social-reporting-tool/v2/server/auth/upsert-user.ts

// V2 SSO persistence: every Azure sign-in upserts a user row and ensures
// the user has at least one team (personal team auto-created on first sign-in).
import { upsertSsoUser, setSuperAdmin, type UserRow } from '../db/users.js';
import { createTeam, getTeamBySlug } from '../db/teams.js';
import { addMembership, userHasAnyMembership } from '../db/memberships.js';
import { envStr } from '../lib/env.js';

function emailToSlug(email: string): string {
  const local = email.split('@')[0] ?? 'user';
  const base = local.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/(^-|-$)/g, '');
  return base || 'user';
}

async function uniquePersonalSlug(email: string): Promise<string> {
  const base = emailToSlug(email);
  let candidate = `${base}-personal`;
  let i = 1;
  while (await getTeamBySlug(candidate)) {
    i += 1;
    candidate = `${base}-personal-${i}`;
  }
  return candidate;
}

export interface SsoLandingResult {
  user: UserRow;
  active_team_id: string;
  bootstrapped_super_admin: boolean;
}

/**
 * Single entry point for SSO sign-in persistence.
 * 1. Upsert user keyed on Azure oid.
 * 2. Promote to super-admin if email matches BOOTSTRAP_SUPER_ADMIN_EMAIL.
 * 3. If user has no team memberships, create a personal team and add them as owner.
 * 4. Pick an active team for the session.
 */
export async function landSsoUser(input: {
  oid: string;
  email: string;
  display_name: string;
}): Promise<SsoLandingResult> {
  let user = await upsertSsoUser(input);

  // Bootstrap super-admin from env on first sign-in (sticky once true).
  let bootstrapped = false;
  const bootstrapEmail = envStr('BOOTSTRAP_SUPER_ADMIN_EMAIL').toLowerCase();
  if (bootstrapEmail && !user.is_super_admin && user.email.toLowerCase() === bootstrapEmail) {
    user = await setSuperAdmin(user.id, true);
    bootstrapped = true;
    console.log(`[auth] Bootstrapped super-admin: ${user.email}`);
  }

  // Ensure at least one team membership.
  const hasTeam = await userHasAnyMembership(user.id);
  let activeTeamId: string;
  if (!hasTeam) {
    const slug = await uniquePersonalSlug(user.email);
    const personalTeam = await createTeam({
      slug,
      name: `${user.display_name || user.email}'s workspace`,
      isPersonal: true,
    });
    await addMembership({ teamId: personalTeam.id, userId: user.id, role: 'owner', addedBy: null });
    activeTeamId = personalTeam.id;
  } else {
    // Pick the user's first team as the default active team.
    const { sql } = await import('../db/client.js');
    const [row] = await sql<{ team_id: string }[]>`
      SELECT team_id FROM team_memberships WHERE user_id = ${user.id}
      ORDER BY added_at ASC LIMIT 1
    `;
    if (!row) throw new Error('landSsoUser: user has membership but no row returned');
    activeTeamId = row.team_id;
  }

  return { user, active_team_id: activeTeamId, bootstrapped_super_admin: bootstrapped };
}