Extract orgID from claim #321

ibrajer · 2026-03-23T18:45:48Z

Probably not needed now, but we will likely have to add support for machine-to-machine authentication via API key in the future

Yes, i looked into this but it's not relevant to the current feature and requires some more thought as the orgID cannot be extracted from the API_KEY

In that case, you need to call the verifyApiKey query on GQL and the orgID will be in the response payload. But you can add this in the follow-up ticket.

ibrajer · 2026-03-23T18:46:19Z

And where do we check organization_status?

Here: https://github.com/smartcontractkit/cre-cli/pull/321/changes#diff-3d8bb7e5e85c3aaa46dc91307ccab11b63766fb3f68ec968b5de6efcba9030bcL160

This comment preexists, it has just been moved

-Original file line number
+Diff line change
@@ Expand Up / @@ -105,42 +105,66 @@ func SaveCredentials(tokenSet *CreLoginTokenSet) error { @@
     	return nil
     }
-    // GetDeploymentAccessStatus returns the deployment access status for the organization.
-    // This can be used to check and display whether the user has deployment access.
-    func (c *Credentials) GetDeploymentAccessStatus() (*DeploymentAccess, error) {
-    	// API keys can only be generated on ungated organizations, so they always have access
-    	if c.AuthType == AuthTypeApiKey {
-    		return &DeploymentAccess{
-    			HasAccess: true,
-    			Status:    DeploymentAccessStatusFullAccess,
-    		}, nil
-    	}
-    	// For JWT bearer tokens, we need to parse the token and check the organization_status claim
+    // decodeJWTClaims extracts the claims map from the access token JWT payload.
+    func (c *Credentials) decodeJWTClaims() (map[string]interface{}, error) {
     	if c.Tokens == nil || c.Tokens.AccessToken == "" {
     		return nil, fmt.Errorf("no access token available")
     	}
-    	// Parse the JWT to extract claims
     	parts := strings.Split(c.Tokens.AccessToken, ".")
     	if len(parts) < 2 {
     		return nil, fmt.Errorf("invalid JWT token format")
     	}
-    	// Decode the payload (second part of the JWT)
     	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
     	if err != nil {
     		return nil, fmt.Errorf("failed to decode JWT payload: %w", err)
     	}
-    	// Parse claims into a map
     	var claims map[string]interface{}
     	if err := json.Unmarshal(payload, &claims); err != nil {
     		return nil, fmt.Errorf("failed to unmarshal JWT claims: %w", err)
     	}
-    	// Log all claims for debugging
     	c.log.Debug().Interface("claims", claims).Msg("JWT claims decoded")
+    	return claims, nil
+    }
+    // GetOrgID returns the organization ID from the access token.
+    func (c *Credentials) GetOrgID() (string, error) {
+    	if c.AuthType == AuthTypeApiKey {
+    		return "", fmt.Errorf("org_id is not available for API key authentication")
+    	}
+    	claims, err := c.decodeJWTClaims()
+    	if err != nil {
+    		return "", err
+    	}
+    	orgID, ok := claims["org_id"].(string)
+    	if !ok || orgID == "" {
+    		return "", fmt.Errorf("org_id claim not found in access token")
+    	}
+    	return orgID, nil
+    }
+    // GetDeploymentAccessStatus returns the deployment access status for the organization.
+    // This can be used to check and display whether the user has deployment access.
+    func (c *Credentials) GetDeploymentAccessStatus() (*DeploymentAccess, error) {
+    	// API keys can only be generated on ungated organizations, so they always have access
+    	if c.AuthType == AuthTypeApiKey {
+    		return &DeploymentAccess{
+    			HasAccess: true,
+    			Status:    DeploymentAccessStatusFullAccess,
+    		}, nil
+    	}
+    	// For JWT bearer tokens, we need to parse the token and check the organization_status claim
+    	claims, err := c.decodeJWTClaims()
+    	if err != nil {
+    		return nil, err
+    	}
     	// Dynamically find the organization_status claim by looking for any key ending with "organization_status"
