Skip to main content
Version: 0.5.0 (Previous)

🏢 Organization Validator Blocks

Organization validator blocks provide validation functions for organization-related operations in Nodeblocks applications. These validators ensure proper access control and data validation for organization management and membership operations.

🎯 Overview

Organization validator blocks are designed to:

  • Validate organization access based on membership and permissions
  • Ensure proper organization management with role-based access control
  • Support organization membership validation
  • Handle organization-specific validation logic for secure operations
  • Provide reusable validation for organization workflows

📋 Organization Validator Types

Access Control Validators

Validators that check user permissions for organization resources.

🔧 Available Organization Validators

hasOrgRole

Validates organization member role for access control based on allowed roles and organization ID in payload.

Purpose: Ensures the authenticated identity has one of the allowed roles in the target organization

Parameters:

  • allowedRoles: tuple of allowed organization roles (e.g. ['admin', 'owner'])
  • organizationIdPathInPayload: tuple path to organizationId in payload (e.g. ['params', 'requestParams', 'organizationId'])

Returns: void - Passes through if the member role matches allowed roles

Throws:

  • NodeblocksError (500) with message "db.organizations is not set"
  • NodeblocksError (500) with message "configuration.organization.roles is not set"
  • NodeblocksError (401) with message "Invalid token"
  • NodeblocksError (400) with message "Invalid organization ID"
  • NodeblocksError (403) with message "Failed to fetch organization"
  • NodeblocksError (403) with message "Identity is not a member of the organization"
  • NodeblocksError (403) with message "Identity is not authorized to access this organization"

Usage:

import { validators } from '@nodeblocks/backend-sdk';

const { hasOrgRole, some } = validators;

withRoute({
  -- snip --
  validators: [
    some(
      hasOrgRole(
        ['owner', 'admin', 'member'],
        ['params', 'requestParams', 'organizationId']
      )
    ),
  ],
});

validateOrganizationAccess

Validates organization access based on allowed subjects and token information.

Deprecated

This validator is deprecated.
Replacement: hasOrgRole.

Purpose: Ensures users have proper organization membership and permissions

Parameters:

  • allowedSubjects: string[] - Array of allowed user types/subjects
  • authenticate: Authenticator - Authentication function (optional, defaults to getBearerTokenInfo)
  • payload: RouteHandlerPayload - Contains request context and data

Returns: void - Passes through if user has appropriate permissions

Throws:

  • NodeblocksError (401) with message "App token is not valid"
  • NodeblocksError (401) with message "Identity token is not valid"
  • NodeblocksError (404) with message "Organization not found"
  • NodeblocksError (403) with message "Organization has no members"
  • NodeblocksError (403) with message "Identity does not belong to this organization"
  • NodeblocksError (403) with message "Identity is not authorized to access this organization"
  • NodeblocksError (401) with message "Token does not have a valid access type"

Supported Subjects:

  • 'admin' - Administrator access
  • 'member' - Organization member access
  • 'owner' - Organization owner access

Organization ID Sources (checked in order):

  • payload.context.data.organizationId
  • payload.params.requestParams.organizationId
  • payload.params.requestQuery.organizationId
  • payload.params.requestBody.organizationId

User Role Configuration (defaults):

{
  admin: 'admin',
  member: 'member',
  owner: 'owner'
}

Access Logic:

  • App tokens: Always pass if appId is valid
  • User tokens:
    • Verify organization exists
    • Verify organization has users
    • Verify user belongs to organization
    • Verify user role matches allowed subjects
    • At least one subject must match for access to be granted

Usage:

import { validators } from '@nodeblocks/backend-sdk';

const { validateOrganizationAccess } = validators;

// Organization member access
withRoute({
  -- snip --
  validators: [validateOrganizationAccess(['member'])]
});

// Organization admin or owner access
withRoute({
  -- snip --
  validators: [validateOrganizationAccess(['admin', 'owner'])]
});

// Any organization member access
withRoute({
  -- snip --
  validators: [validateOrganizationAccess(['admin', 'member', 'owner'])]
});

🔗 Related Documentation