Add apiauth.convex.dev as an allowed issuer (#40149)

GitOrigin-RevId: c99bbf811616cdb8a4651c6294bb518aaa0a7d1c

Author: atrakh

crates/authentication/src/lib.rs

@@ -737,6 +737,9 @@ where
         ))
     })?;
 
+    // TODO(ari): This can be cleaned up into one if statement, but I was lazy for
+    // the moment. Once the migration is done, there will be only one issuer to
+    // check
     if issuer.contains("api.workos.com") {
         anyhow::ensure!(
             *issuer
@@ -761,6 +764,18 @@ where
                 format!("Issuer {} does not match WorkOS client ID", issuer)
             )
         )
+    } else if issuer.contains("apiauth.convex.dev") {
+        anyhow::ensure!(
+            *issuer
+                == format!(
+                    "https://apiauth.convex.dev/user_management/{}",
+                    workos_client_id
+                ),
+            ErrorMetadata::unauthenticated(
+                "AccessTokenInvalid",
+                format!("Issuer {} does not match WorkOS client ID", issuer)
+            )
+        )
     } else {
         anyhow::ensure!(
             workos_auth_urls.iter().any(|url| {