From 5805ba087e777befca6f8d35d244b6ed82cfdf45 Mon Sep 17 00:00:00 2001
From: Mark Wylde <markwylde@users.noreply.github.com>
Date: Tue, 10 Mar 2026 18:27:50 +0000
Subject: [PATCH] fix(api): preserve otp enforcement during force_otp migration

---
 packages/api/drizzle/0015_org_force_otp.sql | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/packages/api/drizzle/0015_org_force_otp.sql b/packages/api/drizzle/0015_org_force_otp.sql
index 0e44ef5..718938d 100644
--- a/packages/api/drizzle/0015_org_force_otp.sql
+++ b/packages/api/drizzle/0015_org_force_otp.sql
@@ -1,6 +1,16 @@
 ALTER TABLE "organizations"
 ADD COLUMN IF NOT EXISTS "force_otp" boolean NOT NULL DEFAULT false;
 --> statement-breakpoint
+UPDATE "organizations" o
+SET "force_otp" = true
+WHERE EXISTS (
+  SELECT 1
+  FROM "organization_members" om
+  INNER JOIN "organization_member_roles" omr ON omr."organization_member_id" = om."id"
+  INNER JOIN "roles" r ON r."id" = omr."role_id"
+  WHERE om."organization_id" = o."id" AND r."key" = 'otp_required'
+);
+--> statement-breakpoint
 DELETE FROM "organization_member_roles" omr
 USING "roles" r
 WHERE omr."role_id" = r."id" AND r."key" = 'otp_required';