fix(web): Support multiple IDPs of the same type

[brendan-kellam]

This PR adds support for multiple IDP providers of the same type. This is mostly useful in the scenario where you have code hosted in e.g., gitlab.com and a self-hosted gitlab instance and you want to use permission syncing. In this scenario, users need a mechanism of linking their account from gitlab.com and the self-hosted gitlab deployment.

Here's a example config:

"identityProviders": {
    "gitlab-self-hosted": {
        "provider": "gitlab",
        "purpose": "account_linking",
        "baseUrl": "https://gitlab.sourcebot.dev",
        "clientId": {
            "env": "GITLAB_SH_CLIENT_ID"
        },
        "clientSecret": {
            "env": "GITLAB_SH_CLIENT_SECRET"
        },
        "displayName": "GitLab Self Hosted"
    },
    "gitlab-dot-com": {
        "provider": "gitlab",
        "purpose": "account_linking",
        "clientId": {
            "env": "GITLAB_DOT_COM_CLIENT_ID"
        },
        "clientSecret": {
            "env": "GITLAB_DOT_COM_CLIENT_SECRET"
        },
        "displayName": "GitLab.com"
    }
}

Summary by CodeRabbit

• New Features

  • Optional custom display names for identity providers in the UI and toasts.
  • Config now accepts identity providers as an id-keyed map or as an array.
  • Sign-in and linked-accounts flows use provider types/IDs for consistent behavior.

• Bug Fixes

  • Fixed unexpected behavior when configuring multiple providers of the same type.
  • Improved reliability of linked-accounts, permission-sync, and token refresh flows.

• Documentation

  • Added guidance for configuring multiple providers of the same type.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR refactors identity-provider handling to support multiple instances of the same type by replacing a single provider field with providerId and providerType. Database schema, config contracts, shared helpers, authentication wiring, backend sync flows, and frontend UI were all updated to use the new identity model.

