
fix: validate orgSlug before OIDC database query to prevent undefined binding error#5318

Open
devin-ai-integration[bot] wants to merge 1 commit intomainfrom
devin/1769730263-fix-oidc-undefined-slug

Conversation

@devin-ai-integration
Contributor

Context

Fixes a database error that occurs when the OIDC callback is invoked with an expired or invalid session. When the session data is missing, oidcOrgSlug is undefined, which was being passed directly to the database query causing:

Error: Undefined binding(s) detected when compiling FIRST. Undefined column(s): [slug] 
query: select * from "organizations" where "slug" = ? limit ?

This PR adds validation in both the router and service layer to check for undefined orgSlug before executing the database query, providing a clear error message instead of a cryptic database error.

Before: Users see a confusing database error when their OIDC session expires
After: Users see "OIDC session expired or invalid. Please try logging in again."

Steps to verify the change

  1. Configure OIDC SSO for an organization
  2. Start the OIDC login flow (/api/v1/sso/oidc/login?orgSlug=...)
  3. Wait for the session to expire (or manually clear Redis session data)
  4. Complete the IDP authentication and return to the callback
  5. Verify you see the user-friendly error message instead of a database error

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist


Link to Devin run: https://app.devin.ai/sessions/049a65b5187142259841898a8cd0375d
Requested by: @maidul98

… binding error

When the OIDC callback is invoked with an expired or invalid session,
the orgSlug retrieved from the session is undefined. This was causing
a database error: 'Undefined binding(s) detected when compiling FIRST.
Undefined column(s): [slug]'

This fix adds validation in both the router and service layer:
1. Router: Check if oidcOrgSlug is defined before calling getOrgAuthStrategy
2. Service: Defensive check for orgSlug parameter

Now users will see a clear error message asking them to try logging in
again instead of a cryptic database error.

Co-Authored-By: maidul@infisical.com <maidul98@gmail.com>
@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@maidul98
Collaborator

Snyk checks have passed. No issues have been found so far.

Status  Scanner               Critical  High  Medium  Low  Total (0)
Passed  Open Source Security  0         0     0       0    0 issues


@greptile-apps
Contributor

greptile-apps bot commented Jan 29, 2026

Greptile Overview

Greptile Summary

This PR fixes a database error that occurred when OIDC callback was invoked with an expired or invalid session. The fix adds validation in both the router and service layer to check for undefined orgSlug before executing database queries.

Key Changes:

  • Added validation in oidc-router.ts callback route to check if oidcOrgSlug exists in session before proceeding
  • Added defensive validation in oidc-config-service.ts getOrgAuthStrategy function to prevent undefined orgSlug from reaching the database query
  • Provides clear error message "OIDC session expired or invalid. Please try logging in again." instead of cryptic database error

Impact:

  • Improves user experience by providing actionable error messages when sessions expire
  • Prevents database errors from undefined bindings
  • Follows defense-in-depth pattern with validation at both router and service layers

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - it adds defensive validation to prevent database errors
  • The fix properly handles an edge case where session data is missing, adds validation at appropriate layers (router and service), uses appropriate error types, and follows best practices for defensive programming. No breaking changes or security concerns introduced.
  • No files require special attention

Important Files Changed

Filename                                             Overview
backend/src/ee/routes/v1/oidc-router.ts              Added validation to check for undefined oidcOrgSlug in callback route before passing to service layer
backend/src/ee/services/oidc/oidc-config-service.ts  Added defensive validation in getOrgAuthStrategy to prevent undefined orgSlug from reaching database query
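The following is an added example, not code from this PR or from the Infisical repository. It models the callback path that the PR description and the Greptile summary above both describe: the unfixed flow, in which an undefined session value is passed straight into a parameterised query, beside the validated flow with checks at the router and service layers. The organizations table, the `findOrgBySlug` stand-in for a Knex-style query builder, the `HttpError` class, and the `oidcCallback`/`oidcCallbackUnfixed` functions are all constructed for this example; only the error strings are taken from the page.

```typescript
// Added example (not Infisical's code): a self-contained model of the OIDC
// callback path, with the unfixed flow beside the validated one.

// Constructed stand-in for the organizations table.
type OrgRow = { id: string; slug: string };
const ORG_TABLE: OrgRow[] = [{ id: "org-1", slug: "acme" }];

// Constructed stand-in for a Knex-style parameterised lookup. Knex refuses to
// compile a query whose binding is undefined, so an expired session surfaces
// as the cryptic error quoted in the PR rather than as a clean "not found".
function findOrgBySlug(slug: string | undefined): OrgRow | undefined {
  if (slug === undefined) {
    throw new Error(
      "Undefined binding(s) detected when compiling FIRST. Undefined column(s): [slug] " +
        'query: select * from "organizations" where "slug" = ? limit ?'
    );
  }
  return ORG_TABLE.find((row) => row.slug === slug);
}

// Error carrying an HTTP status so the router can map it to a response without
// relying on instanceof (unreliable for Error subclasses under some TS targets).
class HttpError extends Error {
  readonly statusCode: number;
  constructor(statusCode: number, message: string) {
    super(message);
    this.name = "HttpError";
    this.statusCode = statusCode;
  }
}

function isHttpError(err: unknown): err is HttpError {
  return typeof err === "object" && err !== null && "statusCode" in err;
}

const OIDC_SESSION_ERROR = "OIDC session expired or invalid. Please try logging in again.";

// Service layer: the defensive check before the query runs. `!orgSlug` also
// rejects the empty string, which would otherwise reach the database as a
// legitimate-looking but useless binding.
function getOrgAuthStrategy(orgSlug: string | undefined): OrgRow {
  if (!orgSlug) throw new HttpError(401, OIDC_SESSION_ERROR);
  const org = findOrgBySlug(orgSlug);
  if (!org) throw new HttpError(404, `Organization with slug "${orgSlug}" not found`);
  return org;
}

// Session shape as the router sees it after the session-store lookup: absent
// entirely when expired, or present without the slug if it was never set.
type OidcSession = { oidcOrgSlug?: string } | null;
type CallbackResponse = { status: number; message: string };

// Router layer, fixed: validate the session value before calling the service.
function oidcCallback(session: OidcSession): CallbackResponse {
  const oidcOrgSlug = session?.oidcOrgSlug;
  if (!oidcOrgSlug) return { status: 401, message: OIDC_SESSION_ERROR };
  try {
    const org = getOrgAuthStrategy(oidcOrgSlug);
    return { status: 200, message: `OIDC callback accepted for ${org.slug}` };
  } catch (err) {
    if (isHttpError(err)) return { status: err.statusCode, message: err.message };
    return { status: 500, message: "Internal server error" };
  }
}

// Router layer, before the fix: the session value is passed straight through,
// so an expired session becomes a 500 carrying the raw query-builder error.
function oidcCallbackUnfixed(session: OidcSession): CallbackResponse {
  try {
    const org = findOrgBySlug(session?.oidcOrgSlug);
    if (!org) return { status: 404, message: "Organization not found" };
    return { status: 200, message: `OIDC callback accepted for ${org.slug}` };
  } catch (err) {
    return { status: 500, message: (err as Error).message };
  }
}
```

Keeping the check in the service as well as the router means any future caller of `getOrgAuthStrategy` (another route, a job, a CLI) gets the same clear 401 instead of the query-builder error, which is the defense-in-depth point the review makes; the 500 branch in the fixed router also stops unexpected internal errors from leaking their raw message to the user.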
