sourcebot/packages/web/src/lib/authUtils.ts

import type { User as AuthJsUser } from "next-auth";
import { env } from "@/env.mjs";
import { prisma } from "@/prisma";
import { OrgRole } from "@sourcebot/db";
import { SINGLE_TENANT_ORG_DOMAIN, SINGLE_TENANT_ORG_ID } from "@/lib/constants";
import { hasEntitlement } from "@sourcebot/shared";
import { isServiceError } from "@/lib/utils";
import { ServiceErrorException } from "@/lib/serviceError";
import { createAccountRequest } from "@/actions";
import { handleJITProvisioning } from "@/ee/features/sso/sso";
import { createLogger } from "@sourcebot/logger";
import { getAuditService } from "@/ee/features/audit/factory";

const logger = createLogger('web-auth-utils');
const auditService = getAuditService();

export const onCreateUser = async ({ user }: { user: AuthJsUser }) => {
    if (!user.id) {
        logger.error("User ID is undefined on user creation");
        await auditService.createAudit({
            action: "user.creation_failed",
            actor: {
                id: "undefined",
                type: "user"
            },
            target: {
                id: "undefined",
                type: "user"
            },
            orgId: SINGLE_TENANT_ORG_ID, // TODO(mt)
            metadata: {
                message: "User ID is undefined on user creation"
            }
        });
        throw new Error("User ID is undefined on user creation");
    }

    // In single-tenant mode, we assign the first user to sign
    // up as the owner of the default org.
    if (env.SOURCEBOT_TENANCY_MODE === 'single') {
        const defaultOrg = await prisma.org.findUnique({
            where: {
                id: SINGLE_TENANT_ORG_ID,
            },
            include: {
                members: {
                    where: {
                        role: {
                            not: OrgRole.GUEST,
                        }
                    }
                },
            }
        });

        if (defaultOrg === null) {
            await auditService.createAudit({
                action: "user.creation_failed",
                actor: {
                    id: user.id,
                    type: "user"
                },
                target: {
                    id: user.id,
                    type: "user"
                },
                orgId: SINGLE_TENANT_ORG_ID,
                metadata: {
                    message: "Default org not found on single tenant user creation"
                }
            });
            throw new Error("Default org not found on single tenant user creation");
        }

        // Only the first user to sign up will be an owner of the default org.
        const isFirstUser = defaultOrg.members.length === 0;
        if (isFirstUser) {
            await prisma.$transaction(async (tx) => {
                await tx.org.update({
                    where: {
                        id: SINGLE_TENANT_ORG_ID,
                    },
                    data: {
                        members: {
                            create: {
                                role: OrgRole.OWNER,
                                user: {
                                    connect: {
                                        id: user.id,
                                    }
                                }
                            }
                        }
                    }
                });

                await tx.user.update({
                    where: {
                        id: user.id,
                    },
                    data: {
                        pendingApproval: false,
                    }
                });
            });

            await auditService.createAudit({
                action: "user.owner_created",
                actor: {
                    id: user.id,
                    type: "user"
                },
                orgId: SINGLE_TENANT_ORG_ID,
                target: {
                    id: SINGLE_TENANT_ORG_ID.toString(),
                    type: "org"
                }
            });
        } else {
            // TODO(auth): handle multi tenant case
            if (env.AUTH_EE_ENABLE_JIT_PROVISIONING === 'true' && hasEntitlement("sso")) {
                const res = await handleJITProvisioning(user.id, SINGLE_TENANT_ORG_DOMAIN);
                if (isServiceError(res)) {
                    logger.error(`Failed to provision user ${user.id} for org ${SINGLE_TENANT_ORG_DOMAIN}: ${res.message}`);
                    await auditService.createAudit({
                        action: "user.jit_provisioning_failed",
                        actor: {
                            id: user.id,
                            type: "user"
                        },
                        target: {
                            id: SINGLE_TENANT_ORG_ID.toString(),
                            type: "org"
                        },
                        orgId: SINGLE_TENANT_ORG_ID,
                        metadata: {
                            message: `Failed to provision user ${user.id} for org ${SINGLE_TENANT_ORG_DOMAIN}: ${res.message}`
                        }
                    });
                    throw new ServiceErrorException(res);
                }

