Merge branch 'main' into feature/add-ref-to-search-results

Amresh-01 · web-flow · commit df90ef47a633 · 2026-06-17T19:04:16.000+05:30
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [5.0.3] - 2026-06-17
+
 ### Changed
 - Changed the workspace "Access" page to a "Security" page. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
 
@@ -16,6 +18,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 - Validated that `SOURCEBOT_ENCRYPTION_KEY` is exactly 32 characters at startup, failing fast with an actionable message instead of a runtime encryption error. [#1305](https://github.com/sourcebot-dev/sourcebot/pull/1305)
+- Fixed the web UI crashing when anonymous access is enabled and a request omits the `User-Agent` header (e.g. proxy or health-check probes). [#1309](https://github.com/sourcebot-dev/sourcebot/pull/1309)
+- Fixed the Members page crashing when a `User` had a null email. `User.email` is now required (with a backfilling migration), and SSO sign-ins without an email are rejected. [#1310](https://github.com/sourcebot-dev/sourcebot/pull/1310)
 
 ## [5.0.2] - 2026-06-11
 
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -22,7 +22,7 @@ services:
       - CONFIG_PATH=/data/config.json
       - AUTH_URL=${AUTH_URL:-http://localhost:3000}
       - AUTH_SECRET=${AUTH_SECRET:-000000000000000000000000000000000} # CHANGEME: generate via `openssl rand -base64 33`
-      - SOURCEBOT_ENCRYPTION_KEY=${SOURCEBOT_ENCRYPTION_KEY:-000000000000000000000000000000000} # CHANGEME: generate via `openssl rand -base64 24`
+      - SOURCEBOT_ENCRYPTION_KEY=${SOURCEBOT_ENCRYPTION_KEY:-00000000000000000000000000000000} # CHANGEME: generate via `openssl rand -base64 24`
       - DATABASE_URL=${DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/postgres} # CHANGEME
       - REDIS_URL=${REDIS_URL:-redis://redis:6379} # CHANGEME
 
