fix: add workaround for org check (if projection is not up-to-date) (#2800)

internal/api/authz/context.go

@@ -2,6 +2,7 @@ package authz
 
 import (
 	"context"
+	"time"
 
 	"github.com/caos/zitadel/internal/api/grpc"
 	http_util "github.com/caos/zitadel/internal/api/http"
@@ -62,13 +63,6 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *To
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	if orgID != "" {
-		err = t.ExistsOrg(ctx, orgID)
-		if err != nil {
-			return CtxData{}, errors.ThrowPermissionDenied(nil, "AUTH-Bs7Ds", "Organisation doesn't exist")
-		}
-	}
-
 	userID, clientID, agentID, prefLang, resourceOwner, err := verifyAccessToken(ctx, token, t, method)
 	if err != nil {
 		return CtxData{}, err
@@ -87,6 +81,21 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID string, t *To
 	if orgID == "" {
 		orgID = resourceOwner
 	}
+
+	err = t.ExistsOrg(ctx, orgID)
+	if err != nil {
+		for i := 0; i < 3; i++ { //TODO: workaround if org projection is not yet up-to-date
+			time.Sleep(500 * time.Millisecond)
+			err := t.ExistsOrg(ctx, orgID)
+			if err == nil {
+				break
+			}
+		}
+		if err != nil {
+			return CtxData{}, errors.ThrowPermissionDenied(nil, "AUTH-Bs7Ds", "Organisation doesn't exist")
+		}
+	}
+
 	return CtxData{
 		UserID:            userID,
 		OrgID:             orgID,