[Domain Control] [Release 4] [BE] Create new UpdateDomainSecurityGroupForNewDot command

[allgandalf]

Part of #76750

Description

Create a new UpdateDomainSecurityGroupForNewDot command (Web-E) that passes through to a new UpdateDomainSecurityGroup Auth command, so NewDot can update security group settings using admin auth tokens (instead of domain auth tokens) with proper Onyx error routing under domainErrors_.

This consolidates the work from both child issues into a clean approach that doesn't touch the existing UpdateDomainSecurityGroup Web-E command used by OldDot.

Child Issues

• [Domain Control] [Release 4] [BE] Update UpdateSecurityGroup command for NewDot #80130 — Admin auth token support + move onyx writes to Auth
• [Domain Control][Release 4] [BE] Send Onyx error updates under domainErrors_ for UpdateDomainSecurityGroupForNewDot command #81720 — Onyx error routing under domainErrors_ via domainAccountID + settingsName

Plan

Prerequisites

• Auth #19398 must merge first — it adds the onyx update plumbing in NVP::set() for security group changes

Step 1: New Auth command UpdateDomainSecurityGroup

// UpdateDomainSecurityGroup.h
class UpdateDomainSecurityGroup : public AuthCommand
{
public:
    static const string name;
    UpdateDomainSecurityGroup(SQLiteCommand&& baseCommand, BedrockPlugin_Auth& auth)
        : AuthCommand(move(baseCommand), auth) {};

    virtual bool peek() override;
    virtual void process() override;

private:
    int64_t domainAccountID = 0;
    string nvpName;
    string nvpValue;
    string settingsName;
};

// UpdateDomainSecurityGroup.cpp
bool UpdateDomainSecurityGroup::peek()
{
    Request::verifyAttributeInt(request, "domainAccountID", 1);
    Request::verifyAttributeSize(request, "name", 1);

    const int64_t requestingAccountID = request.calc64("accountID");
    domainAccountID = request.calc64("domainAccountID");
    nvpName = request["name"];
    nvpValue = request["value"];
    settingsName = request["settingsName"];

    if (!SStartsWith(nvpName, NVP::DOMAIN_SECURITY_GROUP_PREFIX)) {
        STHROW("400 Bad Request - Not a security group NVP");
    }

    if (!Domain::isAdmin(db, domainAccountID, requestingAccountID)) {
        STHROW("401 Unauthorized");
    }

    return false;
}

void UpdateDomainSecurityGroup::process()
{
    // NVP::set() already handles queueing onyx updates
    // for security group changes (from Auth #19398)
    auth.nvp.set(db, domainAccountID, nvpName, nvpValue);
}

Step 2: New Web-E command UpdateDomainSecurityGroupForNewDot

A new entry in api.php — pure pass-through to Auth. The existing UpdateDomainSecurityGroup handler stays completely untouched for OldDot.

// New command — NewDot calls this
} elseif ($command === 'UpdateDomainSecurityGroupForNewDot') {
    API::write('UpdateDomainSecurityGroup', [
        'domainAccountID' => Request::getInt('domainAccountID'),
        'name' => Request::getString('name'),
        'value' => Request::getString('value', '{}'),
        'settingsName' => Request::getString('settingsName', ''),
    ]);

Step 3: Close stale PRs

• Close Web-E #50280
• Close Web-E #51064

OldDot Impact

None. OldDot continues calling UpdateDomainSecurityGroup → DomainAPI::updateSecurityGroup() via domain auth token. The existing handler and DomainAPI::updateSecurityGroup() method are completely untouched. NewDot calls the new UpdateDomainSecurityGroupForNewDot command instead.

---

Conversation: https://expensify.slack.com/archives/C0A1VKRKEE9/p1773990224163049
Doc section: https://docs.google.com/document/d/13ZgHapzyeDYny155suwlSRQUvdWqE1DkNNDRJ6Pk3i0/edit?tab=t.0#heading=h.o9k6thf1ehyq

Issue Owner

Current Issue Owner: @rayane-d

[allgandalf]

PR's are in review

[allgandalf]

I hope to get the Auth PR merged today

[allgandalf]

PR's raised:

• https://github.com/Expensify/Auth/pull/20673
• https://github.com/Expensify/Web-Expensify/pull/51651

[allgandalf]

PR's in review

[allgandalf]

same