     	var orgStatus string
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
     	return headerEncoded + "." + claimsEncoded + "." + signature
     }
+    func TestGetOrgID_BearerWithOrgID(t *testing.T) {
+    	logger := testutil.NewTestLogger()
+    	token := createTestJWT(t, map[string]interface{}{
+    		"sub":    "user123",
+    		"org_id": "org_abc123",
+    	})
+    	creds := &Credentials{
+    		AuthType: AuthTypeBearer,
+    		Tokens:   &CreLoginTokenSet{AccessToken: token},
+    		log:      logger,
+    	}
+    	orgID, err := creds.GetOrgID()
+    	if err != nil {
+    		t.Fatalf("expected no error, got: %v", err)
+    	}
+    	if orgID != "org_abc123" {
+    		t.Errorf("expected org_id %q, got %q", "org_abc123", orgID)
+    	}
+    }
+    func TestGetOrgID_MissingClaim(t *testing.T) {
+    	logger := testutil.NewTestLogger()
+    	token := createTestJWT(t, map[string]interface{}{
+    		"sub": "user123",
+    	})
+    	creds := &Credentials{
+    		AuthType: AuthTypeBearer,
+    		Tokens:   &CreLoginTokenSet{AccessToken: token},
+    		log:      logger,
+    	}
+    	_, err := creds.GetOrgID()
+    	if err == nil {
+    		t.Fatal("expected error for missing org_id claim, got nil")
+    	}
+    	if !strings.Contains(err.Error(), "org_id claim not found") {
+    		t.Errorf("expected org_id not found error, got: %v", err)
+    	}
+    }
+    func TestGetOrgID_EmptyClaim(t *testing.T) {
+    	logger := testutil.NewTestLogger()
+    	token := createTestJWT(t, map[string]interface{}{
+    		"sub":    "user123",
+    		"org_id": "",
+    	})
+    	creds := &Credentials{
+    		AuthType: AuthTypeBearer,
+    		Tokens:   &CreLoginTokenSet{AccessToken: token},
+    		log:      logger,
+    	}
+    	_, err := creds.GetOrgID()
+    	if err == nil {
+    		t.Fatal("expected error for empty org_id, got nil")
+    	}
+    }
+    func TestGetOrgID_APIKeyReturnsError(t *testing.T) {
+    	logger := testutil.NewTestLogger()
+    	creds := &Credentials{
+    		AuthType: AuthTypeApiKey,
+    		APIKey:   "test-key",
+    		log:      logger,
+    	}
+    	_, err := creds.GetOrgID()
+    	if err == nil {
+    		t.Fatal("expected error for API key auth, got nil")
+    	}
+    	if !strings.Contains(err.Error(), "not available for API key") {
+    		t.Errorf("expected API key error, got: %v", err)
+    	}
+    }
+    func TestGetOrgID_InvalidJWT(t *testing.T) {
+    	logger := testutil.NewTestLogger()
+    	creds := &Credentials{
+    		AuthType: AuthTypeBearer,
+    		Tokens:   &CreLoginTokenSet{AccessToken: "not-a-jwt"},
+    		log:      logger,
+    	}
+    	_, err := creds.GetOrgID()
+    	if err == nil {
+    		t.Fatal("expected error for invalid JWT, got nil")
+    	}
+    }
+    func TestGetOrgID_NoToken(t *testing.T) {
+    	logger := testutil.NewTestLogger()
+    	creds := &Credentials{
+    		AuthType: AuthTypeBearer,
+    		Tokens:   &CreLoginTokenSet{},
+    		log:      logger,
+    	}
+    	_, err := creds.GetOrgID()
+    	if err == nil {
+    		t.Fatal("expected error for empty token, got nil")
+    	}
+    }
     func TestCheckIsUngatedOrganization_APIKey(t *testing.T) {
     	logger := testutil.NewTestLogger()
     	creds := &Credentials{
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Extract orgID from claim #321

Diff view

Diff view

There are no files selected for viewing

ibrajer Mar 23, 2026

Uh oh!

timothyF95 Mar 23, 2026

Uh oh!

ibrajer Mar 23, 2026

Uh oh!

ibrajer Mar 23, 2026

Uh oh!

timothyF95 Mar 23, 2026

Uh oh!

Uh oh!

Extract orgID from claim #321

Extract orgID from claim #321

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

ibrajer Mar 23, 2026

Choose a reason for hiding this comment

Uh oh!

timothyF95 Mar 23, 2026

Choose a reason for hiding this comment

Uh oh!

ibrajer Mar 23, 2026

Choose a reason for hiding this comment

Uh oh!

ibrajer Mar 23, 2026

Choose a reason for hiding this comment

Uh oh!

timothyF95 Mar 23, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!