Changes

Identity provider model and flow migration

Layer / File(s)	Summary
Identity provider contracts and schema surface packages/schemas/src/v3/index.type.ts, packages/schemas/src/v3/identityProvider.type.ts, packages/schemas/src/v3/identityProvider.schema.ts, schemas/v3/identityProvider.json, schemas/v3/index.json, docs/snippets/schemas/v3/identityProvider.schema.mdx	Type definitions, TypeScript schemas, and JSON schemas now allow object-keyed identityProviders (mapping config id to IdentityProviderConfig) and add an optional displayName field across all 11 provider types (GitHub, GitLab, Google, Okta, Keycloak, Microsoft Entra ID, GCP IAP, Bitbucket Cloud, Authentik, JumpCloud, Bitbucket Server) in both definitions and top-level oneOf entries.
Account persistence model and database migration packages/db/prisma/schema.prisma, packages/db/prisma/migrations/20260610025101_add_provider_id_and_type_to_account/migration.sql	Account table replaces provider: String with providerId: String and adds new required providerType: String, updating the uniqueness constraint from (provider, providerAccountId) to (providerId, providerAccountId). Migration renames the column, adds and backfills providerType, and enforces it as NOT NULL.
Shared config normalization and helper exports packages/shared/src/constants.ts, packages/shared/src/env.server.ts, packages/shared/src/index.server.ts	New helpers normalize identityProviders into an id-keyed map (getIdentityProviderConfigs, getIdentityProviderConfig) and expose doesIdpSupportPermissionSyncing(providerType) as a typed helper; supported permission-sync providers are now a readonly tuple with a type-guard helper.
Auth adapter and token persistence with provider remapping packages/web/src/lib/encryptedPrismaAdapter.ts, packages/web/src/auth.ts	EncryptedPrismaAdapter now overrides linkAccount, getUserByAccount, and unlinkAccount to map Auth.js account.provider into Prisma providerId and resolved providerType via getIdentityProviderConfig; NextAuth provider wiring now stores the underlying provider factory under __provider and includes explicit id/type metadata for providers.
Provider registry construction and NextAuth wiring packages/web/src/ee/features/sso/sso.ts	getEEIdentityProviders builds providers from getIdentityProviderConfigs() as an id-keyed map, passing configured id to all factory helpers; provider factory functions now accept an id parameter; env-var fallback executes only when map is empty.
Permission sync and account lookup refactor packages/backend/src/api.ts, packages/backend/src/ee/accountPermissionSyncer.ts, packages/backend/src/ee/repoPermissionSyncer.ts	Account selection and permission-sync queries now filter by providerType in the supported identity providers list; syncers load identity-provider config by providerId, use idpConfig.baseUrl for OAuth clients, and conditionally constrain repo lookups by external_codeHostUrl when account.issuerUrl is present; logging updated to use providerId/providerType.
OAuth token refresh with provider type dispatch packages/backend/src/ee/tokenRefresh.ts	Token refresh flow now requires/validates providerType (type-guard), loads identity-provider config by providerId, refactors refreshOAuthToken to accept (providerId, providerType, refreshToken), and selects token endpoints by providerType.
Frontend auth provider info and linked account type updates packages/web/src/lib/utils.ts, packages/web/src/lib/identityProviders.ts, packages/web/src/ee/features/sso/actions.ts, packages/web/src/ee/features/sso/components/connectAccountsCard.tsx, packages/web/src/ee/features/sso/components/linkedAccountProviderCard.tsx, packages/web/src/app/(app)/settings/linked-accounts/page.tsx	getAuthProviderInfo now accepts providerType; IdentityProviderMetadata exposes type and optional displayName; LinkedAccount splits into providerId and providerType with optional displayName; linked-account UI uses providerId keys and displayName fallbacks.
Login form and auth method selector type-based behavior packages/web/src/app/components/authMethodSelector.tsx, packages/web/src/app/login/components/loginForm.tsx, packages/web/src/app/api/(server)/ee/permissionSyncStatus/api.ts	AuthMethodSelector filters by provider.type; LoginForm resolves analytics event names from provider type using useIdentityProviders; permission-sync status query now constrains providerType using the shared supported providers constant.
Changelog entry for fix CHANGELOG.md	Added entry under ## [Unreleased] → ### Fixed documenting that multiple identity providers of the same type no longer cause unexpected behavior.

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• sourcebot-dev/sourcebot#938: Related Bitbucket Server permission-sync and provider changes overlapping repo/account sync logic.
• sourcebot-dev/sourcebot#1000: Related token-refresh work affecting OAuth refresh flow and provider config usage.
• sourcebot-dev/sourcebot#945: Adds trigger-account-permission-sync flow; touches backend eligibility and scheduling also updated here.

Suggested reviewers

• msukkari

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding support for multiple identity providers of the same type, which is the core objective of this PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch bkellam/multi-idp

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[brendan-kellam]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

packages/backend/src/ee/tokenRefresh.ts (1)

154-257: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use providerId when building the GitLab refresh callback.

The refresh path still hardcodes redirect_uri to /api/auth/callback/gitlab. After this PR, secondary GitLab providers authorize against /api/auth/callback/<providerId>, and GitLab expects refreshes to reuse that same URI. Custom-id GitLab accounts will stop refreshing once their access token expires.

Proposed fix

 const refreshOAuthToken = async (
     providerId: string,
     providerType: SupportedProviderType,
     refreshToken: string,
 ): Promise<OAuthTokenResponse | null> => {
@@
-                const result = await tryRefreshToken(providerType, refreshToken, envCredentials);
+                const result = await tryRefreshToken(providerId, providerType, refreshToken, envCredentials);
@@
-        const result = await tryRefreshToken(providerType, refreshToken, { clientId, clientSecret, baseUrl });
+        const result = await tryRefreshToken(providerId, providerType, refreshToken, { clientId, clientSecret, baseUrl });
@@
 const tryRefreshToken = async (
+    providerId: string,
     providerType: SupportedProviderType,
     refreshToken: string,
     credentials: ProviderCredentials,
 ): Promise<OAuthTokenResponse | null> => {
@@
     if (providerType === 'gitlab') {
-        bodyParams.redirect_uri = new URL('/api/auth/callback/gitlab', env.AUTH_URL).toString();
+        bodyParams.redirect_uri = new URL(`/api/auth/callback/${providerId}`, env.AUTH_URL).toString();
     }

