feat(api): add organization membership verification for device check-in

Author: carhartlewis

apps/portal/src/app/api/device-agent/check-in/route.ts

@@ -56,6 +56,19 @@ export async function POST(req: NextRequest) {
       return NextResponse.json({ error: 'Device not found' }, { status: 404 });
     }
 
+    // Verify the user is still an active member of the device's organization
+    const member = await db.member.findFirst({
+      where: {
+        userId: session.user.id,
+        organizationId: device.organizationId,
+        deactivated: false,
+      },
+    });
+
+    if (!member) {
+      return NextResponse.json({ error: 'Not an active member of this organization' }, { status: 403 });
+    }
+
     // Delete old checks for the same types and create new ones
     const checkTypes = checks.map((c) => c.checkType);
 

apps/portal/src/app/api/device-agent/register/route.ts

@@ -51,35 +51,80 @@ export async function POST(req: NextRequest) {
       return NextResponse.json({ error: 'Not a member of this organization' }, { status: 403 });
     }
 
-    // Upsert device: if same serial number + org exists, update; otherwise create
-    const device = await db.device.upsert({
-      where: {
-        serialNumber_organizationId: {
-          serialNumber: serialNumber ?? '',
+    // Branch on serialNumber to avoid collisions for serial-less devices.
+    // PostgreSQL treats NULLs as distinct in unique constraints, so devices
+    // without a serial number can safely coexist in the same org.
+    let device;
+
+    if (serialNumber) {
+      // Serial number present — upsert on the unique (serialNumber, organizationId) key
+      device = await db.device.upsert({
+        where: {
+          serialNumber_organizationId: {
+            serialNumber,
+            organizationId,
+          },
+        },
+        update: {
+          name,
+          hostname,
+          platform,
+          osVersion,
+          hardwareModel,
+          agentVersion,
+          userId: session.user.id,
+        },
+        create: {
+          name,
+          hostname,
+          platform,
+          osVersion,
+          serialNumber,
+          hardwareModel,
+          agentVersion,
+          userId: session.user.id,
           organizationId,
         },
-      },
-      update: {
-        name,
-        hostname,
-        platform,
-        osVersion,
-        hardwareModel,
-        agentVersion,
-        userId: session.user.id,
-      },
-      create: {
-        name,
-        hostname,
-        platform,
-        osVersion,
-        serialNumber,
-        hardwareModel,
-        agentVersion,
-        userId: session.user.id,
-        organizationId,
-      },
-    });
+      });
+    } else {
+      // No serial number — find by hostname + userId + org (same user re-registering
+      // the same machine), or create a new record with serialNumber = null.
+      const existing = await db.device.findFirst({
+        where: {
+          hostname,
+          userId: session.user.id,
+          organizationId,
+          serialNumber: null,
+        },
+      });
+
+      if (existing) {
+        device = await db.device.update({
+          where: { id: existing.id },
+          data: {
+            name,
+            platform,
+            osVersion,
+            hardwareModel,
+            agentVersion,
+          },
+        });
+      } else {
+        device = await db.device.create({
+          data: {
+            name,
+            hostname,
+            platform,
+            osVersion,
+            serialNumber: null,
+            hardwareModel,
+            agentVersion,
+            userId: session.user.id,
+            organizationId,
+          },
+        });
+      }
+    }
 
     return NextResponse.json({ deviceId: device.id });
   } catch (error) {

apps/portal/src/app/api/download-agent/token/route.ts

@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server';
 import type { DownloadAgentRequest, SupportedOS } from '../types';
 import { detectOSFromUserAgent, validateMemberAndOrg } from '../utils';
 
