feat(auth): surface SSO membership and gate team management#471
feat(auth): surface SSO membership and gate team management#471ben-fornefeld wants to merge 6 commits into
Conversation
Derive isSso/organizationId on AuthUser from the Kratos identity's organization_id (first-class field, not a trait). SSO-managed users have their membership driven by their identity provider, so: - hide "Create new team" in the team switcher - disable "Add new member" with a tooltip pointing teammates to SSO sign-in Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
PR SummaryLow Risk Overview The sidebar team switcher only shows Create new team when .gitignore adds a Reviewed by Cursor Bugbot for commit db52ffc. Bugbot is set up for automated code reviews on this repo. Configure here. |
Address PR review: - read organization_id directly (`identity.organization_id || null`) instead of trimming/typeof-guarding an Ory-assigned UUID that never carries whitespace; drop the readOrganizationId helper - trim comments to non-obvious context only Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits. |
Invites to SSO teams are now allowed and validated server-side (the invitee must be an org account), so the dialog needs no team-SSO knowledge — back to the plain button. The create-team gate (user.isSso) stays. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Drop the temporary sso_debug:* logs added while debugging organization_id resolution (identity.ts, session.ts, kratos-session-edge.ts). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
b4b8ec0 to
db52ffc
Compare
What
Surfaces SSO membership on
AuthUserand gates team-management UI for SSO-managed users. Pairs with the infra/dashboard-apiPR (server-side enforcement + org→team mapping).Changes
AuthUser.isSso+organizationIdderived from the Kratos identity'sorganization_id(a first-class Ory identity field, not a trait or JWT claim), populated in bothfromKratosSessionIdentityandfromOryIdentity.These are UX guards; the authoritative enforcement is server-side in
dashboard-api.Tests / checks
tsc --noEmitclean for the changed files (pre-existing unrelated errors only);biome lintclean on changed files.🤖 Generated with Claude Code