refactor(web): rename withAuthV2 to withAuth

[brendan-kellam]

Summary

• Renames withAuthV2/withOptionalAuthV2 to withAuth/withOptionalAuth and moves from src/withAuthV2.ts to src/middleware/withAuth.ts
• Extracts withMinimumOrgRole and sew into their own files under src/middleware/
• Fixes 'use server' build error caused by exporting logger (a non-async-function) from actions.ts, and fixes mock path in withAuth.test.ts

Test plan

• withAuth.test.ts passes (45 tests)
• Verify web builds successfully (yarn workspace @sourcebot/web build)

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Refactored authentication and error-handling middleware wiring across the web app; internal imports/middleware locations changed but user-facing behavior, API signatures, and responses remain unchanged.
• Tests
  • Updated test suites and mocks to match the middleware refactor and preserve existing coverage.
• Documentation
  • Updated developer docs and examples to reflect the new middleware usage.

[github-actions]

@brendan-kellam your pull request is missing a changelog!

[coderabbitai]

Walkthrough

Renames and relocates auth middleware across the web package: withAuthV2* → withAuth*/withOptionalAuth*, extracts withMinimumOrgRole into its own module, and moves sew into packages/web/src/middleware/sew.ts; updates imports/usages across actions, API routes, pages, tests, and docs. (34 words)

Changes

Cohort / File(s)	Summary
Middleware Core Modules packages/web/src/middleware/withAuth.ts, packages/web/src/middleware/withAuth.test.ts, packages/web/src/middleware/withMinimumOrgRole.ts, packages/web/src/middleware/sew.ts	Renamed exported auth wrappers (drop V2), implemented sew in its own file, added withMinimumOrgRole as a separate module, and updated tests/relative imports.
Core Actions Module packages/web/src/actions.ts	Removed local sew export and Sentry wrapper; now imports sew from @/middleware/sew and references new auth wrapper names.
API Routes (server) packages/web/src/app/api/(server)/... chat/route.ts, ee/.../api.ts, ee/chat/.../route.ts, mcp/route.ts, models/route.ts, repos/listReposApi.ts	Swapped withAuthV2/withOptionalAuthV2 → withAuth/withOptionalAuth and updated sew imports to @/middleware/sew; handler wrappers changed but business logic unchanged.
Pages & Server Data Loaders packages/web/src/app/[domain]/... askgh/.../api.ts, repos/[id]/page.tsx, repos/page.tsx, settings/connections/..., settings/layout.tsx	Rewired server-side loaders to use new sew and withAuth/withOptionalAuth; queries and return shapes left intact.
Git & Repo-related APIs packages/web/src/features/git/... getDiffApi.ts, getFileSourceApi.ts, getFilesApi.ts, getFolderContentsApi.ts, getTreeApi.ts, listCommitsApi.ts	Replaced optional-auth wrapper names and moved sew import; internal git logic unchanged.
Search, CodeNav, MCP, and Related Features packages/web/src/features/... search/searchApi.ts, searchAssist/actions.ts, codeNav/api.ts, mcp/askCodebase.ts	Updated withOptionalAuth usage and sew import locations across search, code nav, MCP, preserving internal logic.
Chat, Collaboration, Invite packages/web/src/features/chat/actions.ts, packages/web/src/app/invite/actions.ts	Rewired chat and invite actions to use withAuth/withOptionalAuth and new sew module; no behavior changes.
Enterprise (EE) Features packages/web/src/ee/features/... analytics/actions.ts, audit/actions.ts, oauth/actions.ts, sso/actions.ts, userManagement/actions.ts	Replaced withAuthV2 with withAuth, moved withMinimumOrgRole import to new module, and updated sew imports.
User & Worker APIs packages/web/src/features/userManagement/actions.ts, packages/web/src/features/workerApi/actions.ts	Updated auth wrapper names and sew import locations; role enforcement now uses extracted withMinimumOrgRole.
Tests, Docs & Tools packages/web/src/features/git/listCommitsApi.test.ts, packages/web/src/middleware/withAuth.test.ts, packages/web/src/lib/posthog.ts, CLAUDE.md, packages/web/tools/globToRegexpPlayground.ts	Adjusted test mocks and docs/examples to reference new middleware paths/names; updated posthog verification import to use new withAuth export.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Add anonymous access option to core #385 — Overlapping edits in packages/web/src/actions.ts and auth/sew usage changes.
• refactor(web): migrate all auth to withAuthV2/withOptionalAuthV2 #1071 — Related refactor of auth middleware names/locations and affected call sites.
• feat(web): Streamed code search #623 — Changes to the sew wrapper and its location that overlap this migration.

