feat(vercel): redirect SSO login to EU when resource not found in US#48650
Merged
When Vercel sends an EU user to us.posthog.com/login/vercel/, the SSO code is single-use and cannot be proxied server-side. This adds a browser redirect to eu.posthog.com with all query params preserved when the resource_id does not exist in the US region.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Wrap Integration.objects.filter(pk=resource_id) in try/except for ValueError/TypeError when resource_id is non-numeric
- Use request.query_params.urlencode() instead of urllib urlencode() to correctly handle multi-value query params
- Add test for non-integer resource_id redirect
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix dispatch return type to HttpResponseBase (mypy)
- Add nosemgrep for intentional cross-team Integration lookup
- Parse resource_id as int before DB query to avoid ValueError
- Non-integer resource_id proceeds normally instead of redirecting
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Change return type from HttpResponse to HttpResponseBase to match the actual return type of super().dispatch() and allow subclass overrides without mypy errors.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Keep VercelRegionProxyMixin.dispatch as HttpResponse to avoid breaking existing tests that access .content on the return value. Use type: ignore in the SSO viewset override instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Query snapshots: Backend query snapshots updated. Changes: 1 snapshot (1 modified, 0 added, 0 deleted).
rafaeelaudibert approved these changes on Feb 23, 2026
| resource_pk = int(resource_id) | ||
| except (ValueError, TypeError): | ||
| return False | ||
| # nosemgrep: idor-lookup-without-team — intentionally cross-team: checking if resource exists anywhere in this region |
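Review bot: the `int(resource_id)` followed by the cross-team `Integration.objects.filter(pk=...)` lookup makes the redirect decision an existence oracle: whether the response is a 302 to the EU region or a normal pass-through tells any caller whether an arbitrary integer pk exists in this region, and it does so before the SSO code is validated. On top of the rate limit already requested in review, consider narrowing the lookup to Vercel integrations rather than any Integration row (assuming the model carries a kind discriminator) and extending the `nosemgrep` justification to say why this disclosure is acceptable. The `except (ValueError, TypeError): return False` branch fails closed (no redirect, normal flow), which is the right default for malformed ids.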
Member
Does this allow cross enumeration? Make sure we have proper rate limits.
Problem
When a Vercel Marketplace EU user clicks SSO login, Vercel sends them to us.posthog.com/login/vercel/ with a single-use authorization code. The US region doesn't have the EU resource, so SSO fails. We can't proxy the request server-side because the SSO code is consumed on first use — it must be a browser redirect so the code reaches the correct region.
Changes
- VercelRegionProxyMixin on VercelSSOViewSet for region detection (current_region, is_dev_env, EU_DOMAIN)
- dispatch override to skip the mixin's server-side proxy behavior (SSO needs browser redirects, not proxying)
- _should_redirect_to_eu() check: redirects when US region + resource not found locally
- sso_redirect, before consuming the SSO code, checks if redirect is needed and returns 302 to eu.posthog.com/login/vercel/ with all query params preserved
How did you test this code?
Automated tests — 6 new tests in TestSSORegionRedirect:
Manual testing — Used ngrok + cloudflared tunnels to simulate the full Vercel → US → EU redirect flow locally. Verified installation, plans endpoint, and SSO redirect all work through the tunnel infrastructure.
Changelog
Yes — Vercel Marketplace EU SSO login now works when the Configuration URL points to the US region.
🤖 Generated with Claude Code
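The decision flow described under Changes (redirect from US only when the resource id parses and is unknown locally, decided before the single-use code is consumed) and the multi-value query param point from the commit messages, as an added stand-alone example. This is plain Python with an in-memory stand-in for the Integration lookup, not PostHog's VercelSSOViewSet; only EU_DOMAIN and the /login/vercel/ path come from the page, every other name and the sample data are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlunsplit

EU_DOMAIN = "eu.posthog.com"   # from the PR description
SSO_PATH = "/login/vercel/"    # from the PR description

# Constructed stand-in for Integration.objects.filter(pk=...).exists()
# in the US region; real code would query the database.
US_INTEGRATION_PKS = {101, 202, 303}


def should_redirect_to_eu(current_region: str, resource_id) -> bool:
    """Redirect only from US, and only when the id parses and is unknown here."""
    if current_region != "US":
        return False
    try:
        resource_pk = int(resource_id)
    except (ValueError, TypeError):
        # Non-integer or missing id: fail closed, let the normal flow handle it
        return False
    return resource_pk not in US_INTEGRATION_PKS


def eu_redirect_location(query_string: str) -> str:
    """Build the 302 target, keeping every query param including repeated keys.

    A list of (key, value) pairs fed to urlencode plays the role of Django's
    request.query_params.urlencode(); see lossy_query() for what a dict loses.
    """
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return urlunsplit(("https", EU_DOMAIN, SSO_PATH, urlencode(pairs), ""))


def lossy_query(query_string: str) -> str:
    """The bug the commit message fixes: a dict keeps only the last repeated value."""
    return urlencode(dict(parse_qsl(query_string, keep_blank_values=True)))


def handle_sso_login(current_region: str, query_string: str):
    """Decide before touching the single-use code: ('redirect', url) or ('consume', code)."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    if should_redirect_to_eu(current_region, params.get("resource_id")):
        return ("redirect", eu_redirect_location(query_string))
    return ("consume", params.get("code"))


if __name__ == "__main__":
    # Constructed sample: EU resource 999 arriving at the US region
    print(handle_sso_login("US", "code=abc&resource_id=999&scope=a&scope=b"))
```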