Skip to content

Sync: end users 2.0#662

Open
heushreck wants to merge 2 commits intomainfrom
sync-from-hosted-1771248754
Open

Sync: end users 2.0#662
heushreck wants to merge 2 commits intomainfrom
sync-from-hosted-1771248754

Conversation

@heushreck
Copy link
Contributor

Auto-synced from hosted repository

Original PR: https://github.com/superglue-ai/superglue-hosted/pull/330
Author: @stefanfaistenauer
Merged by: @stefanfaistenauer


Summary by cubic

Revamps end-user management. POST /v1/end-users now creates users and returns a restricted API key. Authorization shifts from per-tool to per-system allowedSystems with portal filtering and simplified checks. MCP auth accepts an optional systemId and returns an agentUrl when keys aren’t linked to end users.

  • New Features

    • End Users: POST /v1/end-users creates an end user and returns an API key; 409 on duplicate externalId. PATCH /v1/end-users/{id} updates end users. OpenAPI/docs updated; allowedSystems defaults to [] (no access).
    • Authorization: sync checks simplified; tool access now enforced by allowedSystems in async checks. Portal lists only multi-tenant systems within a user’s allowedSystems.
    • EE: end-user API keys are created automatically via Supabase as restricted backend keys and scoped by allowed systems.
    • MCP: superglue_authenticate accepts optional systemId; when the key isn’t linked to an end user, returns an agentUrl with guidance (includes systemId in prompt when provided).
    • Systems: PATCH supports multiTenancyMode updates.
    • UI: removed per-key tool access controls and the API key edit dialog; portal no longer shows tool access lists.
  • Migration

    • Replace upsertEndUser with createEndUser and updateEndUser in EE datastore and server code.
    • Update clients: use POST to create and PATCH to update; handle 409 on duplicate externalId.
    • Remove allowedTools-based checks and UI; rely on allowedSystems for permission enforcement.
    • Regenerate API clients from the updated OpenAPI spec if applicable.

Written for commit fac952dbffbec74cbaca7f8b2b6d0684ba20ec78. Summary will update on new commits.


⚠️ Note: Hosted-only files (ee/, supabase/, scheduler/, discovery/, etc.) have been automatically excluded from this sync.

stefanfaistenauer and others added 2 commits February 16, 2026 13:32
* more end user improvements

* linting

* minor improvements

* linting

* minor fixes

* ui issue

* cleanup

* linting
@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 11 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/web/src/app/portal/page.tsx">

<violation number="1" location="packages/web/src/app/portal/page.tsx:758">
P2: The credential dialog's "Connect" button has no loading/disabled state during submission, unlike the OAuth connect and disconnect buttons which both track in-progress state (`authenticatingSystem`, `disconnecting`). This allows double-submission of credentials. Add a `savingCredentials` state to disable the button and show a spinner while the request is in flight.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

>
Cancel
</Button>
<Button type="submit">Connect</Button>
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: The credential dialog's "Connect" button has no loading/disabled state during submission, unlike the OAuth connect and disconnect buttons which both track in-progress state (authenticatingSystem, disconnecting). This allows double-submission of credentials. Add a savingCredentials state to disable the button and show a spinner while the request is in flight.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/web/src/app/portal/page.tsx, line 758:

<comment>The credential dialog's "Connect" button has no loading/disabled state during submission, unlike the OAuth connect and disconnect buttons which both track in-progress state (`authenticatingSystem`, `disconnecting`). This allows double-submission of credentials. Add a `savingCredentials` state to disable the button and show a spinner while the request is in flight.</comment>

<file context>
@@ -0,0 +1,765 @@
+              >
+                Cancel
+              </Button>
+              <Button type="submit">Connect</Button>
+            </DialogFooter>
+          </form>
</file context>
Fix with Cubic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants

Comments