raghavyuva (Owner) commented Oct 2, 2025

Summary by CodeRabbit

  • New Features

    • Organization invites via passwordless magic links with a new public invite page and route.
    • Send/Resend invite API endpoints and frontend hooks; invite flow integrated into Team settings.
    • Organization users now surface roles and permissions in the UI.
  • Improvements

    • Team management moved from local user creation to invite-based flow with simplified Add Member dialog.
    • RBAC enhancements: improved admin detection and exposure of roles/permissions to the UI.
    • Team creation now triggers an automatic refresh to update roles/permissions.
  • Chores

    • Backend routing and organization endpoints enabled.

gitguardian bot commented Oct 2, 2025

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id: 21355900 | GitGuardian status: Triggered | Secret: Generic Password | Commit: 371cd7b | Filename: api/internal/features/supertokens/auth.go
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

coderabbitai bot (Contributor) commented Oct 2, 2025

Walkthrough

Adds organization-scoped roles and invite flows: passwordless invites, SuperTokens org-bound role/permission handling, RBAC changes to require X-Organization-Id, new invite endpoints and frontend invite page, refactors organization service/storage/types/validation, removes legacy organization handlers, and wires routes/UI/Redux for invites and role management.

Changes

Cohort / File(s) / Summary

Version metadata
api/api/versions.json
Updated v1 release_date timestamp.

Go module deps
api/go.mod
Removed several indirect deps; added golang/mock, nyaruka/phonenumbers, twilio-go.

Auth registration
api/internal/features/auth/service/register.go
Disabled organization-binding path and removed RoleId propagation; minor param rename.

Org controllers — removed/changed handlers
Deleted: api/internal/features/organization/controller/add_user_organization.go
Removed endpoints / updated: api/internal/features/organization/controller/get_resources.go, .../get_roles.go
Deleted AddUserToOrganization handler and removed GetResources and GetRoles endpoints; adjusted GetOrganizationUsers to call GetOrganizationUsersWithRoles; init now wires logger.

Org controllers — invite & role updates
api/internal/features/organization/controller/invite.go, api/internal/features/organization/controller/create_organization.go, api/internal/features/organization/controller/remove_organization_user.go, api/internal/features/organization/controller/update_user_role.go, api/internal/features/organization/controller/get_organization_users.go
Added SendInvite/ResendInvite and link customization; createOrganization now creates org-scoped roles and assigns admin; remove handler simplified (validation + removal, removed notifications); update handler uses public UpdateUserRoleRequest and validates input; GetOrganizationUsers uses roles-aware service call.

Organization service (core)
api/internal/features/organization/service/add_user_to_organization.go, .../remove_user_from_organization.go, .../update_user_role.go, .../get_organization_users.go, .../delete_organization.go
Implemented transactional add/remove/update flows with validations, SuperTokens role management (create/assign/remove org-scoped roles), cache invalidation, and enrichment of users with roles/permissions; added TODO in delete.

Organization service (deprecated namespace)
api/internal/features/organization/service-deprecated/*
Added deprecated service files and stubs (no-op implementations) and renamed package to service_deprecated for legacy code.

Organization storage & types
api/internal/features/organization/storage/store.go, api/internal/features/organization/types/organization.go, api/internal/types/organization.go, api/internal/features/organization/types/errors.go
Store now preloads only User relation; removed RoleId from AddUserToOrganizationRequest; added InviteSendRequest, InviteResendRequest, UpdateUserRoleRequest, OrganizationUsersWithRoles type, and ErrInvalidEmail.

Validation
api/internal/features/organization/validation/validator.go
Added email validation and invite/update-specific validators; dispatch extended to new request types; validateAddUser no longer requires RoleId.

SuperTokens integration
api/internal/features/supertokens/auth.go, api/internal/features/supertokens/passwordless_overrides.go
Added passwordless recipe and overrides, centralized permission getters (admin/member/viewer), org-scoped role creation & assignment, GetRolesAndPermissionsForUserInOrganization, and passwordless create/consume overrides to handle invites and provisioning.

RBAC middleware
api/internal/middleware/rbac.go
Enforced X-Organization-Id header and org-scoped permission checks by filtering org-prefixed roles and validating permissions from session claims.

Routing & tests
api/internal/routes.go, api/internal/tests/helper.go
Registered organization routes (with RBAC/Audit) and added GetCreateOrganizationURL test helper.

Frontend — invite UX and config
view/app/auth/organization-invite/page.tsx, view/app/config/frontend.tsx, view/app/layout.tsx
New organization-invite page handling magic-link consumption and same/different-device flows; enabled PasswordlessReact in frontend recipes; added /auth/organization-invite to PUBLIC_ROUTES.

Frontend — team settings & components
view/app/settings/hooks/use-team-settings.ts, .../components/AddMember.tsx, .../TeamMembers.tsx, .../TeamStats.tsx, view/app/settings/teams/page.tsx
Switched from create-user to invite flow (useSendInvite), adjusted newUser shape and UI, introduced RBAC usage, updated role/permission mappings and loading states, and propagated invite handlers to components.

Frontend — layout & team switcher
view/components/layout/app-sidebar.tsx, .../dashboard-layout.tsx, view/components/ui/team-switcher.tsx, view/hooks/use-team-switcher.ts
Propagated addTeamModalOpen prop; adjusted TeamSwitcher props/UI; added reload after team creation to refresh roles/permissions.

Frontend RBAC util
view/lib/rbac.ts
useRBAC now exposes roles, permissions, isAdmin and recognizes both plain and orgid_ prefixed admin roles.

Redux — endpoints and types
view/redux/api-conf.ts, view/redux/services/users/userApi.ts, view/redux/types/orgs.ts
Added SEND_INVITE/RESEND_INVITE endpoints and hooks (useSendInviteMutation, useResendInviteMutation), added Invite request types, removed password reset hook export, updated org types to use roles[] and permissions[] and changed UpdateUserRoleRequest to role:string.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor U as User
  participant FE as Frontend (Invite Page)
  participant ST as SuperTokens (Passwordless)
  participant API as API (Overrides)
  participant EM as Email Provider

  U->>FE: Open invite link (org_id, role, email)
  FE->>ST: consumeCode(userContext: org_id, role, email)
  ST-->>API: Invoke overrides (Create/Consume)
  API->>API: Upsert user, ensure org membership
  API->>API: Create org-scoped role (orgid_<org>_<role>) if needed
  API->>API: Assign role to user
  API-->>ST: Return success
  ST-->>FE: Session + claims updated
  FE-->>U: Redirect to /dashboard

  note over API,ST: Email magic link is sent via ST during CreateCode
sequenceDiagram
  autonumber
  participant C as Controller (UpdateUserRole)
  participant V as Validator
  participant S as OrgService
  participant ST as SuperTokens
  participant Cache as Cache

  C->>V: Validate UpdateUserRoleRequest
  V-->>C: OK or 400
  C->>S: UpdateUserRole(request)
  S->>S: Verify org, user, membership
  S->>ST: Remove old org-scoped roles
  S->>ST: Create/ensure role with permissions
  S->>ST: Add role to user
  S->>Cache: Invalidate org-membership cache
  S-->>C: Result
sequenceDiagram
  autonumber
  participant MW as RBAC Middleware
  participant Sess as Session
  participant API as Handler

  MW->>MW: Read X-Organization-Id
  MW->>Sess: Get roles/permissions claims
  MW->>MW: Filter roles by orgid_<org>_
  MW->>MW: Check required permission
  alt Allowed
    MW->>API: Proceed
  else Denied
    MW-->>API: 403 Forbidden
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

I hop with a patch and a twitchy nose,
I bind roles to orgs where the wild wind blows.
Magic links sparkle and claims rearrange,
Headers checked, invites sent across the range.
Thump-thump — roles assigned, the teams grow close! 🐰✨


📜 Recent review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7c0d15a and fffc2b7.

⛔ Files ignored due to path filters (1)
  • api/go.sum is excluded by !**/*.sum
📒 Files selected for processing (48)
  • api/api/versions.json (1 hunks)
  • api/go.mod (3 hunks)
  • api/internal/features/auth/service/register.go (1 hunks)
  • api/internal/features/organization/controller/add_user_organization.go (0 hunks)
  • api/internal/features/organization/controller/create_organization.go (3 hunks)
  • api/internal/features/organization/controller/get_organization_users.go (1 hunks)
  • api/internal/features/organization/controller/get_resources.go (0 hunks)
  • api/internal/features/organization/controller/get_roles.go (0 hunks)
  • api/internal/features/organization/controller/init.go (1 hunks)
  • api/internal/features/organization/controller/invite.go (1 hunks)
  • api/internal/features/organization/controller/remove_organization_user.go (2 hunks)
  • api/internal/features/organization/controller/update_user_role.go (1 hunks)
  • api/internal/features/organization/service-deprecated/add_user_to_organization.go (1 hunks)
  • api/internal/features/organization/service-deprecated/get_roles.go (1 hunks)
  • api/internal/features/organization/service-deprecated/init.go (1 hunks)
  • api/internal/features/organization/service-deprecated/remove_user_from_org.go (1 hunks)
  • api/internal/features/organization/service-deprecated/update_user_role.go (1 hunks)
  • api/internal/features/organization/service/add_user_to_organization.go (1 hunks)
  • api/internal/features/organization/service/delete_organization.go (1 hunks)
  • api/internal/features/organization/service/get_organization_users.go (1 hunks)
  • api/internal/features/organization/service/remove_user_from_organization.go (1 hunks)
  • api/internal/features/organization/service/update_user_role.go (1 hunks)
  • api/internal/features/organization/storage/store.go (0 hunks)
  • api/internal/features/organization/types/errors.go (1 hunks)
  • api/internal/features/organization/types/organization.go (1 hunks)
  • api/internal/features/organization/validation/validator.go (4 hunks)
  • api/internal/features/supertokens/auth.go (8 hunks)
  • api/internal/features/supertokens/passwordless_overrides.go (1 hunks)
  • api/internal/middleware/rbac.go (3 hunks)
  • api/internal/routes.go (3 hunks)
  • api/internal/tests/helper.go (1 hunks)
  • api/internal/types/organization.go (1 hunks)
  • view/app/auth/organization-invite/page.tsx (1 hunks)
  • view/app/config/frontend.tsx (2 hunks)
  • view/app/layout.tsx (1 hunks)
  • view/app/settings/hooks/use-team-settings.ts (7 hunks)
  • view/app/settings/teams/components/AddMember.tsx (1 hunks)
  • view/app/settings/teams/components/TeamMembers.tsx (5 hunks)
  • view/app/settings/teams/components/TeamStats.tsx (2 hunks)
  • view/app/settings/teams/page.tsx (3 hunks)
  • view/components/layout/app-sidebar.tsx (2 hunks)
  • view/components/layout/dashboard-layout.tsx (3 hunks)
  • view/components/ui/team-switcher.tsx (3 hunks)
  • view/hooks/use-team-switcher.ts (1 hunks)
  • view/lib/rbac.ts (2 hunks)
  • view/redux/api-conf.ts (1 hunks)
  • view/redux/services/users/userApi.ts (3 hunks)
  • view/redux/types/orgs.ts (2 hunks)

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.
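The org-scoped RBAC check summarised in the walkthrough above (required X-Organization-Id header, orgid_<org>_<role> role names, permission check against the session's role claim) and the UI's plain-or-prefixed admin detection, as an added Go example. This is not the project's middleware or SuperTokens SDK code: it assumes the role claim arrives as a flat []string, uses a constructed admin/member/viewer permission table in place of the project's permission getters, treats a plain "admin" role as an unscoped legacy role, answers a missing header with 400 (the PR only says the header is enforced), and takes a rolesFromSession callback standing in for reading an already-verified session.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Permissions granted by each base role. Constructed for this example; it stands
// in for the project's admin/member/viewer permission getters.
var basePermissions = map[string][]string{
	"admin":  {"org:read", "org:write", "members:invite", "members:remove", "roles:update"},
	"member": {"org:read", "members:invite"},
	"viewer": {"org:read"},
}

const orgRolePrefix = "orgid_"

// OrgRoleName builds the org-scoped role name described in the PR: orgid_<org>_<role>.
func OrgRoleName(orgID, role string) string {
	return orgRolePrefix + orgID + "_" + role
}

// SplitOrgRole returns the base role if roleName is scoped to orgID, else ok=false.
// Roles of other orgs and bare "orgid_<org>_" names never match.
func SplitOrgRole(roleName, orgID string) (string, bool) {
	prefix := orgRolePrefix + orgID + "_"
	base := strings.TrimPrefix(roleName, prefix)
	if base == roleName || base == "" {
		return "", false
	}
	return base, true
}

// RolesForOrg filters the session's role claim down to the base roles held in orgID.
func RolesForOrg(claimRoles []string, orgID string) []string {
	var out []string
	for _, r := range claimRoles {
		if base, ok := SplitOrgRole(r, orgID); ok {
			out = append(out, base)
		}
	}
	return out
}

// HasPermission reports whether a role held in orgID grants required. Permissions
// are derived from the org-filtered roles rather than from a flat cross-org
// permission claim, so a role in org B never satisfies a check for org A; an
// unknown base role maps to no permissions and therefore fails closed.
func HasPermission(claimRoles []string, orgID, required string) bool {
	for _, base := range RolesForOrg(claimRoles, orgID) {
		for _, p := range basePermissions[base] {
			if p == required {
				return true
			}
		}
	}
	return false
}

// IsAdmin mirrors the UI check the PR describes: a plain "admin" role (assumed
// here to be an unscoped legacy role) or orgid_<org>_admin both count.
func IsAdmin(claimRoles []string, orgID string) bool {
	for _, r := range claimRoles {
		if r == "admin" || r == OrgRoleName(orgID, "admin") {
			return true
		}
	}
	return false
}

// ErrMissingOrg is returned when X-Organization-Id is absent (400 is this example's choice).
var ErrMissingOrg = errors.New("missing X-Organization-Id header")

// Authorize is the pure decision behind the middleware, kept free of net/http
// state so it can be tested directly.
func Authorize(headerOrg string, claimRoles []string, required string) (int, error) {
	if strings.TrimSpace(headerOrg) == "" {
		return http.StatusBadRequest, ErrMissingOrg
	}
	if !HasPermission(claimRoles, headerOrg, required) {
		return http.StatusForbidden, fmt.Errorf("permission %q denied in org %q", required, headerOrg)
	}
	return http.StatusOK, nil
}

// RequirePermission wraps next with the check. rolesFromSession stands in for
// reading the role claim of an already-verified session (SuperTokens in the project).
func RequirePermission(required string, rolesFromSession func(*http.Request) []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		status, err := Authorize(r.Header.Get("X-Organization-Id"), rolesFromSession(r), required)
		if err != nil {
			http.Error(w, err.Error(), status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed claim: admin in org-A, viewer in org-B.
	roles := []string{OrgRoleName("org-A", "admin"), OrgRoleName("org-B", "viewer")}
	fmt.Println(HasPermission(roles, "org-A", "members:remove")) // true
	fmt.Println(HasPermission(roles, "org-B", "members:remove")) // false
}
```

The point of deriving permissions from the org-filtered roles is that a single flat permission list in the session (the union of every role the user holds, across all orgs) cannot tell which org a permission belongs to; filtering roles by the orgid_<org>_ prefix first, then mapping each base role to its permissions, keeps the decision bound to the org named in the header. Note that the plain "admin" shortcut in IsAdmin grants admin in every org, which is worth confirming is intended for the real rbac.ts check.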


raghavyuva (Owner, Author) commented:

@coderabbitai summary and title

coderabbitai bot (Contributor) commented Oct 4, 2025

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get PR details including changed files
gh pr view 453 --json title,body,files,additions,deletions

# Get the diff to understand the changes
gh pr diff 453

Unrecoverable error: Sandbox execution failed: max_buffer, terminated


🏁 Script executed:

#!/bin/bash
# Get basic PR details
gh pr view 453 --json title,body,additions,deletions,changedFiles

# Get list of files changed with stats
gh pr diff 453 --name-status

# Get a summary of changes by file
git diff --stat origin/main...HEAD

Length of output: 670


🏁 Script executed:

#!/bin/bash
# Get list of changed files
gh pr diff 453 --name-only

# Get a sample of the diff (first 500 lines)
gh pr diff 453 | head -n 500

Length of output: 268653


@raghavyuva, I'll generate a summary and update the title for this PR.

Suggested Title

feat: add multi-tenant organization management with SuperTokens integration

Summary

This PR implements comprehensive multi-tenant organization functionality integrated with SuperTokens for authentication and authorization. The changes span both backend API and frontend UI to provide a complete team management system.

Backend Changes (API)

Organization Management:

  • Added full CRUD operations for organizations (create, read, update, delete)
  • Implemented organization user management endpoints
  • Created role-based access control (RBAC) middleware
  • Added organization-specific resource filtering

SuperTokens Integration:

  • Integrated SuperTokens for multi-tenant authentication
  • Implemented passwordless authentication overrides
  • Updated registration flow to support organization context
  • Added organization-aware session management

Invitation System:

  • Created email invitation system for organization members
  • Added invite send/resend functionality
  • Implemented role assignment during invitation
  • Added organization user removal capabilities

API Endpoints Added:

  • POST /api/v1/organizations - Create organization
  • GET /api/v1/organizations - Get organization details
  • PUT /api/v1/organizations - Update organization
  • DELETE /api/v1/organizations - Delete organization
  • GET /api/v1/organizations/all - List all organizations
  • GET /api/v1/organizations/users - Get organization users
  • POST /api/v1/organizations/invite/send - Send user invitation
  • POST /api/v1/organizations/invite/resend - Resend invitation
  • POST /api/v1/organizations/remove-user - Remove user from organization
  • POST /api/v1/organizations/update-user-role - Update user role

Frontend Changes (View)

Team Settings UI:

  • Added team switcher component for organization selection
  • Implemented team members list with role display
  • Created add member dialog with invitation flow
  • Added team statistics dashboard
  • Integrated organization management into app sidebar

State Management:

  • Added Redux services for organization API calls
  • Created organization types and interfaces
  • Implemented team settings hooks
  • Added RBAC helper functions

Components:

  • TeamMembers.tsx - Display and manage team members
  • AddMember.tsx - Invite new members to organization
  • TeamStats.tsx - Show organization metrics
  • TeamSwitcher.tsx - Switch between organizations
  • Updated app-sidebar.tsx and dashboard-layout.tsx for org context

Infrastructure

  • Updated OpenAPI specification with new organization endpoints
  • Added organization-related Go dependencies
  • Created organization validation and error handling
  • Implemented organization-scoped data access patterns

This implementation provides a foundation for multi-tenant SaaS functionality with proper authentication, authorization, and user management capabilities.


Files Changed: 50 files (+1,811 / -676 lines)

✅ Actions performed

Summary regeneration triggered.
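The invitation flow described in the summary above (email validation, role assignment during invitation, and the org_id/role/email carried in the magic-link context shown in the first sequence diagram), as an added Go example. It is not the project's validator or passwordless override code: the InviteSendRequest field names, the admin/member/viewer allow-list, and the consume-side email check are assumptions made here, and the sentinel errors are this example's own (the PR only names ErrInvalidEmail).

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// Base roles an invite may carry; constructed for this example from the
// admin/member/viewer roles the PR names.
var allowedRoles = map[string]bool{"admin": true, "member": true, "viewer": true}

// InviteSendRequest mirrors the request type named in the PR; field names are assumed.
type InviteSendRequest struct {
	OrganizationID string
	Email          string
	Role           string
}

var (
	ErrInvalidEmail  = errors.New("invalid email")
	ErrInvalidRole   = errors.New("invalid role")
	ErrMissingOrgID  = errors.New("organization id is required")
	ErrEmailMismatch = errors.New("invite email does not match consumed email")
)

// NormalizeEmail validates with net/mail and returns a lowercase bare address.
// Display-name forms ("Bob <bob@example.com>") and address lists are rejected so
// the stored invite target is exactly one mailbox.
func NormalizeEmail(raw string) (string, error) {
	addr, err := mail.ParseAddress(strings.TrimSpace(raw))
	if err != nil || addr.Name != "" {
		return "", ErrInvalidEmail
	}
	return strings.ToLower(addr.Address), nil
}

// ValidateInvite checks an InviteSendRequest and returns the sanitized copy plus
// the org-scoped role name (orgid_<org>_<role>) that will be assigned on consume.
func ValidateInvite(req InviteSendRequest) (InviteSendRequest, string, error) {
	org := strings.TrimSpace(req.OrganizationID)
	if org == "" {
		return req, "", ErrMissingOrgID
	}
	email, err := NormalizeEmail(req.Email)
	if err != nil {
		return req, "", err
	}
	role := strings.ToLower(strings.TrimSpace(req.Role))
	if !allowedRoles[role] { // allow-list: an arbitrary role string never reaches SuperTokens
		return req, "", fmt.Errorf("%w: %q", ErrInvalidRole, req.Role)
	}
	clean := InviteSendRequest{OrganizationID: org, Email: email, Role: role}
	return clean, "orgid_" + org + "_" + role, nil
}

// MagicLinkContext is the server-bound data carried in the passwordless
// userContext (org_id, role, email, as in the PR's sequence diagram).
func MagicLinkContext(clean InviteSendRequest) map[string]string {
	return map[string]string{"org_id": clean.OrganizationID, "role": clean.Role, "email": clean.Email}
}

// ValidateConsume is the check the consume side should make before provisioning:
// the address that completed the magic link must be the invited address (so a
// forwarded link cannot enrol a different mailbox), and the org and role in the
// context must still be ones the server recognizes.
func ValidateConsume(ctx map[string]string, consumedEmail string) (string, error) {
	want, err := NormalizeEmail(ctx["email"])
	if err != nil {
		return "", err
	}
	got, err := NormalizeEmail(consumedEmail)
	if err != nil {
		return "", err
	}
	if want != got {
		return "", ErrEmailMismatch
	}
	if ctx["org_id"] == "" {
		return "", ErrMissingOrgID
	}
	if !allowedRoles[ctx["role"]] {
		return "", ErrInvalidRole
	}
	return "orgid_" + ctx["org_id"] + "_" + ctx["role"], nil
}

func main() {
	// Constructed request with untrimmed, mixed-case input.
	clean, roleName, err := ValidateInvite(InviteSendRequest{OrganizationID: "org-A", Email: " Alice@Example.com ", Role: "Member"})
	fmt.Println(clean, roleName, err)
}
```

The two checks that matter for security are the role allow-list on send (so the role stored in the link context is only ever one the server defined) and the email comparison on consume (so the person who completes the link is the person who was invited); whether the real consume override performs the second check is not visible in this PR summary and is worth verifying in passwordless_overrides.go.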

raghavyuva (Owner, Author) commented:

@coderabbitai summary

coderabbitai bot (Contributor) commented Oct 4, 2025

✅ Actions performed

Summary regeneration triggered.

@raghavyuva raghavyuva merged commit dc1d4ff into feat/supertokens Oct 4, 2025
4 checks passed
@raghavyuva raghavyuva deleted the feat/orgs_integration_with_supertokens branch October 16, 2025 09:52