Feature/sso 05 docs #1381
Conversation
Consolidates 12 incremental SSO migrations (20251224022658 through 20260106000000) into a single comprehensive migration.

Schema includes:
- Tables: org_saml_connections, saml_domain_mappings, sso_audit_logs
- Functions: check_org_sso_configured, lookup_sso_provider_*, auto_join_*
- Triggers: auto_join_sso_user_trigger, check_sso_domain_on_signup_trigger
- RLS policies for all tables
- Indexes for performance
- Single SSO per org constraint (UNIQUE org_id, entity_id)
- auto_join_enabled flag for controlling enrollment

This is PR #1 of the SSO feature split (schema foundation only). No backend endpoints, no frontend, no tests included yet.

Related: feature/sso-saml-authentication
📝 Walkthrough
Introduces comprehensive SSO documentation and operational tooling for Okta SAML integration. Adds setup guides, production deployment procedures, mock testing workflows, and helper scripts for managing SAML-enabled authentication containers and verifying route registrations.
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @restart-auth-with-saml-v2.sh:
- Line 28: Add a clear DEVELOPMENT-ONLY banner and shebang at the top (e.g.,
"#!/bin/bash" and a prominent warning comment) and replace the hardcoded
GOTRUE_DB_DATABASE_URL and GOTRUE_JWT_SECRET values by sourcing them from
environment variables with safe development-only fallbacks; specifically, change
the inline literal
"GOTRUE_DB_DATABASE_URL=postgresql://supabase_auth_admin:postgres@..." and the
placeholder JWT secret to use "${GOTRUE_DB_DATABASE_URL:-<dev-default>}" and
"${GOTRUE_JWT_SECRET:-<dev-default>}" patterns, and ensure you include "set -e"
to fail fast—document that the defaults are for local/dev only and must not be
used in production.
- Around line 8-14: The temp base64 files /tmp/saml-key-b64.txt and
/tmp/saml-cert-b64.txt leak sensitive keys; remove them by either avoiding
intermediate files (populate SAML_KEY_B64 and SAML_CERT_B64 directly via command
substitution from /tmp/saml-key-pkcs1.pem and /tmp/saml-cert.pem) or, if you
must keep the files, register a cleanup trap (e.g., trap on EXIT) to rm -f those
two temp files; update the script around the SAML_KEY_B64 and SAML_CERT_B64
assignments to implement one of these fixes and ensure no temporary base64 files
persist after the script exits.
🧹 Nitpick comments (8)
docs/MOCK_SSO_TESTING.md (1)
47-47: Consider adding blank lines around tables for markdown compliance. Static analysis flagged missing blank lines around tables. While this doesn't affect functionality, adding blank lines improves markdown portability across different renderers.
📝 Proposed markdown formatting fix
For line 47 (before the table in Test Scenarios):
```diff
 ### Test 1: First-Time SSO User
+
 Email: [email protected]
```
Similar adjustments for line 98 and other table locations.
Also applies to: 98-98
docs/sso-production.md (1)
520-522: Consider formatting bare URLs as markdown links. Bare URLs in the Common Resources section could be formatted as proper markdown links for better portability.
📝 Proposed formatting
```diff
-- **Capgo Dashboard**: https://capgo.app
-- **Support Email**: [email protected]
-- **Status Page**: https://status.capgo.app
+- **Capgo Dashboard**: [https://capgo.app](https://capgo.app)
+- **Support Email**: [[email protected]](mailto:[email protected])
+- **Status Page**: [https://status.capgo.app](https://status.capgo.app)
```
verify-sso-routes.sh (1)
1-17: Consider adding error handling and output validation. The script could be more robust by:
- Checking if target files exist before grepping
- Validating that all expected routes were found
- Exiting with appropriate status codes for CI/CD integration
♻️ Enhanced version with error handling
```diff
 #!/bin/bash
+set -e
+
 # Verify SSO routes are correctly registered
+EXIT_CODE=0
+
+check_routes() {
+  local file=$1
+  local label=$2
+
+  echo "Checking $label routes..."
+  if [ ! -f "$file" ]; then
+    echo "ERROR: File not found: $file"
+    EXIT_CODE=1
+    return
+  fi
+
+  grep -n "route('/sso/" "$file" || {
+    echo "WARNING: No SSO routes found in $file"
+    EXIT_CODE=1
+  }
+  echo ""
+}

-echo "Checking Supabase function routes..."
-grep -n "route('/sso/" supabase/functions/private/index.ts
-
-echo ""
-echo "Checking Cloudflare worker routes..."
-grep -n "route('/sso/" cloudflare_workers/api/index.ts
+check_routes "supabase/functions/private/index.ts" "Supabase function"
+check_routes "cloudflare_workers/api/index.ts" "Cloudflare worker"

-echo ""
 echo "Expected routes:"
 echo "  /private/sso/configure (POST)"
 echo "  /private/sso/update (PUT)"
 echo "  /private/sso/remove (DELETE)"
 echo "  /private/sso/status (GET)"
 echo "  /private/sso/test (POST)"
+
+exit $EXIT_CODE
```
docs/sso-setup.md (2)
93-93: Consider hyphenating "Sign on URL" for consistency. Static analysis suggests using "Sign-on URL" (with hyphen) for grammatical consistency, as this is a compound modifier.
```diff
-- **Sign on URL**: `https://capgo.app/login`
+- **Sign-on URL**: `https://capgo.app/login`
```
520-522: Consider formatting bare URLs as markdown links. Same formatting suggestion as in sso-production.md for better markdown portability.
📝 Proposed formatting
```diff
-- **Capgo Dashboard**: https://capgo.app
-- **Support Email**: [email protected]
-- **Status Page**: https://status.capgo.app
+- **Capgo Dashboard**: [https://capgo.app](https://capgo.app)
+- **Support Email**: [[email protected]](mailto:[email protected])
+- **Status Page**: [https://status.capgo.app](https://status.capgo.app)
```
restart-auth-with-saml.sh (1)
9-10: Consider validating source file existence before encoding. The script assumes SAML key files exist in `/tmp` before base64 encoding. Adding validation would provide clearer error messages if files are missing.
♻️ Add file existence checks
```diff
+# Validate SAML key files exist
+if [ ! -f /tmp/saml-key-pkcs1.pem ]; then
+  echo "ERROR: /tmp/saml-key-pkcs1.pem not found"
+  echo "Generate SAML keys first: openssl genrsa -out /tmp/saml-key-pkcs1.pem 2048"
+  exit 1
+fi
+
+if [ ! -f /tmp/saml-cert.pem ]; then
+  echo "ERROR: /tmp/saml-cert.pem not found"
+  echo "Generate certificate first: openssl req -new -x509 -key /tmp/saml-key-pkcs1.pem -out /tmp/saml-cert.pem -days 365"
+  exit 1
+fi
+
 # Create base64 encoded keys in files (single line)
 cat /tmp/saml-key-pkcs1.pem | base64 | tr -d '\n' > /tmp/saml-key-b64.txt
 cat /tmp/saml-cert.pem | base64 | tr -d '\n' > /tmp/saml-cert-b64.txt
```
restart-auth-with-saml-v2.sh (2)
1-6: Consider validating required files before proceeding. The cleanup logic is sound, but the script assumes SAML PEM files exist in `/tmp`. Consider adding validation before processing:
```bash
# Validate required files exist
for file in /tmp/saml-key-pkcs1.pem /tmp/saml-cert.pem; do
  if [[ ! -f "$file" ]]; then
    echo "❌ Required file not found: $file"
    exit 1
  fi
done
```
This will provide clearer error messages if prerequisites are missing.
91-97: Use more robust container verification. The `grep` approach can match partial container names. Use Docker's native filtering for more precise verification:
♻️ Proposed refactor
```diff
-if docker ps | grep -q supabase_auth_capgo-app; then
+if docker ps --filter "name=^/supabase_auth_capgo-app$" --format '{{.Names}}' | grep -q .; then
   echo "✅ Auth container running with SAML enabled!"
   docker logs supabase_auth_capgo-app 2>&1 | tail -5
 else
   echo "❌ Auth container failed to start"
   docker logs supabase_auth_capgo-app 2>&1 | tail -10
   exit 1
 fi
```
Alternatively, use `docker inspect`:
```bash
if docker inspect supabase_auth_capgo-app --format '{{.State.Running}}' 2>/dev/null | grep -q true; then
```
📜 Review details
Configuration used: defaults
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (8)
- docs/MOCK_SSO_TESTING.md
- docs/sso-production.md
- docs/sso-setup.md
- restart-auth-with-saml-v2.sh
- restart-auth-with-saml.sh
- src/types/supabase.types.ts
- supabase/functions/_backend/utils/supabase.types.ts
- verify-sso-routes.sh
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-12-23T02:53:12.055Z
Learnt from: CR
Repo: Cap-go/capgo PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-12-23T02:53:12.055Z
Learning: Test accounts available after `supabase db reset`: `testcapgo.app` / `testtest` (demo user) and `admincapgo.app` / `adminadmin` (admin user)
Applied to files:
docs/sso-setup.md
📚 Learning: 2025-12-27T03:51:23.575Z
Learnt from: CR
Repo: Cap-go/capgo PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-27T03:51:23.575Z
Learning: Investigate failing Supabase tests by reviewing Docker container logs and relevant service logs before retrying
Applied to files:
restart-auth-with-saml-v2.sh
📚 Learning: 2025-12-23T02:53:12.055Z
Learnt from: CR
Repo: Cap-go/capgo PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-12-23T02:53:12.055Z
Learning: Applies to supabase/functions/_backend/**/*.{ts,js} : Backend code must be placed in `supabase/functions/_backend/` as shared code deployed to Cloudflare Workers (API/Plugin/Files workers), Supabase Edge Functions, and other platforms
Applied to files:
verify-sso-routes.sh
🪛 Gitleaks (8.30.0)
docs/sso-production.md
[high] 24-24: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
(generic-api-key)
[high] 27-27: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
(generic-api-key)
🪛 LanguageTool
docs/sso-setup.md
[grammar] ~93-~93: Use a hyphen to join words.
Context: ...pabase.co/auth/v1/sso/saml/acs- **Sign on URL**:https://capgo.app/login` ###...
(QB_NEW_EN_HYPHEN)
🪛 markdownlint-cli2 (0.18.1)
docs/sso-setup.md
47-47: Tables should be surrounded by blank lines
(MD058, blanks-around-tables)
98-98: Tables should be surrounded by blank lines
(MD058, blanks-around-tables)
520-520: Bare URL used
(MD034, no-bare-urls)
521-521: Bare URL used
(MD034, no-bare-urls)
522-522: Bare URL used
(MD034, no-bare-urls)
docs/MOCK_SSO_TESTING.md
47-47: Tables should be surrounded by blank lines
(MD058, blanks-around-tables)
98-98: Tables should be surrounded by blank lines
(MD058, blanks-around-tables)
docs/sso-production.md
47-47: Tables should be surrounded by blank lines
(MD058, blanks-around-tables)
98-98: Tables should be surrounded by blank lines
(MD058, blanks-around-tables)
520-520: Bare URL used
(MD034, no-bare-urls)
521-521: Bare URL used
(MD034, no-bare-urls)
522-522: Bare URL used
(MD034, no-bare-urls)
🔇 Additional comments (8)
docs/MOCK_SSO_TESTING.md (1)
1-210: LGTM! Comprehensive mock SSO testing guide. The documentation provides excellent coverage of the mock SSO testing workflow, including prerequisites, step-by-step testing procedures, multiple test scenarios, debugging guidance, and a clear comparison between production and mock flows. The structure is logical and the content is thorough.
docs/sso-production.md (2)
1-574: LGTM! Excellent production deployment guide. This is a comprehensive and well-structured production deployment guide covering all critical aspects: prerequisites, security configuration, monitoring, disaster recovery, cost management, compliance, and rollback procedures. The inclusion of concrete examples, SQL queries, and checklists makes this highly actionable.
24-24: Note: Example JWT tokens are appropriate for documentation. Static analysis flagged these as potential secrets, but they are clearly example/placeholder values for documentation purposes (the "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." pattern is a standard JWT header). This is the correct way to document environment variable configuration.
Also applies to: 27-27
docs/sso-setup.md (1)
1-534: LGTM! Comprehensive and well-organized SSO setup guide. This documentation provides excellent coverage of SSO setup across multiple identity providers (Okta, Azure AD, Google Workspace), domain management, security best practices, troubleshooting, monitoring, and API reference. The step-by-step instructions with specific configuration details make this highly valuable for implementation.
restart-auth-with-saml.sh (1)
1-83: LGTM! Well-structured local development script. This script effectively restarts the authentication container with SAML enabled for local testing. The use of `set -e` for error handling, graceful cleanup of existing containers, and comprehensive environment configuration is appropriate for a development utility. The hardcoded secrets (JWT token, database credentials) are appropriate for local development and align with Supabase's local development defaults.
verify-sso-routes.sh (1)
5-9: The target file paths are valid, but the script searches for non-existent SSO routes. Both `supabase/functions/private/index.ts` and `cloudflare_workers/api/index.ts` exist and correctly follow the project's architecture by importing from `supabase/functions/_backend/`. However, the SSO routes listed in the expected routes (e.g., `/private/sso/configure`, `/private/sso/update`, `/private/sso/remove`, `/private/sso/status`, `/private/sso/test`) are not currently implemented in the codebase. This script will always return no matches unless these routes are added to the backend code.
restart-auth-with-saml-v2.sh (2)
86-86: The pinned version v2.184.0 is actually newer than the latest documented GoTRUE release (v2.182.1 as of Nov 5, 2025), and no known security vulnerabilities or CVEs were found for this version. SAML 2.0 support is confirmed in GoTRUE. The version choice appears sound unless this is a pre-release build; verify the release channel with the team if needed.
Likely an incorrect or invalid review comment.
81-83: GoTRUE doesn't support file-based SAML key configuration; remove the suggested alternative. GoTRUE only accepts base64-encoded SAML keys via `GOTRUE_SAML_PRIVATE_KEY` and `GOTRUE_SAML_SIGNING_CERT` environment variables—the `_FILE` suffix pattern is not supported. Since this is a local development/testing script, using environment variables with base64-encoded keys is the correct and documented approach. For production deployments, use Docker secrets or Kubernetes secrets management to securely populate these environment variables rather than file-based paths.
Likely an incorrect or invalid review comment.
| # Create base64 single-line encoded keys | ||
| cat /tmp/saml-key-pkcs1.pem | base64 | tr -d '\n' > /tmp/saml-key-b64.txt | ||
| cat /tmp/saml-cert.pem | base64 | tr -d '\n' > /tmp/saml-cert-b64.txt | ||
|
|
||
| # Read into variables | ||
| SAML_KEY_B64=$(cat /tmp/saml-key-b64.txt) | ||
| SAML_CERT_B64=$(cat /tmp/saml-cert-b64.txt) |
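Review bot: the two redirects into /tmp/saml-key-b64.txt and /tmp/saml-cert-b64.txt (second and third lines of the hunk) create those files with the caller's default umask, so a base64 copy of the SAML private key is normally world-readable in a shared /tmp for as long as the files exist, independent of the missing cleanup already raised. The simplest fix is to drop the intermediate files and fill the variables directly, e.g. `SAML_KEY_B64=$(base64 < /tmp/saml-key-pkcs1.pem | tr -d '\n')`; if the files must stay, run `umask 077` before writing them and pair that with the EXIT trap.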
🛠️ Refactor suggestion | 🟠 Major
Clean up temporary base64 files.
The temporary files /tmp/saml-key-b64.txt and /tmp/saml-cert-b64.txt containing sensitive SAML credentials are never removed, creating a security exposure.
♻️ Proposed refactor to eliminate intermediate files
```diff
-# Create base64 single-line encoded keys
-cat /tmp/saml-key-pkcs1.pem | base64 | tr -d '\n' > /tmp/saml-key-b64.txt
-cat /tmp/saml-cert.pem | base64 | tr -d '\n' > /tmp/saml-cert-b64.txt
-
-# Read into variables
-SAML_KEY_B64=$(cat /tmp/saml-key-b64.txt)
-SAML_CERT_B64=$(cat /tmp/saml-cert-b64.txt)
+# Create base64 single-line encoded keys directly
+SAML_KEY_B64=$(cat /tmp/saml-key-pkcs1.pem | base64 | tr -d '\n')
+SAML_CERT_B64=$(cat /tmp/saml-cert.pem | base64 | tr -d '\n')
```
Alternatively, if you retain the intermediate files, add cleanup:
```bash
trap 'rm -f /tmp/saml-key-b64.txt /tmp/saml-cert-b64.txt' EXIT
```
| -e GOTRUE_API_HOST=0.0.0.0 \ | ||
| -e GOTRUE_API_PORT=9999 \ | ||
| -e GOTRUE_DB_DRIVER=postgres \ | ||
| -e "GOTRUE_DB_DATABASE_URL=postgresql://supabase_auth_admin:postgres@supabase_db_capgo-app:5432/postgres" \ |
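Review bot: the last line of the hunk passes the database password inline on the `docker run` command line (`-e "GOTRUE_DB_DATABASE_URL=postgresql://supabase_auth_admin:postgres@..."`), which exposes it to every local user via `ps`/`/proc` while the command runs and records it in shell history. Prefer `--env-file` pointing at a mode-0600 file, or `-e GOTRUE_DB_DATABASE_URL` with no value so Docker copies it from the caller's environment; either way the value should come from the environment with a dev-only fallback, as the main comment asks. Note that `docker inspect` will still show the value whichever form is used, so this does not replace the dev-only banner.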
Hardcoded credentials present a security risk.
The script contains hardcoded database credentials (supabase_auth_admin:postgres) and a placeholder JWT secret. While the localhost URLs suggest this is for development/testing, these credentials should be:
- Clearly documented as development-only in comments
- Sourced from environment variables or a secure configuration file for any non-local use
- Never used in production environments
Consider adding a prominent comment at the top of the script:
```bash
#!/bin/bash
# ⚠️ DEVELOPMENT/TESTING ONLY - Contains hardcoded credentials
# DO NOT use in production environments
set -e
```
Also applies to: 36-36
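As an added reference that is not part of the PR (written here, not the project's restart-auth-with-saml-v2.sh), the following bash helper folds the review points above into one script: dev-only defaults taken from the environment, PEM validation, base64 via command substitution so no key copy lands in /tmp, secrets passed through a 0600 --env-file instead of `-e VAR=value`, and an exact-name running check. The image tag, network name and `run` argument convention are assumptions; container and variable names follow the review comments.

```bash
#!/usr/bin/env bash
# DEVELOPMENT/TESTING ONLY: the fallback values below are local-dev defaults.
# Added example (not the PR's script); image/network names are assumptions.
set -euo pipefail

AUTH_CONTAINER="${AUTH_CONTAINER:-supabase_auth_capgo-app}"
AUTH_IMAGE="${AUTH_IMAGE:-supabase/gotrue:v2.184.0}"           # version pinned in the PR
DOCKER_NETWORK="${DOCKER_NETWORK:-supabase_network_capgo-app}" # assumed network name
SAML_KEY_FILE="${SAML_KEY_FILE:-/tmp/saml-key-pkcs1.pem}"
SAML_CERT_FILE="${SAML_CERT_FILE:-/tmp/saml-cert.pem}"
# Dev-only fallbacks; anything that is not local must set these in the environment.
GOTRUE_DB_DATABASE_URL="${GOTRUE_DB_DATABASE_URL:-postgresql://supabase_auth_admin:postgres@supabase_db_capgo-app:5432/postgres}"
GOTRUE_JWT_SECRET="${GOTRUE_JWT_SECRET:-dev-only-placeholder-jwt-secret-change-me}"

# Fail early when a required PEM file is missing or is not PEM at all, so GoTRUE
# never receives an empty or truncated key. Returns 1 on failure.
require_pem() {
  local path="$1" kind="$2"
  [ -f "$path" ] || { echo "ERROR: $kind not found: $path" >&2; return 1; }
  grep -q -- '-----BEGIN' "$path" || { echo "ERROR: $path is not PEM" >&2; return 1; }
}

# Single-line base64 of a file via command substitution: no intermediate copy of
# the private key is written to /tmp. tr strips the line wrapping GNU base64 adds.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Exact-name running check; `docker ps | grep name` would also match longer names.
container_running() {
  [ "$(docker inspect --format '{{.State.Running}}' "$1" 2>/dev/null)" = "true" ]
}

main() {
  require_pem "$SAML_KEY_FILE" "SAML private key"
  require_pem "$SAML_CERT_FILE" "SAML certificate"
  local key_b64 cert_b64 envfile
  key_b64=$(b64_oneline "$SAML_KEY_FILE")
  cert_b64=$(b64_oneline "$SAML_CERT_FILE")

  # Remove a stale container of the same name, if any.
  docker rm -f "$AUTH_CONTAINER" >/dev/null 2>&1 || true

  # Secrets go in through a 0600 env file that is removed on exit, so they do not
  # show up in `ps` output or shell history the way `-e VAR=value` does.
  envfile=$(mktemp)
  trap 'rm -f "$envfile"' EXIT
  chmod 600 "$envfile"
  cat > "$envfile" <<EOF
GOTRUE_API_HOST=0.0.0.0
GOTRUE_API_PORT=9999
GOTRUE_DB_DRIVER=postgres
GOTRUE_DB_DATABASE_URL=$GOTRUE_DB_DATABASE_URL
GOTRUE_JWT_SECRET=$GOTRUE_JWT_SECRET
GOTRUE_SAML_ENABLED=true
GOTRUE_SAML_PRIVATE_KEY=$key_b64
GOTRUE_SAML_SIGNING_CERT=$cert_b64
EOF
  docker run -d --name "$AUTH_CONTAINER" --network "$DOCKER_NETWORK" \
    --env-file "$envfile" "$AUTH_IMAGE" >/dev/null
  sleep 3
  if container_running "$AUTH_CONTAINER"; then
    echo "Auth container running with SAML enabled"
  else
    echo "Auth container failed to start" >&2
    docker logs "$AUTH_CONTAINER" 2>&1 | tail -20 >&2
    exit 1
  fi
}

# Only act when invoked as `./script run`, so the functions can be sourced in tests.
if [ "${1:-}" = "run" ]; then main; fi
```

`docker inspect` still reveals the container's environment to anyone with Docker socket access, so the env-file only narrows exposure on the host; the dev-only defaults must never be reused outside local Supabase.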
… fix(migrations): remove redundant revoke on get_customer_counts for service_role
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* fix: make is_allowed_capgkey support hashed API keys

  Update is_allowed_capgkey and get_user_id functions to support both plain-text and hashed API keys using find_apikey_by_value(). Add expiration checks to prevent expired keys from passing validation. Add comprehensive tests for hashed key validation.

  🤖 Generated with [Claude Code](https://claude.com/claude-code)
  Co-Authored-By: Claude Haiku 4.5 <[email protected]>

* refactor: use find_apikey_by_value RPC in checkKey

  Refactor checkKey function to use the find_apikey_by_value SQL function instead of duplicating the hashing logic in JavaScript. This ensures consistent key lookup behavior between SQL functions and TypeScript code.

  🤖 Generated with [Claude Code](https://claude.com/claude-code)
  Co-Authored-By: Claude Haiku 4.5 <[email protected]>

* refactor: remove isSafeAlphanumeric check from checkKey

  Remove the isSafeAlphanumeric validation as it's no longer needed for security. The RPC call to find_apikey_by_value uses parameterized queries, which prevents SQL injection regardless of input characters.

  🤖 Generated with [Claude Code](https://claude.com/claude-code)
  Co-Authored-By: Claude Haiku 4.5 <[email protected]>

* refactor: remove isSafeAlphanumeric function

  Remove the isSafeAlphanumeric validation function as it's no longer needed. Both Supabase RPC calls and Drizzle ORM use parameterized queries which prevent SQL injection regardless of input characters.

  🤖 Generated with [Claude Code](https://claude.com/claude-code)
  Co-Authored-By: Claude Haiku 4.5 <[email protected]>

* refactor: use find_apikey_by_value in checkKeyPg

  Refactor checkKeyPg to use the find_apikey_by_value SQL function instead of manually hashing and querying. This ensures consistent key lookup behavior between all code paths.

  🤖 Generated with [Claude Code](https://claude.com/claude-code)
  Co-Authored-By: Claude Haiku 4.5 <[email protected]>

* perf: optimize find_apikey_by_value to use single query

  Replace sequential two-query approach with a single query using OR. This reduces database round-trips and allows PostgreSQL to potentially use index union optimization.

  🤖 Generated with [Claude Code](https://claude.com/claude-code)
  Co-Authored-By: Claude Haiku 4.5 <[email protected]>

* refactor: merge find_apikey_by_value optimization into main migration

  Consolidate the find_apikey_by_value query optimization (single query with OR instead of two sequential queries) into the original migration file for cleaner PR history.

  🤖 Generated with [Claude Code](https://claude.com/claude-code)
  Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix: add index signature to FindApikeyByValueResult type

  Drizzle's execute method requires the generic type to satisfy Record<string, unknown>, so added intersection with index signature.

  🤖 Generated with [Claude Code](https://claude.com/claude-code)
  Co-Authored-By: Claude Opus 4.5 <[email protected]>

---------

Co-authored-by: Claude Haiku 4.5 <[email protected]>
…es across components and stores
- Introduced new keys for allowing and helping with bundle previews in Japanese, Korean, Polish, Brazilian Portuguese, Russian, Turkish, Vietnamese, and Simplified Chinese.
- Added error messages for changing preview settings across all supported languages.
- Included success messages for changing preview settings in all relevant languages.
- Updated device names and other related strings to enhance user experience in the respective languages.
…oints
- Updated password compliance validation to use authenticated Supabase client.
- Refactored app deletion logic to utilize API key-based access for data queries.
- Modified build request handling to enforce RLS with API key authentication.
- Enhanced organization member management to ensure proper access control.
- Streamlined webhook operations to leverage API key authentication for data access.
- Improved statistics retrieval to support authenticated access based on user roles.
- Adjusted tests to ensure proper error handling and access control scenarios.
Add comprehensive test coverage for CLI operations using hashed API keys. Tests verify that all core SDK operations (upload, list, channel management) work correctly with hashed API keys stored as SHA-256 hashes in the database. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Haiku 4.5 <[email protected]>
* security: remove passwords from all logs

  Ensure passwords are never logged to Cloudflare, Supabase, or Discord by:
  - Removing password field from cloudlog calls in accept_invitation and validate_password_compliance
  - Sanitizing Discord alerts to completely remove password field and partially redact other sensitive fields

  🤖 Generated with Claude Code
  Co-Authored-By: Claude Haiku 4.5 <[email protected]>

* fix: move password redaction after validation to handle null body

  Address PR feedback - if a client sends JSON null, destructuring before validation throws TypeError (500) instead of returning 400. Move cloudlog calls after safeParse validation to ensure body is valid before destructuring.

  🤖 Generated with Claude Code
  Co-Authored-By: Claude Haiku 4.5 <[email protected]>

* chore: remove deno.lock from commit

  🤖 Generated with Claude Code
  Co-Authored-By: Claude Haiku 4.5 <[email protected]>

---------

Co-authored-by: Claude Haiku 4.5 <[email protected]>
- Add Webhook type alias to webhooks store and Vue components
- Fix apikey.key null check in build/start.ts
The generateEncryptionKeysSDK() function was modifying the project's capacitor.config.ts without cleanup. The SDK asynchronously writes the public key to the config during key generation, which was leaving the test environment dirty. Now we back up and restore the config in a finally block to ensure clean state regardless of test outcome. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Haiku 4.5 <[email protected]>
This adds a dynamic link to the Supabase dashboard for each Stripe customer, allowing easy navigation from Stripe to the customer's org record in Supabase. The link is parameterized with the SUPABASE_URL environment variable and supports both production and local Supabase instances. 🤖 Generated with Claude Code Co-authored-by: Claude Haiku 4.5 <[email protected]>
- Refactored webhook GET, POST, and PUT functions to utilize the capgkey from the context instead of the API key for authenticated client access.
- Added new RLS policies to support anon role for webhooks and webhook deliveries, allowing API key-based authentication.
- Updated seed data to include dedicated users and API keys for testing, ensuring isolation between tests.
- Enhanced tests for CLI hashed API keys and RLS to prevent interference with other tests, using dedicated test data.
Add comprehensive SSO documentation and helper scripts:
- SSO setup guide with configuration steps
- Production deployment guide
- Mock SSO testing guide
- Auth restart scripts for testing
- Route verification script

This is PR #5 of SSO split (docs and utilities).
b04497b to 90108f8
Replace v_domain IS NULL OR v_domain = empty string checks with idiomatic NULLIF(v_domain, empty string) IS NULL pattern in:
- check_org_has_sso_for_domain
- lookup_sso_provider_by_domain
- lookup_sso_provider_for_email
- auto_join_user_to_orgs_by_email

This avoids direct empty string comparisons and treats empty strings as NULL
- Restore src/types/supabase.types.ts from bcb1d02
- Copy types to supabase/functions/_backend/utils/supabase.types.ts
- Fix Organization type inference with explicit GetOrgsV7 extraction
- Add type annotations to fix implicit any errors in organization.ts
- Fix globalThis.Deno typing in sso-management.test.ts
Description
This PR adds comprehensive documentation and utility scripts for SSO setup, deployment, and testing.
This is PR #5 of 5 in the SSO feature split (documentation and utilities).