Based on the PR objective and stack context that auth callbacks now use configured provider ids.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/backend/src/ee/tokenRefresh.ts` around lines 154 - 257, The GitLab
redirect_uri is hardcoded to "/api/auth/callback/gitlab" in tryRefreshToken;
change tryRefreshToken to accept providerId (add parameter providerId: string)
and update both call sites in refreshOAuthToken (the envCredentials branch and
the idpConfig branch) to pass providerId into tryRefreshToken; then build
redirect_uri using `/api/auth/callback/${providerId}` when providerType ===
'gitlab' so secondary/custom-id GitLab providers reuse their provider-specific
callback. Ensure the updated tryRefreshToken signature is applied wherever it’s
called.

packages/web/src/app/login/components/loginForm.tsx (1)

46-65: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Unhandled provider types are being tracked as GitHub logins.

The default branch now records every unsupported providerType as wa_login_with_github, so providers like authentik, bitbucket-cloud, and bitbucket-server will be misattributed in analytics. Please add explicit mappings for the supported OAuth types here, or fall back to a neutral/unknown event instead of GitHub.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/app/login/components/loginForm.tsx` around lines 46 - 65,
The function getLoginEventName currently maps unknown providerType values to
"wa_login_with_github", causing misattribution; update getLoginEventName to add
explicit cases for additional supported providers (e.g., "authentik",
"bitbucket-cloud", "bitbucket-server") mapping to distinct analytics event
names, and change the default fallback to a neutral/unknown event (e.g.,
"wa_login_with_unknown") instead of GitHub so unsupported providers aren’t
tracked as GitHub; locate and modify the switch inside getLoginEventName to add
the new case labels and adjust the default return accordingly.

🧹 Nitpick comments (3)

packages/web/src/lib/encryptedPrismaAdapter.ts (2)

49-60: 💤 Low value

Ensure linkAccount handles async errors gracefully.

resolveProviderType can fail if config loading throws (e.g., disk error, malformed YAML). The current implementation does not wrap the call in try-catch, so an exception will propagate and fail the OAuth flow. Consider whether this is the desired behavior or if a fallback is needed.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/lib/encryptedPrismaAdapter.ts` around lines 49 - 60, Wrap
the resolveProviderType(account.provider) call in a try/catch inside linkAccount
so async failures don’t bubble out and break the OAuth flow; on error capture
the original error, log it (e.g., console.error or your logger), set a safe
fallback value for providerType (e.g., 'unknown' or null), then continue to call
encryptAccountTokens(account) and prisma.account.create(...) as before;
alternatively, if you prefer failing fast, rethrow a new Error that includes
context and the original error to make the failure explicit.

---

28-35: Cache the config-derived provider mapping in resolveProviderType

• packages/web/src/lib/encryptedPrismaAdapter.ts calls loadConfig(env.CONFIG_PATH) inside resolveProviderType, so every linkAccount triggers config fetch/readFile, JSON parse, and AJV validation.
• packages/shared/src/env.server.ts loadConfig has no module-scope memoization; it directly reads from the config path each time, so concurrent OAuth callbacks can cause repeated I/O/CPU.
• Cache the normalized identityProviders (or the resolved config) behind a module-scope promise (optionally with TTL/invalidation if the config can change at runtime).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/lib/encryptedPrismaAdapter.ts` around lines 28 - 35,
resolveProviderType currently calls loadConfig(env.CONFIG_PATH) on every
invocation causing repeated I/O/parse/validation; introduce a module-scope
cached promise or variable (e.g., cachedConfigPromise or
cachedIdentityProviders) that loads and normalizes config.identityProviders once
and is reused by resolveProviderType (falling back to providerId if mapping
missing); ensure the cache is populated by calling loadConfig(env.CONFIG_PATH)
once and storing either the full resolved config or a mapping, and optionally
add a TTL/invalidate function if runtime config changes must be supported.

packages/web/src/ee/features/sso/actions.ts (1)

33-35: 🏗️ Heavy lift

Move getLinkedAccounts out of the server-action module.

