From 546d0d50c4b651ca7c3ee5d6c9ad729c758dfb8d Mon Sep 17 00:00:00 2001
From: sean-brydon <55134778+sean-brydon@users.noreply.github.com>
Date: Sat, 17 Sep 2022 22:09:06 +0100
Subject: [PATCH] Impersonation fix (#4521)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Impersonation fix
* Update packages/features/ee/impersonation/lib/ImpersonationProvider.ts
Co-authored-by: Omar López
* Fix zod schema
* Early returns
Co-authored-by: Omar López
Co-authored-by: Leo Giovanetti
---
apps/web/pages/api/auth/[...nextauth].tsx | 2 +-
.../ee/impersonation/lib/ImpersonationProvider.ts | 10 ++++++++--
2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/apps/web/pages/api/auth/[...nextauth].tsx b/apps/web/pages/api/auth/[...nextauth].tsx
index 60837493de..720c5e8270 100644
--- a/apps/web/pages/api/auth/[...nextauth].tsx
+++ b/apps/web/pages/api/auth/[...nextauth].tsx
@@ -115,7 +115,7 @@ const providers: Provider[] = [
 };
 },
 }),
- // ImpersonationProvider,
+ ImpersonationProvider,
 ];
 
 if (IS_GOOGLE_LOGIN_ENABLED) {
diff --git a/packages/features/ee/impersonation/lib/ImpersonationProvider.ts b/packages/features/ee/impersonation/lib/ImpersonationProvider.ts
index d7c541736c..b452eed9d1 100644
--- a/packages/features/ee/impersonation/lib/ImpersonationProvider.ts
+++ b/packages/features/ee/impersonation/lib/ImpersonationProvider.ts
@@ -1,10 +1,13 @@
 import { User } from "@prisma/client";
 import CredentialsProvider from "next-auth/providers/credentials";
 import { getSession } from "next-auth/react";
+import { z } from "zod";
 
 import prisma from "@calcom/prisma";
 
-import { asNumberOrThrow } from "@lib/asStringOrNull";
+const teamIdschema = z.object({
+ teamId: z.number(),
+});
 
 const auditAndReturnNextUser = async (
 impersonatedUser: Pick,
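Review bot: `ImpersonationProvider` is now registered unconditionally, while the neighbouring Google provider is only added when `IS_GOOGLE_LOGIN_ENABLED` is set; if impersonation is meant to be opt-in (it lives under `ee/`), gate it the same way so the impersonation credentials endpoint is not enabled on every deployment, e.g. `...(IMPERSONATION_ENABLED_FLAG ? [ImpersonationProvider] : []),` where `IMPERSONATION_ENABLED_FLAG` is a placeholder for whichever config constant the project uses. The `providers` array starts outside the hunk.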
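Review bot: `teamIdschema` types `teamId` as `z.number()`, but the credentials object a next-auth credentials provider receives is normally built from the request body, where values are strings, so `teamIdschema.parse(creds)` in the `@@ -50,7 +53,8 @@` hunk is likely to reject a legitimate `"123"` that the removed `asNumberOrThrow(creds.teamId)` presumably converted. Parsing the string explicitly keeps the check strict without relying on the caller's type, e.g. `teamId: z.string().regex(/^\d+$/).transform(Number),` (or a `z.preprocess` to the same effect); verify this against how `creds` is populated, which is outside the hunk. The constant should also be named `teamIdSchema` to follow camelCase like the rest of the file.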
@@ -50,7 +53,8 @@ const ImpersonationProvider = CredentialsProvider({
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore need to figure out how to correctly type this
 const session = await getSession({ req });
- const teamId = creds?.teamId ? asNumberOrThrow(creds.teamId) : undefined;
+ // If teamId is present -> parse the teamId and throw error itn ot number. If not present teamId is set to undefined
+ const teamId = creds?.teamId ? teamIdschema.parse(creds).teamId : undefined;
 
 if (session?.user.username === creds?.username) {
 throw new Error("You cannot impersonate yourself.");
@@ -102,6 +106,8 @@ const ImpersonationProvider = CredentialsProvider({
 return auditAndReturnNextUser(impersonatedUser, session?.user.id as number);
 }
 
+ if (!teamId) throw new Error("You do not have permission to do this.");
+
 // Check session
 const sessionUserFromDb = await prisma.user.findUnique({
 where: {
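Review bot: The new comment above `const teamId` contains a typo ("itn ot") and reads awkwardly; suggest `// If teamId is present, validate it with teamIdschema and throw if it is not a number; otherwise leave teamId undefined.` Note also that `teamIdschema.parse(creds)` throws a ZodError rather than one of the provider's own `Error("...")` messages, so whatever surfaces authorize failures to the client will see zod's message for a malformed team id; if the messages are meant to be uniform, use `.safeParse` and throw a plain `Error` on failure. The enclosing callback starts and ends outside the hunk.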
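Review bot: `if (!teamId)` rejects `0` with a permission error while the schema's `z.number()` accepts `0` and negative values, so the two checks disagree on what a valid team id is; tightening the schema to `teamId: z.number().int().positive(),` makes malformed ids fail at parse time and leaves this line meaning only "no team was supplied". The generic message is a good choice here since it does not reveal whether a team exists. The code that uses `teamId` after this point is outside the hunk.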