fix(oauth): bake tenantId and tier into grant props at mint (closes #34)#41
Open
stackbilt-admin wants to merge 1 commit into main from
Conversation
Both completeAuthorization call sites (auto-approve + consent-approve) now call provisionTenant once at grant mint and thread tenantId + tier through props, so resolveAuth reads them directly instead of re-calling AUTH_SERVICE on every request. Eliminates the grant-time vs. session-time tier drift that silently downgraded pro/enterprise callers to blessed templates on scaffold_create.

Legacy grants that predate this change keep working — resolveAuth falls through to the provisionTenant call when props carry neither tenantId nor tier. A provisionTenant failure during mint is logged and the grant is minted without the fields, leaving the legacy fallback to cover it so a transient AUTH_SERVICE blip can't block OAuth consent.

Regression guards: oauth-handler.test.ts asserts both mint sites bake the fields in and survive provisionTenant failure; gateway.test.ts asserts resolveAuth skips the provisionTenant call when props carry the baked values and still invokes it for the legacy cohort.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- `completeAuthorization` call sites in `src/oauth-handler.ts` now call `provisionTenant` once at grant mint and bake `tenantId` + `tier` into grant props.
- `resolveAuth` in `src/gateway.ts` reads `tenantId`/`tier` directly from props when present, skipping the per-request `provisionTenant` round trip.
- Legacy grants (neither field in props) keep falling through to the existing `provisionTenant` path.
- On `provisionTenant` failure at mint time, the helper logs and returns `{}` so the grant is still minted — `resolveAuth`'s legacy fallback covers the drop.

Why this matters

Closes #34 (severity: medium). Surfaced during the img-forge `stackbilt_credits` investigation: D1 showed `tenant-admin-default` at `team` tier while fresh `scaffold_create` receipts returned `tier: "free"`. Root cause was grant-time vs. session-time drift — with only `{userId, email, name, scopes}` in props, every request re-resolved tier via `provisionTenant` and any divergence silently downgraded pro/enterprise callers to `blessed` engine templates at `src/rest-scaffold.ts:148`.

Test plan

- `npm run typecheck` — clean
- `npm run test` — 181 / 181 passing (5 new)
- `oauth-handler.test.ts` — auto-approve bakes fields / consent-approve bakes fields / graceful degradation on `provisionTenant` failure
- `gateway.test.ts` — `resolveAuth` skips `provisionTenant` when props carry `tenantId` + `tier` / falls back for legacy cohort
- `scaffold_create` receipt returns the user's actual tier (not `free`), and that `provisionTenant` call volume drops (observability signal for the fix landing)

🤖 Generated with Claude Code
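The mint-time bake, the graceful degradation to `{}`, and the `resolveAuth` read path with its legacy fallback, as an added TypeScript example that is not code from the stackbilt repository; `provisionTenant`, `GrantProps`, the tier names and the two AUTH_SERVICE stand-ins are assumed shapes, not the project's own:

```typescript
// Added example, not the project's code: the mint-time bake and the resolveAuth
// read path the PR describes. provisionTenant, GrantProps and the Tier values are
// assumed shapes, not taken from the repository.
type Tier = "free" | "pro" | "team" | "enterprise";
interface TenantInfo { tenantId: string; tier: Tier; }
type ProvisionTenant = (userId: string) => Promise<TenantInfo>;
interface GrantProps {
  userId: string; email: string; name: string; scopes: string[];
  tenantId?: string; tier?: Tier; // baked at mint by this change; absent on legacy grants
}
interface ResolvedAuth { userId: string; tenantId: string; tier: Tier; source: "props" | "provisionTenant"; }

// Mint time: call provisionTenant once. On failure, log and return {} so consent
// still completes; the grant then looks like a legacy grant and resolveAuth covers it.
export async function bakeTenantFields(
  userId: string, provision: ProvisionTenant, log: (m: string) => void = console.error,
): Promise<Partial<TenantInfo>> {
  try {
    const { tenantId, tier } = await provision(userId);
    return { tenantId, tier };
  } catch (err) {
    log(`provisionTenant failed at mint for ${userId}: ${String(err)}`);
    return {};
  }
}

// Request time: trust the baked pair only when both fields are present (a half-populated
// grant re-resolves rather than mixing sources); otherwise fall through to provisionTenant.
// The baked tier is as fresh as the grant: a tier change after mint is seen on re-mint.
export async function resolveAuth(props: GrantProps, provision: ProvisionTenant): Promise<ResolvedAuth> {
  if (props.tenantId !== undefined && props.tier !== undefined) {
    return { userId: props.userId, tenantId: props.tenantId, tier: props.tier, source: "props" };
  }
  const { tenantId, tier } = await provision(props.userId);
  return { userId: props.userId, tenantId, tier, source: "provisionTenant" };
}

// Constructed stand-ins for AUTH_SERVICE: one healthy, one that throws (transient blip).
export const healthyProvision: ProvisionTenant = async (userId) => ({ tenantId: `tenant-${userId}`, tier: "pro" });
export const failingProvision: ProvisionTenant = async () => { throw new Error("AUTH_SERVICE unavailable"); };
```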