This is still a read path inside a 'use server' actions file. Repo guidance reserves server actions for mutations, so this fetch should live in a plain server helper (or an API route if the client needs it), while this module stays focused on mutating actions.

As per coding guidelines, packages/web/src/**/*.ts: "Server actions should be used for mutations (POST/PUT/DELETE operations), not for data fetching."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/ee/features/sso/actions.ts` around lines 33 - 35,
getLinkedAccounts is a read-only data fetch currently defined in the
server-actions module; move it out into a plain server helper (or an API route)
so 'use server' actions remain mutation-only. Create a new non-action module and
export the function there, preserving the implementation that wraps
sew/withAuth/withMinimumOrgRole (references: getLinkedAccounts, sew, withAuth,
withMinimumOrgRole, OrgRole.MEMBER), then update any imports that consume
getLinkedAccounts to point to the new helper and remove it from the actions file
so the actions module contains only mutation functions.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Around line 53-54: Move the changelog entry "- Fixed issue where using
multiple identity providers of the same type (e.g., gitlab) would result in
unexpected behaviours.
[`#1177`](https://github.com/sourcebot-dev/sourcebot/pull/1177)" out of the
historical "4.17.2" release block and append it to the bottom of the
"[Unreleased]" section; ensure it remains under the "### Fixed" subsection
within that “[Unreleased]” header so the PR entry follows the repository's
changelog placement rules.

In `@packages/backend/src/ee/accountPermissionSyncer.ts`:
- Around line 245-251: syncAccountPermissions currently throws when
config.identityProviders[account.providerId] is missing, breaking installs that
rely on legacy auth env vars; change the lookup for idpConfig in
syncAccountPermissions to fall back to the existing legacy method used by
ensureFreshAccountToken (reuse the same fallback logic/path) so that when
config.identityProviders is undefined or does not contain account.providerId you
use the legacy env-var-based IDP config instead of throwing; modify the
idpConfig resolution (the variable named idpConfig and its lookup of
config.identityProviders[account.providerId]) to attempt the config.json value
first and then the legacy fallback used elsewhere, preserving the thrown error
only if both are absent.

In `@packages/web/src/ee/features/sso/actions.ts`:
- Around line 77-88: The loop in the SSO action that iterates over
Object.entries(config.identityProviders ?? {}) is adding all unlinked providers
to the result; change it to only consider providers intended for account linking
by filtering where providerConfig.purpose === 'account_linking' before pushing
into result (i.e., restrict the iteration or add an if that skips
non-account_linking providers), keeping the existing fields (providerId,
providerType, displayName, isLinked, isAccountLinkingProvider, required,
supportsPermissionSync) and preserving the required =
providerConfig.accountLinkingRequired fallback logic and permission sync check
via doesIdpSupportPermissionSyncing.

---

Outside diff comments:
In `@packages/backend/src/ee/tokenRefresh.ts`:
- Around line 154-257: The GitLab redirect_uri is hardcoded to
"/api/auth/callback/gitlab" in tryRefreshToken; change tryRefreshToken to accept
providerId (add parameter providerId: string) and update both call sites in
refreshOAuthToken (the envCredentials branch and the idpConfig branch) to pass
providerId into tryRefreshToken; then build redirect_uri using
`/api/auth/callback/${providerId}` when providerType === 'gitlab' so
secondary/custom-id GitLab providers reuse their provider-specific callback.
Ensure the updated tryRefreshToken signature is applied wherever it’s called.

In `@packages/web/src/app/login/components/loginForm.tsx`:
- Around line 46-65: The function getLoginEventName currently maps unknown
providerType values to "wa_login_with_github", causing misattribution; update
getLoginEventName to add explicit cases for additional supported providers
(e.g., "authentik", "bitbucket-cloud", "bitbucket-server") mapping to distinct
analytics event names, and change the default fallback to a neutral/unknown
event (e.g., "wa_login_with_unknown") instead of GitHub so unsupported providers
aren’t tracked as GitHub; locate and modify the switch inside getLoginEventName
to add the new case labels and adjust the default return accordingly.

