Merge branch 'dev' into local-emulator-image-optimization

Author: BilalG1

.github/workflows/db-migration-backwards-compatibility.yaml

@@ -200,7 +200,7 @@ jobs:
         uses: JarvusInnovations/background-action@v1.0.7
         if: ${{ hashFiles('apps/backend/scripts/run-cron-jobs.ts') != '' }}
         with:
-          run: pnpm -C apps/backend run with-env:dev tsx scripts/run-cron-jobs.ts --log-order=stream &
+          run: pnpm -C apps/backend run run-cron-jobs:test --log-order=stream &
           wait-on: |
             http://localhost:8102
           tail: true
@@ -394,7 +394,7 @@ jobs:
         uses: JarvusInnovations/background-action@v1.0.7
         if: ${{ hashFiles('apps/backend/scripts/run-cron-jobs.ts') != '' }}
         with:
-          run: pnpm -C apps/backend run with-env:dev tsx scripts/run-cron-jobs.ts --log-order=stream &
+          run: pnpm -C apps/backend run run-cron-jobs:test --log-order=stream &
           wait-on: |
             http://localhost:8102
           tail: true

.github/workflows/e2e-custom-base-port-api-tests.yaml

@@ -145,7 +145,7 @@ jobs:
       - name: Start run-cron-jobs in background
         uses: JarvusInnovations/background-action@v1.0.7
         with:
-          run: pnpm -C apps/backend run run-cron-jobs --log-order=stream &
+          run: pnpm -C apps/backend run run-cron-jobs:test --log-order=stream &
           wait-on: |
             http://localhost:6702
           tail: true

apps/backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stackframe/backend",
-  "version": "2.8.80",
+  "version": "2.8.81",
   "repository": "https://github.com/stack-auth/stack-auth",
   "private": true,
   "type": "module",

apps/backend/scripts/verify-data-integrity/clickhouse-sync-verifier.ts

@@ -18,7 +18,7 @@ const SORT_KEYS = {
   team_invitations: ["id"],
   email_outboxes: ["id"],
   project_permissions: ["user_id", "permission_id"],
-  notification_preferences: ["id"],
+  notification_preferences: ["user_id", "notification_category_id"],
   refresh_tokens: ["id"],
   connected_accounts: ["user_id", "provider", "provider_account_id"],
 } satisfies Record<keyof typeof DEFAULT_DB_SYNC_MAPPINGS, string[]>;

apps/backend/scripts/verify-data-integrity/index.ts

@@ -1,3 +1,4 @@
+import { syncExternalDatabases } from "@/lib/external-db-sync";
 import { DEFAULT_BRANCH_ID, getSoleTenancyFromProjectBranch } from "@/lib/tenancies";
 import { getPrismaClientForTenancy, globalPrismaClient } from "@/prisma-client";
 import type { OrganizationRenderedConfig } from "@stackframe/stack-shared/dist/config/schema";
@@ -228,6 +229,10 @@ async function main() {
 
       if (!shouldSkipClickhouse && clickhouseAvailable && tenancy) {
         await recurse("[clickhouse sync]", async (recurse) => {
+          // Flush any pending ClickHouse syncs by running a direct sync before verifying.
+          // This avoids race conditions where QStash hasn't delivered all sync callbacks yet.
+          await syncExternalDatabases(tenancy);
+
           await verifyClickhouseSync({
             tenancy,
             projectId,

apps/backend/src/lib/emailable.tsx

@@ -43,7 +43,7 @@ async function verifyWithRetries(verifyFn: () => Promise<unknown>, maxAttempts:
   for (let i = 0; i < maxAttempts; i++) {
     const res: any = await verifyFn();
     if (!("state" in res)) {
-      if ("message" in res && res.message.includes("Your request is taking longer than normal")) {
+      if ("message" in res && (res.message.includes("Your request is taking longer than normal") || res.message.includes("Your email is still being verified"))) {
         await wait((Math.random() + 0.5) * delayBaseMs * (2 ** i));
         continue;
       }

apps/backend/src/oauth/providers/base.tsx

@@ -47,6 +47,7 @@ export abstract class OAuthBaseProvider {
     public readonly defaultAccessTokenExpiresInMillis?: number,
     public readonly noPKCE?: boolean,
     public readonly openid?: boolean,
+    public readonly alternativeIssuers?: string[],
   ) {}
 
   protected static async createConstructorArgs(options:
@@ -59,6 +60,7 @@ export abstract class OAuthBaseProvider {
       defaultAccessTokenExpiresInMillis?: number,
       tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic",
       noPKCE?: boolean,
+      alternativeIssuers?: string[],
     }
     & (
       | ({
@@ -106,6 +108,7 @@ export abstract class OAuthBaseProvider {
       options.defaultAccessTokenExpiresInMillis,
       options.noPKCE,
       options.openid,
+      options.alternativeIssuers,
     ] as const;
   }
 
@@ -134,9 +137,22 @@ export abstract class OAuthBaseProvider {
     state: string,
   }): Promise<{ userInfo: OAuthUserInfo, tokenSet: TokenSet }> {
     let tokenSet;
+    const callbackParams = { ...options.callbackParams };
+
+    // If the authorization server returns an `iss` parameter (RFC 9207) that matches
+    // one of the known alternative issuers, rewrite it to the configured issuer so
+    // openid-client's validation accepts it.
+    if (
+      this.alternativeIssuers
+      && typeof callbackParams.iss === "string"
+      && this.alternativeIssuers.includes(callbackParams.iss)
+    ) {
+      callbackParams.iss = this.oauthClient.issuer.metadata.issuer;
+    }
+
     const params = [
       this.redirectUri,
-      options.callbackParams,
+      callbackParams,
       {
         code_verifier: this.noPKCE ? undefined : options.codeVerifier,
         state: options.state,

apps/backend/src/oauth/providers/github.tsx

@@ -17,6 +17,7 @@ export class GithubProvider extends OAuthBaseProvider {
   }) {
     return new GithubProvider(...await OAuthBaseProvider.createConstructorArgs({
       issuer: "https://github.com",
+      alternativeIssuers: ["https://github.com/login/oauth"],
       authorizationEndpoint: "https://github.com/login/oauth/authorize",
       tokenEndpoint: "https://github.com/login/oauth/access_token",
       userinfoEndpoint: "https://api.github.com/user",

apps/dashboard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stackframe/dashboard",
-  "version": "2.8.80",
+  "version": "2.8.81",
   "repository": "https://github.com/stack-auth/stack-auth",
   "private": true,
   "scripts": {