Domain based auto join

.gitignore

@@ -48,6 +48,8 @@ cloudflare_workers_deno/.denoflare
 .dev.vars
 .vars
 src/types/supabase.types.ts
+src/typed-router.d.ts
+src/components.d.ts
 supabase/functions/_backend/utils/supabase.types.ts
 .env.alpha
 
@@ -85,3 +87,19 @@ internal/Certificates_p12.p12
 internal/AuthKey_8P7Y3V99PJ.p8
 internal/CICD.mobileprovision
 internal/Certificates.p12
+
+# PR helper files
+PR_CHECKLIST.md
+PR_DESCRIPTION_AUTO_JOIN.md
+PR_DESCRIPTION_FINAL.md
+PR_DESCRIPTION_SIMPLE.md
+PR_DESCRIPTION.md
+SSO_TEST_STATUS.md
+PR_DESCRIPTION_DOMAIN_AUTO_JOIN.md
+PR_DESCRIPTION_DOMAIN_FINAL.md
+PR_DESCRIPTION_DOMAIN_SIMPLE.md
+PR_TEMPLATE.md
+PR_TEMPLATE_DOMAIN.md
+PR_TEMPLATE_SSO.md
+PR_TEMPLATE_SSO_DOMAIN.md
+PR_TEMPLATE_SSO_DOMAIN_AUTO_JOIN.md

.typos.toml

@@ -29,7 +29,7 @@ extend-exclude = [
   # Database and Supabase
   "supabase/.branches/",
   "supabase/.temp/",
-  "supabase/schemas/prod.sql",
+  "supabase/schemas/",  # Auto-generated by `supabase db dump`
 
   # Assets and data files
   "*.json",
@@ -63,4 +63,5 @@ extend-exclude = [
 capgo = "capgo"
 forgr = "forgr"
 supabase = "supabase"
+pn = "pn"  # PostgreSQL alias for pg_namespace in auto-generated schemas
 # Add more project-specific terms as needed

cloudflare_workers/api/index.ts

@@ -1,12 +1,15 @@
 import { env } from 'node:process'
 import { app as admin_stats } from '../../supabase/functions/_backend/private/admin_stats.ts'
+import { app as check_auto_join_orgs } from '../../supabase/functions/_backend/private/check_auto_join_orgs.ts'
 import { app as config } from '../../supabase/functions/_backend/private/config.ts'
 import { app as create_device } from '../../supabase/functions/_backend/private/create_device.ts'
 import { app as credits } from '../../supabase/functions/_backend/private/credits.ts'
 import { app as deleted_failed_version } from '../../supabase/functions/_backend/private/delete_failed_version.ts'
 import { app as devices_priv } from '../../supabase/functions/_backend/private/devices.ts'
 import { app as events } from '../../supabase/functions/_backend/private/events.ts'
 import { app as log_as } from '../../supabase/functions/_backend/private/log_as.ts'
+import { app as organization_domains_get } from '../../supabase/functions/_backend/private/organization_domains_get.ts'
+import { app as organization_domains_put } from '../../supabase/functions/_backend/private/organization_domains_put.ts'
 import { app as plans } from '../../supabase/functions/_backend/private/plans.ts'
 import { app as publicStats } from '../../supabase/functions/_backend/private/public_stats.ts'
 import { app as stats_priv } from '../../supabase/functions/_backend/private/stats.ts'
@@ -77,6 +80,9 @@ appPrivate.route('/stripe_portal', stripe_portal)
 appPrivate.route('/delete_failed_version', deleted_failed_version)
 appPrivate.route('/create_device', create_device)
 appPrivate.route('/events', events)
+appPrivate.route('/check_auto_join_orgs', check_auto_join_orgs)
+appPrivate.route('/organization_domains_get', organization_domains_get)
+appPrivate.route('/organization_domains_put', organization_domains_put)
 
 // Triggers
 const functionNameTriggers = 'triggers'

cloudflare_workers/email/classifier.ts

@@ -149,8 +149,8 @@ Examples:
  */
 function parseClassificationResponse(response: string): ClassificationResult {
   try {
-    // Try to extract JSON from the response
-    const jsonMatch = response.match(/\{[\s\S]*\}/)
+    // Try to extract JSON from the response (non-greedy to prevent ReDoS)
+    const jsonMatch = response.match(/\{[\s\S]*?\}/)
     if (!jsonMatch) {
       throw new Error('No JSON found in response')
     }

cloudflare_workers/email/discord.ts

@@ -192,13 +192,20 @@ function truncateText(text: string, maxLength: number): string {
 
 /**
  * Basic HTML stripping (for simple cases)
+ *
+ * Removes all angle brackets to prevent any HTML injection, then normalizes whitespace.
+ * This is safe for Discord forum posts where we only need plain text content.
  */
 function stripHtml(html: string): string {
+  if (!html)
+    return ''
+
+  // Remove all angle brackets immediately to prevent HTML tag reconstruction
+  // (e.g., "<scr<script>ipt>" could become "<script>" after partial removal)
+  // This eliminates any possibility of incomplete sanitization
   return html
-    .replace(/<style[^>]*>.*?<\/style>/gis, '')
-    .replace(/<script[^>]*>.*?<\/script>/gis, '')
-    .replace(/<[^>]+>/g, ' ')
-    .replace(/\s+/g, ' ')
+    .replaceAll(/[<>]/g, ' ')
+    .replaceAll(/\s+/g, ' ')
     .trim()
 }
 

cloudflare_workers/email/email-parser.ts

@@ -125,7 +125,7 @@ function parseEmailBody(rawEmail: string | any): { text?: string, html?: string
   }
   else {
     // Simple plain text email
-    const bodyMatch = rawEmail.match(/\r?\n\r?\n([\s\S]+)$/)
+    const bodyMatch = rawEmail.match(/\r?\n\r?\n([\s\S]+?)$/)
     if (bodyMatch)
       body.text = bodyMatch[1].trim()
   }

cloudflare_workers/email/email-sender.ts

@@ -154,19 +154,19 @@ function markdownToPlainText(markdown: string): string {
       part = part.replace(/_([^_]+)_/g, '*$1*')
 