diff --git a/docs/api-reference/sourcebot-public.openapi.json b/docs/api-reference/sourcebot-public.openapi.json
@@ -2,7 +2,7 @@
   "openapi": "3.0.3",
   "info": {
     "title": "Sourcebot Public API",
-    "version": "v5.0.2",
+    "version": "v5.0.3",
     "description": "OpenAPI description for the public Sourcebot REST endpoints used for search, repository listing, and file browsing. Authentication is instance-dependent: API keys are the standard integration mechanism, OAuth bearer tokens are EE-only, and some instances may allow anonymous access."
   },
   "tags": [
@@ -1103,8 +1103,7 @@
             "nullable": true
           },
           "email": {
-            "type": "string",
-            "nullable": true
+            "type": "string"
           },
           "createdAt": {
             "type": "string",
@@ -1148,8 +1147,7 @@
             "nullable": true
           },
           "email": {
-            "type": "string",
-            "nullable": true
+            "type": "string"
           },
           "role": {
             "type": "string",
diff --git a/packages/db/prisma/migrations/20260616000000_make_user_email_required/migration.sql b/packages/db/prisma/migrations/20260616000000_make_user_email_required/migration.sql
@@ -0,0 +1,20 @@
+-- Make `User.email` required (NOT NULL).
+--
+-- This migration runs automatically on startup (`prisma migrate deploy`), so it must
+-- never fail on existing data. Some instances have legacy `User` rows with a NULL
+-- email — most commonly OAuth/OIDC accounts created from an identity-provider profile
+-- that returned no email. A bare `SET NOT NULL` would error on those rows and brick the
+-- upgrade, so we first backfill any NULL email with a deterministic, unique, obviously
+-- synthetic placeholder (the `.invalid` TLD is reserved and can never be a real address;
+-- keying off the row `id` guarantees uniqueness under the existing unique constraint).
+--
+-- Going forward, the `signIn` callback in `packages/web/src/auth.ts` rejects OAuth/OIDC
+-- sign-ins whose profile has no email, so no new NULL/placeholder rows are created.
+-- Operators can identify backfilled accounts with:
+--   SELECT id, email FROM "User" WHERE email LIKE 'placeholder-%@no-email.invalid';
+UPDATE "User"
+SET "email" = 'placeholder-' || "id" || '@no-email.invalid'
+WHERE "email" IS NULL;
+
+-- AlterTable
+ALTER TABLE "User" ALTER COLUMN "email" SET NOT NULL;
diff --git a/packages/db/prisma/schema.prisma b/packages/db/prisma/schema.prisma
@@ -430,7 +430,7 @@ model Audit {
 model User {
   id              String                 @id @default(cuid())
   name            String?
-  email           String?                @unique
+  email           String                 @unique
   hashedPassword  String?
   emailVerified   DateTime?
   image           String?
diff --git a/packages/shared/src/env.server.ts b/packages/shared/src/env.server.ts
@@ -342,7 +342,7 @@ const options = {
         // requirement means this must be exactly 32 characters. Generate one with
         // `openssl rand -base64 24` (24 random bytes => a 32-character base64 string).
         SOURCEBOT_ENCRYPTION_KEY: z.string().length(32, {
-            message: "SOURCEBOT_ENCRYPTION_KEY must be exactly 32 characters (a 256-bit AES key). Generate one with `openssl rand -base64 24`.",
+            message: "SOURCEBOT_ENCRYPTION_KEY must be exactly 32 characters (a 256-bit AES key). Generate one with `openssl rand -base64 24`.\nWARNING: Updating this value will invalidate any existing API keys.",
         }),
         SOURCEBOT_INSTALL_ID: z.string().default("unknown"),
         SOURCEBOT_LIGHTHOUSE_URL: z.string().url().default("https://deployments.sourcebot.dev"),
diff --git a/packages/shared/src/version.ts b/packages/shared/src/version.ts
@@ -1,2 +1,2 @@
 // This file is auto-generated by .github/workflows/release-sourcebot.yml
-export const SOURCEBOT_VERSION = "v5.0.2";
+export const SOURCEBOT_VERSION = "v5.0.3";
diff --git a/packages/web/src/actions.ts b/packages/web/src/actions.ts
@@ -443,7 +443,7 @@ export const createAccountRequest = async () => sew(async () => {
                     baseUrl: deploymentUrl,
                     requestor: {
                         name: user.name ?? undefined,
-                        email: user.email!,
+                        email: user.email,
                         avatarUrl: user.image ?? undefined,
                     },
                     orgName: org.name,
diff --git a/packages/web/src/app/(app)/layout.tsx b/packages/web/src/app/(app)/layout.tsx
@@ -148,7 +148,7 @@ export default async function Layout(props: LayoutProps) {
     const headersList = await headers();
     const cookieStore = await cookies()
     const userAgent = headersList.get('user-agent');
-    const { isMobile } = getSelectorsByUserAgent(userAgent ?? '');
+    const { isMobile } = userAgent ? getSelectorsByUserAgent(userAgent) : { isMobile: false };
 
     if (isMobile && !cookieStore.has(MOBILE_UNSUPPORTED_SPLASH_SCREEN_DISMISSED_COOKIE_NAME)) {
         return (
diff --git a/packages/web/src/app/invite/actions.ts b/packages/web/src/app/invite/actions.ts
@@ -195,12 +195,12 @@ export const getInviteInfo = async (inviteId: string) => sew(async () => {
         orgImageUrl: invite.org.imageUrl ?? undefined,
         host: {
             name: invite.host.name ?? undefined,
-            email: invite.host.email!,
+            email: invite.host.email,
             avatarUrl: invite.host.image ?? undefined,
         },
         recipient: {
             name: user.name ?? undefined,
-            email: user.email!,
+            email: user.email,
         }
     };
 });
diff --git a/packages/web/src/app/login/error/page.tsx b/packages/web/src/app/login/error/page.tsx
@@ -20,6 +20,10 @@ const ERROR_CONTENT: Record<string, { title: string; description: string }> = {
         title: "Access denied",
         description: "You do not have permission to sign in.",
     },
+    EmailRequired: {
+        title: "No email on your account",
+        description: "Your identity provider didn't share an email address, which Sourcebot requires to sign you in. Add or verify an email on your upstream account, then try again.",
+    },
     Verification: {
         title: "This sign-in link has expired",
         description: "The code or link you used is no longer valid - it may have expired or already been used. Request a new one and try again.",
diff --git a/packages/web/src/auth.ts b/packages/web/src/auth.ts
@@ -288,7 +288,7 @@ const nextAuthResult = NextAuth(async () => ({
         }
     },
     callbacks: {
-        async signIn({ account }) {
+        async signIn({ account, user }) {
             const matchingProvider = account
                 ? (await getProviders()).find((p) => p.id === account.provider)
                 : undefined;
@@ -318,6 +318,12 @@ const nextAuthResult = NextAuth(async () => ({
                 return false;
             }
 