Suggested labels

sourcebot-team

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: renaming withAuthV2 to withAuth, which is the primary refactoring objective across all modified files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch brendan/rename-withauth

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/web/src/ee/features/oauth/actions.ts (1)

47-47: ⚠️ Potential issue | 🟡 Minor

Use braces for single-line if bodies in these handlers.

Both if (state) statements should use block bodies to match repo standards.

Suggested patch

-        if (state) callbackUrl.searchParams.set('state', state);
+        if (state) {
+            callbackUrl.searchParams.set('state', state);
+        }
...
-        if (state) callbackUrl.searchParams.set('state', state);
+        if (state) {
+            callbackUrl.searchParams.set('state', state);
+        }

As per coding guidelines, “Always use curly braces for if statements, with the body on a new line — even for single-line bodies.”

Also applies to: 66-66

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/web/src/ee/features/oauth/actions.ts` at line 47, Two single-line if
statements that set the state on callbackUrl (e.g. "if (state)
callbackUrl.searchParams.set('state', state);") must use braces per repo style;
update both occurrences (the one using callbackUrl.searchParams.set(...) and the
similar one at the other occurrence) to use block bodies with the body on a new
line, e.g. add { ... } around the callbackUrl.searchParams.set call so the if
uses a curly-braced block.

🧹 Nitpick comments (3)

packages/web/src/middleware/withAuth.test.ts (2)

464-464: Update describe block name to match renamed function.

The describe block still references withAuthV2 but the tests now use the renamed withAuth function. This inconsistency could cause confusion when reading test output.

📝 Suggested fix

-describe('withAuthV2', () => {
+describe('withAuth', () => {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/web/src/middleware/withAuth.test.ts` at line 464, Update the test
suite's describe block name to match the renamed function: change the describe
string from "withAuthV2" to "withAuth" so it reflects the actual function under
test (withAuth) used in the tests; locate the describe(...) containing
'withAuthV2' and rename it to 'withAuth' to keep test output and intent
consistent.

---

731-731: Update describe block name to match renamed function.

Same issue here — the describe block references withOptionalAuthV2 but tests now use withOptionalAuth.

📝 Suggested fix

-describe('withOptionalAuthV2', () => {
+describe('withOptionalAuth', () => {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/web/src/middleware/withAuth.test.ts` at line 731, Rename the test
suite description to match the actual exported function name: change the
describe block string from "withOptionalAuthV2" to "withOptionalAuth" so the
describe block aligns with the tests calling withOptionalAuth; update any other
describe blocks in this file that still reference withOptionalAuthV2 to
withOptionalAuth to keep names consistent with the function under test.

packages/web/src/middleware/withMinimumOrgRole.ts (1)

12-23: Consider using exhaustive Record mapping for OrgRole precedence.

getAuthorizationPrecedence uses a switch without a default case. While TypeScript's strict mode (noImplicitReturns enabled) will catch missing returns if OrgRole is expanded, an exhaustive Record<OrgRole, number> mapping would be more explicit and maintainable:

const precedence: Record<OrgRole, number> = {
    [OrgRole.GUEST]: 0,
    [OrgRole.MEMBER]: 1,
    [OrgRole.OWNER]: 2,
};