       // Inline code: `code` -> "code"
-      part = part.replace(/`([^`]+)`/g, '"$1"')
+      part = part.replace(/`([^`]+?)`/g, '"$1"')
 
       // Links: [text](url) -> text (url)
-      part = part.replace(/\[([^\]]+)\]\(([^)]+)\)/g, '$1 ($2)')
+      part = part.replace(/\[([^\]]+?)\]\(([^)]+?)\)/g, '$1 ($2)')
 
       // Headers: # Header -> Header (match at start of line)
-      part = part.replace(/^(#{1,6}) +(.+)$/gm, '$2')
+      part = part.replace(/^(#{1,6}) +(.+?)$/gm, '$2')
 
       // Bullet lists: - item or * item -> • item
-      part = part.replace(/^[*-] +(.+)$/gm, '• $1')
+      part = part.replace(/^[*-] +(.+?)$/gm, '• $1')
 
       // Blockquotes: > quote -> | quote
-      part = part.replace(/^> +(.+)$/gm, '| $1')
+      part = part.replace(/^> +(.+?)$/gm, '| $1')
 
       // Horizontal rules: --- or *** -> ────────
       part = part.replace(/^[*-]{3,}$/gm, '────────')

src/components/tables/AppTable.vue

@@ -255,8 +255,8 @@ const filteredApps = computed(() => {
         @add="emit('addApp')"
         @reload="emit('reload')"
         @reset="emit('reset')"
-        @update:current-page="(page) => emit('update:currentPage', page)"
-        @update:search="(val) => emit('update:search', val)"
+        @update:current-page="(page: number) => emit('update:currentPage', page)"
+        @update:search="(val: string) => emit('update:search', val)"
       />
     </div>
   </div>

src/constants/organizationTabs.ts

@@ -6,10 +6,12 @@ import IconCredits from '~icons/heroicons/currency-dollar'
 import IconWebhook from '~icons/heroicons/globe-alt'
 import IconInfo from '~icons/heroicons/information-circle'
 import IconSecurity from '~icons/heroicons/shield-check'
+import IconUserPlus from '~icons/heroicons/user-plus'
 import IconUsers from '~icons/heroicons/users'
 
 export const organizationTabs: Tab[] = [
   { label: 'general', key: '/settings/organization', icon: IconInfo },
+  { label: 'autojoin', key: '/settings/organization/autojoin', icon: IconUserPlus },
   { label: 'members', key: '/settings/organization/members', icon: IconUsers },
   // Security tab is added dynamically in settings.vue for super_admins only
   { label: 'security', key: '/settings/organization/security', icon: IconSecurity },

src/modules/auth.ts

@@ -78,6 +78,15 @@ async function updateUser(
   }
 }
 
+/**
+ * Route guard that enforces authentication, MFA requirements, account-disabled status, auto-join checks, and admin access control before allowing navigation.
+ *
+ * Performs these checks and actions as needed: redirects to login when unauthenticated, redirects to an account-disabled page if the account is marked disabled, prevents navigation when MFA level escalation is required, triggers a non-blocking auto-join check for organizations, ensures public user/profile data and plans/admin status are loaded for newly authenticated users, and restricts access to admin routes for non-admin users.
+ *
+ * @param next - Navigation continuation function; call with a route or nothing to proceed.
+ * @param to - Target route for the navigation.
+ * @param from - Current route being navigated away from.
+ */
 async function guard(
   next: NavigationGuardNext,
   to: RouteLocationNormalized,
@@ -128,6 +137,23 @@ async function guard(
       console.error('Error checking if account is disabled:', error)
     }
 
+    // Check for auto-join to organizations based on email domain
+    try {
+      const config = getLocalConfig()
+      await fetch(`${config.hostWeb}/private/check_auto_join_orgs`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'authorization': `Bearer ${(await supabase.auth.getSession()).data.session?.access_token}`,
+        },
+        body: JSON.stringify({ user_id: auth.user.id }),
+      })
+    }
+    catch (error) {
+      // Non-blocking: log error but don't prevent login
+      console.error('Error checking auto-join organizations:', error)
+    }
+
     if (!main.user) {
       await updateUser(main, supabase)
     }

src/pages/app/[package].bundle.[bundle].history.vue

@@ -7,7 +7,7 @@ import IconAlertCircle from '~icons/lucide/alert-circle'
 import { useSupabase } from '~/services/supabase'
 import { useDisplayStore } from '~/stores/display'
 
-const route = useRoute('/app/[package].bundle.[bundle].history')
+const route = useRoute()
 const router = useRouter()
 const displayStore = useDisplayStore()
 const { t } = useI18n()
@@ -48,13 +48,14 @@ async function getVersion() {
 watchEffect(async () => {
   if (route.path.includes('/bundle/') && route.path.includes('/history')) {
     loading.value = true
-    packageId.value = route.params.package as string
-    id.value = Number(route.params.bundle as string)
+    const params = route.params as Record<string, string>
+    packageId.value = params.package
+    id.value = Number(params.bundle)
     await getVersion()
     loading.value = false
     if (!version.value?.name)
       displayStore.NavTitle = t('bundle')
-    displayStore.defaultBack = `/app/${route.params.package}/bundles`
+    displayStore.defaultBack = `/app/${params.package}/bundles`
   }
 })
 </script>