admin route reconciliation

Author: icecrasher321

apps/sim/app/_shell/providers/session-provider.tsx

@@ -2,6 +2,7 @@
 
 import type React from 'react'
 import { createContext, useCallback, useEffect, useMemo, useState } from 'react'
+import { createLogger } from '@sim/logger'
 import { useQueryClient } from '@tanstack/react-query'
 import { client } from '@/lib/auth/auth-client'
 import { extractSessionDataFromAuthClientResult } from '@/lib/auth/session-response'
@@ -34,6 +35,8 @@ export type SessionHookResult = {
 
 export const SessionContext = createContext<SessionHookResult | null>(null)
 
+const logger = createLogger('SessionProvider')
+
 export function SessionProvider({ children }: { children: React.ReactNode }) {
   const [data, setData] = useState<AppSession>(null)
   const [isPending, setIsPending] = useState(true)
@@ -49,14 +52,18 @@ export function SessionProvider({ children }: { children: React.ReactNode }) {
         : await client.getSession()
       const session = extractSessionDataFromAuthClientResult(res) as AppSession
       setData(session)
+      return session
     } catch (e) {
       setError(e instanceof Error ? e : new Error('Failed to fetch session'))
+      return null
     } finally {
       setIsPending(false)
     }
   }, [])
 
   useEffect(() => {
+    let isCancelled = false
+
     // Check if user was redirected after plan upgrade
     const params = new URLSearchParams(window.location.search)
     const wasUpgraded = params.get('upgraded') === 'true'
@@ -69,12 +76,51 @@ export function SessionProvider({ children }: { children: React.ReactNode }) {
       window.history.replaceState({}, '', newUrl)
     }
 
-    loadSession(wasUpgraded).then(() => {
-      if (wasUpgraded) {
-        queryClient.invalidateQueries({ queryKey: ['organizations'] })
-        queryClient.invalidateQueries({ queryKey: ['subscription'] })
+    const initializeSession = async () => {
+      const session = await loadSession(wasUpgraded)
+
+      if (!wasUpgraded || isCancelled) {
+        return
       }
-    })
+
+      queryClient.invalidateQueries({ queryKey: ['organizations'] })
+      queryClient.invalidateQueries({ queryKey: ['subscription'] })
+
+      const activeOrganizationId = session?.session?.activeOrganizationId ?? null
+      if (activeOrganizationId) {
+        return
+      }
+
+      try {
+        const response = await fetch('/api/organizations')
+        if (!response.ok) {
+          return
+        }
+
+        const orgData = (await response.json()) as {
+          organizations?: Array<{ id: string }>
+        }
+        const organizationId = orgData.organizations?.[0]?.id
+
+        if (!organizationId || isCancelled) {
+          return
+        }
+
+        await client.organization.setActive({ organizationId })
+
+        if (!isCancelled) {
+          await loadSession(true)
+        }
+      } catch (error) {
+        logger.warn('Failed to activate organization after subscription upgrade', { error })
+      }
+    }
+
+    void initializeSession()
+
+    return () => {
+      isCancelled = true
+    }
   }, [loadSession, queryClient])
 
   useEffect(() => {
@@ -100,9 +146,13 @@ export function SessionProvider({ children }: { children: React.ReactNode }) {
       .catch(() => {})
   }, [data, isPending])
 
+  const refetch = useCallback(async () => {
+    await loadSession()
+  }, [loadSession])
+
   const value = useMemo<SessionHookResult>(
-    () => ({ data, isPending, error, refetch: loadSession }),
-    [data, isPending, error, loadSession]
+    () => ({ data, isPending, error, refetch }),
+    [data, isPending, error, refetch]
   )
 
   return <SessionContext.Provider value={value}>{children}</SessionContext.Provider>

apps/sim/app/api/auth/[...all]/route.test.ts

@@ -39,7 +39,7 @@ vi.mock('@/lib/core/config/feature-flags', () => ({
   },
 }))
 
-import { GET } from '@/app/api/auth/[...all]/route'
+import { GET, POST } from '@/app/api/auth/[...all]/route'
 
 describe('auth catch-all route (DISABLE_AUTH get-session)', () => {
   beforeEach(() => {
@@ -95,3 +95,49 @@ describe('auth catch-all route (DISABLE_AUTH get-session)', () => {
     expect(json).toEqual({ data: { ok: true } })
   })
 })
+
+describe('auth catch-all route organization mutations', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('blocks Better Auth organization mutation endpoints that bypass app lifecycle rules', async () => {
+    const req = createMockRequest(
+      'POST',
+      undefined,
+      {},
+      'http://localhost:3000/api/auth/organization/create'
+    )
+
+    const res = await POST(req as any)
+    const json = await res.json()
+
+    expect(res.status).toBe(404)
+    expect(handlerMocks.betterAuthPOST).not.toHaveBeenCalled()
+    expect(json).toEqual({
+      error: 'Organization mutations are handled by application API routes.',
+    })
+  })
+
+  it('allows safe Better Auth organization session endpoints', async () => {
+    const { NextResponse } = await import('next/server')
+    handlerMocks.betterAuthPOST.mockResolvedValueOnce(
+      new NextResponse(JSON.stringify({ data: { ok: true } }), {
+        headers: { 'content-type': 'application/json' },
+      }) as any
+    )
+
+    const req = createMockRequest(
+      'POST',
+      undefined,
+      {},
+      'http://localhost:3000/api/auth/organization/set-active'
+    )
+
+    const res = await POST(req as any)
+    const json = await res.json()
+
+    expect(handlerMocks.betterAuthPOST).toHaveBeenCalledTimes(1)
+    expect(json).toEqual({ data: { ok: true } })
+  })
+})

apps/sim/app/api/auth/[...all]/route.ts

@@ -7,6 +7,11 @@ import { isAuthDisabled } from '@/lib/core/config/feature-flags'
 export const dynamic = 'force-dynamic'
 
 const { GET: betterAuthGET, POST: betterAuthPOST } = toNextJsHandler(auth.handler)
+const SAFE_ORGANIZATION_POST_PATHS = new Set(['organization/check-slug', 'organization/set-active'])
+
+function isBlockedOrganizationMutationPath(path: string): boolean {
+  return path.startsWith('organization/') && !SAFE_ORGANIZATION_POST_PATHS.has(path)
+}
 
 export async function GET(request: NextRequest) {
   const url = new URL(request.url)
@@ -20,4 +25,16 @@ export async function GET(request: NextRequest) {
   return betterAuthGET(request)
 }
 
-export const POST = betterAuthPOST
+export async function POST(request: NextRequest) {
+  const url = new URL(request.url)
+  const path = url.pathname.replace('/api/auth/', '')
+
+  if (isBlockedOrganizationMutationPath(path)) {
+    return NextResponse.json(
+      { error: 'Organization mutations are handled by application API routes.' },
+      { status: 404 }
+    )
+  }
+
+  return betterAuthPOST(request)
+}