This pattern makes it impossible to forget an enum value and is easier to read.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/web/src/middleware/withMinimumOrgRole.ts` around lines 12 - 23,
Replace the switch-based getAuthorizationPrecedence with an explicit exhaustive
Record mapping for OrgRole (e.g., create a const precedence: Record<OrgRole,
number> = { [OrgRole.GUEST]: 0, [OrgRole.MEMBER]: 1, [OrgRole.OWNER]: 2 }) and
then use precedence[userRole] and precedence[minRequiredRole] in the comparison;
update any reference to getAuthorizationPrecedence to read from the precedence
map (or remove the function entirely) so all OrgRole values are statically
covered and cannot be missed when the enum grows.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/web/src/ee/features/audit/actions.ts`:
- Around line 37-38: The fetchAuditRecords action is using the global Prisma
client instead of the auth context's prisma, which bypasses user-scoped
permission enforcement; update the implementation inside
withAuth/withMinimumOrgRole to use the prisma instance passed in the auth
context (e.g., use the prisma parameter available in the withAuth callback) for
all DB calls (replace any direct uses/imports of '@/prisma' with the
context.prisma or prisma argument) so that methods like fetchAuditRecords call
prisma.audit.findMany (and related queries) through the context-provided client
with userScopedPrismaClientExtension applied.

In `@packages/web/src/ee/features/userManagement/actions.ts`:
- Around line 23-24: The actions wrapped with withAuth and withMinimumOrgRole
are currently using the global Prisma client; update both server actions to
destructure prisma from the withAuth context parameter (e.g., change the async
({ user, org, role }) => to async ({ user, org, role, prisma }) =>) and then
replace any use of the global prisma with that context-scoped prisma so the
userScopedPrismaClientExtension is applied (apply this change for the two
occurrences wrapped by withAuth/withMinimumOrgRole).

---

Outside diff comments:
In `@packages/web/src/ee/features/oauth/actions.ts`:
- Line 47: Two single-line if statements that set the state on callbackUrl (e.g.
"if (state) callbackUrl.searchParams.set('state', state);") must use braces per
repo style; update both occurrences (the one using
callbackUrl.searchParams.set(...) and the similar one at the other occurrence)
to use block bodies with the body on a new line, e.g. add { ... } around the
callbackUrl.searchParams.set call so the if uses a curly-braced block.

---

Nitpick comments:
In `@packages/web/src/middleware/withAuth.test.ts`:
- Line 464: Update the test suite's describe block name to match the renamed
function: change the describe string from "withAuthV2" to "withAuth" so it
reflects the actual function under test (withAuth) used in the tests; locate the
describe(...) containing 'withAuthV2' and rename it to 'withAuth' to keep test
output and intent consistent.
- Line 731: Rename the test suite description to match the actual exported
function name: change the describe block string from "withOptionalAuthV2" to
"withOptionalAuth" so the describe block aligns with the tests calling
withOptionalAuth; update any other describe blocks in this file that still
reference withOptionalAuthV2 to withOptionalAuth to keep names consistent with
the function under test.

In `@packages/web/src/middleware/withMinimumOrgRole.ts`:
- Around line 12-23: Replace the switch-based getAuthorizationPrecedence with an
explicit exhaustive Record mapping for OrgRole (e.g., create a const precedence:
Record<OrgRole, number> = { [OrgRole.GUEST]: 0, [OrgRole.MEMBER]: 1,
[OrgRole.OWNER]: 2 }) and then use precedence[userRole] and
precedence[minRequiredRole] in the comparison; update any reference to
getAuthorizationPrecedence to read from the precedence map (or remove the
function entirely) so all OrgRole values are statically covered and cannot be
missed when the enum grows.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b20d8e50-3443-486b-b18e-ebc655380621

📥 Commits

Reviewing files that changed from the base of the PR and between 85cf4be and 285c7ed.

