Skip to content

IAM module #575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
gearnode wants to merge 193 commits into
base: main
Choose a base branch
from
Draft

IAM module #575

gearnode wants to merge 193 commits into from
+86,290 −48,748

Conversation

@gearnode
Copy link
Contributor

@gearnode gearnode commented Dec 8, 2025
edited by cubic-dev-ai bot
Loading

Summary by cubic

Unifies auth and authz into a single IAM module and introduces the Connect v1 GraphQL API with split Relay environments. Refreshes IAM Organizations with session switching and SAML domain verification, and replugged Custom Domain settings and employee document signing pages.

  • New Features

    • IAM service for sign-in/signup (password/invitation), password reset, email management, organization/membership, permissions, sessions (including assume organization session), and API keys.
    • New IAM Sign-In page and Memberships experience with dropdown/session controls; session dropdown added for profile/sign-out.
    • Personal API Keys page to create, reveal, and revoke tokens via IAM GraphQL.
    • Session model extended with expire_reason, user_agent, ip_address, tenant_id, parent_session, plus new order fields; membership exposes lastSession and activeSession.
    • Connect v1 GraphQL API with session middleware and API key auth; console/MCP/trust endpoints now use IAM.
    • SAML services moved under IAM with domain verification and test login; handlers updated.
    • Relay package for GraphQL fetch with auth error mapping; console uses a multi-project Relay config (core, iam) with separate environments and new Core/IAM Relay providers.
    • Permission field exposed on core schema nodes; UI gates create/update/delete/publish and signature actions across core pages (documents, assets, audits, data, continual improvements, meetings, frameworks, custom domains).

  • Migration

    • Apply DB migrations adding session columns and the expire_reason enum, plus expire_reason on auth_user_api_keys.
    • Prefix related tables with iam_.
    • Update application config with the new IAM settings and cookie details.
    • Replace auth/authz usages with iam.Service and iam.Permissions in server code.

Written for commit c91f470. Summary will update on new commits.

@gearnode gearnode force-pushed the refactor-iam branch 7 times, most recently from 2f4901c to 27a41e4 Compare December 12, 2025 13:43
@gearnode gearnode force-pushed the refactor-iam branch 5 times, most recently from 71dbfe1 to 32571bc Compare December 16, 2025 17:52
@codenem codenem force-pushed the refactor-iam branch 2 times, most recently from da81ece to d9ca7d6 Compare December 21, 2025 01:12
gearnode and others added 14 commits January 5, 2026 19:24
@gearnode
Rewrite identity and access management
0476348 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Gracefully handle many errors
712313e 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Rewrite permission system
ea22a12 
Signed-off-by: Bryan Frimin <[email protected]>
@codenem @gearnode
Make console buildable and relay-compilable
d4a39be 
Signed-off-by: Émile Ré <[email protected]>
@codenem @gearnode
Setup 2 relay configs for 2 graphQL APIs
226e28f 
Signed-off-by: Émile Ré <[email protected]>
@codenem @gearnode
Querying connect graphQL API
a5ae65c 
Signed-off-by: Émile Ré <[email protected]>
@codenem @gearnode
Generate connect GQL on build
243da3e 
Signed-off-by: Émile Ré <[email protected]>
@gearnode
Add activeSession on membership
a178f3d 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Fix active session must not be return if expired
4e0a71b 
Signed-off-by: Bryan Frimin <[email protected]>
@codenem @gearnode
Replug organizations page without assumable sessions
40fa09f 
Signed-off-by: Émile Ré <[email protected]>
@codenem @gearnode
OrganizationsPage switch to MembershipCard and add membership session…
cd9d0bf 
… state

Signed-off-by: Émile Ré <[email protected]>
@codenem @gearnode
Fix collision between connect API key & Session middlewares
f5be9bb 
Signed-off-by: Émile Ré <[email protected]>
@gearnode
Rename open session for saml
380b29e 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Change session from method tracking
58455bb 
Signed-off-by: Bryan Frimin <[email protected]>
gearnode and others added 30 commits January 5, 2026 19:48
@gearnode
Use new coredata error pattern
cb730e2 
Signed-off-by: Bryan Frimin <[email protected]>
@codenem
Fix invitations totalCount update
f0328bb 
Signed-off-by: Émile Ré <[email protected]>
@gearnode
Remove dead code
d02fd33 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Fix incosistent filter
9009504 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Fix SCIM filter test
94728cd 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Fix error when enable SCIM
f548429 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Fix 5xx when scim filter not present
b7af72b 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Style
9447774 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Fix re-activitating membership does not reset the role
8b28673 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Use employee as default role
ac96103 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Update default SAML role to employee
6427a44 
Signed-off-by: Bryan Frimin <[email protected]>
@codenem
Plug sign in steps + sso login URL check
15c7e9b 
Signed-off-by: Émile Ré <[email protected]>
@gearnode
Fix missing trust center object
c22a51f 
Signed-off-by: Bryan Frimin <[email protected]>
@codenem
Plug forgot password page
de0b150 
Signed-off-by: Émile Ré <[email protected]>
@codenem
Plug reset password page
6b36643 
Signed-off-by: Émile Ré <[email protected]>
@codenem
Fix mutation errors
3b9d4a4 
Signed-off-by: Émile Ré <[email protected]>
@codenem
Plug verify email
e723bb1 
Signed-off-by: Émile Ré <[email protected]>
@codenem
Rename MembershipLayout and create ViewerLayout for identity context …
25df768 
…pages

Signed-off-by: Émile Ré <[email protected]>
@codenem
Implement organization assumption check in authorization layer
6a612f1 
Signed-off-by: Émile Ré <[email protected]>
@codenem
Fix uneeded assume + assume after invite accept
548eccb 
Signed-off-by: Émile Ré <[email protected]>
@codenem
Accept/Expire invitations on SAML & SCIM operations
f6fc8a1 
Signed-off-by: Émile Ré <[email protected]>
@codenem
Expire invitations on SCIM delete
106224c 
Signed-off-by: Émile Ré <[email protected]>
@gearnode
Fix internal error when create new org
42e90cf 
Signed-off-by: Bryan Frimin <[email protected]>
@codenem
Expire invitations on SAML sign up and invitation accept
a13eb05 
Signed-off-by: Émile Ré <[email protected]>
@codenem
Extract authn & authz utils
7c3fd13 
Signed-off-by: Émile Ré <[email protected]>
@codenem
Extract cookie config into authn pkg
43a19ad 
Signed-off-by: Émile Ré <[email protected]>
@codenem
Plug trust center part 1
ae79ba9 
Signed-off-by: Émile Ré <[email protected]>
@codenem
Use trust center from context
d3934ea 
Signed-off-by: Émile Ré <[email protected]>
@gearnode
Extract session directive in a dedicated package
bd3b9dc 
Signed-off-by: Bryan Frimin <[email protected]>
@gearnode
Use session instead of mustBeAuthenticated
c91f470 
Signed-off-by: Bryan Frimin <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gearnode @codenem