fix(web): require User.email and reject SSO sign-ins without an email

Some User rows could be created with a null email — most commonly OAuth/OIDC
accounts created from an identity-provider profile that returned no email. These
rows crashed the Members and Pending Requests pages (`email.toLowerCase()` on a
null) and left unusable identities in the org.

- Make `User.email` required (`String @unique`) with a self-healing migration:
  backfill any existing null emails with a deterministic, unique, synthetic
  placeholder before applying NOT NULL, so the startup `migrate deploy` can never
  fail on instances that already have null rows.
- Reject any sign-in that arrives without an email in the `signIn` callback, so a
  null can never reach `createUser`.
- Drop the now-redundant `email!` assertions and tighten the public EE user API
  schemas (`email` is no longer nullable); regenerate the OpenAPI spec.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: brendan-kellam

docs/api-reference/sourcebot-public.openapi.json

@@ -1095,8 +1095,7 @@
             "nullable": true
           },
           "email": {
-            "type": "string",
-            "nullable": true
+            "type": "string"
           },
           "createdAt": {
             "type": "string",
@@ -1140,8 +1139,7 @@
             "nullable": true
           },
           "email": {
-            "type": "string",
-            "nullable": true
+            "type": "string"
           },
           "role": {
             "type": "string",

packages/db/prisma/migrations/20260616000000_make_user_email_required/migration.sql

@@ -0,0 +1,20 @@
+-- Make `User.email` required (NOT NULL).
+--
+-- This migration runs automatically on startup (`prisma migrate deploy`), so it must
+-- never fail on existing data. Some instances have legacy `User` rows with a NULL
+-- email — most commonly OAuth/OIDC accounts created from an identity-provider profile
+-- that returned no email. A bare `SET NOT NULL` would error on those rows and brick the
+-- upgrade, so we first backfill any NULL email with a deterministic, unique, obviously
+-- synthetic placeholder (the `.invalid` TLD is reserved and can never be a real address;
+-- keying off the row `id` guarantees uniqueness under the existing unique constraint).
+--
+-- Going forward, the `signIn` callback in `packages/web/src/auth.ts` rejects OAuth/OIDC
+-- sign-ins whose profile has no email, so no new NULL/placeholder rows are created.
+-- Operators can identify backfilled accounts with:
+--   SELECT id, email FROM "User" WHERE email LIKE 'placeholder-%@no-email.invalid';
+UPDATE "User"
+SET "email" = 'placeholder-' || "id" || '@no-email.invalid'
+WHERE "email" IS NULL;
+
+-- AlterTable
+ALTER TABLE "User" ALTER COLUMN "email" SET NOT NULL;

packages/db/prisma/schema.prisma

@@ -430,7 +430,7 @@ model Audit {
 model User {
   id              String                 @id @default(cuid())
   name            String?
-  email           String?                @unique
+  email           String                 @unique
   hashedPassword  String?
   emailVerified   DateTime?
   image           String?

packages/web/src/actions.ts

@@ -443,7 +443,7 @@ export const createAccountRequest = async () => sew(async () => {
                     baseUrl: deploymentUrl,
                     requestor: {
                         name: user.name ?? undefined,
-                        email: user.email!,
+                        email: user.email,
                         avatarUrl: user.image ?? undefined,
                     },
                     orgName: org.name,

packages/web/src/app/invite/actions.ts

@@ -195,12 +195,12 @@ export const getInviteInfo = async (inviteId: string) => sew(async () => {
         orgImageUrl: invite.org.imageUrl ?? undefined,
         host: {
             name: invite.host.name ?? undefined,
-            email: invite.host.email!,
+            email: invite.host.email,
             avatarUrl: invite.host.image ?? undefined,
         },
         recipient: {
             name: user.name ?? undefined,
-            email: user.email!,
+            email: user.email,
         }
     };
 });

packages/web/src/auth.ts

@@ -288,7 +288,7 @@ const nextAuthResult = NextAuth(async () => ({
         }
     },
     callbacks: {
-        async signIn({ account }) {
+        async signIn({ account, user }) {
             const matchingProvider = account
                 ? (await getProviders()).find((p) => p.id === account.provider)
                 : undefined;
@@ -318,6 +318,19 @@ const nextAuthResult = NextAuth(async () => ({
                 return false;
             }
 
