[feat] Extend organizations (multi-orgs, verified domains, sso providers)

[junaway]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
agenta-documentation	Ready	Preview, Comment	Jan 8, 2026 7:57pm

To fix this problem, we should ensure that the redirect parameter is validated before being used in the redirection logic. There are two main approaches:

1. Whitelist: If the set of allowed redirect targets is known and finite, check that redirect matches one of these safe values.
2. Relative path validation: If arbitrary relative paths are allowed, ensure that redirect does NOT specify a full URL (with scheme/host), and is a local path.

For this code, since the usage is for paths within the frontend, the second approach is practical:

• Use Python's urllib.parse.urlparse to check that redirect does not contain a hostname or scheme.
• Remove any backslash characters (\) to prevent bypass.
• If validation fails, redirect to a safe default (e.g., /).

Specific changes:

• Add an import for urlparse from urllib.parse.
• Validate the redirect parameter before building supertokens_url:
  • Strip backslashes.
  • Ensure urlparse(redirect).netloc and urlparse(redirect).scheme are empty.
  • If the validation fails, set redirect to /.

All code changes are to occur within api/oss/src/apis/fastapi/auth/router.py in the block for /authorize/oidc.
No change to existing functionality except improved security for the redirection.

---

[Copilot]

Pull request overview

This PR adds Single Sign-On (SSO) via OpenID Connect (OIDC) support to Agenta. The implementation introduces a comprehensive authentication discovery system, dynamic OIDC provider configuration, user identity tracking, and organization-level authentication policies.

Key changes include:

• Frontend authentication flow refactored to support multiple auth methods with dynamic discovery
• Backend auth service with OIDC provider management, SuperTokens integration with custom overrides for dynamic providers
• New database tables for user identities and organization authentication policies (EE)

Reviewed changes

Copilot reviewed 32 out of 41 changed files in this pull request and generated 21 comments.

Show a summary per file

File	Description
web/oss/src/pages/auth/[[...path]].tsx	Refactored auth page to dynamically show/hide auth methods based on discovery endpoint and environment flags
web/oss/src/lib/helpers/dynamicEnv.ts	Added environment variables for email/OIDC auth feature flags
web/oss/src/components/pages/auth/SocialAuth/index.tsx	Added optional divider prop to conditionally show separator
web/entrypoint.sh	Added logic to derive AUTH_EMAIL_ENABLED and AUTH_OIDC_ENABLED from environment variables
api/oss/src/core/auth/supertokens_overrides.py	Implemented SuperTokens overrides for dynamic OIDC providers and custom session handling with user identities
api/oss/src/core/auth/service.py	Added AuthService with discovery, authentication, and authorization logic
api/oss/src/core/auth/oidc.py	Implemented OIDC client helper utilities for authorization and token exchange
api/oss/src/core/auth/middleware.py	Added organization policy enforcement middleware (EE)
api/oss/src/apis/fastapi/auth/router.py	Added /discover and /authorize/oidc endpoints
api/oss/src/dbs/postgres/users/*	Added user identities DAO, DBE, DBA, mappings, and types
api/oss/src/dbs/postgres/organizations/*	Added organization policies, domains, providers, invitations DAOs and models
api/oss/databases/postgres/migrations/*	Added migration for user_identities and organization tables
api/ee/src/dbs/postgres/organizations/*	EE-specific organization DBE/DBA classes
api/test-auth.http	Comprehensive HTTP test file documenting all auth endpoints and flows

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The DBA classes inherit from LegacyLifecycleDBA but the migration creates columns matching LifecycleDBA (which includes deleted_at, created_by_id, updated_by_id, and deleted_by_id). This mismatch between the migration and the model definition will cause runtime errors. These classes should inherit from LifecycleDBA instead of LegacyLifecycleDBA to match the migration schema.

[Copilot]

The code calls await self.domains_dao.get_by_id(provider.domain_id) but the OrganizationDomainsDAO class doesn't have a get_by_id method. It only has get_by_domain, list_by_organization, and mark_verified methods. This will cause an AttributeError at runtime.

