sourcebot/packages/web/src/ee/features/permissionSyncing/actions.ts

'use server';

import { sew } from "@/actions";
import { createLogger } from "@sourcebot/logger";
import { withAuthV2, withMinimumOrgRole } from "@/withAuthV2";
import { loadConfig } from "@sourcebot/shared";
import { env } from "@/env.mjs";
import { OrgRole } from "@sourcebot/db";
import { cookies } from "next/headers";
import { OPTIONAL_PROVIDERS_LINK_SKIPPED_COOKIE_NAME } from "@/lib/constants";
import { LinkedAccountProviderState } from "@/ee/features/permissionSyncing/types";
import { auth } from "@/auth";

const logger = createLogger('web-ee-permission-syncing-actions');

export const getLinkedAccountProviderStates = async () => sew(() =>
    withAuthV2(async ({ prisma, role, user }) =>
        withMinimumOrgRole(role, OrgRole.MEMBER, async () => {
            const config = await loadConfig(env.CONFIG_PATH);
            const linkedAccountProviderConfigs = config.identityProviders ?? [];
            const linkedAccounts = await prisma.account.findMany({
                where: {
                    userId: user.id,
                    provider: {
                        in: linkedAccountProviderConfigs.map(p => p.provider)
                    }
                },
                select: {
                    provider: true,
                    providerAccountId: true
                }
            });

            // Fetch the session to get token errors
            const session = await auth();
            const providerErrors = session?.linkedAccountProviderErrors;

            const linkedAccountProviderState: LinkedAccountProviderState[] = [];
            for (const linkedAccountProviderConfig of linkedAccountProviderConfigs) {
                if (linkedAccountProviderConfig.purpose === "account_linking") {
                    const linkedAccount = linkedAccounts.find(
                        account => account.provider === linkedAccountProviderConfig.provider
                    );

                    const isLinked = !!linkedAccount;
                    const isRequired = linkedAccountProviderConfig.accountLinkingRequired ?? false;
                    const providerError = linkedAccount ? providerErrors?.[linkedAccount.providerAccountId] : undefined;

                    linkedAccountProviderState.push({
                        id: linkedAccountProviderConfig.provider,
                        required: isRequired,
                        isLinked,
                        linkedAccountId: linkedAccount?.providerAccountId,
                        error: providerError
                    } as LinkedAccountProviderState);
                }
            }

            return linkedAccountProviderState;
        })
    )
);


export const unlinkLinkedAccountProvider = async (provider: string) => sew(() =>
    withAuthV2(async ({ prisma, role, user }) =>
        withMinimumOrgRole(role, OrgRole.MEMBER, async () => {
            const config = await loadConfig(env.CONFIG_PATH);
            const identityProviders = config.identityProviders ?? [];

            const providerConfig = identityProviders.find(idp => idp.provider === provider)
            if (!providerConfig || providerConfig.purpose !== "account_linking") {
                throw new Error("Provider is not a linked account provider");
            }

            // Delete the account
            const result = await prisma.account.deleteMany({
                where: {
                    provider,
                    userId: user.id,
                },
            });

            logger.info(`Unlinked account provider ${provider} for user ${user.id}. Deleted ${result.count} account(s).`);

            // If we're unlinking a required identity provider then we want to wipe the optional skip cookie if it exists so that we give the
            // user the option of linking optional providers in the same link accounts screen
            const isRequired = providerConfig.accountLinkingRequired ?? false;
            if (isRequired) {
                const cookieStore = await cookies();
                cookieStore.delete(OPTIONAL_PROVIDERS_LINK_SKIPPED_COOKIE_NAME);
            }

            return { success: true, count: result.count };
        })
    )
);

export const skipOptionalProvidersLink = async () => sew(async () => {
    const cookieStore = await cookies();
    cookieStore.set(OPTIONAL_PROVIDERS_LINK_SKIPPED_COOKIE_NAME, 'true', {
        httpOnly: false, // Allow client-side access
        maxAge: 365 * 24 * 60 * 60, // 1 year in seconds
    });
    return true;
});
add logic for account link onboarding 2025-11-03 00:11:48 +00:00			`'use server';`

			`import { sew } from "@/actions";`
			`import { createLogger } from "@sourcebot/logger";`
			`import { withAuthV2, withMinimumOrgRole } from "@/withAuthV2";`
			`import { loadConfig } from "@sourcebot/shared";`
			`import { env } from "@/env.mjs";`
			`import { OrgRole } from "@sourcebot/db";`
			`import { cookies } from "next/headers";`
			`import { OPTIONAL_PROVIDERS_LINK_SKIPPED_COOKIE_NAME } from "@/lib/constants";`
feedback 2025-11-05 03:55:25 +00:00			`import { LinkedAccountProviderState } from "@/ee/features/permissionSyncing/types";`
support multiple token refresh 2025-11-04 03:39:12 +00:00			`import { auth } from "@/auth";`
add logic for account link onboarding 2025-11-03 00:11:48 +00:00
			`const logger = createLogger('web-ee-permission-syncing-actions');`