📒 Files selected for processing (40)

• packages/web/src/actions.ts
• packages/web/src/app/[domain]/askgh/[owner]/[repo]/api.ts
• packages/web/src/app/[domain]/repos/[id]/page.tsx
• packages/web/src/app/[domain]/repos/page.tsx
• packages/web/src/app/[domain]/settings/connections/[id]/page.tsx
• packages/web/src/app/[domain]/settings/connections/page.tsx
• packages/web/src/app/[domain]/settings/layout.tsx
• packages/web/src/app/api/(server)/chat/route.ts
• packages/web/src/app/api/(server)/ee/accountPermissionSyncJobStatus/api.ts
• packages/web/src/app/api/(server)/ee/chat/[chatId]/searchMembers/route.ts
• packages/web/src/app/api/(server)/ee/permissionSyncStatus/api.ts
• packages/web/src/app/api/(server)/ee/user/route.ts
• packages/web/src/app/api/(server)/ee/users/route.ts
• packages/web/src/app/api/(server)/mcp/route.ts
• packages/web/src/app/api/(server)/models/route.ts
• packages/web/src/app/api/(server)/repos/listReposApi.ts
• packages/web/src/app/invite/actions.ts
• packages/web/src/ee/features/analytics/actions.ts
• packages/web/src/ee/features/audit/actions.ts
• packages/web/src/ee/features/oauth/actions.ts
• packages/web/src/ee/features/sso/actions.ts
• packages/web/src/ee/features/userManagement/actions.ts
• packages/web/src/features/chat/actions.ts
• packages/web/src/features/codeNav/api.ts
• packages/web/src/features/git/getDiffApi.ts
• packages/web/src/features/git/getFileSourceApi.ts
• packages/web/src/features/git/getFilesApi.ts
• packages/web/src/features/git/getFolderContentsApi.ts
• packages/web/src/features/git/getTreeApi.ts
• packages/web/src/features/git/listCommitsApi.ts
• packages/web/src/features/mcp/askCodebase.ts
• packages/web/src/features/search/searchApi.ts
• packages/web/src/features/searchAssist/actions.ts
• packages/web/src/features/userManagement/actions.ts
• packages/web/src/features/workerApi/actions.ts
• packages/web/src/lib/posthog.ts
• packages/web/src/middleware/sew.ts
• packages/web/src/middleware/withAuth.test.ts
• packages/web/src/middleware/withAuth.ts
• packages/web/src/middleware/withMinimumOrgRole.ts

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/web/src/features/git/listCommitsApi.test.ts (1)

35-44: ⚠️ Potential issue | 🟠 Major

Match the sew mock to production error semantics.

On Line 35, the mock returns Promise<T> and currently forwards thrown error messages; production sew returns T | ServiceError and uses a fixed generic message for unexpected failures. This mismatch can make error-path tests pass/fail for the wrong reasons.

Proposed fix

 vi.mock('@/middleware/sew', () => ({
-    sew: async <T>(fn: () => Promise<T> | T): Promise<T> => {
+    sew: async <T>(fn: () => Promise<T> | T): Promise<T | { errorCode: string; message: string }> => {
         try {
             return await fn();
         } catch (error) {
-            // Mock sew to convert thrown errors to ServiceError
+            // Match production sew behavior for unexpected failures
             return {
                 errorCode: 'UNEXPECTED_ERROR',
-                message: error instanceof Error ? error.message : String(error),
-            } as T;
+                message: 'An unexpected error occurred. Please try again later.',
+            };
         }
     },
 }));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/web/src/features/git/listCommitsApi.test.ts` around lines 35 - 44,
The mock implementation of sew in listCommitsApi.test.ts wrongly types/behaves
like Promise<T> and forwards thrown error messages; update the mock for sew to
return Promise<T | ServiceError> (or T | ServiceError) and, when catching,
return a ServiceError object with the fixed generic message used in production
(e.g. message set to a generic unexpected-failure string and errorCode
'UNEXPECTED_ERROR') instead of using error.message so test error-path semantics
match the real sew; locate and update the sew async mock in the test to change
its return type and caught-error behavior accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/web/src/features/git/listCommitsApi.test.ts`:
- Around line 51-53: The mock for withOptionalAuth in listCommitsApi.test.ts is
incomplete and the comment references the wrong helper; update the mock callback
shape to match the real withOptionalAuth by passing an object like { user:
undefined, org: mockOrg, role: 'member' (or appropriate role), prisma:
mockPrisma } instead of just { org, prisma }, and change the comment from "Mock
withOptionalAuthV2" to "Mock withOptionalAuth" so the test context and comment
reflect the actual function signature (refer to withOptionalAuth and mockOrg in
the test).

