fix: correctly check app state on authentication (#8630)

# Which Problems Are Solved In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. # How the Problems Are Solved - Correctly check the status of the organization and related project. (Corresponding functions have been renamed to `Active...`) (cherry picked from commit d01bd1c51a)
2025-08-12 10:57:35 +00:00 · 2024-09-17 13:34:14 +02:00
parent 6210239ed5
commit f1a5c0fc76
13 changed files with 299 additions and 146 deletions
--- a/internal/query/introspection_client_by_id.sql
+++ b/internal/query/introspection_client_by_id.sql
@@ -20,6 +20,7 @@ keys as (
 )
 select config.app_id, config.client_id, config.client_secret, config.app_type, apps.project_id, apps.resource_owner, p.project_role_assertion, keys.public_keys
 from config
-join projections.apps7 apps on apps.id = config.app_id and apps.instance_id = config.instance_id
-join projections.projects4 p on p.id = apps.project_id and p.instance_id = $1
+join projections.apps7 apps on apps.id = config.app_id and apps.instance_id = config.instance_id and apps.state = 1
+join projections.projects4 p on p.id = apps.project_id and p.instance_id = $1 and p.state = 1
+join projections.orgs1 o on o.id = p.resource_owner and o.instance_id = config.instance_id and o.org_state = 1
 left join keys on keys.client_id = config.client_id;