Remove paid members from IAM manageable list (#182)

devksingh4 · web-flow · commit 96fbf62a48fd · 2025-06-29T18:02:54.000-05:00
Also, fix a long standing IAM audit logging issue.
diff --git a/src/api/routes/iam.ts b/src/api/routes/iam.ts
@@ -399,7 +399,7 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
               entry: {
                 module: Modules.IAM,
                 actor: request.username!,
-                target: request.body.add[i],
+                target: request.body.remove[i],
                 message: `remove target from group ID ${groupId}`,
                 requestId: request.id,
               },
@@ -412,20 +412,20 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
               entry: {
                 module: Modules.IAM,
                 actor: request.username!,
-                target: request.body.add[i],
+                target: request.body.remove[i],
                 message: `failed to remove target from group ID ${groupId}`,
                 requestId: request.id,
               },
             }),
           );
           if (result.reason instanceof EntraGroupError) {
             response.failure.push({
-              email: request.body.add[i],
+              email: request.body.remove[i],
               message: result.reason.message,
             });
           } else {
             response.failure.push({
-              email: request.body.add[i],
+              email: request.body.remove[i],
               message: "An unknown error occurred.",
             });
           }
@@ -597,7 +597,11 @@ No action is required from you at this time.
           entraIdToken,
           fastify.environmentConfig.EntraServicePrincipalId,
         )
-      ).filter((x) => !genericConfig.ProtectedEntraIDGroups.includes(x.id));
+      ).filter(
+        (x) =>
+          !genericConfig.ProtectedEntraIDGroups.includes(x.id) &&
+          x.id !== fastify.environmentConfig.PaidMemberGroupId,
+      );
       request.log.debug(
         "Got manageable groups from Entra ID, setting to cache.",
       );
diff --git a/tests/live/iam.test.ts b/tests/live/iam.test.ts
@@ -7,7 +7,7 @@ import {
 } from "../../src/common/types/iam.js";
 import { allAppRoles, AppRoles } from "../../src/common/roles.js";
 import { getBaseEndpoint } from "./utils.js";
-import { genericConfig } from "../../src/common/config.js";
+import { environmentConfig, genericConfig } from "../../src/common/config.js";
 
 const baseEndpoint = getBaseEndpoint();
 test("getting groups", async () => {
@@ -28,6 +28,9 @@ test("getting groups", async () => {
     expect(item["displayName"].length).greaterThan(0);
     expect(item["id"].length).greaterThan(0);
     expect(genericConfig.ProtectedEntraIDGroups).not.toContain(item["id"]);
+    expect(genericConfig.ProtectedEntraIDGroups).not.toStrictEqual(
+      environmentConfig["dev"].PaidMemberGroupId,
+    );
   }
 });
 