                await auditService.createAudit({
                    action: "user.jit_provisioned",
                    actor: {
                        id: user.id,
                        type: "user"
                    },
                    target: {
                        id: SINGLE_TENANT_ORG_ID.toString(),
                        type: "org"
                    },
                    orgId: SINGLE_TENANT_ORG_ID,
                });
            } else {
                const res = await createAccountRequest(user.id, SINGLE_TENANT_ORG_DOMAIN);
                if (isServiceError(res)) {
                    logger.error(`Failed to provision user ${user.id} for org ${SINGLE_TENANT_ORG_DOMAIN}: ${res.message}`);
                    await auditService.createAudit({
                        action: "user.join_request_creation_failed",
                        actor: {
                            id: user.id,
                            type: "user"
                        },
                        target: {
                            id: SINGLE_TENANT_ORG_ID.toString(),
                            type: "org"
                        },
                        orgId: SINGLE_TENANT_ORG_ID,
                        metadata: {
                            message: res.message
                        }
                    });
                    throw new ServiceErrorException(res);
                }

                await auditService.createAudit({
                    action: "user.join_requested",
                    actor: {
                        id: user.id,
                        type: "user"
                    },
                    orgId: SINGLE_TENANT_ORG_ID,
                    target: {
                        id: SINGLE_TENANT_ORG_ID.toString(),
                        type: "org"
                    },
                });
            }
        }
    }
};
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`import type { User as AuthJsUser } from "next-auth";`
			`import { env } from "@/env.mjs";`
			`import { prisma } from "@/prisma";`
			`import { OrgRole } from "@sourcebot/db";`
			`import { SINGLE_TENANT_ORG_DOMAIN, SINGLE_TENANT_ORG_ID } from "@/lib/constants";`
fix(search-contexts): Fix issue where a repository would not appear in a search context if it was created after the search context was created (#354) ## Problem If a repository is added after a search context (e.g., a new repository is synced from the code host), then it will never be added to the context even if it should be included. The workaround is to restart the instance. ## Solution This PR adds a call to re-sync all search contexts whenever a connection is successfully synced. This PR adds the `@sourcebot/shared` package that contains `syncSearchContexts.ts` (previously in web) and it's dependencies (namely the entitlements system). ## Why another package? Because the `syncSearchContexts` call is now called from: 1. `initialize.ts` in web - handles syncing search contexts on startup and whenever the config is modified in watch mode. This is the same as before. 2. `connectionManager.ts` in backend - syncs the search contexts whenever a connection is successfully synced. ## Follow-up devex work Two things: 1. We have several very thin shared packages (i.e., `crypto`, `error`, and `logger`) that we can probably fold into this "general" shared package. `schemas` and `db` _feels_ like they should remain separate (mostly because they are "code-gen" packages). 2. When running `yarn dev`, any changes made to the shared package will only get picked if you `ctrl+c` and restart the instance. Would be nice if we have watch mode work across package dependencies in the monorepo. 2025-06-17 21:04:25 +00:00			`import { hasEntitlement } from "@sourcebot/shared";`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`import { isServiceError } from "@/lib/utils";`
			`import { ServiceErrorException } from "@/lib/serviceError";`
			`import { createAccountRequest } from "@/actions";`
feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00			`import { handleJITProvisioning } from "@/ee/features/sso/sso";`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`import { createLogger } from "@sourcebot/logger";`
feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00			`import { getAuditService } from "@/ee/features/audit/factory";`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00
			`const logger = createLogger('web-auth-utils');`
feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00			`const auditService = getAuditService();`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00
			`export const onCreateUser = async ({ user }: { user: AuthJsUser }) => {`
feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00			`if (!user.id) {`
			`logger.error("User ID is undefined on user creation");`
			`await auditService.createAudit({`
			`action: "user.creation_failed",`
			`actor: {`
			`id: "undefined",`
			`type: "user"`
			`},`
			`target: {`
			`id: "undefined",`
			`type: "user"`
			`},`
			`orgId: SINGLE_TENANT_ORG_ID, // TODO(mt)`
			`metadata: {`
			`message: "User ID is undefined on user creation"`
			`}`
			`});`
			`throw new Error("User ID is undefined on user creation");`
			`}`

Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`// In single-tenant mode, we assign the first user to sign`
			`// up as the owner of the default org.`
feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00			`if (env.SOURCEBOT_TENANCY_MODE === 'single') {`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`const defaultOrg = await prisma.org.findUnique({`
			`where: {`
			`id: SINGLE_TENANT_ORG_ID,`
			`},`
			`include: {`
			`members: {`
			`where: {`
			`role: {`
			`not: OrgRole.GUEST,`
			`}`
			`}`
			`},`
			`}`
			`});`

feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00			`if (defaultOrg === null) {`
			`await auditService.createAudit({`
			`action: "user.creation_failed",`
			`actor: {`
			`id: user.id,`
			`type: "user"`
			`},`
			`target: {`
			`id: user.id,`
			`type: "user"`
			`},`
			`orgId: SINGLE_TENANT_ORG_ID,`
			`metadata: {`
			`message: "Default org not found on single tenant user creation"`
			`}`
			`});`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`throw new Error("Default org not found on single tenant user creation");`
			`}`

