From 23ff807a276d7ccc88f75415760e4225c22a08fa Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Wed, 6 Mar 2024 07:29:28 -0600
Subject: [PATCH] chore: remove autocreate orgs on CreateUser (#12434)

New users must be explictly given an organization to join. Organizations should not be auto created as a side effect of creating a new user.
---
 coderd/userauth.go | 26 +++++++++-----------------
 coderd/users.go | 33 ++++-----------------------------
 2 files changed, 13 insertions(+), 46 deletions(-)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index a028ebf4c2..366f566c59 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -1351,20 +1351,16 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 // This can happen if a user is a built-in user but is signing in
 // with OIDC for the first time.
 if user.ID == uuid.Nil {
- var organizationID uuid.UUID
- // Ignoring this error is a product of our unit tests. In prod this should never
- // happen. Unit tests use this as a shortcut to making a new organization. We
- // should really fix our unit tests and remove this.
+ // Until proper multi-org support, all users will be added to the default organization.
+ // The default organization should always be present.
 //nolint:gocritic
- organization, _ := tx.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx))
-
- // Add the user to the default organization.
- // Once multi-organization we should check some configuration to see
- // if we should add the user to a different organization.
- organizationID = organization.ID
+ defaultOrganization, err := tx.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx))
+ if err != nil {
+ return xerrors.Errorf("unable to fetch default organization: %w", err)
+ }
 //nolint:gocritic
- _, err := tx.GetUserByEmailOrUsername(dbauthz.AsSystemRestricted(ctx), database.GetUserByEmailOrUsernameParams{
+ _, err = tx.GetUserByEmailOrUsername(dbauthz.AsSystemRestricted(ctx), database.GetUserByEmailOrUsernameParams{
 Username: params.Username,
 })
 if err == nil {
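Review bot: The `//nolint:gocritic` above the new `GetDefaultOrganization` call suppresses the linter without recording why the `dbauthz.AsSystemRestricted(ctx)` elevation is acceptable at this point in the login flow; the two added comment lines explain the default-organization policy but not the privilege. A reason on the directive itself, e.g. `//nolint:gocritic // system context needed: no authenticated actor exists yet on first OIDC login`, would keep the elevated call auditable (the wording is my guess at the reason and should be confirmed). The new `unable to fetch default organization` error path also has no test in this commit, since the diffstat lists only the two source files. The enclosing `if user.ID == uuid.Nil` block and its transaction closure start and end outside the hunk.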
@@ -1402,13 +1398,9 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 CreateUserRequest: codersdk.CreateUserRequest{
 Email: params.Email,
 Username: params.Username,
- OrganizationID: organizationID,
+ OrganizationID: defaultOrganization.ID,
 },
- // All of the userauth tests depend on this being able to create
- // the first organization. It shouldn't be possible in normal
- // operation.
- CreateOrganization: organizationID == uuid.Nil,
- LoginType: params.LoginType,
+ LoginType: params.LoginType,
 })
 if err != nil {
 return xerrors.Errorf("create user: %w", err)
diff --git a/coderd/users.go b/coderd/users.go
index efdd351b51..cd5ee35037 100644
--- a/coderd/users.go
+++ b/coderd/users.go
@@ -201,8 +201,7 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
 Password: createUser.Password,
 OrganizationID: defaultOrg.ID,
 },
- CreateOrganization: false,
- LoginType: database.LoginTypePassword,
+ LoginType: database.LoginTypePassword,
 })
 if err != nil {
 httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
@@ -1231,8 +1230,7 @@ func (api *API) organizationByUserAndName(rw http.ResponseWriter, r *http.Reques
 type CreateUserRequest struct {
 codersdk.CreateUserRequest
- CreateOrganization bool
- LoginType database.LoginType
+ LoginType database.LoginType
 }
 func (api *API) CreateUser(ctx context.Context, store database.Store, req CreateUserRequest) (database.User, uuid.UUID, error) {
@@ -1245,32 +1243,9 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
 var user database.User
 return user, req.OrganizationID, store.InTx(func(tx database.Store) error {
 orgRoles := make([]string, 0)
- // If no organization is provided, create a new one for the user.
+ // Organization is required to know where to allocate the user.
 if req.OrganizationID == uuid.Nil {
- if !req.CreateOrganization {
- return xerrors.Errorf("organization ID must be provided")
- }
-
- organization, err := tx.InsertOrganization(ctx, database.InsertOrganizationParams{
- ID: uuid.New(),
- Name: req.Username,
- CreatedAt: dbtime.Now(),
- UpdatedAt: dbtime.Now(),
- Description: "",
- })
- if err != nil {
- return xerrors.Errorf("create organization: %w", err)
- }
- req.OrganizationID = organization.ID
- // TODO: When organizations are allowed to be created, we should
- // come back to determining the default role of the person who
- // creates the org. Until that happens, all users in an organization
- // should be just regular members. Membership role is implied, and
- // not required to be explicit.
- _, err = tx.InsertAllUsersGroup(ctx, organization.ID)
- if err != nil {
- return xerrors.Errorf("create %q group: %w", database.EveryoneGroup, err)
- }
+ return xerrors.Errorf("organization ID must be provided")
 }
 params := database.InsertUserParams{
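Review bot: The guard `if req.OrganizationID == uuid.Nil` only proves that an ID was supplied; with auto-creation removed, this value alone decides which organization the new account joins, and nothing in the hunk shows the ID being checked for existence or the caller being authorized to add members to it. That may be enforced further down in the transaction or by the callers, but `CreateUser` is exported and has no doc comment visible here, so the contract is implicit. I would state it on the function, e.g. `// CreateUser inserts the user into req.OrganizationID; uuid.Nil is rejected and callers must already have authorized that organization.` Since the error string has no format verbs, `xerrors.New("organization ID must be provided")` is the plainer form. The function body starts above the hunk and continues below it.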