
Team signup with invite codes + member-aware dashboard auth #1

Merged: durga710 merged 1 commit into main from claude/charming-euler-mkocv9 on Jun 10, 2026

@durga710 (Owner)

Summary

Teammates can now create dashboard accounts with an invite code, and existing team members (like sishir.phuyal03@gmail.com, whose User row is already linked to his Supabase auth id) can sign in — previously every email except the owner's was rejected before the password was even checked.

  • Invite-code enrollment: AUTH_TEAM_INVITE_CODES (comma-separated) gates sign-up; the workspace owner (AUTH_ALLOWED_EMAIL) enrolls without a code. Sign-up upserts the local User row immediately so membership survives email-confirmation flows.
  • Member-aware authorization: new isAuthorizedDashboardAuthUser() permits the owner email OR an existing local User row (matched by Supabase auth id or email). Sign-in authorizes after authentication and signs out unauthorized sessions.
  • Middleware: protected routes check authentication only at the edge (membership needs the DB, enforced by requireUser() in the Node runtime). /sign-in?error=not-allowed stays reachable for authenticated sessions, fixing the redirect loop.
  • New src/lib/auth-route-policy.ts: edge-safe route classification shared by middleware, with unit tests.
  • UI: sign-up gains an invite-code field; copy updated for workspace/team access; error text now reads "That account is not approved for the dashboard."
  • Tests: new npm test script (node --import tsx --test) with tests/auth-policy.test.ts and tests/auth-route-policy.test.ts.

Verification

  • npm test — 22/22 pass
  • npm run type-check — clean
  • npm run lint — clean
  • npm run build — succeeds

Deployment note

Set AUTH_ALLOWED_EMAIL and AUTH_TEAM_INVITE_CODES in the deployed environment (e.g. Vercel project env vars) — without the invite codes variable, all non-owner signups are rejected in production.

https://claude.ai/code/session_013M57ExYGVz7k4pFXNMTBL9


Generated by Claude Code

Teammates can now create accounts with an invite code from
AUTH_TEAM_INVITE_CODES (comma-separated). Sign-up provisions a local
User row immediately, which doubles as the membership record; sign-in
and requireUser() authorize the owner email or any enrolled member
instead of a single hardcoded operator email.

- auth-policy: getTeamInviteCodes / isValidTeamInviteCode /
  canEnrollWithInvite helpers
- auth: isAuthorizedDashboardAuthUser() permits owner email or an
  existing local User row; getOptionalUser drops the owner-only gate
- actions: sign-in authorizes after authentication and signs out
  unauthorized sessions; sign-up gates on owner email OR invite code
  and upserts the membership row
- middleware: protected routes check authentication only (membership
  needs the DB and is enforced by requireUser); /sign-in?error=...
  stays reachable for authenticated sessions to avoid redirect loops
- new edge-safe auth-route-policy helper + unit tests (node:test/tsx)
- sign-in/sign-up copy updated for workspace/team access

https://claude.ai/code/session_013M57ExYGVz7k4pFXNMTBL9
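
Added example, not code from this PR or its repository: one way the sign-up gate described above (owner email OR invite code, rejecting all non-owner sign-ups when no codes are configured) could be written. Only the `AUTH_ALLOWED_EMAIL` and `AUTH_TEAM_INVITE_CODES` variable names come from the PR; the function names, the `Env` type, the case-insensitive email match, the hashed constant-time comparison and the sample values are assumptions.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical env shape; the two variable names are the ones the PR describes.
type Env = Record<string, string | undefined>;

// Split the comma-separated list, trim whitespace and drop empty entries,
// so "" or "a,,b" can never yield an empty code that matches blank input.
function parseInviteCodes(env: Env): string[] {
  return (env.AUTH_TEAM_INVITE_CODES ?? "")
    .split(",")
    .map((code) => code.trim())
    .filter((code) => code.length > 0);
}

// Hash both sides to a fixed length so timingSafeEqual applies and the
// comparison time does not depend on where the strings differ.
function sameSecret(a: string, b: string): boolean {
  const ha = createHash("sha256").update(a).digest();
  const hb = createHash("sha256").update(b).digest();
  return timingSafeEqual(ha, hb);
}

function isValidInviteCode(submitted: string | undefined, env: Env): boolean {
  const candidate = (submitted ?? "").trim();
  if (candidate.length === 0) return false;
  // Check every configured code without early exit; with no codes
  // configured the loop never runs and the result stays false (fail closed).
  let matched = false;
  for (const code of parseInviteCodes(env)) {
    if (sameSecret(candidate, code)) matched = true;
  }
  return matched;
}

// Owner enrolls without a code; everyone else needs a valid invite code.
// Assumption: emails are compared case-insensitively after trimming.
function canEnroll(email: string, inviteCode: string | undefined, env: Env): boolean {
  const owner = (env.AUTH_ALLOWED_EMAIL ?? "").trim().toLowerCase();
  if (owner.length > 0 && email.trim().toLowerCase() === owner) return true;
  return isValidInviteCode(inviteCode, env);
}

// Constructed sample configuration, not real codes.
const sampleEnv: Env = {
  AUTH_ALLOWED_EMAIL: "owner@example.com",
  AUTH_TEAM_INVITE_CODES: " alpha-2026 , ,beta-2026",
};
console.log(canEnroll("teammate@example.com", "beta-2026", sampleEnv));
```
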

vercel Bot commented Jun 10, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| ghim-tech | Ready | Preview, Comment | Jun 10, 2026 8:53pm |

durga710 marked this pull request as ready for review June 10, 2026 20:59
durga710 merged commit 6e3752d into main Jun 10, 2026
2 checks passed