+            // Reject any sign-in that arrives without an email.
+            // @see 20260616000000_make_user_email_required/migration.sql
+            if (!user.email) {
+                return '/login/error?error=EmailRequired';
+            }
+
             return true;
         },
         // Restrict post-auth redirects (sign-in / sign-out, `callbackUrl`,
diff --git a/packages/web/src/features/userManagement/actions.ts b/packages/web/src/features/userManagement/actions.ts
@@ -233,15 +233,15 @@ export const approveAccountRequest = async (requestId: string) => sew(async () =
                     baseUrl: env.AUTH_URL,
                     user: {
                         name: request.requestedBy.name ?? undefined,
-                        email: request.requestedBy.email!,
+                        email: request.requestedBy.email,
                         avatarUrl: request.requestedBy.image ?? undefined,
                     },
                     orgName: org.name,
                 }));
 
                 const transport = createTransport(smtpConnectionUrl);
                 const result = await transport.sendMail({
-                    to: request.requestedBy.email!,
+                    to: request.requestedBy.email,
                     from: env.EMAIL_FROM_ADDRESS,
                     subject: `Your request to join ${org.name} has been approved`,
                     html,
@@ -391,7 +391,7 @@ export const createInvites = async (emails: string[]): Promise<{ success: boolea
                         baseUrl: env.AUTH_URL,
                         host: {
                             name: user.name ?? undefined,
-                            email: user.email!,
+                            email: user.email,
                             avatarUrl: user.image ?? undefined,
                         },
                         recipient: {
@@ -481,7 +481,7 @@ export const getOrgMembers = async () => sew(() =>
 
             return members.map((member) => ({
                 id: member.userId,
-                email: member.user.email!,
+                email: member.user.email,
                 name: member.user.name ?? undefined,
                 avatarUrl: member.user.image ?? undefined,
                 role: member.role,
@@ -520,7 +520,7 @@ export const getOrgAccountRequests = async () => sew(() =>
 
             return requests.map((request) => ({
                 id: request.id,
-                email: request.requestedBy.email!,
+                email: request.requestedBy.email,
                 createdAt: request.createdAt,
                 name: request.requestedBy.name ?? undefined,
                 image: request.requestedBy.image ?? undefined,
diff --git a/packages/web/src/lib/authUtils.ts b/packages/web/src/lib/authUtils.ts
@@ -260,7 +260,7 @@ export const addUserToOrganization = async (userId: string, orgId: number): Prom
         // Delete any invites that may exist for this user since we've added them to the org
         const invites = await tx.invite.findMany({
             where: {
-                recipientEmail: user.email!,
+                recipientEmail: user.email,
                 orgId: org.id,
             },
         })
diff --git a/packages/web/src/lib/encryptedPrismaAdapter.ts b/packages/web/src/lib/encryptedPrismaAdapter.ts
@@ -53,9 +53,8 @@ export function EncryptedPrismaAdapter(prisma: PrismaClient): Adapter {
                 },
                 include: { user: true },
             });
-            // Cast: Prisma's User.email is nullable but AdapterUser.email is
-            // typed as `string`. The base PrismaAdapter performs the same
-            // implicit widening; we mirror it here.
+            // Cast to AdapterUser to satisfy next-auth's adapter return type;
+            // the base PrismaAdapter returns the user row directly, and we mirror it.
             return (account?.user ?? null) as AdapterUser | null;
         },
         async unlinkAccount({ provider, providerAccountId }) {
diff --git a/packages/web/src/openapi/publicApiSchemas.ts b/packages/web/src/openapi/publicApiSchemas.ts
@@ -67,15 +67,15 @@ export const publicHealthResponseSchema = z.object({
 // EE: User Management
 export const publicEeUserSchema = z.object({
     name: z.string().nullable(),
-    email: z.string().nullable(),
+    email: z.string(),
     createdAt: z.string().datetime(),
     updatedAt: z.string().datetime(),
 }).openapi('PublicEeUser');
 
 export const publicEeUserListItemSchema = z.object({
     id: z.string(),
     name: z.string().nullable(),
-    email: z.string().nullable(),
+    email: z.string(),
     role: z.enum(['OWNER', 'MEMBER']),
     createdAt: z.string().datetime(),
     lastActivityAt: z.string().datetime().nullable(),

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`// This file is auto-generated by .github/workflows/release-sourcebot.yml`
`2`		`-export const SOURCEBOT_VERSION = "v5.0.2";`
	`2`	`+export const SOURCEBOT_VERSION = "v5.0.3";`