Suggested change

	domain_dto = await self.domains_dao.get_by_id(provider.domain_id)
	if hasattr(self.domains_dao, "get_by_id"):
	domain_dto = await self.domains_dao.get_by_id(provider.domain_id)
	elif hasattr(self.domains_dao, "get_by_domain"):
	domain_dto = await self.domains_dao.get_by_domain(domain)
	else:
	return False

[Copilot]

The DAO imports types from ee.src.core.organizations.types but this file is in the OSS directory (oss/src/dbs/postgres/organizations/dao.py). This creates a dependency on EE code from OSS code, which breaks the architectural separation. These types should either be defined in OSS or the DAO should only be used in EE. Based on the context, these organization-related features appear to be EE-only, so this DAO file should probably be in the EE directory.

[Copilot]

This file imports types from ee.src.core.organizations.types but is located in the OSS directory. This creates an improper dependency on EE code from OSS code, violating the architectural separation. Since organization policies, domains, providers, and invitations appear to be EE-only features, this mappings file should be located in the EE directory structure.

[Copilot]

The code uses a hardcoded placeholder org_slug = "org" instead of fetching the actual organization slug from the database. This means all SSO identities will be stored with the same generic org slug, making it impossible to distinguish between different organizations' SSO providers. The TODO comment indicates this is known incomplete work that needs to be addressed.

Suggested change

	# Format: oidc:{org_id}:{provider_slug} -> sso:{org_slug}:{provider_slug}
	parts = third_party_id.split(":")
	org_id_str, provider_slug = parts[1], parts[2]
	# TODO: Fetch org_slug from organization table
	org_slug = "org" # Placeholder
	method = f"sso:{org_slug}:{provider_slug}"
	# Format: oidc:{org_id}:{provider_slug} -> sso:{org_id}:{provider_slug}
	parts = third_party_id.split(":")
	org_id_str, provider_slug = parts[1], parts[2]
	method = f"sso:{org_id_str}:{provider_slug}"

[Copilot]

Import of 'List' is not used.
Import of 'Union' is not used.

Suggested change

	from typing import Dict, Any, List, Optional, Union
	from typing import Dict, Any, Optional

[Copilot]

Import of 'Provider' is not used.

[Copilot]

Import of 'User' is not used.

Suggested change

	from supertokens_python.types import User, RecipeUserId
	from supertokens_python.types import RecipeUserId

[Copilot]

This statement is unreachable.

Suggested change

	# For now, assume they are
	is_member = True
	if not is_member:
	return {
	"error": "NOT_A_MEMBER",
	"message": "You are not a member of this organization",
	}
	# For now, assume they are a member and proceed to policy checks

[Copilot]

This statement is unreachable.

Suggested change

	# For now, assume they are
	is_member = True
	if not is_member:
	return {
	"error": "NOT_A_MEMBER",
	"message": "You are not a member of this organization",
	}
	# For now, assume they are (no membership check implemented yet)

[Copilot]

Pull request overview

Copilot reviewed 57 out of 66 changed files in this pull request and generated 18 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The OSS version defines the same database models and migrations that appear in the EE version. This creates significant code duplication - the entire contents of dbas.py, dbes.py, mappings.py, and dao.py are duplicated. Since these are meant to be EE-only features (organization policies, SSO providers), they should only exist in the EE codebase. The OSS versions should either be removed or contain only stub/fallback implementations.

[Copilot]

The load_only optimization is imported but only partially applied. While line 65 adds optimization for the organization query in this batch processing migration, consider whether other queries in the migration could benefit from similar optimization to reduce memory usage during large data migrations.

[Copilot]

The showDivider prop defaults to true to maintain backward compatibility, but the calling code in the auth page explicitly passes the value on line 225. The prop could be made required instead of optional with a default, making the API more explicit and reducing ambiguity about when the divider appears.