---

Nitpick comments:
In `@packages/web/src/ee/features/sso/actions.ts`:
- Around line 33-35: getLinkedAccounts is a read-only data fetch currently
defined in the server-actions module; move it out into a plain server helper (or
an API route) so 'use server' actions remain mutation-only. Create a new
non-action module and export the function there, preserving the implementation
that wraps sew/withAuth/withMinimumOrgRole (references: getLinkedAccounts, sew,
withAuth, withMinimumOrgRole, OrgRole.MEMBER), then update any imports that
consume getLinkedAccounts to point to the new helper and remove it from the
actions file so the actions module contains only mutation functions.

In `@packages/web/src/lib/encryptedPrismaAdapter.ts`:
- Around line 49-60: Wrap the resolveProviderType(account.provider) call in a
try/catch inside linkAccount so async failures don’t bubble out and break the
OAuth flow; on error capture the original error, log it (e.g., console.error or
your logger), set a safe fallback value for providerType (e.g., 'unknown' or
null), then continue to call encryptAccountTokens(account) and
prisma.account.create(...) as before; alternatively, if you prefer failing fast,
rethrow a new Error that includes context and the original error to make the
failure explicit.
- Around line 28-35: resolveProviderType currently calls
loadConfig(env.CONFIG_PATH) on every invocation causing repeated
I/O/parse/validation; introduce a module-scope cached promise or variable (e.g.,
cachedConfigPromise or cachedIdentityProviders) that loads and normalizes
config.identityProviders once and is reused by resolveProviderType (falling back
to providerId if mapping missing); ensure the cache is populated by calling
loadConfig(env.CONFIG_PATH) once and storing either the full resolved config or
a mapping, and optionally add a TTL/invalidate function if runtime config
changes must be supported.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5ba93271-72e6-4824-972b-bbe591dcc18b

📥 Commits

Reviewing files that changed from the base of the PR and between ded4282 and 1732ec4.

📒 Files selected for processing (30)

• CHANGELOG.md
• docs/snippets/schemas/v3/identityProvider.schema.mdx
• docs/snippets/schemas/v3/index.schema.mdx
• packages/backend/src/api.ts
• packages/backend/src/ee/accountPermissionSyncer.ts
• packages/backend/src/ee/repoPermissionSyncer.ts
• packages/backend/src/ee/tokenRefresh.ts
• packages/db/prisma/migrations/20260530203443_add_provider_id_and_type_to_account/migration.sql
• packages/db/prisma/schema.prisma
• packages/schemas/src/v3/identityProvider.schema.ts
• packages/schemas/src/v3/identityProvider.type.ts
• packages/schemas/src/v3/index.schema.ts
• packages/schemas/src/v3/index.type.ts
• packages/shared/src/constants.ts
• packages/shared/src/env.server.ts
• packages/shared/src/index.server.ts
• packages/web/src/app/(app)/settings/linked-accounts/page.tsx
• packages/web/src/app/api/(server)/ee/permissionSyncStatus/api.ts
• packages/web/src/app/components/authMethodSelector.tsx
• packages/web/src/app/login/components/loginForm.tsx
• packages/web/src/auth.ts
• packages/web/src/ee/features/sso/actions.ts
• packages/web/src/ee/features/sso/components/connectAccountsCard.tsx
• packages/web/src/ee/features/sso/components/linkedAccountProviderCard.tsx
• packages/web/src/ee/features/sso/sso.ts
• packages/web/src/lib/encryptedPrismaAdapter.ts
• packages/web/src/lib/identityProviders.ts
• packages/web/src/lib/utils.ts
• schemas/v3/identityProvider.json
• schemas/v3/index.json

