Skip to content

fix(db): preserve legacy SSO verified domains#35

Open
BunsDev wants to merge 1 commit into
mainfrom
codex/propose-fix-for-sso-domain-vulnerability
Open

fix(db): preserve legacy SSO verified domains#35
BunsDev wants to merge 1 commit into
mainfrom
codex/propose-fix-for-sso-domain-vulnerability

Conversation

@BunsDev
Copy link
Copy Markdown
Member

@BunsDev BunsDev commented Jun 5, 2026

Motivation

  • The flattened migration created the sso_verified_domain table but dropped the data backfill that moved legacy settings.auth_config.ssoOidc.domain + ssoOidc.enforced into the new table, which can silently disable workspace SSO hard-binding after upgrade.

Description

  • Add a legacy backfill to packages/db/drizzle/0056_admin_auth_settings.sql that inserts any auth_config.ssoOidc.domain rows into sso_verified_domain, preserving verified_at and the workspace ssoOidc.enforced value as the per-row enforced flag and using ON CONFLICT to merge safely.
  • Generate a fallback verification_token for legacy rows when none exists and use gen_random_uuid() for the new row id to match existing conventions.
  • Strip the legacy ssoOidc.domain and ssoOidc.enforced JSON keys after the table-backed rows are created, relying on the migration's existing final auth_config_version bump to trigger cache invalidation.

Testing

  • Ran a static migration check script that verified the presence of the INSERT INTO "sso_verified_domain" backfill, preservation of enforced via EXCLUDED."enforced", and the JSON key stripping, and it passed.
  • Ran git diff --check to ensure no whitespace/patch issues and it passed.
  • Attempted unit tests with bun test for auth-related suites but they could not run due to missing dependencies (zod) in the environment, so the test run failed for environmental reasons.
  • Attempted bun install --frozen-lockfile to populate deps but the environment's registry access returned HTTP 403, so installation and full test runs were blocked.

Codex Task

Copilot AI review requested due to automatic review settings June 5, 2026 23:57
Copilot AI reviewed Jun 6, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the 0056_admin_auth_settings migration to preserve legacy workspace SSO domain verification/enforcement state by backfilling it into the new sso_verified_domain table before removing the legacy JSON keys from settings.auth_config.

Changes:

  • Add a legacy backfill that inserts auth_config.ssoOidc.domain (and ssoOidc.enforced) into sso_verified_domain, merging on domain name.
  • Generate a fallback verification_token for legacy rows and assign new row IDs during the backfill.
  • Strip the legacy ssoOidc.domain and ssoOidc.enforced keys from settings.auth_config after the backfill.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/db/drizzle/0056_admin_auth_settings.sql Outdated
Comment thread packages/db/drizzle/0056_admin_auth_settings.sql
@BunsDev BunsDev self-assigned this Jun 6, 2026
@BunsDev BunsDev force-pushed the codex/propose-fix-for-sso-domain-vulnerability branch from 4672d66 to 7b0f413 Compare June 6, 2026 23:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@BunsDev BunsDev

Labels

aardvark codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BunsDev