refactor(auth): prepare user profile auth migration

[ben-fornefeld]

Summary

• expands the auth provider contract for live user profiles and account updates
• moves dashboard account/profile flows onto the new user router while keeping Supabase as the active provider
• adds auth migration guardrails, including sign-up pause and temporary GitHub sign-in disable flags
• extracts auth forms and proxy handlers so the Ory integration can layer on top cleanly

[linear-code]

ENG-4125

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
web	Ready	Preview, Comment	Jun 5, 2026 9:23pm
web-juliett	Ready	Preview, Comment	Jun 5, 2026 9:23pm

[cursor]

PR Summary

High Risk
Touches authentication entry points, account credential updates, sessions/sign-out redirects, and dashboard user context; migration flag misconfiguration could block all sign-ins.

Overview
Adds NEXT_PUBLIC_AUTH_MIGRATION_IN_PROGRESS and blocks sign-in, sign-up, OAuth, forgot-password, and credential updates on the server (UI disables OAuth/sign-in; sign-up shows a pause message).

Widens AuthProvider with getUserProfile, updateUser, reauth dispatch, and sign-out redirect URLs; Supabase implements these (Ory stubs). Removes user-actions in favor of user tRPC (profile, update, createAccessToken) with timed profile lookup and canChangeEmail / canChangePassword on AuthUser. Dashboard layout prefetches profile; account settings use mutations and cache updates. Reauth uses reauthForAccountSettingsAction plus hard window.location navigation.

Team members no longer use Supabase admin enrichment; they map from dashboard API fields. Verify-OTP email_change redirects to account settings with success params. Auth forms move to separate client modules; proxy logic splits into ordered handlers in core/server/http/proxy.

^{Reviewed by Cursor Bugbot for commit c3bd266. Bugbot is set up for automated code reviews on this repo. Configure here.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9f4f344895

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[Copilot]

Pull request overview

Prepares the dashboard for an upcoming auth-provider migration by expanding the server-side auth provider contract, moving account/profile mutations to a new tRPC user router, and adding migration guardrails (signup pause + GitHub OAuth disable) while Supabase remains the active provider.

Changes:

• Introduces userRouter (profile/update/access-token) and migrates dashboard account flows to tRPC mutations/queries.
• Expands auth provider abstractions (profile lookup, update user, reauth dispatch, sign-out return URL) and refactors proxy handling into ordered handlers.
• Adds migration flags/env wiring and updates auth UX/tests (signup pause, GitHub OAuth blocking, reauth hard-navigation).

Reviewed changes

Copilot reviewed 37 out of 37 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tests/unit/user-router.test.ts	Adds unit coverage for userRouter update behavior around credential-change restrictions.
tests/unit/teams-repository.test.ts	Updates tests to reflect teams repository no longer depending on authAdmin.
tests/unit/proxy-handlers.test.ts	Adds coverage for the extracted proxy handler functions and auth-gate fast path.
tests/unit/auth-supabase-provider.test.ts	Updates expectations for the new signOut() return shape and adds returnTo redirect coverage.
tests/integration/auth.test.ts	Adds integration coverage for GitHub OAuth blocking via migration flag; ensures env stubs are reset.
src/proxy.ts	Refactors proxy logic to delegate to ordered handler functions.
src/lib/env.ts	Adds new NEXT_PUBLIC migration flag env vars to client env schema.
src/features/dashboard/account/user-access-token.tsx	Moves access-token fetch from server action to tRPC mutation via react-query.
src/features/dashboard/account/reauth-dialog.tsx	Switches reauth flow to a dedicated action returning a hard-navigation URL.
src/features/dashboard/account/password-settings.tsx	Migrates password update to tRPC mutation and uses provider-derived capability flags.
src/features/dashboard/account/name-settings.tsx	Migrates name update to tRPC mutation and updates the cached profile on success.
src/features/dashboard/account/email-settings.tsx	Migrates email update to tRPC mutation, adds reauth dialog wiring, and handles provider capability flags.
src/features/auth/oauth-provider-buttons.tsx	Disables GitHub button client-side when the migration flag is enabled; improves SVG accessibility attrs.
src/core/server/http/proxy.ts	Extracts proxy concerns into ordered handler functions (redirects, rewrites, auth gating).
src/core/server/auth/types.ts	Expands auth contracts (capabilities, update user, reauth dispatch, sign-out redirect target).
src/core/server/auth/supabase/user.ts	Derives canChangeEmail/canChangePassword from Supabase provider list.
src/core/server/auth/supabase/provider.ts	Implements new provider methods (profile lookup, updateUser, reauth dispatch, signOut redirect building).
src/core/server/auth/supabase/flows.ts	Removes now-redundant updateUser flow helper (moved into provider).
src/core/server/auth/provider.ts	Updates the AuthProvider interface to match the new contract.
src/core/server/auth/ory/provider.ts	Extends Ory stub provider to satisfy the expanded AuthProvider interface.
src/core/server/api/routers/user.ts	Adds user tRPC router (profile timeout fallback, update flow, access token creation).
src/core/server/api/routers/index.ts	Registers the new user router in the app router.
src/core/server/actions/user-actions.ts	Removes legacy server actions for user updates/access token (replaced by tRPC).
src/core/server/actions/auth-actions.ts	Adds migration guardrails (signup pause, GitHub OAuth block) and implements reauth dispatcher action.
src/core/modules/teams/teams-repository.server.ts	Removes auth-admin enrichment; maps team member info directly from dashboard API response.
src/core/application/user/queries.ts	Adds shared react-query options for user profile prefetch/caching in dashboard.
src/configs/flags.ts	Adds migration flags and GitHub sign-in disable helper/constant.
src/app/dashboard/[teamSlug]/team-gate.tsx	Fetches user profile via tRPC query and provides it through DashboardContext instead of prop threading.
src/app/dashboard/[teamSlug]/layout.tsx	Prefetches user profile query alongside teams list and removes server-provided user prop.
src/app/(auth)/sign-up/signup-form.tsx	Extracts signup form into its own client component and adds migration “signup paused” UX.
src/app/(auth)/sign-up/page.tsx	Converts sign-up page to a thin wrapper around the extracted form component.
src/app/(auth)/sign-in/page.tsx	Converts sign-in page to a thin wrapper around the extracted login form.
src/app/(auth)/sign-in/login-form.tsx	Extracts sign-in form into its own client component (no functional change beyond extraction).
src/app/(auth)/forgot-password/page.tsx	Converts forgot-password page to a thin wrapper around the extracted form.
src/app/(auth)/forgot-password/forgot-password-form.tsx	Extracts forgot-password form into its own client component (minor message-timer refactor).
.gitattributes	Marks generated API spec/types as generated for GitHub linguist.
.env.example	Documents new migration-related NEXT_PUBLIC flags.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cursor]

Cursor Bugbot has reviewed your changes and found 3 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 4b04759. Configure here.}