-const SUPPORTED_OSES: SupportedOS[] = ['macos', 'macos-intel', 'windows'];
+const SUPPORTED_OSES: SupportedOS[] = ['macos', 'macos-intel', 'windows', 'linux'];
 
 const isSupportedOS = (value: unknown): value is SupportedOS =>
   typeof value === 'string' && SUPPORTED_OSES.includes(value as SupportedOS);

apps/portal/src/app/api/download-agent/types.ts

@@ -1,4 +1,4 @@
-export type SupportedOS = 'macos' | 'windows' | 'macos-intel';
+export type SupportedOS = 'macos' | 'windows' | 'macos-intel' | 'linux';
 
 export interface DownloadAgentRequest {
   orgId: string;

apps/portal/src/app/api/download-agent/utils.ts

@@ -6,11 +6,13 @@ import type { SupportedOS } from './types';
  * Detects the operating system (and for macOS, the CPU architecture) from a User-Agent string.
  *
  * Returns:
+ * - 'linux' for Linux OS (excluding Android)
  * - 'windows' for Windows OS
  * - 'macos' for Apple Silicon (ARM-based) Macs
  * - 'macos-intel' for Intel-based Macs
  *
  * Examples of User-Agent strings:
+ * - Linux: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
  * - Windows: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
  * - macOS (Intel): "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
  * - macOS (Apple Silicon): "Mozilla/5.0 (Macintosh; ARM Mac OS X 11_2_3) AppleWebKit/537.36"
@@ -30,6 +32,11 @@ export function detectOSFromUserAgent(userAgent: string | null): SupportedOS | n
 
   const ua = userAgent.toLowerCase();
 
+  // Check Linux before Windows/Mac — exclude Android which also contains 'linux'
+  if (ua.includes('linux') && !ua.includes('android')) {
+    return 'linux';
+  }
+
   if (ua.includes('windows') || ua.includes('win32') || ua.includes('win64')) {
     return 'windows';
   }

packages/device-agent/src/main/auth.ts

@@ -79,9 +79,7 @@ export async function performLogin(deviceInfo: DeviceInfo): Promise<StoredAuth |
         const authData = await extractAuthAndRegisterAll(deviceInfo, authWindow);
         if (authData) {
           setAuth(authData);
-          log(
-            `Auth complete: ${authData.organizations.length} org(s) registered`,
-          );
+          log(`Auth complete: ${authData.organizations.length} org(s) registered`);
           finish(authData);
         }
         // If null, don't close — might be intermediate navigation
@@ -122,8 +120,7 @@ async function extractAuthAndRegisterAll(
   const cookies = await session.defaultSession.cookies.get({ url: portalUrl });
   const sessionCookie = cookies.find(
     (c) =>
-      c.name === 'better-auth.session_token' ||
-      c.name === '__Secure-better-auth.session_token',
+      c.name === 'better-auth.session_token' || c.name === '__Secure-better-auth.session_token',
   );
 
   if (!sessionCookie) {
@@ -236,6 +233,7 @@ async function extractAuthAndRegisterAll(
 
   return {
     sessionToken,
+    cookieName: sessionCookie.name,
     userId,
     organizations: registrations,
   };

packages/device-agent/src/main/reporter.ts

@@ -22,7 +22,8 @@ export async function reportCheckResults(checks: CheckResult[]): Promise<ReportR
   }
 
   const portalUrl = getPortalUrl();
-  const cookieHeader = `better-auth.session_token=${auth.sessionToken}`;
+  const cookieName = auth.cookieName ?? 'better-auth.session_token';
+  const cookieHeader = `${cookieName}=${auth.sessionToken}`;
 
   let allSucceeded = true;
   let anyNonCompliant = false;

packages/device-agent/src/shared/types.ts

@@ -73,6 +73,8 @@ export interface OrgRegistration {
 /** Stored authentication data — supports multiple organizations */
 export interface StoredAuth {
   sessionToken: string;
+  /** The cookie name used by the server (e.g. 'better-auth.session_token' or '__Secure-better-auth.session_token') */
+  cookieName: string;
   userId: string;
   organizations: OrgRegistration[];
 }