#!/usr/bin/env node
/**
 * CUSTOMER DETECTION AUTH METHOD BUG ANALYSIS
 * =============================================
 *
 * Investigation into the customer detection bug where MSP functionality
 * only works for 'cognito' authMethod but OAuth sessions use 'keycloak' authMethod.
 */
console.log('🔍 CUSTOMER DETECTION AUTH METHOD BUG ANALYSIS');
console.log('='.repeat(60));
console.log('\n📋 ISSUE SUMMARY:');
console.log('- OAuth sessions show authMethod: "keycloak"');
console.log('- Customer detection only runs for authMethod: "cognito"');
console.log('- Account 24223 "Allcloud-AWS-Reseller-329 - BL Test Env" exists but customer detection never runs');
console.log('- MSP functionality is broken for OAuth users');
console.log('\n🔍 EVIDENCE FROM CODEBASE:');
console.log('\n1. DUAL-AUTH.TS - HOW authMethod IS DETERMINED:');
console.log(' Line 78: this.userManagementInfo = { isKeycloak: true, authMethod: "keycloak" };');
console.log(' Line 98: this.userManagementInfo = { isKeycloak: false, authMethod: "cognito" };');
console.log('');
console.log(' LOGIC:');
console.log(' - detectUserManagementSystem() checks /user-management/users/user-realm endpoint');
console.log(' - If user has a realm → authMethod = "keycloak"');
console.log(' - If no realm found → authMethod = "cognito"');
console.log(' - OAuth flow calls this detection and sets authMethod accordingly');
console.log('\n2. SERVER.TS - WHERE THE BUG OCCURS:');
console.log(' Line 768: if (currentSession?.isAuthenticated && currentSession.auth.getUserManagementInfo()?.authMethod === "cognito")');
console.log(' Line 1287: if (session.auth.getUserManagementInfo()?.authMethod !== "cognito")');
console.log('');
console.log(' PROBLEM:');
console.log(' - MSP customer detection only runs for authMethod === "cognito"');
console.log(' - But OAuth sessions are correctly detected as authMethod === "keycloak"');
console.log(' - This means OAuth MSP users never get customer detection!');
console.log('\n3. USER-SESSION-MANAGER.TS - OAUTH AUTH METHOD DETECTION:');
console.log(' Line 117: const userManagementInfo = await auth.detectUserManagementSystem(tokenData.userEmail);');
console.log(' Line 119: (auth as any).userManagementInfo = userManagementInfo;');
console.log('');
console.log(' FLOW:');
console.log(' - OAuth sessions properly detect user management system');
console.log(' - For david+allcloud@umbrellacost.com → detects keycloak realm → authMethod = "keycloak"');
console.log(' - This authMethod is correctly stored but breaks customer detection');
console.log('\n📊 HISTORICAL LOGIC ANALYSIS:');
console.log('\nFrom the codebase evidence:');
console.log('- Multiple files show "MSP users (cognito auth method indicates MSP)"');
console.log('- david+allcloud@umbrellacost.com is consistently used as MSP test account');
console.log('- AllCloud is clearly an MSP (Managed Service Provider) with multiple sub-customers');
console.log('- But the assumption that "cognito = MSP" is now WRONG due to Keycloak migration');
console.log('\n💡 ROOT CAUSE:');
console.log('The logic was written when:');
console.log('- MSP users were on Cognito (Old UM)');
console.log('- Direct users were on some other system');
console.log('- So authMethod === "cognito" correctly identified MSP users');
console.log('');
console.log('BUT NOW:');
console.log('- MSP users have been migrated to Keycloak (UM 2.0)');
console.log('- authMethod === "keycloak" for MSP users');
console.log('- The customer detection logic was never updated!');
console.log('\n🔧 POSSIBLE SOLUTIONS:');
console.log('\nOPTION A: Change check to authMethod === "keycloak"');
console.log(' PROS: Simple one-line fix');
console.log(' CONS: Assumes ALL Keycloak users are MSP (may not be true)');
console.log(' RISK: Could break if non-MSP users are also on Keycloak');
console.log('\nOPTION B: Support both "cognito" AND "keycloak"');
console.log(' PROS: More robust, handles migration period');
console.log(' CONS: Still assumes auth method correlates with MSP status');
console.log(' IMPLEMENTATION: authMethod === "cognito" || authMethod === "keycloak"');
console.log('\nOPTION C: Add explicit MSP detection based on account data');
console.log(' PROS: Most accurate, future-proof');
console.log(' CONS: Requires additional API calls');
console.log(' IMPLEMENTATION: Check if user has multiple accounts/sub-customers');
console.log('\n🎯 RECOMMENDED SOLUTION:');
console.log('');
console.log('OPTION B (Short-term) + OPTION C (Long-term):');
console.log('');
console.log('1. IMMEDIATE FIX: Change line 1287 from:');
console.log(' if (session.auth.getUserManagementInfo()?.authMethod !== "cognito")');
console.log(' TO:');
console.log(' if (!["cognito", "keycloak"].includes(session.auth.getUserManagementInfo()?.authMethod))');
console.log('');
console.log('2. Also update line 768 similarly for consistency');
console.log('');
console.log('3. LONG-TERM: Implement proper MSP detection based on account structure');
console.log(' rather than authentication method');
console.log('\n📝 FILES TO UPDATE:');
console.log('1. /Users/david/Downloads/MCP/UmbrellaMCP/src/server.ts (lines 768, 1287)');
console.log('2. /Users/david/Downloads/MCP/UmbrellaMCP/src/server-with-auth.ts (similar lines)');
console.log('3. Any other files with "authMethod === \'cognito\'" checks');
console.log('\n✅ VERIFICATION STEPS:');
console.log('1. Test OAuth with david+allcloud@umbrellacost.com');
console.log('2. Verify authMethod is "keycloak" in session');
console.log('3. Confirm customer detection runs for "Bank Leumi" queries');
console.log('4. Test that account 24223 gets proper customer detection');
console.log('\n🔍 CONCLUSION:');
console.log('This is a classic migration bug where the authentication system changed');
console.log('but business logic assumptions were not updated. The fix is straightforward');
console.log('but reveals a deeper architectural issue of coupling MSP detection to auth method.');
console.log('\n' + '='.repeat(60));
console.log('Analysis complete. Ready to implement fix.');
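
/*
Added example, not part of the original script or of server.ts: it compares the current
gate, Option B and Option C on constructed sessions to show which users each one lets into
customer detection. The session shape, the `accounts` field and `customerCount` are
hypothetical stand-ins; only getUserManagementInfo()?.authMethod and account id 24223 come
from the analysis above.

```javascript
// Stand-in for a session whose auth object exposes getUserManagementInfo().
// `accounts` and `customerCount` are hypothetical fields used only for this comparison.
function makeSession(authMethod, accounts) {
  const info = authMethod
    ? { isKeycloak: authMethod === 'keycloak', authMethod }
    : undefined; // detection has not run or failed
  return { isAuthenticated: true, accounts, auth: { getUserManagementInfo: () => info } };
}

// Current gate: customer detection runs only for "cognito".
const gateCurrent = (s) =>
  s.auth.getUserManagementInfo()?.authMethod === 'cognito';

// Option B: accept both auth methods.
const gateOptionB = (s) =>
  ['cognito', 'keycloak'].includes(s.auth.getUserManagementInfo()?.authMethod);

// Option C: decide from account data, independent of auth method.
// Assumed rule: an account with more than one sub-customer is MSP-like.
const gateOptionC = (s) =>
  Array.isArray(s.accounts) &&
  s.accounts.some((a) => Number.isInteger(a.customerCount) && a.customerCount > 1);

// Constructed sessions (sub-customer counts and ids other than 24223 are made up).
const SESSIONS = {
  mspKeycloak: makeSession('keycloak', [{ id: 24223, customerCount: 12 }]),
  mspCognito: makeSession('cognito', [{ id: 1001, customerCount: 4 }]),
  directKeycloak: makeSession('keycloak', [{ id: 2002, customerCount: 0 }]),
  undetected: makeSession(undefined, []),
};

// Returns, per session, whether each gate would let customer detection run.
function compareGates(sessions = SESSIONS) {
  const out = {};
  for (const [name, s] of Object.entries(sessions)) {
    out[name] = {
      current: gateCurrent(s),
      optionB: gateOptionB(s),
      optionC: gateOptionC(s),
    };
  }
  return out;
}

console.table(compareGates());
```

Option B admits the constructed direct (non-MSP) Keycloak user as well as the MSP users,
while Option C follows the account data regardless of auth method.
*/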