From 211dc7c21f36883a43a4c666c956357ea6ddd3a6 Mon Sep 17 00:00:00 2001
From: Livio Amstutz <livio.a@gmail.com>
Date: Tue, 7 Dec 2021 15:54:33 +0100
Subject: [PATCH] fix: add workaround for org check (if projection is not
 up-to-date) (#2800)

---
 internal/api/authz/context.go | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/internal/api/authz/context.go b/internal/api/authz/context.go
index 5855a13065..4015277c2f 100644
--- a/internal/api/authz/context.go
+++ b/internal/api/authz/context.go
@@ -2,6 +2,7 @@ package authz
 
 import (
 	"context"
+	"time"
 
 	"github.com/caos/zitadel/internal/api/grpc"
 	http_util "github.com/caos/zitadel/internal/api/http"
@@ -62,13 +63,6 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *To
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	if orgID != "" {
-		err = t.ExistsOrg(ctx, orgID)
-		if err != nil {
-			return CtxData{}, errors.ThrowPermissionDenied(nil, "AUTH-Bs7Ds", "Organisation doesn't exist")
-		}
-	}
-
 	userID, clientID, agentID, prefLang, resourceOwner, err := verifyAccessToken(ctx, token, t, method)
 	if err != nil {
 		return CtxData{}, err
@@ -87,6 +81,21 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *To
 	if orgID == "" {
 		orgID = resourceOwner
 	}
+
+	err = t.ExistsOrg(ctx, orgID)
+	if err != nil {
+		for i := 0; i < 3; i++ { //TODO: workaround if org projection is not yet up-to-date
+			time.Sleep(500 * time.Millisecond)
+			err := t.ExistsOrg(ctx, orgID)
+			if err == nil {
+				break
+			}
+		}
+		if err != nil {
+			return CtxData{}, errors.ThrowPermissionDenied(nil, "AUTH-Bs7Ds", "Organisation doesn't exist")
+		}
+	}
+
 	return CtxData{
 		UserID:            userID,
 		OrgID:             orgID,