Skip to content

feat(web): guard EE user deletion behind SCIM and unify user API shape#1425

Merged
brendan-kellam merged 2 commits into
mainfrom
brendan/ee-user-api-scim-and-unified-shape
Jul 7, 2026
Merged

feat(web): guard EE user deletion behind SCIM and unify user API shape#1425
brendan-kellam merged 2 commits into
mainfrom
brendan/ee-user-api-scim-and-unified-shape

Conversation

@brendan-kellam

@brendan-kellam brendan-kellam commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Hardens and unifies the enterprise user-management API (/api/ee/user and /api/ee/users).

DELETE /api/ee/user

  • Disabled while SCIM is enabled. When SCIM provisioning is on, the IdP is the source of truth for membership, so the endpoint now returns membershipManagedByIdpError (403) — matching the existing member-management server actions (removeMemberFromOrg, suspendMember, etc.).
  • Delegates to removeMember instead of a raw prisma.user.delete. This makes it an org-scoped membership removal that revokes the member's credentials and enforces last-owner protection, rather than a global account delete.
  • Removed the self-delete guardremoveMember's last-active-owner protection already covers the only risky case, and owners can otherwise remove themselves.

GET /api/ee/user + GET /api/ee/users

  • Identical response shape. Both now return the same user object via a shared toPublicUser mapper (in ee/utils.ts), so they can't drift. Unified shape:
    { id, name, email, role, suspendedAt, createdAt, updatedAt, lastActivityAt }. This only adds fields to each endpoint (non-breaking).
  • Singular GET is now org-scoped. It looks up UserToOrg membership (404 for non-members) instead of doing a global user.findUnique by id — required to source role/suspendedAt/lastActivityAt, and it closes a cross-org read.
  • lastActivityAt now comes from UserToOrg.lastActiveAt (the throttled "last seen" heartbeat the members table already displays) instead of a per-member audit.findFirst. This removes the list endpoint's N+1.

Docs

  • Consolidated PublicEeUser / PublicEeUserListItem schemas into a single PublicEeUser component; updated the OpenAPI descriptions and regenerated sourcebot-public.openapi.json.

Behavior changes to note

  • Singular GET /api/ee/user returns 404 for a user who isn't a member of the caller's org (previously any user id resolved globally).
  • DELETE /api/ee/user is org-membership removal, not global account deletion, and is blocked under SCIM.
  • lastActivityAt is null for suspended members (their lastActiveAt is reset on suspension) and can lag real activity by up to ~5 min (write throttle).

Testing

  • eslint clean on all changed files.
  • tsc --noEmit reports no errors in any changed file (pre-existing unrelated test-mock errors remain).
  • OpenAPI spec regenerates deterministically (no drift).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Organization user details now include membership role, status, and last activity in API responses.
    • User removal now follows organization membership rules, including protection for the last owner.
  • Bug Fixes

    • User lookup is now scoped to organization membership, so “not found” results are more accurate.
    • When account provisioning is managed externally, user deletion is now blocked with a clearer response.
  • Documentation

    • Updated API docs and changelog wording to match the revised user retrieval and removal behavior.

DELETE /api/ee/user now returns membershipManagedByIdpError when SCIM is
enabled (the IdP owns membership), matching the existing member-management
actions. It also delegates to removeMember, so it does an org-scoped
membership removal with last-owner protection and credential revocation
instead of a raw global user delete. The self-delete guard is removed;
removeMember's last-owner protection covers the risky case.

GET /api/ee/user and GET /api/ee/users now return an identical user shape
via a shared toPublicUser mapper. The singular GET is now scoped to org
membership (404 for non-members) instead of a global user lookup, and
lastActivityAt is sourced from UserToOrg.lastActiveAt (dropping a per-member
audit query / N+1).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mintlify

mintlify Bot commented Jul 7, 2026

Copy link
Copy Markdown

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
sourcebot 🟢 Ready View Preview Jul 7, 2026, 1:45 AM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@github-actions

This comment has been minimized.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7debdd4f-0db8-4c85-9278-2503d9805530

📥 Commits

Reviewing files that changed from the base of the PR and between 11ef472 and 2be8286.

