
Conversation

@github-actions
Contributor

This is an automated pull request to merge mariano/dustin-fix into dev.
It was created by the [Auto Pull Request] action.

@vercel

vercel bot commented Dec 11, 2025

The latest updates on your projects.

Project | Deployment | Preview | Comments | Updated (UTC)
app     | Ready      | Preview | Comment  | Dec 11, 2025 8:29pm
portal  | Ready      | Preview | Comment  | Dec 11, 2025 8:29pm

@cursor

cursor bot commented Dec 11, 2025

PR Summary

Adds Stripe-based domain checks to auto-approve org access and limits the onboarding skip button to @trycomp.ai users.

  • Access/Upgrade Flow:
    • In app/(app)/upgrade/[orgId]/page.tsx, auto-approve hasAccess when the user’s email domain is trycomp.ai or matches an active Stripe customer (via isDomainActiveStripeCustomer).
  • Onboarding:
    • In PostPaymentOnboarding.tsx, replace local-env skip logic with canSkipOnboarding limited to @trycomp.ai emails.
  • Stripe Integration:
    • Add lib/stripe.ts with extractDomain, findStripeCustomerByDomain, and isDomainActiveStripeCustomer; initialize Stripe client.
  • Environment:
    • Add STRIPE_SECRET_KEY to server env schema and runtime in env.mjs.
  • Dependencies:
    • Add stripe package to apps/app/package.json.

Written by Cursor Bugbot for commit b07561b.

@graphite-app

graphite-app bot commented Dec 11, 2025

Graphite Automations

"Auto-assign PRs to Author" took an action on this PR • (12/11/25)

1 reviewer was added to this PR based on Mariano Fuentes's automation.

});
hasAccess = true;
}
}

Bug: Domain-based access grants for common email providers

The auto-approval logic in isDomainActiveStripeCustomer grants access based solely on matching the user's email domain with any Stripe customer's email domain. This means users with common email domains like gmail.com, yahoo.com, or outlook.com could gain unauthorized access to any organization they're a member of, if any existing Stripe customer uses the same email provider. The domain check doesn't verify the user actually belongs to the paying organization, only that someone with the same email domain has an active subscription somewhere.

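To make the flaw in the review concrete, here is an added example (not the PR's lib/stripe.ts, and not code from the project) that puts the domain-only check beside a hardened version. Stripe is replaced by a constructed in-memory customer list; the function names domainOnlyCheck and orgBoundCheck, the customer ids, and the PUBLIC_EMAIL_DOMAINS deny-list are all assumptions made for the illustration. The hardened variant refuses shared-mailbox domains outright and only accepts a match against the Stripe customer already recorded on the organisation being accessed, so an active subscription elsewhere under the same domain grants nothing.

```typescript
// Added example, not the PR's code. Stripe lookups are simulated with a
// constructed in-memory list so the logic can run offline.

// Constructed stand-in for Stripe customer records (the PR queries Stripe itself).
interface CustomerRecord {
  id: string;
  email: string;
  subscriptionActive: boolean;
}

const CUSTOMERS: CustomerRecord[] = [
  { id: "cus_example_acme", email: "billing@acme-example.com", subscriptionActive: true },
  { id: "cus_example_gmail", email: "someone@gmail.com", subscriptionActive: true },
];

// Shared-mailbox providers: a domain match here says nothing about org membership.
// Assumed deny-list; a real deployment would maintain a fuller one.
const PUBLIC_EMAIL_DOMAINS = new Set(["gmail.com", "yahoo.com", "outlook.com", "hotmail.com"]);

// Lower-cased domain part of an address, or null when the address has no usable domain.
function extractDomain(email: string): string | null {
  const at = email.lastIndexOf("@");
  if (at < 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// The pattern the review describes: any active customer sharing the caller's
// email domain is taken as proof of entitlement, whichever org is being opened.
function domainOnlyCheck(email: string, customers: CustomerRecord[] = CUSTOMERS): boolean {
  const domain = extractDomain(email);
  if (!domain) return false;
  return customers.some((c) => c.subscriptionActive && extractDomain(c.email) === domain);
}

// Hardened variant: reject public mailbox domains, then require that the active
// customer is the one the target organisation itself is billed under, and that
// its billing domain matches the caller's domain.
function orgBoundCheck(
  email: string,
  orgStripeCustomerId: string | null,
  customers: CustomerRecord[] = CUSTOMERS,
): boolean {
  const domain = extractDomain(email);
  if (!domain || PUBLIC_EMAIL_DOMAINS.has(domain)) return false;
  if (!orgStripeCustomerId) return false;
  const customer = customers.find((c) => c.id === orgStripeCustomerId);
  if (!customer || !customer.subscriptionActive) return false;
  return extractDomain(customer.email) === domain;
}
```

With the constructed data, a visitor@gmail.com address passes domainOnlyCheck purely because some unrelated customer also uses Gmail, while orgBoundCheck refuses it, and a corporate address only passes orgBoundCheck for the organisation whose recorded Stripe customer carries that domain.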