[Copilot]

The expires_at field in the migration is correctly defined as TIMESTAMP, but the DBA model defines it as UUID (lines 125-128 in dbas.py). This mismatch between the migration and the model will cause runtime errors. The DBA model should be updated to use TIMESTAMP type.

[Copilot]

The in-memory StateStore is not suitable for production use, especially in multi-instance deployments where state needs to be shared. The TODO comment acknowledges this, but using this in production would cause OIDC flows to fail when requests hit different instances. Consider implementing Redis-backed storage before deploying to production, or add validation to prevent deployment with in-memory state.

[Copilot]

Import of 'Optional' is not used.

[Copilot]

Import of 'List' is not used.

[Copilot]

Import of 'User' is not used.

[Copilot]

This statement is unreachable.

Suggested change

	is_member = True
	if not is_member:
	return {
	"error": "NOT_A_MEMBER",
	"message": "You are not a member of this organization",
	}

[Copilot]

This statement is unreachable.

[Copilot]

Pull request overview

Copilot reviewed 60 out of 69 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Inconsistent base class usage: OSS uses LifecycleDBA while EE uses LegacyLifecycleDBA. This inconsistency may lead to differences in table schemas and lifecycle field behavior between OSS and EE editions for the same tables.

[Copilot]

The variable invite_link is referenced in the f-string but is not defined in this diff section. This will cause a NameError. Check if invite_link is defined earlier in the function or if it should be constructed here.

[Copilot]

This statement is unreachable.

Suggested change

	# Get user ID and check membership
	user_id = session.get_user_id()
	# TODO: Check if user is a member of organization
	# For now, assume they are
	is_member = True
	if not is_member:
	return {
	"error": "NOT_A_MEMBER",
	"message": "You are not a member of this organization",
	}
	# Get user ID (membership enforcement not yet implemented)
	# TODO: Enforce that user is a member of the organization before applying policy
	user_id = session.get_user_id()

[Copilot]

This statement is unreachable.

[Copilot]

Pull request overview

Copilot reviewed 62 out of 71 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Variable user_id is not used.

Suggested change

user_id = session.get_user_id()

[Copilot]

This statement is unreachable.

[Copilot]

Pull request overview

Copilot reviewed 95 out of 104 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (4)

web/entrypoint.sh:1

• The order of NEXT_PUBLIC_AGENTA_WEB_URL and NEXT_PUBLIC_AGENTA_API_URL has been swapped compared to the original, but the surrounding code context suggests this was intentional. However, this creates an inconsistency with the removed lines that had AGENTA_API_URL first. Verify this order change is intentional and doesn't break existing configurations that depend on the original ordering.
  api/oss/src/utils/env.py:1
• Hardcoding a default PostHog API key in production code is a security risk. This key should only be used in development/demo environments. Consider making this explicitly conditional on environment (e.g., only default in demo mode) or removing the default entirely to force explicit configuration.
  api/oss/src/utils/env.py:1
• Defaulting critical security keys to 'replace-me' is dangerous. These should fail loudly if not set in production rather than falling back to insecure defaults. Consider raising an exception when these are not configured in non-development environments.
  api/oss/src/services/organization_service.py:1
• The error message 'No existing invitation found for the user' is misleading when an existing_role exists but no existing_invitation. The user may have been previously invited (thus having a role) but the invitation record is missing. Consider a more accurate message like 'User has no active invitation or existing role in this organization'.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Adding load_only() to limit columns fetched is good, but verify that no other attributes of OrganizationDB are accessed elsewhere in this migration that aren't included in this list. If other attributes are accessed, this could cause additional queries or errors.

Suggested change

.options(load_only(OrganizationDB.id, OrganizationDB.owner))

[Copilot]

Pull request overview

Copilot reviewed 153 out of 520 changed files in this pull request and generated 5 comments.

