refactor: centralize org member additions via membership package

cmd/serve.go

@@ -432,6 +432,9 @@ func buildAPIDependencies(
 		authnService, policyService, preferenceService, auditRecordRepository, roleService)
 
 	membershipService := membership.NewService(logger, policyService, relationService, roleService, organizationService, userService, auditRecordRepository)
+	// Setter injection: org → membership is circular (membership needs org for validation,
+	// org needs membership for Create/AdminCreate). Break the cycle with a post-init setter.
+	organizationService.SetMembershipService(membershipService)
 
 	orgKycRepository := postgres.NewOrgKycRepository(dbc)
 	orgKycService := kyc.NewService(orgKycRepository)
@@ -467,7 +470,7 @@ func buildAPIDependencies(
 	userProjectsService := userprojects.NewService(userProjectsRepository)
 
 	domainRepository := postgres.NewDomainRepository(logger, dbc)
-	domainService := domain.NewService(logger, domainRepository, userService, organizationService)
+	domainService := domain.NewService(logger, domainRepository, userService, organizationService, membershipService)
 
 	metaschemaRepository := postgres.NewMetaSchemaRepository(logger, dbc)
 	metaschemaService := metaschema.NewService(metaschemaRepository)
@@ -495,8 +498,8 @@ func buildAPIDependencies(
 	)
 
 	invitationService := invitation.NewService(mailDialer, postgres.NewInvitationRepository(logger, dbc),
-		organizationService, groupService, userService, relationService, policyService, preferenceService,
-		auditRecordRepository)
+		organizationService, groupService, userService, relationService, preferenceService,
+		auditRecordRepository, membershipService)
 
 	if GetStripeClientFunc == nil {
 		// allow to override the stripe client creation function in tests

core/domain/service.go

@@ -4,11 +4,13 @@ import (
 	"context"
 	"crypto/rand"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"net"
 	"strings"
 	"time"
 
+	"github.com/raystack/frontier/core/membership"
 	"github.com/raystack/frontier/core/organization"
 	"github.com/raystack/frontier/pkg/utils"
 
@@ -25,17 +27,21 @@ type UserService interface {
 }
 
 type OrgService interface {
-	ListByUser(ctx context.Context, principal authenticate.Principal, filter organization.Filter) ([]organization.Organization, error)
-	AddMember(ctx context.Context, orgID, relationName string, principal authenticate.Principal) error
 	Get(ctx context.Context, id string) (organization.Organization, error)
+	ListByUser(ctx context.Context, principal authenticate.Principal, filter organization.Filter) ([]organization.Organization, error)
+}
+
+type MembershipService interface {
+	AddOrganizationMember(ctx context.Context, orgID, principalID, principalType, roleID string) error
 }
 
 type Service struct {
-	repository  Repository
-	userService UserService
-	orgService  OrgService
-	cron        *cron.Cron
-	log         log.Logger
+	repository        Repository
+	userService       UserService
+	orgService        OrgService
+	membershipService MembershipService
+	cron              *cron.Cron
+	log               log.Logger
 }
 
 const (
@@ -45,13 +51,14 @@ const (
 	refreshTime        = "0 0 * * *"        // Once a day at midnight (UTC)
 )
 
-func NewService(logger log.Logger, repository Repository, userService UserService, orgService OrgService) *Service {
+func NewService(logger log.Logger, repository Repository, userService UserService, orgService OrgService, membershipService MembershipService) *Service {
 	return &Service{
-		repository:  repository,
-		userService: userService,
-		orgService:  orgService,
-		cron:        cron.New(),
-		log:         logger,
+		repository:        repository,
+		userService:       userService,
+		orgService:        orgService,
+		membershipService: membershipService,
+		cron:              cron.New(),
+		log:               logger,
 	}
 }
 
@@ -133,21 +140,6 @@ func (s Service) Join(ctx context.Context, orgID string, userId string) error {
 		return err
 	}
 
-	// check if user is already a member of the organization. if yes, do nothing and return nil
-	userOrgs, err := s.orgService.ListByUser(ctx, authenticate.Principal{
-		ID:   currUser.ID,
-		Type: schema.UserPrincipal,
-	}, organization.Filter{})
-	if err != nil {
-		return err
-	}
-
-	for _, org := range userOrgs {
-		if org.ID == orgResp.ID {
-			return nil
-		}
-	}
-
 	userDomain := utils.ExtractDomainFromEmail(currUser.Email)
 	if userDomain == "" {
 		return user.ErrInvalidEmail
@@ -164,10 +156,10 @@ func (s Service) Join(ctx context.Context, orgID string, userId string) error {
 
 	for _, dmn := range orgTrustedDomains {
 		if userDomain == dmn.Name {
-			if err = s.orgService.AddMember(ctx, orgResp.ID, schema.MemberRelationName, authenticate.Principal{
-				ID:   currUser.ID,
-				Type: schema.UserPrincipal,
-			}); err != nil {
+			// AddOrganizationMember checks if user is already a member and
+			// returns ErrAlreadyMember — treat that as success (nothing to do)
+			err = s.membershipService.AddOrganizationMember(ctx, orgResp.ID, currUser.ID, schema.UserPrincipal, schema.RoleOrganizationViewer)
+			if err != nil && !errors.Is(err, membership.ErrAlreadyMember) {
 				return err
 			}
 			return nil