From d6016da8ffacacf079caac634cc7684ab9dc7b45 Mon Sep 17 00:00:00 2001
From: Vadym Samoilenko <vadymsamoilenko@oliver.agency>
Date: Tue, 28 Apr 2026 19:26:46 +0100
Subject: [PATCH] vault backup: 2026-04-28 19:26:46

---
 .../oliver-sales-ops-platform/Oliver Sales Ops Platform.md   | 5 +++++
 99 Daily/2026-04-28.md                                       | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/01 Projects/oliver-sales-ops-platform/Oliver Sales Ops Platform.md b/01 Projects/oliver-sales-ops-platform/Oliver Sales Ops Platform.md
index 211c5cd..958d018 100644
--- a/01 Projects/oliver-sales-ops-platform/Oliver Sales Ops Platform.md	
+++ b/01 Projects/oliver-sales-ops-platform/Oliver Sales Ops Platform.md	
@@ -24,6 +24,10 @@ created: 2026-04-28
 - **Local path:** `/Volumes/SSD/Projects/Oliver/oliver-sales-ops-platform`
 
 ## Sessions
+### 2026-04-28 – How should SSO user access control
+**Asked:** How should SSO user access control be implemented — separate Azure environment or backend allowlist with allowed emails?
+**Done:** Implemented backend-based SSO access control with allowlist verification, redirect URL configured to https://optical-dev.oliver.solutions/oliver-sales-ops-platform/
+
 ### 2026-04-28 – How should SSO user access restrictions
 **Asked:** How should SSO user access restrictions be implemented — separate Azure environment or backend allowlist validation?
 **Done:** Confirmed backend allowlist approach is viable; reviewed AuthProvider.tsx and updated docstring in _upsert_app_user for clarity.
@@ -32,6 +36,7 @@ created: 2026-04-28
 ## Change Log
 | Date | Requested | Changed | Files |
 |------|-----------|---------|-------|
+| 2026-04-28 | SSO access control | Created allowlist service, added auth middleware with email verification, configured redirect URL | config/allowed_users.yaml, backend/app/services/allowlist.py, backend/app/middleware/auth.py |
 | 2026-04-28 | SSO user restrictions | AuthProvider logic review, _upsert_app_user docstring update | AuthProvider.tsx, _upsert_app_user |
 
 ## Related
diff --git a/99 Daily/2026-04-28.md b/99 Daily/2026-04-28.md
index 2836b8f..27a86e8 100644
--- a/99 Daily/2026-04-28.md	
+++ b/99 Daily/2026-04-28.md	
@@ -110,3 +110,6 @@ tags: [daily]
 - 19:24 | `oliver-sales-ops-platform`
   - **Asked:** How should SSO user access restrictions be implemented — separate Azure environment or backend allowlist validation?
   - **Done:** Confirmed backend allowlist approach is viable; reviewed AuthProvider.tsx and updated docstring in _upsert_app_user for clarity.
+- 19:25 | `oliver-sales-ops-platform`
+  - **Asked:** How should SSO user access control be implemented — separate Azure environment or backend allowlist with allowed emails?
+  - **Done:** Implemented backend-based SSO access control with allowlist verification, redirect URL configured to https://optical-dev.oliver.solutions/oliver-sales-ops-platform/