Files not reviewed (1)

• docs/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Changed from 'owner' to 'owner_id', but the database model expects a UUID type. Verify that user_db.id is already a UUID and not a string to avoid type mismatches.

[Copilot]

Function name _merge_session_identities uses a leading underscore suggesting it's private/internal, but it's not a method of a class. Consider removing the underscore or organizing it as a class method if appropriate.

[Copilot]

The replace_map initialization at line 913 is immediately overwritten at line 915 if operations.columns.replace exists. Consider removing the initial empty dict assignment or combining the logic.

Suggested change

	replace_map = {}
	if operations.columns.replace:
	replace_map = {old: new for old, new in operations.columns.replace}
	replace_map = {old: new for old, new in (operations.columns.replace or [])}

[Copilot]

Using print() for logging throughout this file instead of the log object imported at the top. Replace print statements with proper logging calls (e.g., log.info(), log.debug()) for consistency with the rest of the codebase.

[Copilot]

Comment explains the change but the original code used 'id' for UUID7. Verify that all blob IDs in the system are indeed UUID5 (content-hashed) and not UUID7, as mixing ordering strategies could cause inconsistent pagination.

[Copilot]

Pull request overview

Copilot reviewed 152 out of 520 changed files in this pull request and generated 8 comments.

Files not reviewed (1)

• docs/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The else clause raises a 404 when there's no existing invitation OR role, but the function is called 'resend_user_organization_invite'. If the user was never invited, this should probably return a different error indicating that there's no invitation to resend, rather than proceeding to create a new invitation with an undefined role.

[Copilot]

The comment explains the change from 'id' to 'created_at' for ordering, but this breaks cursor-based pagination semantics if multiple blobs have the same timestamp. Consider documenting this limitation or using a composite key (created_at, id) for stable ordering.

Suggested change

	attribute="created_at", # Blob IDs are content-hashed (UUID5), use timestamp for ordering
	# Blob IDs are content-hashed (UUID5), so they are not suitable for
	# chronological ordering. We therefore use `created_at` as the primary
	# sort key for windowing. Note: using `created_at` alone means that
	# cursor-based pagination is not strictly stable if multiple blobs share
	# the same timestamp, because there is no secondary tie-breaker in the
	# ORDER BY clause (e.g. `(created_at, id)`). Callers should be aware of
	# this limitation when relying on pagination semantics.
	attribute="created_at",

[Copilot]

The owner_id field is required (no Optional), but in the Organization model it's not marked as required. This could cause serialization issues if owner_id is None in the database. Consider making it Optional[UUID] to match the database schema's nullable constraint pattern, or ensure it's always set during creation.

Suggested change

	owner_id: UUID
	owner_id: Optional[UUID] = None

[Copilot]

The generic error message 'Custom code execution failed' doesn't provide enough context for debugging. Consider including the status code in the error message, e.g., f'Custom code execution failed with status {response.status.code}: {error_message}'.

Suggested change

	raise RuntimeError(error_message)
	raise RuntimeError(
	f"Custom code execution failed with status {response.status.code}: {error_message}"
	)

[Copilot]

This domain extraction doesn't validate that there's exactly one '@' symbol. An email like 'user@@example.com' would extract '@example.com' as the domain. Use email.count('@') == 1 in the condition or validate email format first.

Suggested change

	"""
	print(f"[DISCOVERY] Starting discovery for email: {email}")
	# Extract domain from email (if provided)
	domain = email.split("@")[1] if email and "@" in email else None
	print(f"[DISCOVERY] Extracted domain: {domain}")
	# Check if user exists only when email looks valid
	user = None
	# Extract domain from email (if provided and structurally valid)
	domain = email.split("@")[1] if email and email.count("@") == 1 else None
	print(f"[DISCOVERY] Extracted domain: {domain}")
	# Check if user exists only when email looks valid
	user = None
	user_exists = False
	user_id = None
	if email and email.count("@") == 1:

[Copilot]

The healthcheck uses hardcoded username 'username' instead of the ${POSTGRES_USER} variable. This will fail if POSTGRES_USER is set to a different value. Use 'pg_isready -U ${POSTGRES_USER:-username} -d agenta_oss_core' to respect the environment variable.

