lazy migration of issuerUrl

brendan-kellam · brendan-kellam · commit 41d89cec5a58 · 2026-03-11T10:38:01.000-07:00
diff --git a/docs/docs/features/permission-syncing.mdx b/docs/docs/features/permission-syncing.mdx
@@ -176,10 +176,6 @@ These flags are useful when you want different enforcement behavior across conne
 }
 ```
 
-<Warning>
-If you set `enforcePermissionsForPublicRepos` to true on an existing deployment, users who are already signed in will need to sign out and sign back in before the flag takes effect for their account.
-</Warning>
-
 The table below shows when permissions are enforced based on the combination of `PERMISSION_SYNC_ENABLED`, `enforcePermissions`, and `enforcePermissionsForPublicRepos`:
 
 | `PERMISSION_SYNC_ENABLED` | `enforcePermissions` | `enforcePermissionsForPublicRepos` | Private repos enforced? | Public repos enforced? |
diff --git a/packages/web/src/auth.ts b/packages/web/src/auth.ts
@@ -159,18 +159,13 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
             // This is necessary to update the access token when the user
             // re-authenticates.
             // NOTE: Tokens are encrypted before storage for security
-            if (account && account.provider && account.provider !== 'credentials' && account.providerAccountId) {
-
-                // Find the matching provider for the account
-                const providers = getProviders();
-                const matchingProvider = providers.find((provider) => {
-                    if (typeof provider.provider === "function") {
-                        const providerInfo = provider.provider();
-                        return providerInfo.id === account.provider;
-                    } else {
-                        return provider.provider.id === account.provider;
-                    }
-                });
+            if (
+                account &&
+                account.provider &&
+                account.provider !== 'credentials' &&
+                account.providerAccountId
+            ) {
+                const issuerUrl = await getIssuerUrlForAccount(account);
 
                 await prisma.account.update({
                     where: {
@@ -186,7 +181,7 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
                         token_type: account.token_type,
                         scope: account.scope,
                         id_token: account.id_token,
-                        issuerUrl: matchingProvider?.issuerUrl,
+                        issuerUrl,
                     })
                 })
             }
@@ -233,6 +228,34 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
                 token.userId = user.id;
             }
 
+            // @note The following performs a lazy migration of the issuerUrl
+            // in the user's accounts. The issuerUrl was introduced in v4.15.4
+            // and will not be present for accounts created prior to this version.
+            //
+            // @see https://github.com/sourcebot-dev/sourcebot/pull/993
+            if (token.userId) {
+                const accountsWithoutIssuerUrl = await prisma.account.findMany({
+                    where: {
+                        userId: token.userId,
+                        issuerUrl: null,
+                    },
+                });
+
+                for (const account of accountsWithoutIssuerUrl) {
+                    const issuerUrl = await getIssuerUrlForAccount(account);
+                    if (issuerUrl) {
+                        await prisma.account.update({
+                            where: {
+                                id: account.id,
+                            },
+                            data: {
+                                issuerUrl,
+                            },
+                        });
+                    }
+                }
+            }
+
             // Refresh expiring tokens and capture any errors.
             if (hasEntitlement('sso') && token.userId) {
                 const errors = await refreshLinkedAccountTokens(token.userId);
@@ -265,3 +288,19 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
         // verifyRequest: "/login/verify",
     }
 });
+
+/**
+ * Returns the issuer URL for a given auth.js account
+ */
+const getIssuerUrlForAccount = async (account: { provider: string; }) => {
+    const providers = getProviders();
+    const matchingProvider = providers.find((provider) => {
+        if (typeof provider.provider === "function") {
+            const providerInfo = provider.provider();
+            return providerInfo.id === account.provider;
+        } else {
+            return provider.provider.id === account.provider;
+        }
+    });
+    return matchingProvider?.issuerUrl;
+}

Original file line number	Diff line number	Diff line change
`@@ -176,10 +176,6 @@ These flags are useful when you want different enforcement behavior across conne`
`176`	`176`	`}`
`177`	`177`	```
`178`	`178`
`179`		`-<Warning>`
`180`		-If you set `enforcePermissionsForPublicRepos` to true on an existing deployment, users who are already signed in will need to sign out and sign back in before the flag takes effect for their account.
`181`		`-</Warning>`
`182`		`-`
`183`	`179`	The table below shows when permissions are enforced based on the combination of `PERMISSION_SYNC_ENABLED`, `enforcePermissions`, and `enforcePermissionsForPublicRepos`:
`184`	`180`
`185`	`181`	\| `PERMISSION_SYNC_ENABLED` \| `enforcePermissions` \| `enforcePermissionsForPublicRepos` \| Private repos enforced? \| Public repos enforced? \|