---

Outside diff comments:
In `@packages/web/src/features/git/listCommitsApi.test.ts`:
- Around line 35-44: The mock implementation of sew in listCommitsApi.test.ts
wrongly types/behaves like Promise<T> and forwards thrown error messages; update
the mock for sew to return Promise<T | ServiceError> (or T | ServiceError) and,
when catching, return a ServiceError object with the fixed generic message used
in production (e.g. message set to a generic unexpected-failure string and
errorCode 'UNEXPECTED_ERROR') instead of using error.message so test error-path
semantics match the real sew; locate and update the sew async mock in the test
to change its return type and caught-error behavior accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a49646b0-5bba-449c-bd16-1cb05c746b07

📥 Commits

Reviewing files that changed from the base of the PR and between 285c7ed and 22d9269.

📒 Files selected for processing (1)

• packages/web/src/features/git/listCommitsApi.test.ts

[coderabbitai]

♻️ Duplicate comments (1)

packages/web/src/features/git/listCommitsApi.test.ts (1)

51-59: ⚠️ Potential issue | 🟡 Minor

Align withOptionalAuth mock args with real middleware context.

On Line 51 and Line 59, the mock only types/passes { org, prisma }, but real withOptionalAuth passes { user, org, role, prisma } (packages/web/src/middleware/withAuth.ts, Line 87). This can mask auth-context bugs in tests.

Proposed fix

 vi.mock('@/middleware/withAuth', () => ({
-    withOptionalAuth: async <T>(fn: (args: { org: { id: number; name: string }; prisma: unknown }) => Promise<T>): Promise<T> => {
-        // Mock withOptionalAuth to provide org and prisma context
+    withOptionalAuth: async <T>(fn: (args: {
+        user?: unknown;
+        org: { id: number; name: string };
+        role: string;
+        prisma: unknown;
+    }) => Promise<T>): Promise<T> => {
+        // Mock withOptionalAuth to provide auth context
         const mockOrg = { id: 1, name: 'test-org' };
         const mockPrisma = {
             repo: {
                 findFirst: mockFindFirst,
             },
         };
-        return await fn({ org: mockOrg, prisma: mockPrisma });
+        return await fn({ user: undefined, org: mockOrg, role: 'MEMBER', prisma: mockPrisma });
     },
 }));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/web/src/features/git/listCommitsApi.test.ts` around lines 51 - 59,
The withOptionalAuth mock used in the test only supplies { org, prisma } but the
real middleware calls handlers with { user, org, role, prisma } (see
withOptionalAuth in withAuth.ts); update the test's mock implementation of
withOptionalAuth to include and type the missing properties (provide a mockUser
and mockRole alongside mockOrg and mockPrisma) and pass { user: mockUser, org:
mockOrg, role: mockRole, prisma: mockPrisma } into fn so the test accurately
reflects runtime auth context and catches auth-related issues.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@packages/web/src/features/git/listCommitsApi.test.ts`:
- Around line 51-59: The withOptionalAuth mock used in the test only supplies {
org, prisma } but the real middleware calls handlers with { user, org, role,
prisma } (see withOptionalAuth in withAuth.ts); update the test's mock
implementation of withOptionalAuth to include and type the missing properties
(provide a mockUser and mockRole alongside mockOrg and mockPrisma) and pass {
user: mockUser, org: mockOrg, role: mockRole, prisma: mockPrisma } into fn so
the test accurately reflects runtime auth context and catches auth-related
issues.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 68a527b0-b527-48f9-9faf-7076cb4bdf1b

📥 Commits

Reviewing files that changed from the base of the PR and between 088001c and f642933.

📒 Files selected for processing (4)

• CLAUDE.md
• packages/web/src/features/git/listCommitsApi.test.ts
• packages/web/src/middleware/withAuth.test.ts
• packages/web/tools/globToRegexpPlayground.ts

✅ Files skipped from review due to trivial changes (3)

• CLAUDE.md
• packages/web/tools/globToRegexpPlayground.ts
• packages/web/src/middleware/withAuth.test.ts