Suggested change

	test: ["CMD-SHELL", "pg_isready -U username -d agenta_oss_core"]
	test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-username} -d agenta_oss_core"]

[Copilot]

There are 17 consecutive lines of empty comments (lines 453-469) at the end of the file before the networks section. These appear to be placeholder or accidentally committed. Consider removing them to clean up the file.

[Copilot]

The pydantic email extra is added but there's no comment explaining why. Since this PR adds email validation in multiple places (domain extraction, user identities), consider adding a comment explaining that this enables EmailStr validators.

Suggested change

	fastapi = ">=0.127"
	fastapi = ">=0.127"
	# Enable Pydantic's email validators (e.g. EmailStr) used for email/domain validation.

To fix the problem, we should stop returning the raw exception message (str(e)) to the client and instead return a generic, user-safe error message while optionally logging the original exception on the server side. This aligns with the recommendation to keep detailed error information only in logs and not in user-facing responses.

The best minimal-impact fix here is:

• In the except ValueError as e: block, log the exception using the existing logging facility (get_module_logger) and then return a generic, but still user-meaningful 400 response, such as “Invalid organization update payload.” or a similar non-sensitive message.
• Do not change the semantics of when we return 400 vs 500; maintain the 400 status code for validation-like errors.
• Avoid introducing new dependencies; use the already-imported logging utility.

Concretely:

• At the top of api/ee/src/routers/organization_router.py, after router = APIRouter(), define a module-level logger with logger = get_module_logger(__name__).
• In the except ValueError as e: block, replace the return that uses str(e) with:
  • a call to logger.warning(...) or logger.error(...) including the exception, and
  • a JSONResponse whose "detail" string is generic and not derived from e.

No new external libraries are needed; we only use the already-present get_module_logger.

In general, the fix is to stop returning the raw exception message to the client and instead return a generic, user‑safe error message while logging the exception details (including stack trace) on the server side. This preserves debuggability for developers while preventing unintentionally sensitive information from leaking to API consumers.

For this file, the best targeted fix is:

1. Use the module logger (which is already imported via get_module_logger) to log exceptions in both except blocks.
2. Replace {"detail": str(e)} payloads with generic, stable messages, e.g.:
   • For the ValueError in transfer_organization_ownership, something like "Unable to transfer organization ownership" (optionally more specific but not including str(e)).
   • For the generic Exception in both endpoints, a generic "Internal server error" or similar.
3. Avoid inlining import traceback inside exception handlers; instead, import traceback once at the top and use log.exception(...) or traceback.format_exc() with log.error(...). log.exception already records the stack trace and is a good fit here.

Concretely:

• Near the top of organization_router.py, create a log = get_module_logger(__name__) if it does not already exist in the omitted lines, and add an import traceback if we choose to keep explicit traceback formatting. However, we’re constrained to only edit shown snippets; the top snippet shows imports but no logger definition, and the later code uses log.info(...) already, which implies log must be defined somewhere in the omitted portion. To keep behavior consistent, we should not redefine log; instead, just call log.exception(...) in the catch blocks (no new imports needed because log.exception doesn’t require traceback).
• In the except ValueError as e: block at lines 336‑341, stop using str(e) in the response body. Replace it with a fixed message.
• In the except Exception as e: block for transfer_organization_ownership, remove import traceback, remove traceback.print_exc(), call log.exception("Error transferring organization ownership"), and raise an HTTPException with a generic detail string.
• In the except Exception as e: block for create_collaborative_organization, similarly remove the inline traceback import/print, call log.exception("Error creating collaborative organization"), and raise an HTTPException with a generic detail string.

This approach keeps HTTP status codes and overall control flow the same, but removes exposure of raw exception messages and prints stack traces only to logs.

---