✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Greptile Summary

This PR addresses two related concerns: (1) a cross-org SSO account takeover vulnerability in LDAP, SAML, and OIDC login flows, and (2) missing MFA enforcement during the OAuth2 token exchange step. The security fix is well-motivated and follows established patterns in the codebase.

• Cross-org account takeover fix (LDAP, SAML, OIDC services): Before binding an SSO identity to an existing Infisical user found by email, the code now verifies that user already holds a membership in the target org. This prevents an attacker from configuring SSO on their org with a victim's email to hijack the victim's Infisical account. Note this is a behavioural breaking change for deployments that relied on SSO auto-provisioning of existing cross-org users — they will now receive a ForbiddenRequestError until explicitly invited.
• MFA enforcement during token exchange (auth-login-service.ts, sso-router.ts): oauth2TokenExchange now mirrors the selectOrganization MFA gate, issuing an MFA token and sending an email OTP when required. The server-side logic is correct.
• Frontend MFA handling (PasswordStep.tsx): The MFA success callback is set to handleExchange, which re-calls the stateless oauthTokenExchange endpoint. Because the endpoint unconditionally re-evaluates shouldCheckMfa against user/org settings (no MFA-verified session is observed), every subsequent call returns isMfaEnabled: true, creating an infinite MFA challenge loop for any OAuth user with MFA enabled.
• Type inconsistency (types.ts): OauthTokenExchangeRes.mfaMethod is typed as string instead of the MfaMethod enum, forcing an unsafe cast in the consumer.

Confidence Score: 2/5

• Not safe to merge — the infinite MFA loop in the frontend will break OAuth login entirely for any user or org with MFA enforced.
• The backend security fix (cross-org account takeover) and MFA gate in oauth2TokenExchange are solid. However, the frontend callback pattern in PasswordStep.tsx introduces a critical regression: setting handleExchange as the MFA success callback causes an infinite loop because oauthTokenExchange is fully stateless and always re-triggers MFA for MFA-enabled users. This breaks the primary OAuth login path for any user or organisation with MFA enabled, which is the scenario this PR is specifically trying to fix.
• frontend/src/pages/auth/LoginPage/components/PasswordStep/PasswordStep.tsx — the MFA success callback must be redesigned to avoid re-entering the exchange flow.

Important Files Changed

_{Reviews (1): Last reviewed commit: "fix: add better servicing" | Re-trigger Greptile}