fix(sso): ensure org provisioning when public profile is missing #1898

Merged
Dalanir merged 5 commits into main from codex/fix-sso-org-association-onboarding
Apr 8, 2026

@Dalanir Dalanir commented Apr 8, 2026

Summary (AI generated)

  • Ensure /private/sso/provision-user creates a missing public.users profile from auth.users before org assignment.
  • Apply the same profile-ensure step in the SSO merge path before inserting org_users membership.
  • Add a regression test covering SSO provisioning when public.users is missing.

Motivation (AI generated)

Some SSO users could authenticate successfully but still fail org association if their public.users row was missing at provisioning time. This left them in a broken post-login state and could redirect them into onboarding despite an existing SSO org.

Business Impact (AI generated)

This reduces failed enterprise SSO activations and prevents friction for first-time SSO logins, improving conversion and reducing support load around onboarding misroutes.

Test Plan (AI generated)

  • Run frontend lint: bun lint
  • Run backend lint: bun run lint:backend
  • Run SSO backend tests: bun run supabase:with-env -- bunx vitest run tests/sso.test.ts
  • Verify regression test passes: creates missing public.users profile before assigning org membership

Generated with AI

Summary by CodeRabbit

  • New Features

    • Improved SSO provisioning to automatically ensure user profiles are created during login with default settings.
  • Tests

    • Added integration test for SSO user provisioning workflow.
  • Chores

    • Updated type declarations and component exports for internal consistency.
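
The failure mode described above, as an added example that is not the project's code: an in-memory TypeScript model in which org membership requires an existing public.users row. The `Db` class, the foreign-key behaviour, the function bodies and the sample IDs are assumptions; only the table names, the helper name and the HTTP 500 on failure come from the PR text.

```typescript
type Profile = { id: string, email: string }
type Result = { status: number, error?: string }

class Db {
  authUsers = new Map<string, Profile>() // stands in for auth.users
  publicUsers = new Map<string, Profile>() // stands in for public.users
  orgUsers: { user_id: string, org_id: string }[] = []

  // Assumption: org_users.user_id must reference an existing public.users row.
  insertOrgUser(userId: string, orgId: string): void {
    if (!this.publicUsers.has(userId))
      throw new Error('org_users insert failed: no public.users row')
    if (!this.orgUsers.some(m => m.user_id === userId && m.org_id === orgId))
      this.orgUsers.push({ user_id: userId, org_id: orgId })
  }
}

// Idempotent: fills the profile from the server-side auth record only,
// never from request input, and leaves an existing profile untouched.
function ensurePublicUserProfileFromAuth(db: Db, userId: string): Profile {
  const existing = db.publicUsers.get(userId)
  if (existing) return existing
  const auth = db.authUsers.get(userId)
  if (!auth) throw new Error('auth user not found')
  const profile: Profile = { id: auth.id, email: auth.email }
  db.publicUsers.set(userId, profile)
  return profile
}

function provisionUser(db: Db, userId: string, orgId: string, ensureProfile: boolean): Result {
  try {
    if (ensureProfile) ensurePublicUserProfileFromAuth(db, userId)
    db.insertOrgUser(userId, orgId)
    return { status: 200 }
  } catch (e) {
    return { status: 500, error: (e as Error).message }
  }
}

// Constructed scenario: the auth user exists, the public.users row is missing.
function demo() {
  const db = new Db()
  db.authUsers.set('user-1', { id: 'user-1', email: 'sso.user@example.test' })
  const before = provisionUser(db, 'user-1', 'org-1', false) // models the pre-fix path
  const after = provisionUser(db, 'user-1', 'org-1', true) // with the ensure step
  const retry = provisionUser(db, 'user-1', 'org-1', true) // repeat login, no duplicates
  return { before, after, retry, members: db.orgUsers.length, profiles: db.publicUsers.size }
}
```

The ensure step refuses to create a profile for an ID with no auth record, so a membership row can never point at a user the identity layer does not know.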


coderabbitai bot commented Apr 8, 2026

Walkthrough

This PR adds a new helper function ensurePublicUserProfileFromAuth that upserts missing public user profiles from auth user data during SSO provisioning, integrated at two points in the provisioning flow with error handling. It also includes test coverage, Vue auto-import declarations for role functions, and minor housekeeping changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| SSO Provisioning Logic: supabase/functions/_backend/private/sso/provision-user.ts | Added ensurePublicUserProfileFromAuth helper to upsert public user profiles from auth.users with defaults. Integrated into validation and merge paths with try/catch error handling and HTTP 500 responses on failure. |
| SSO Provisioning Tests: tests/sso.test.ts | Added integration test for POST /private/sso/provision-user that verifies public profile creation when missing. Includes auth user setup, identity provider binding, resource cleanup, and post-condition assertions for user record and org membership. |
| Vue Auto-Import Declarations: src/auto-imports.d.ts | Added global and component property declarations for role-checking functions: isAdminRole, isSuperAdminRole, and roleHasLegacyMinRight from stores/organization. |
| Component Declarations: src/components.d.ts | Removed globally-declared Vue component IHeroiconsXMark from both declare module 'vue' and declare global sections. |
| Route Type Configuration: src/route-map.d.ts | Updated ParamParsers type from never to ` |
| Test Formatting: tests/app.test.ts | Minor end-of-file formatting adjustment. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

codex

Poem

🐰 A helper hops in, profiles now sync,
From auth to public, quick as a blink,
Error-wrapped wisely, two points they nest,
SSO provisioning, now at its best! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: ensuring public profile provisioning during SSO organization assignment. |
| Description check | ✅ Passed | The description includes a summary, motivation, business impact, and a completed test plan with specific test commands, covering all critical sections from the template. |


codspeed-hq bot commented Apr 8, 2026

Merging this PR will not alter performance

✅ 28 untouched benchmarks


Comparing codex/fix-sso-org-association-onboarding (1a04d5a) with main (da34ba7)


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
tests/sso.test.ts (1)

492-610: Good regression test coverage.

The test correctly exercises the missing-profile scenario by:

  1. Creating an auth user with SSO metadata
  2. Explicitly deleting public.users (line 568) to simulate the edge case
  3. Verifying both the profile sync and org membership postconditions

One minor suggestion: since this test creates fully isolated resources (unique IDs for org, stripe_info, provider, and user), it could use it.concurrent() to improve CI parallelism. Other tests in this file with similar isolation patterns also use it(), so this is a broader consistency consideration.

♻️ Optional: enable parallel execution
-  it('creates missing public.users profile before assigning org membership', async () => {
+  it.concurrent('creates missing public.users profile before assigning org membership', async () => {
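Review bot: on the `it.concurrent(` line, parallel execution is only safe if the public.users delete and the resource cleanup in this test are keyed to the test's own unique user and org IDs, as the comment above states. Confirm that no shared fixture row is touched before applying the change, and keep `it(` if any step queries or deletes by a value another test in the file also uses.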

As per coding guidelines: "Use it.concurrent() instead of it() when possible to run tests in parallel within the same file, maximizing parallelism for faster CI/CD"

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/sso.test.ts` around lines 492 - 610, The test "creates missing
public.users profile before assigning org membership" is isolated and can run in
parallel; change the test declaration from it(...) to it.concurrent(...) to
enable parallel execution, i.e., locate the test block with the description
string "creates missing public.users profile before assigning org membership"
and replace the top-level it call with it.concurrent so the test runner executes
it concurrently like other isolated tests in this file.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0985acdc-3c0c-471a-9867-dd803b7e4f6c

📥 Commits

Reviewing files that changed from the base of the PR and between 999f95f and 6bd1400.

📒 Files selected for processing (2)
  • supabase/functions/_backend/private/sso/provision-user.ts
  • tests/sso.test.ts

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/app.test.ts`:
- Around line 5-10: The helper is too permissive because
isDuplicateAppCreationError currently treats a generic 'cannot_create_app' as a
duplicate; change it so duplicates are only detected by explicit duplicate
signals: 'app_id_already_exists', supabaseError.code === '23505', or
moreInfo.constraint === 'apps_pkey'; if you keep 'cannot_create_app' include it
only when paired with one of those DB indicators (e.g., require
body?.cannot_create_app && (body?.supabaseError?.code === '23505' ||
body?.moreInfo?.constraint === 'apps_pkey' || body?.error ===
'app_id_already_exists')), and update any tests that relied on the previous
broad behavior.
🪄 Autofix (Beta)

✅ Autofix completed


ℹ️ Review info
Run ID: 9807b98b-4e25-4743-ab5e-13f9ef502d2d

📥 Commits

Reviewing files that changed from the base of the PR and between 6bd1400 and b3b416e.

📒 Files selected for processing (2)
  • tests/app.test.ts
  • tests/plan-usage-org-rpc-access.test.ts

coderabbitai bot commented Apr 8, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Fixes Applied Successfully

Fixed 4 file(s) based on 1 unresolved review comment.

Files modified:

  • src/auto-imports.d.ts
  • src/components.d.ts
  • src/route-map.d.ts
  • tests/app.test.ts

Commit: ebd0dc3f9d324da3246cbff77afe672456b10f54

The changes have been pushed to the codex/fix-sso-org-association-onboarding branch.

Time taken: 7m 33s

Fixed 4 file(s) based on 1 unresolved review comment.

Co-authored-by: CodeRabbit <noreply@coderabbit.ai>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/auto-imports.d.ts (1)

48-55: Align generated declaration imports with the ~/ alias convention.

The new declarations on Line 48, Line 55, Line 101, Line 395, Line 402, and Line 447 use ./stores/organization. Please update the auto-import generator config so emitted .d.ts imports use ~/stores/organization to stay consistent with TS import rules in this repo.

As per coding guidelines "**/*.ts: Use path alias ~/ to map to src/ for cleaner imports".

Also applies to: 101-101, 395-402, 447-447

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/auto-imports.d.ts` around lines 48 - 55, The generated declarations
import './stores/organization' for symbols like isAdminRole and
isSuperAdminRole; update the auto-import generator configuration (e.g., your
unplugin-auto-import or equivalent config used to emit src/auto-imports.d.ts) so
that emitted imports use the repo path alias '~/stores/organization' instead of
relative './stores/organization' — either change the import entries for those
symbols to '~/stores/organization' or add an alias/mapping in the generator so
all resolved imports under src/ map to the '~/...' form when writing the .d.ts
file.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/app.test.ts`:
- Line 365: The file ends with the closing test block token "})" and is missing
a trailing newline; add a single newline character after the final "})" in
tests/app.test.ts so the file ends with an EOF newline and satisfies the
style/eol-last lint rule.

ℹ️ Review info
Run ID: a11884bc-dacf-4b2d-beed-ca98f044f4f1

📥 Commits

Reviewing files that changed from the base of the PR and between b3b416e and ebd0dc3.

📒 Files selected for processing (4)
  • src/auto-imports.d.ts
  • src/components.d.ts
  • src/route-map.d.ts
  • tests/app.test.ts
💤 Files with no reviewable changes (1)
  • src/components.d.ts

expect(responseData).toHaveProperty('app_id', APPNAME)
})
})
}) No newline at end of file

⚠️ Potential issue | 🟡 Minor

Fix EOF newline to satisfy lint.

Line 365 is missing a trailing newline, which currently fails style/eol-last.

🔧 Proposed fix
 })
+
🧰 Tools
🪛 ESLint

[error] 365-365: Newline required at end of file but not found.

(style/eol-last)

@coderabbitai coderabbitai bot left a comment

♻️ Duplicate comments (1)
tests/app.test.ts (1)

374-374: ⚠️ Potential issue | 🟡 Minor

Add the missing EOF newline to pass lint.

Line 374 currently leaves the file without a trailing newline, which fails style/eol-last.

🔧 Proposed fix
 })
+
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/app.test.ts` at line 374, The file ends with the closing test block
"})" but is missing a trailing newline; add a single newline character after the
final "})" (end of file) so the file terminates with an EOF newline to satisfy
the style/eol-last lint rule.

ℹ️ Review info
Run ID: e7a642e2-c261-4e7b-8ebd-b032c990411a

📥 Commits

Reviewing files that changed from the base of the PR and between ebd0dc3 and c6318a5.

📒 Files selected for processing (1)
  • tests/app.test.ts

sonarqubecloud bot commented Apr 8, 2026

@Dalanir Dalanir merged commit 0c848ba into main Apr 8, 2026
15 checks passed
@Dalanir Dalanir deleted the codex/fix-sso-org-association-onboarding branch April 8, 2026 14:25