			`// Only the first user to sign up will be an owner of the default org.`
			`const isFirstUser = defaultOrg.members.length === 0;`
			`if (isFirstUser) {`
			`await prisma.$transaction(async (tx) => {`
			`await tx.org.update({`
			`where: {`
			`id: SINGLE_TENANT_ORG_ID,`
			`},`
			`data: {`
			`members: {`
			`create: {`
			`role: OrgRole.OWNER,`
			`user: {`
			`connect: {`
			`id: user.id,`
			`}`
			`}`
			`}`
			`}`
			`}`
			`});`

			`await tx.user.update({`
			`where: {`
			`id: user.id,`
			`},`
			`data: {`
			`pendingApproval: false,`
			`}`
			`});`
			`});`
feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00
			`await auditService.createAudit({`
			`action: "user.owner_created",`
			`actor: {`
			`id: user.id,`
			`type: "user"`
			`},`
			`orgId: SINGLE_TENANT_ORG_ID,`
			`target: {`
			`id: SINGLE_TENANT_ORG_ID.toString(),`
			`type: "org"`
			`}`
			`});`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`} else {`
			`// TODO(auth): handle multi tenant case`
			`if (env.AUTH_EE_ENABLE_JIT_PROVISIONING === 'true' && hasEntitlement("sso")) {`
feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00			`const res = await handleJITProvisioning(user.id, SINGLE_TENANT_ORG_DOMAIN);`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`if (isServiceError(res)) {`
			logger.error(`Failed to provision user ${user.id} for org ${SINGLE_TENANT_ORG_DOMAIN}: ${res.message}`);
feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00			`await auditService.createAudit({`
			`action: "user.jit_provisioning_failed",`
			`actor: {`
			`id: user.id,`
			`type: "user"`
			`},`
			`target: {`
			`id: SINGLE_TENANT_ORG_ID.toString(),`
			`type: "org"`
			`},`
			`orgId: SINGLE_TENANT_ORG_ID,`
			`metadata: {`
			message: `Failed to provision user ${user.id} for org ${SINGLE_TENANT_ORG_DOMAIN}: ${res.message}`
			`}`
			`});`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`throw new ServiceErrorException(res);`
			`}`
feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00
			`await auditService.createAudit({`
			`action: "user.jit_provisioned",`
			`actor: {`
			`id: user.id,`
			`type: "user"`
			`},`
			`target: {`
			`id: SINGLE_TENANT_ORG_ID.toString(),`
			`type: "org"`
			`},`
			`orgId: SINGLE_TENANT_ORG_ID,`
			`});`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`} else {`
feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00			`const res = await createAccountRequest(user.id, SINGLE_TENANT_ORG_DOMAIN);`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`if (isServiceError(res)) {`
			logger.error(`Failed to provision user ${user.id} for org ${SINGLE_TENANT_ORG_DOMAIN}: ${res.message}`);
feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00			`await auditService.createAudit({`
			`action: "user.join_request_creation_failed",`
			`actor: {`
			`id: user.id,`
			`type: "user"`
			`},`
			`target: {`
			`id: SINGLE_TENANT_ORG_ID.toString(),`
			`type: "org"`
			`},`
			`orgId: SINGLE_TENANT_ORG_ID,`
			`metadata: {`
			`message: res.message`
			`}`
			`});`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`throw new ServiceErrorException(res);`
			`}`
feat(audit-logging): Adds audit logging support (#355) * add audit factory skeleton * add additional audit events * add more audit logs * delete account join request when redeeming an invite * add audit event for account request removed * wip api to fetch audits * add check for audit with public access and entitlement * fix issues with merge * add docs for audit logs * add proper audit log for audit fetch and proper handling of api key hash in audit * format nit * feedback 2025-06-18 17:50:36 +00:00
			`await auditService.createAudit({`
			`action: "user.join_requested",`
			`actor: {`
			`id: user.id,`
			`type: "user"`
			`},`
			`orgId: SINGLE_TENANT_ORG_ID,`
			`target: {`
			`id: SINGLE_TENANT_ORG_ID.toString(),`
			`type: "org"`
			`},`
			`});`
Add support for GCP IAP JIT account provisioning (#330) * initial gcp iap implementation * gcp iap working * add docs for gcp iap * feedback * changelog 2025-06-04 02:28:38 +00:00			`}`
			`}`
			`}`
			`};`