[brendan-kellam]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/shared/src/env.server.ts`:
- Around line 118-120: getIdentityProviderConfigs (and the per-lookup
getIdentityProviderConfig) currently reloads/parses/validates the config on
every call; memoize the normalized IDP config in a module-level cache (store
either the normalized object or a Promise resolving to it) so loadConfig/env
normalization runs once, then have getIdentityProviderConfigs return the cached
value and have getIdentityProviderConfig read from that cached map. Implement
the cache as a top-level variable (e.g., identityProviderConfigCache or
identityProviderConfigPromise) and ensure both getIdentityProviderConfigs and
getIdentityProviderConfig reference it (initializing it on first call) to avoid
repeated file/network reads.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 914f2998-bd09-49a4-bf8b-e3f6804fd059

📥 Commits

Reviewing files that changed from the base of the PR and between 97666d0 and 8f1b5ac.

📒 Files selected for processing (7)

• packages/backend/src/ee/accountPermissionSyncer.ts
• packages/backend/src/ee/tokenRefresh.ts
• packages/shared/src/env.server.ts
• packages/shared/src/index.server.ts
• packages/web/src/ee/features/sso/actions.ts
• packages/web/src/ee/features/sso/sso.ts
• packages/web/src/lib/encryptedPrismaAdapter.ts

🚧 Files skipped from review as they are similar to previous changes (4)

• packages/backend/src/ee/accountPermissionSyncer.ts
• packages/web/src/ee/features/sso/actions.ts
• packages/backend/src/ee/tokenRefresh.ts
• packages/web/src/ee/features/sso/sso.ts

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

docs/docs/configuration/idp.mdx (1)

649-657: ⚡ Quick win

Rewrite the opening paragraph in second person for docs-style compliance.

The new section opens in third person (“By default, each provider...”), which conflicts with the docs guideline to write in second person and present tense.

As per coding guidelines, "Write documentation in second person ('you') and present tense. Keep sentences short and direct. Lead with what the user needs to know."

Suggested edit

-By default, each provider in the `identityProviders` array is identified by an **id** equal to its `provider` value. This id determines the provider's OAuth **callback URL** (sometimes called the redirect URL):
+By default, you identify each provider in the `identityProviders` array by an **id** equal to its `provider` value. That id determines the OAuth **callback URL** (sometimes called the redirect URL):

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/docs/configuration/idp.mdx` around lines 649 - 657, Rewrite the opening
paragraph to address the reader in second person and present tense: start by
telling the user what they need to know about the identityProviders array (that
each provider is identified by an id equal to its provider value), explain that
this id determines the OAuth callback URL format
(<sourcebot_url>/api/auth/callback/<id>), and note that the array form supports
only one instance per provider type; keep sentences short, direct, and lead with
the key action (how to configure multiple instances by switching
identityProviders to the object form and assigning unique ids).

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/docs/configuration/idp.mdx`:
- Line 13: The sentence currently implies the top-level identityProviders in the
config file must be an array; update the phrasing to state that the top-level
identityProviders supports both array and object forms (e.g., an array of
providers or an object keyed by provider id). Edit the line referencing "[config
file] ... in the top-level `identityProviders` array" to instead mention "in the
top-level `identityProviders` (supports array or object forms)" and ensure the
term `identityProviders` is used exactly so readers can find examples elsewhere
in the docs.

---

Nitpick comments:
In `@docs/docs/configuration/idp.mdx`:
- Around line 649-657: Rewrite the opening paragraph to address the reader in
second person and present tense: start by telling the user what they need to
know about the identityProviders array (that each provider is identified by an
id equal to its provider value), explain that this id determines the OAuth
callback URL format (<sourcebot_url>/api/auth/callback/<id>), and note that the
array form supports only one instance per provider type; keep sentences short,
direct, and lead with the key action (how to configure multiple instances by
switching identityProviders to the object form and assigning unique ids).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ad42bb71-ba66-41bc-b293-d6f3c6aeb90c

📥 Commits

Reviewing files that changed from the base of the PR and between 8f1b5ac and a1d1fa4.

📒 Files selected for processing (1)

• docs/docs/configuration/idp.mdx