+            // Reject any sign-in that arrives without an email. `email` is a required
+            // column, so a null would otherwise fail the `createUser` insert at the
+            // database; historically these rows also crashed the members list and other
+            // surfaces that assume an email is present. Returning false surfaces the auth
+            // error page instead. In practice only OAuth/OIDC profiles can lack an email
+            // (credentials and email providers always carry one), but the check is left
+            // unconditional so any future provider or edge case is covered too. `user` is
+            // always defined in the signIn callback, so it needs no guard.
+            // @see 20260616000000_make_user_email_required/migration.sql
+            if (!user.email) {
+                return false;
+            }
+
             return true;
         },
         // Restrict post-auth redirects (sign-in / sign-out, `callbackUrl`,

packages/web/src/features/userManagement/actions.ts

@@ -233,15 +233,15 @@ export const approveAccountRequest = async (requestId: string) => sew(async () =
                     baseUrl: env.AUTH_URL,
                     user: {
                         name: request.requestedBy.name ?? undefined,
-                        email: request.requestedBy.email!,
+                        email: request.requestedBy.email,
                         avatarUrl: request.requestedBy.image ?? undefined,
                     },
                     orgName: org.name,
                 }));
 
                 const transport = createTransport(smtpConnectionUrl);
                 const result = await transport.sendMail({
-                    to: request.requestedBy.email!,
+                    to: request.requestedBy.email,
                     from: env.EMAIL_FROM_ADDRESS,
                     subject: `Your request to join ${org.name} has been approved`,
                     html,
@@ -391,7 +391,7 @@ export const createInvites = async (emails: string[]): Promise<{ success: boolea
                         baseUrl: env.AUTH_URL,
                         host: {
                             name: user.name ?? undefined,
-                            email: user.email!,
+                            email: user.email,
                             avatarUrl: user.image ?? undefined,
                         },
                         recipient: {
@@ -481,7 +481,7 @@ export const getOrgMembers = async () => sew(() =>
 
             return members.map((member) => ({
                 id: member.userId,
-                email: member.user.email!,
+                email: member.user.email,
                 name: member.user.name ?? undefined,
                 avatarUrl: member.user.image ?? undefined,
                 role: member.role,
@@ -520,7 +520,7 @@ export const getOrgAccountRequests = async () => sew(() =>
 
             return requests.map((request) => ({
                 id: request.id,
-                email: request.requestedBy.email!,
+                email: request.requestedBy.email,
                 createdAt: request.createdAt,
                 name: request.requestedBy.name ?? undefined,
                 image: request.requestedBy.image ?? undefined,

packages/web/src/lib/authUtils.ts

@@ -260,7 +260,7 @@ export const addUserToOrganization = async (userId: string, orgId: number): Prom
         // Delete any invites that may exist for this user since we've added them to the org
         const invites = await tx.invite.findMany({
             where: {
-                recipientEmail: user.email!,
+                recipientEmail: user.email,
                 orgId: org.id,
             },
         })

packages/web/src/lib/encryptedPrismaAdapter.ts

@@ -53,9 +53,8 @@ export function EncryptedPrismaAdapter(prisma: PrismaClient): Adapter {
                 },
                 include: { user: true },
             });
-            // Cast: Prisma's User.email is nullable but AdapterUser.email is
-            // typed as `string`. The base PrismaAdapter performs the same
-            // implicit widening; we mirror it here.
+            // Cast to AdapterUser to satisfy next-auth's adapter return type;
+            // the base PrismaAdapter returns the user row directly, and we mirror it.
             return (account?.user ?? null) as AdapterUser | null;
         },
         async unlinkAccount({ provider, providerAccountId }) {

packages/web/src/openapi/publicApiSchemas.ts

@@ -67,15 +67,15 @@ export const publicHealthResponseSchema = z.object({
 // EE: User Management
 export const publicEeUserSchema = z.object({
     name: z.string().nullable(),
-    email: z.string().nullable(),
+    email: z.string(),
     createdAt: z.string().datetime(),
     updatedAt: z.string().datetime(),
 }).openapi('PublicEeUser');
 
 export const publicEeUserListItemSchema = z.object({
     id: z.string(),
     name: z.string().nullable(),
-    email: z.string().nullable(),
+    email: z.string(),
     role: z.enum(['OWNER', 'MEMBER']),
     createdAt: z.string().datetime(),
     lastActivityAt: z.string().datetime().nullable(),