Version: 0.6.0 (Latest)

🏢 Organization Validator Blocks

Organization validator blocks provide validation functions for organization-related operations in Nodeblocks applications. These validators ensure proper access control and data validation for organization management and membership operations.


🎯 Overview

Organization validator blocks are designed to:

  • Validate organization access based on membership and permissions
  • Ensure proper organization management with role-based access control
  • Support organization membership validation
  • Handle organization-specific validation logic for secure operations
  • Provide reusable validation for organization workflows

📋 Organization Validator Types

Access Control Validators

Validators that check user permissions for organization resources.


🔧 Available Organization Validators

hasOrgRole

Validates the caller's organization member role against a list of allowed roles, using the organization ID read from the payload.

Purpose: Ensures the authenticated identity has one of the allowed roles in the target organization

Parameters:

  • allowedRoles: tuple of allowed organization roles (e.g. ['admin', 'owner'])
  • organizationIdPathInPayload: tuple path to organizationId in payload (e.g. ['params', 'requestParams', 'organizationId'])

Returns: void - Passes through if the member role matches allowed roles

Throws:

  • NodeblocksError (500) with message "db.organizations is not set"
  • NodeblocksError (500) with message "configuration.organization.roles is not set"
  • NodeblocksError (401) with message "Invalid token"
  • NodeblocksError (400) with message "Invalid organization ID"
  • NodeblocksError (403) with message "Failed to fetch organization"
  • NodeblocksError (403) with message "Identity is not a member of the organization"
  • NodeblocksError (403) with message "Identity is not authorized to access this organization"

Usage:

import { validators } from '@nodeblocks/backend-sdk';

const { hasOrgRole, some } = validators;

withRoute({
  // -- snip --
  validators: [
    some(
      hasOrgRole(
        ['owner', 'admin', 'member'],
        ['params', 'requestParams', 'organizationId']
      )
    ),
  ],
});

validateOrganizationAccess

Validates organization access based on allowed subjects and token information.

Deprecated

This validator is deprecated.
Replacement: hasOrgRole.

Purpose: Ensures users have proper organization membership and permissions

Parameters:

  • allowedSubjects: string[] - Array of allowed user types/subjects
  • authenticate: Authenticator - Authentication function (optional, defaults to getBearerTokenInfo)
  • payload: RouteHandlerPayload - Contains request context and data

Returns: void - Passes through if user has appropriate permissions

Throws:

  • NodeblocksError (401) with message "App token is not valid"
  • NodeblocksError (401) with message "Identity token is not valid"
  • NodeblocksError (404) with message "Organization not found"
  • NodeblocksError (403) with message "Organization has no members"
  • NodeblocksError (403) with message "Identity does not belong to this organization"
  • NodeblocksError (403) with message "Identity is not authorized to access this organization"
  • NodeblocksError (401) with message "Token does not have a valid access type"

Supported Subjects:

  • 'admin' - Administrator access
  • 'member' - Organization member access
  • 'owner' - Organization owner access

Organization ID Sources (checked in order):

  • payload.context.data.organizationId
  • payload.params.requestParams.organizationId
  • payload.params.requestQuery.organizationId
  • payload.params.requestBody.organizationId

User Role Configuration (defaults):

{
  admin: 'admin',
  member: 'member',
  owner: 'owner'
}

Access Logic:

  • App tokens: Always pass if appId is valid
  • User tokens:
    • Verify organization exists
    • Verify organization has users
    • Verify user belongs to organization
    • Verify user role matches allowed subjects
    • At least one subject must match for access to be granted

Usage:

import { validators } from '@nodeblocks/backend-sdk';

const { validateOrganizationAccess } = validators;

// Organization member access
withRoute({
  // -- snip --
  validators: [validateOrganizationAccess(['member'])]
});

// Organization admin or owner access
withRoute({
  // -- snip --
  validators: [validateOrganizationAccess(['admin', 'owner'])]
});

// Any organization member access
withRoute({
  // -- snip --
  validators: [validateOrganizationAccess(['admin', 'member', 'owner'])]
});
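
The Access Logic and Organization ID Sources listed above for validateOrganizationAccess, modeled as an added example for building an authorization test matrix. This is not the SDK's code: the helper names (checkOrganizationAccess, resolveOrganizationId, statusFor), the token and organization shapes, the order of the token checks, and the rule that the first source holding a value wins are assumptions.

```javascript
// Added model of the documented decision order; NOT the SDK's implementation.
// Assumed shapes: token = { type, appId | identityId }, org = { members: [{ identityId, role }] }.
class AccessError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Organization ID sources, in the order the page lists them (first value found wins: assumption).
function resolveOrganizationId(payload) {
  return payload.context?.data?.organizationId
    ?? payload.params?.requestParams?.organizationId
    ?? payload.params?.requestQuery?.organizationId
    ?? payload.params?.requestBody?.organizationId;
}

const DEFAULT_ROLES = { admin: 'admin', member: 'member', owner: 'owner' };

function checkOrganizationAccess(allowedSubjects, token, payload, orgs, roles = DEFAULT_ROLES) {
  if (token.type === 'app') {
    if (!token.appId) throw new AccessError(401, 'App token is not valid');
    return; // app tokens always pass when appId is valid
  }
  if (token.type !== 'user') throw new AccessError(401, 'Token does not have a valid access type');
  if (!token.identityId) throw new AccessError(401, 'Identity token is not valid');
  const org = orgs.get(resolveOrganizationId(payload));
  if (!org) throw new AccessError(404, 'Organization not found');
  if (!org.members || org.members.length === 0) throw new AccessError(403, 'Organization has no members');
  const member = org.members.find((m) => m.identityId === token.identityId);
  if (!member) throw new AccessError(403, 'Identity does not belong to this organization');
  // At least one allowed subject must map to the member's role.
  const allowed = allowedSubjects.some((s) => roles[s] === member.role);
  if (!allowed) throw new AccessError(403, 'Identity is not authorized to access this organization');
}

// Constructed sample data for the test matrix.
const ORGS = new Map([
  ['org-1', { members: [{ identityId: 'u-1', role: 'owner' }, { identityId: 'u-2', role: 'member' }] }],
  ['org-2', { members: [] }],
]);

// Returns the HTTP status a request would get (200 means the validator passed).
function statusFor(allowedSubjects, token, payload) {
  try { checkOrganizationAccess(allowedSubjects, token, payload, ORGS); return 200; }
  catch (e) { if (e instanceof AccessError) return e.status; throw e; }
}
```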