      spyGetProjectRequireSsoForLogin.mockRejectedValueOnce(
+        new BadDataException("Project not found"),
+      );
       getJestSpyOn(
         AccessTokenService,
@@ -810,7 +846,9 @@ describe("UserMiddleware", () => {
     });
     test("should return null, when project for a projectId is not found, and project level permission does not exist for the projectId", async () => {
-      spyFindBy.mockResolvedValueOnce([]);
+      spyGetProjectRequireSsoForLogin.mockRejectedValueOnce(
+        new BadDataException("Project not found"),
+      );
       const spyGetUserTenantAccessPermission: jest.SpyInstance = getJestSpyOn(
         AccessTokenService,