Team signup with invite codes + member-aware dashboard auth #1
Merged
Teammates can now create accounts with an invite code from AUTH_TEAM_INVITE_CODES (comma-separated). Sign-up provisions a local User row immediately, which doubles as the membership record; sign-in and requireUser() authorize the owner email or any enrolled member instead of a single hardcoded operator email.

- auth-policy: getTeamInviteCodes / isValidTeamInviteCode / canEnrollWithInvite helpers
- auth: isAuthorizedDashboardAuthUser() permits owner email or an existing local User row; getOptionalUser drops the owner-only gate
- actions: sign-in authorizes after authentication and signs out unauthorized sessions; sign-up gates on owner email OR invite code and upserts the membership row
- middleware: protected routes check authentication only (membership needs the DB and is enforced by requireUser); /sign-in?error=... stays reachable for authenticated sessions to avoid redirect loops
- new edge-safe auth-route-policy helper + unit tests (node:test/tsx)
- sign-in/sign-up copy updated for workspace/team access

https://claude.ai/code/session_013M57ExYGVz7k4pFXNMTBL9
Summary
Teammates can now create dashboard accounts with an invite code, and existing team members (like sishir.phuyal03@gmail.com, whose `User` row is already linked to his Supabase auth id) can sign in — previously every email except the owner's was rejected before the password was even checked.

- `AUTH_TEAM_INVITE_CODES` (comma-separated) gates sign-up; the workspace owner (`AUTH_ALLOWED_EMAIL`) enrolls without a code. Sign-up upserts the local `User` row immediately so membership survives email-confirmation flows.
- `isAuthorizedDashboardAuthUser()` permits the owner email OR an existing local `User` row (matched by Supabase auth id or email). Sign-in authorizes after authentication and signs out unauthorized sessions.
- `requireUser()` in the Node runtime). `/sign-in?error=not-allowed` stays reachable for authenticated sessions, fixing the redirect loop.
- `src/lib/auth-route-policy.ts`: edge-safe route classification shared by middleware, with unit tests.
- `npm test` script (`node --import tsx --test`) with `tests/auth-policy.test.ts` and `tests/auth-route-policy.test.ts`.

Verification
- `npm test` — 22/22 pass
- `npm run type-check` — clean
- `npm run lint` — clean
- `npm run build` — succeeds

Deployment note
Set `AUTH_ALLOWED_EMAIL` and `AUTH_TEAM_INVITE_CODES` in the deployed environment (e.g. Vercel project env vars) — without the invite codes variable, all non-owner signups are rejected in production.

https://claude.ai/code/session_013M57ExYGVz7k4pFXNMTBL9
Generated by Claude Code
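
An added example, not code from this pull request: one way to implement the sign-up gate the summary describes, where the owner enrolls without a code, everyone else needs a code from `AUTH_TEAM_INVITE_CODES`, and an unset variable rejects all non-owner sign-ups. The helper names, the case-insensitive email match and the hashed constant-time comparison are assumptions; only the two environment variable names come from the page.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical helpers; only the two env var names are taken from the PR text.
type Env = Record<string, string | undefined>;

// Split the comma-separated variable, trimming whitespace and dropping empty
// entries, so "" or "a,,b" never yields an empty code that a blank form
// field would match. An unset variable yields no codes (fail closed).
function parseInviteCodes(env: Env): string[] {
  return (env.AUTH_TEAM_INVITE_CODES ?? "")
    .split(",")
    .map((code) => code.trim())
    .filter((code) => code.length > 0);
}

// Hash both sides to fixed-length digests: timingSafeEqual throws on inputs
// of different length, and hashing also hides the configured code's length.
const digest = (s: string) => createHash("sha256").update(s, "utf8").digest();

function inviteCodeMatches(submitted: string, env: Env): boolean {
  const candidate = digest(submitted.trim());
  let matched = false;
  // Compare against every configured code, without an early exit.
  for (const code of parseInviteCodes(env)) {
    if (timingSafeEqual(candidate, digest(code))) matched = true;
  }
  return matched;
}

function canSignUp(email: string, inviteCode: string | undefined, env: Env): boolean {
  const owner = (env.AUTH_ALLOWED_EMAIL ?? "").trim().toLowerCase();
  const normalized = email.trim().toLowerCase();
  // Assumption: owner match is case-insensitive; an unset owner matches nobody.
  if (owner.length > 0 && normalized === owner) return true;
  return inviteCode !== undefined && inviteCodeMatches(inviteCode, env);
}

// Constructed sample configuration (not values from the project).
const sampleEnv: Env = {
  AUTH_ALLOWED_EMAIL: "owner@example.com",
  AUTH_TEAM_INVITE_CODES: "alpha-7731, bravo-9920,",
};
```
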