From ebf4da9bea59590eaa6820c6b00b3a1cf1d8c083 Mon Sep 17 00:00:00 2001
From: NGPixel <github@ngpixel.com>
Date: Sat, 17 Sep 2022 17:54:11 -0400
Subject: [PATCH] fix: oidc auth groups relate / unrelate

---
 .../modules/authentication/oidc/authentication.js  | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/server/modules/authentication/oidc/authentication.js b/server/modules/authentication/oidc/authentication.js
index 5f9d0269..ae381111 100644
--- a/server/modules/authentication/oidc/authentication.js
+++ b/server/modules/authentication/oidc/authentication.js
@@ -31,12 +31,14 @@ module.exports = {
           })
           if (conf.mapGroups) {
             const groups = _.get(profile, '_json.' + conf.groupsClaim)
-            if (groups) {
-              const groupIDs = Object.values(WIKI.auth.groups)
-                .filter(g => groups.includes(g.name))
-                .map(g => g.id)
-              for (let groupID of groupIDs) {
-                await user.$relatedQuery('groups').relate(groupID)
+            if (groups && _.isArray(groups)) {
+              const currentGroups = (await user.$relatedQuery('groups').select('groups.id')).groups.map(g => g.id)
+              const expectedGroups = Object.values(WIKI.auth.groups).filter(g => groups.includes(g.name)).map(g => g.id)
+              for (const groupId of _.difference(expectedGroups, currentGroups)) {
+                await user.$relatedQuery('groups').relate(groupId)
+              }
+              for (const groupId of _.difference(currentGroups, expectedGroups)) {
+                await user.$relatedQuery('groups').unrelate(groupId)
               }
             }
           }