📒 Files selected for processing (7)
  • CHANGELOG.md
  • docs/api-reference/sourcebot-public.openapi.json
  • packages/web/src/app/api/(server)/ee/user/route.ts
  • packages/web/src/app/api/(server)/ee/users/route.ts
  • packages/web/src/app/api/(server)/ee/utils.ts
  • packages/web/src/openapi/publicApiDocument.ts
  • packages/web/src/openapi/publicApiSchemas.ts

Walkthrough

This PR refactors EE user endpoints to use organization membership (UserToOrg) records instead of direct user records. A new toPublicUser utility maps memberships to public user objects. DELETE now enforces SCIM-managed restrictions via removeMember, replacing direct deletion. OpenAPI schemas and docs are updated accordingly.

Changes

EE User Membership Refactor

Layer / File(s) Summary
toPublicUser membership utility
packages/web/src/app/api/(server)/ee/utils.ts
New MembershipWithUser type and toPublicUser function map a membership record (with user) to a public user object with role, suspension, and timestamp fields.
GET /api/ee/user membership lookup
packages/web/src/app/api/(server)/ee/user/route.ts
GET handler queries prisma.userToOrg.findUnique scoped to org/user instead of prisma.user, and returns toPublicUser(membership).
DELETE /api/ee/user SCIM guard and removeMember
packages/web/src/app/api/(server)/ee/user/route.ts
DELETE handler adds an isScimEnabled guard returning membershipManagedByIdpError(), delegates removal to removeMember, and removes prior self-deletion/audit/direct-delete logic.
GET /api/ee/users list mapping
packages/web/src/app/api/(server)/ee/users/route.ts
Users list endpoint replaces per-user audit-based lastActivityAt enrichment with a direct toPublicUser mapping over memberships.
Public API schema updates
packages/web/src/openapi/publicApiSchemas.ts
publicEeUserSchema gains nullable lastActivityAt; publicEeUsersResponseSchema uses publicEeUserSchema array; publicEeUserListItemSchema export removed.
OpenAPI docs, generated spec, and changelog
packages/web/src/openapi/publicApiDocument.ts, docs/api-reference/sourcebot-public.openapi.json, CHANGELOG.md
Descriptions and required fields updated for GET/DELETE /api/ee/user and PublicEeUser/PublicEeUsersResponse schemas; changelog documents removal semantics and response unification.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant UserRoute
  participant Prisma
  Client->>UserRoute: GET /api/ee/user
  UserRoute->>Prisma: userToOrg.findUnique(orgId, userId)
  Prisma-->>UserRoute: membership record (or null)
  alt membership found
    UserRoute->>UserRoute: toPublicUser(membership)
    UserRoute-->>Client: public user response
  else not found
    UserRoute-->>Client: 404 not a member
  end
Loading
sequenceDiagram
  participant Client
  participant UserRoute
  participant SCIMCheck
  participant RemoveMember
  Client->>UserRoute: DELETE /api/ee/user
  UserRoute->>SCIMCheck: isScimEnabled(org)
  alt SCIM enabled
    SCIMCheck-->>UserRoute: true
    UserRoute-->>Client: membershipManagedByIdpError()
  else SCIM disabled
    UserRoute->>RemoveMember: removeMember(org.id, userId, actor)
    RemoveMember-->>UserRoute: result or service error
    UserRoute-->>Client: success or error response
  end
Loading

Possibly related PRs

  • sourcebot-dev/sourcebot#940: Both PRs modify the same EE user route handlers (ee/user/route.ts, ee/users/route.ts), changing authorization gating and the returned user payload shape.
  • sourcebot-dev/sourcebot#1066: Both PRs touch the same EE user OpenAPI spec entries (GET/DELETE /api/ee/user, /api/ee/users) in sourcebot-public.openapi.json.
  • sourcebot-dev/sourcebot#1165: The main PR's removeMember(...)-based deletion path aligns with this PR's org member removal/leave audit event additions.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly captures the two main changes: SCIM-gated EE user deletion and unifying the user API response shape.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch brendan/ee-user-api-scim-and-unified-shape

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@brendan-kellam brendan-kellam merged commit 94b2af6 into main Jul 7, 2026
11 checks passed
@brendan-kellam brendan-kellam deleted the brendan/ee-user-api-scim-and-unified-shape branch July 7, 2026 01:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant