Closed
Labels: api (area: API, enterprise API, access token, OAuth), platform (anything related to our platform plan), 💻 refactor
Description
Problem
One of the ways customers authenticate to the v2 API is by providing platform OAuth client credentials via the `x-cal-client-id` header (containing the OAuth client id) and the `x-cal-secret` header (containing the OAuth client secret). The auth is handled by the `oAuthClientStrategy` function in `api-auth.strategy.ts`. The problem is that it finds the OAuth client and then calls the following function to find the user associated with the platform, i.e. the owner of the platform:

`const platformCreatorId = await this.profilesRepository.getPlatformOwnerUserId(client.organizationId);`

and the code of `getPlatformOwnerUserId` is:
```ts
async getPlatformOwnerUserId(organizationId: number) {
  // Picks the oldest profile in the organization and treats it as the owner;
  // nothing here checks that the profile actually belongs to the owner.
  const profile = await this.dbRead.prisma.profile.findFirst({
    where: {
      organizationId,
    },
    orderBy: {
      createdAt: "asc",
    },
  });
  return profile?.userId;
}
```
The problem arises if the platform owner is removed from the platform and their profile is then deleted: the `.findFirst` could then return a managed user, i.e. a user belonging to our customer's platform.
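To make the failure mode concrete, the following added example (not cal.com code) models the lookup quoted above against an in-memory stand-in for the Prisma `profile` table, reproduces the case where the owner's profile is deleted and the oldest remaining profile belongs to a managed user, and places a hardened lookup beside it. The `isPlatformManaged` flag, the `membership` table and its `role` values are assumptions for illustration, not cal.com's actual schema; the sample rows are constructed.

```typescript
// Added example, not cal.com's code. Field names other than
// `organizationId`, `userId` and `createdAt` are assumed for illustration.

type Profile = { id: number; userId: number; organizationId: number; createdAt: Date };
type User = { id: number; isPlatformManaged: boolean }; // `isPlatformManaged` is an assumed flag
type Membership = { userId: number; organizationId: number; role: "OWNER" | "ADMIN" | "MEMBER" }; // assumed table

interface Db {
  profiles: Profile[];
  users: User[];
  memberships: Membership[];
}

// Constructed sample data: org 42 has a platform owner (user 1, oldest profile)
// and one managed user (user 2) that the customer's platform created via the v2 API.
function sampleDb(): Db {
  return {
    profiles: [
      { id: 10, userId: 1, organizationId: 42, createdAt: new Date("2024-01-01T00:00:00Z") },
      { id: 11, userId: 2, organizationId: 42, createdAt: new Date("2024-02-01T00:00:00Z") },
    ],
    users: [
      { id: 1, isPlatformManaged: false },
      { id: 2, isPlatformManaged: true },
    ],
    memberships: [
      { userId: 1, organizationId: 42, role: "OWNER" },
      { userId: 2, organizationId: 42, role: "MEMBER" },
    ],
  };
}

// Mirrors the lookup quoted in the issue:
// findFirst({ where: { organizationId }, orderBy: { createdAt: "asc" } }).
// "Oldest profile in the org" only stands in for "owner" while the owner's profile exists.
function getPlatformOwnerUserIdWeak(db: Db, organizationId: number): number | undefined {
  const candidates = db.profiles
    .filter((p) => p.organizationId === organizationId)
    .sort((a, b) => a.createdAt.getTime() - b.createdAt.getTime());
  return candidates[0]?.userId;
}

// Hardened variant: select on an explicit ownership signal instead of creation order,
// and never return a managed user. Returns undefined when no owner remains so the
// caller can fail closed instead of silently acting as a different user.
function getPlatformOwnerUserIdStrict(db: Db, organizationId: number): number | undefined {
  const owners = db.memberships.filter((m) => m.organizationId === organizationId && m.role === "OWNER");
  for (const m of owners) {
    const user = db.users.find((u) => u.id === m.userId);
    const hasProfile = db.profiles.some((p) => p.userId === m.userId && p.organizationId === organizationId);
    if (user && !user.isPlatformManaged && hasProfile) return user.id;
  }
  return undefined;
}

// Simulates the owner leaving the platform: membership and profile are removed.
function removeOwner(db: Db, userId: number): Db {
  return {
    ...db,
    profiles: db.profiles.filter((p) => p.userId !== userId),
    memberships: db.memberships.filter((m) => m.userId !== userId),
  };
}

// Reproduces the issue: before removal both lookups agree on user 1; afterwards the
// weak lookup promotes managed user 2, while the strict lookup reports no owner.
function reproduce(): { before: number | undefined; weakAfter: number | undefined; strictAfter: number | undefined } {
  const db = sampleDb();
  const before = getPlatformOwnerUserIdWeak(db, 42);
  const after = removeOwner(db, 1);
  return {
    before,
    weakAfter: getPlatformOwnerUserIdWeak(after, 42),
    strictAfter: getPlatformOwnerUserIdStrict(after, 42),
  };
}

console.log(reproduce()); // { before: 1, weakAfter: 2, strictAfter: undefined }
```

The design point is that `createdAt` ordering is an implicit, mutable proxy for ownership; an authentication path should resolve the principal from an explicit, auditable relation and treat "no owner found" as a hard failure rather than falling through to whichever row sorts first.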