feedback 2025-11-05 03:55:25 +00:00			`export const getLinkedAccountProviderStates = async () => sew(() =>`
add logic for account link onboarding 2025-11-03 00:11:48 +00:00			`withAuthV2(async ({ prisma, role, user }) =>`
			`withMinimumOrgRole(role, OrgRole.MEMBER, async () => {`
			`const config = await loadConfig(env.CONFIG_PATH);`
feedback 2025-11-05 03:55:25 +00:00			`const linkedAccountProviderConfigs = config.identityProviders ?? [];`
refactor ui 2025-11-04 01:21:04 +00:00			`const linkedAccounts = await prisma.account.findMany({`
			`where: {`
			`userId: user.id,`
			`provider: {`
feedback 2025-11-05 03:55:25 +00:00			`in: linkedAccountProviderConfigs.map(p => p.provider)`
add logic for account link onboarding 2025-11-03 00:11:48 +00:00			`}`
refactor ui 2025-11-04 01:21:04 +00:00			`},`
			`select: {`
			`provider: true,`
			`providerAccountId: true`
add logic for account link onboarding 2025-11-03 00:11:48 +00:00			`}`
refactor ui 2025-11-04 01:21:04 +00:00			`});`
add logic for account link onboarding 2025-11-03 00:11:48 +00:00
support multiple token refresh 2025-11-04 03:39:12 +00:00			`// Fetch the session to get token errors`
			`const session = await auth();`
feedback 2025-11-05 03:55:25 +00:00			`const providerErrors = session?.linkedAccountProviderErrors;`
support multiple token refresh 2025-11-04 03:39:12 +00:00
feedback 2025-11-05 03:55:25 +00:00			`const linkedAccountProviderState: LinkedAccountProviderState[] = [];`
			`for (const linkedAccountProviderConfig of linkedAccountProviderConfigs) {`
			`if (linkedAccountProviderConfig.purpose === "account_linking") {`
refactor ui 2025-11-04 01:21:04 +00:00			`const linkedAccount = linkedAccounts.find(`
feedback 2025-11-05 03:55:25 +00:00			`account => account.provider === linkedAccountProviderConfig.provider`
refactor ui 2025-11-04 01:21:04 +00:00			`);`

			`const isLinked = !!linkedAccount;`
feedback 2025-11-05 03:55:25 +00:00			`const isRequired = linkedAccountProviderConfig.accountLinkingRequired ?? false;`
			`const providerError = linkedAccount ? providerErrors?.[linkedAccount.providerAccountId] : undefined;`
support multiple token refresh 2025-11-04 03:39:12 +00:00
feedback 2025-11-05 03:55:25 +00:00			`linkedAccountProviderState.push({`
			`id: linkedAccountProviderConfig.provider,`
refactor ui 2025-11-04 01:21:04 +00:00			`required: isRequired,`
			`isLinked,`
support multiple token refresh 2025-11-04 03:39:12 +00:00			`linkedAccountId: linkedAccount?.providerAccountId,`
			`error: providerError`
feedback 2025-11-05 03:55:25 +00:00			`} as LinkedAccountProviderState);`
add logic for account link onboarding 2025-11-03 00:11:48 +00:00			`}`
			`}`

feedback 2025-11-05 03:55:25 +00:00			`return linkedAccountProviderState;`
add logic for account link onboarding 2025-11-03 00:11:48 +00:00			`})`
			`)`
			`);`

refactor ui 2025-11-04 01:21:04 +00:00
feedback 2025-11-05 03:55:25 +00:00			`export const unlinkLinkedAccountProvider = async (provider: string) => sew(() =>`
add logic for account link onboarding 2025-11-03 00:11:48 +00:00			`withAuthV2(async ({ prisma, role, user }) =>`
			`withMinimumOrgRole(role, OrgRole.MEMBER, async () => {`
			`const config = await loadConfig(env.CONFIG_PATH);`
			`const identityProviders = config.identityProviders ?? [];`

refactor ui 2025-11-04 01:21:04 +00:00			`const providerConfig = identityProviders.find(idp => idp.provider === provider)`
feedback 2025-11-05 03:55:25 +00:00			`if (!providerConfig \|\| providerConfig.purpose !== "account_linking") {`
			`throw new Error("Provider is not a linked account provider");`
add logic for account link onboarding 2025-11-03 00:11:48 +00:00			`}`

			`// Delete the account`
			`const result = await prisma.account.deleteMany({`
			`where: {`
			`provider,`
			`userId: user.id,`
			`},`
			`});`

feedback 2025-11-05 03:55:25 +00:00			logger.info(`Unlinked account provider ${provider} for user ${user.id}. Deleted ${result.count} account(s).`);
add logic for account link onboarding 2025-11-03 00:11:48 +00:00
refactor ui 2025-11-04 01:21:04 +00:00			`// If we're unlinking a required identity provider then we want to wipe the optional skip cookie if it exists so that we give the`
			`// user the option of linking optional providers in the same link accounts screen`
feedback 2025-11-05 03:55:25 +00:00			`const isRequired = providerConfig.accountLinkingRequired ?? false;`
refactor ui 2025-11-04 01:21:04 +00:00			`if (isRequired) {`
			`const cookieStore = await cookies();`
			`cookieStore.delete(OPTIONAL_PROVIDERS_LINK_SKIPPED_COOKIE_NAME);`
			`}`

add logic for account link onboarding 2025-11-03 00:11:48 +00:00			`return { success: true, count: result.count };`
			`})`
			`)`
			`);`

			`export const skipOptionalProvidersLink = async () => sew(async () => {`
			`const cookieStore = await cookies();`
			`cookieStore.set(OPTIONAL_PROVIDERS_LINK_SKIPPED_COOKIE_NAME, 'true', {`
			`httpOnly: false, // Allow client-side access`
			`maxAge: 365 * 24 * 60 * 60, // 1 year in seconds`
			`});`
			`return true;`
wip refresh oauth tokens 2025-11-04 02:27:13 +00:00			`});`