fix(access): allow apps to be defined multiple times #533
Merged
bheesham merged 1 commit on May 13, 2026
Pull request overview
This PR updates the Auth0 post-login access rule evaluation so that a single client/application can appear multiple times in apps.yml (e.g., multiple dashboard tiles pointing at the same client_id) while still authorizing a user if any matching entry grants access.
Changes:
- Adjust access decision logic to defer the final “not in group/user” denial until after all matching app entries have been evaluated.
- Extend the test apps.yml fixture to include a duplicated client_id with different authorized groups.
- Add Jest coverage to validate allow/deny behavior when a client is defined multiple times.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tf/actions/accessRules.js | Defers the final authorization denial until after iterating all matching app entries, enabling union-style authorization across duplicates. |
| tf/tests/modules/apps.yml.js | Adds fixture entries where the same client_id is defined twice with different authorized_groups. |
| tf/tests/accessRules.test.js | Adds tests proving users in either authorized group are allowed, while others are denied, for a duplicated client_id. |
Because we need to support multiple tiles _for the same_ application, we need to assert authorization _after_ we've read all of the applications. Jira: IAM-1970
993a992 to 07c045e
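The deferred denial this pull request describes, as an added example that is not the project's accessRules.js: it contrasts a denial issued inside the loop with one issued only after every entry for the client_id has been read, and lists the effective group union that duplicate entries create. The fixture, the function names, the `authorized_users` and `name` fields, the user shape and the deny-by-default for an unlisted client_id are assumptions of this example.

```javascript
// Constructed fixture (not the project's apps.yml). authorized_users, name and
// the user shape {email, groups} are assumptions; client_dup has two tiles.
const apps = [
  { name: "Tile A", client_id: "client_dup", authorized_groups: ["team_a"], authorized_users: [] },
  { name: "Tile B", client_id: "client_dup", authorized_groups: ["team_b"], authorized_users: ["carol@example.com"] },
  { name: "Other", client_id: "client_other", authorized_groups: ["team_c"], authorized_users: [] },
];

// True when this single entry grants access to the user.
function entryGrants(app, user) {
  const groups = app.authorized_groups || [];
  const users = app.authorized_users || [];
  return users.includes(user.email) || groups.some((g) => (user.groups || []).includes(g));
}

// Failure mode: the denial is issued inside the loop, so the first matching
// entry decides and later entries for the same client_id are never read.
function decideOnFirstEntry(appList, clientId, user) {
  for (const app of appList) {
    if (app.client_id !== clientId) continue;
    return { allowed: entryGrants(app, user), matched: 1 };
  }
  return { allowed: false, matched: 0 };
}

// Deferred denial: allow as soon as any matching entry grants access, deny only
// after all matching entries are read (unlisted client_id denied: example's choice).
function decideAfterAllEntries(appList, clientId, user) {
  let matched = 0;
  for (const app of appList) {
    if (app.client_id !== clientId) continue;
    matched += 1;
    if (entryGrants(app, user)) return { allowed: true, matched };
  }
  return { allowed: false, matched };
}

// Audit helper: effective (union) group set for each duplicated client_id.
function duplicatedClients(appList) {
  const byClient = new Map();
  for (const app of appList) {
    const seen = byClient.get(app.client_id) || { entries: 0, groups: new Set() };
    seen.entries += 1;
    (app.authorized_groups || []).forEach((g) => seen.groups.add(g));
    byClient.set(app.client_id, seen);
  }
  return [...byClient].filter(([, v]) => v.entries > 1)
    .map(([id, v]) => ({ client_id: id, groups: [...v.groups].sort() }));
}
```

Because the decision is a union, each additional entry for a client_id can only widen access to it, so the output of `duplicatedClients` is worth checking when reviewing a change to the apps list.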