Fix types & lint

Author: N2D4

apps/backend/src/lib/oauth.tsx

@@ -4,7 +4,7 @@ import { createOrUpgradeAnonymousUserWithRules, SignUpRuleOptions } from "@/lib/
 import { PrismaClientTransaction } from "@/prisma-client";
 import { UsersCrud } from "@stackframe/stack-shared/dist/interface/crud/users";
 import { KnownErrors } from "@stackframe/stack-shared/dist/known-errors";
-import { StackAssertionError, captureError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
+import { captureError, StackAssertionError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 
 /**
  * Find an existing OAuth account for sign-in.

apps/backend/src/lib/sign-up-rules.ts

@@ -25,16 +25,17 @@ export type SignUpRuleAction = {
 /**
  * A sign-up rule from the config.
  * Type definition for the signUpRules field in auth config.
+ * Note: All fields except metadata are required after config defaults are applied.
  */
 type SignUpRuleConfig = {
-  enabled?: boolean,
-  displayName?: string,
-  priority?: number,
-  condition?: string,
-  action?: {
-    type?: 'allow' | 'reject' | 'restrict' | 'log' | 'add_metadata',
-    message?: string,
-    metadata?: Record<string, SignUpRuleMetadataEntry>,
+  enabled: boolean,
+  displayName: string | undefined,
+  priority: number,
+  condition: string | undefined,
+  action: {
+    type: 'allow' | 'reject' | 'restrict' | 'log' | 'add_metadata',
+    message: string | undefined,
+    metadata: Record<string, SignUpRuleMetadataEntry> | undefined,
   },
 };
 
@@ -123,21 +124,21 @@ export async function evaluateSignUpRules(
   const sortedRuleEntries = Object.entries(rules)
     .filter(([, rule]) => rule.enabled)
     .sort((a, b) => {
-      const priorityA = a[1].priority ?? 0;
-      const priorityB = b[1].priority ?? 0;
+      const priorityA = a[1].priority;
+      const priorityB = b[1].priority;
       if (priorityA !== priorityB) return priorityA - priorityB;
       return stringCompare(a[0], b[0]);
     });
 
   // Evaluate each rule in order
   for (const [ruleId, rule] of sortedRuleEntries) {
-    if (!rule.condition || !rule.action) continue;
+    if (!rule.condition) continue;
 
     try {
       const matches = evaluateCelExpression(rule.condition, context);
       if (matches) {
         const action: SignUpRuleAction = {
-          type: rule.action.type ?? 'allow',
+          type: rule.action.type,
           metadata: rule.action.metadata,
           message: rule.action.message,
         };
@@ -178,7 +179,8 @@ export function applySignUpRuleAction(result: SignUpRuleResult): {
   switch (result.action.type) {
     case 'reject': {
       // Throw an error to reject the signup
-      // Don't include the custom rule message to avoid helping users evade rules
+      // Note: We intentionally don't pass the custom message to avoid helping users evade rules
+      // The custom message is only for internal logging/analytics purposes
       throw new KnownErrors.SignUpRejected();
     }
     case 'restrict': {

apps/backend/src/lib/users.tsx

@@ -1,9 +1,9 @@
 import { usersCrudHandlers } from "@/app/api/latest/users/crud";
 import { UsersCrud } from "@stackframe/stack-shared/dist/interface/crud/users";
 import { KeyIntersect } from "@stackframe/stack-shared/dist/utils/types";
-import { Tenancy } from "./tenancies";
 import { createSignUpRuleContext } from "./cel-evaluator";
-import { evaluateAndApplySignUpRules, SignUpRuleMetadataEntry } from "./sign-up-rules";
+import { evaluateAndApplySignUpRules } from "./sign-up-rules";
+import { Tenancy } from "./tenancies";
 
 /**
  * Options for sign-up rule evaluation context.

apps/e2e/tests/backend/endpoints/api/v1/auth/sign-up-rules.test.ts

@@ -84,7 +84,7 @@ describe("sign-up rules", () => {
     });
   });
 
-  it("should use custom rejection message from rule", async ({ expect }) => {
+  it("should reject sign-up when rule with custom message matches (message is for internal use only)", async ({ expect }) => {
     await Project.createAndSwitch({
       config: {
         credential_enabled: true,
@@ -101,6 +101,7 @@ describe("sign-up rules", () => {
         condition: 'emailDomain == "blocked-domain.com"',
         action: {
           type: 'reject',
+          // Note: This message is for internal logging/analytics only, not shown to users
           message: customMessage,
         },
       },
@@ -119,8 +120,9 @@ describe("sign-up rules", () => {
     expect(response.status).toBe(403);
     expect(response.body).toMatchObject({
       code: 'SIGN_UP_REJECTED',
-      error: customMessage,
     });
+    // Custom message is intentionally NOT exposed to users to avoid helping evade rules
+    expect(response.body.error).not.toContain(customMessage);
   });
 
   // ==========================================