fix(web): require User.email and reject SSO sign-ins without an email

[brendan-kellam]

Fixes SOU-1335

Problem

The Members settings page (and the Pending Requests tab) crashed with TypeError: Cannot read properties of null (reading 'toLowerCase') on instances that had User rows with a null email. These rows are created when an OAuth/OIDC identity provider returns a profile without an email — next-auth's adapter persists whatever profile() produced, and nothing in the app ever backfills it. The getOrgMembers/getOrgAccountRequests actions asserted email!, hiding the nullability from the type checker, and the client list components then called member.email.toLowerCase().

Approach

Make a non-null email an enforced invariant rather than something the UI has to defensively handle:

1. Schema — User.email is now String @unique (was String?).
2. Self-healing migration (20260616000000_make_user_email_required) — because prisma migrate deploy runs automatically on container startup, a bare SET NOT NULL would fail and brick the upgrade on any instance that still has null rows. The migration first backfills existing nulls with a deterministic, unique, obviously-synthetic placeholder (placeholder-<id>@no-email.invalid), then applies NOT NULL. Backfilled rows are findable via WHERE email LIKE 'placeholder-%@no-email.invalid'.
3. Guard — the signIn callback now rejects any sign-in that arrives without an email, so a null can never reach createUser (which would otherwise 500 on the NOT NULL insert). In practice only OAuth/OIDC profiles can lack one; the check is unconditional so future providers are covered too.
4. Cleanup — removed the now-redundant email! assertions across the user-management/invite/auth code, corrected the stale "email is nullable" comment in the encrypted adapter, and tightened the public EE user API schemas (email is no longer nullable) + regenerated the OpenAPI spec.

Notes

• Backfilled placeholder users will be blocked from re-signing-in until their IdP returns a real email (they were unusable anyway); admins can find them with the LIKE query above.
• The API schema change is non-breaking for consumers — email was already always populated in practice; the contract now states it's guaranteed.

Testing

• tsc --noEmit on @sourcebot/web: no new errors (pre-existing lastActiveAt test-fixture errors are unrelated).
• Prisma client regenerated; OpenAPI spec regenerated and verified email is type: string and in required for PublicEeUser / PublicEeUserListItem.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes
  • Fixed a crash on the Members page when a user’s email is missing.
  • Rejected SSO sign-ins when the identity provider does not provide an email address.
  • Updated account and invitation-related flows to consistently require and use email where applicable.
• Documentation
  • Updated the public API documentation/schemas to make email non-nullable.
• Chores
  • Enforced User.email as required in the database via backfill + schema update.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c4d16caf-ddde-4c10-8e2f-f1fc4ae571cc

📥 Commits

Reviewing files that changed from the base of the PR and between e1a4b15 and 7004b07.

📒 Files selected for processing (2)

• packages/web/src/app/login/error/page.tsx
• packages/web/src/auth.ts

---

Walkthrough

User.email is enforced as non-nullable: a migration backfills NULL emails with synthetic placeholders then sets NOT NULL, the Prisma schema updates accordingly, an SSO sign-in guard rejects email-less accounts, OpenAPI/Zod schemas remove nullable, and non-null assertions (!) are removed from application actions.

Changes

User email non-nullable enforcement

Layer / File(s)	Summary
Database migration and Prisma schema packages/db/prisma/schema.prisma, packages/db/prisma/migrations/.../migration.sql	User.email changes from String? to String in the Prisma schema. The migration backfills any NULL email rows with <id>@no-email.invalid``, then ALTER TABLE ... SET NOT NULL.
Sign-in guard for missing email packages/web/src/auth.ts, packages/web/src/app/login/error/page.tsx	callbacks.signIn now destructures user alongside account and returns false unconditionally when user.email is absent, redirecting to /login/error?error=EmailRequired. The error page displays a new EmailRequired case.
OpenAPI and Zod schema contracts packages/web/src/openapi/publicApiSchemas.ts, docs/api-reference/sourcebot-public.openapi.json	publicEeUserSchema and publicEeUserListItemSchema change email from z.string().nullable() to z.string(). The generated OpenAPI JSON removes nullable: true from PublicEeUser and PublicEeUserListItem.
Non-null assertion removal in application actions packages/web/src/actions.ts, packages/web/src/app/invite/actions.ts, packages/web/src/features/userManagement/actions.ts, packages/web/src/lib/authUtils.ts, packages/web/src/lib/encryptedPrismaAdapter.ts, CHANGELOG.md	Removes ! non-null assertions on .email across join-request emails, invite info host/recipient mapping, approval and invite email flows, org member/account-request mappings, and the invite-deletion filter. Adapter comment is updated; changelog entry is added.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• sourcebot-dev/sourcebot#1066: Both PRs touch the Enterprise "public EE user" OpenAPI schema definitions in docs/api-reference/sourcebot-public.openapi.json—the main PR changes PublicEeUser.email/PublicEeUserListItem.email to non-nullable, while the other PR restructures/adds those EE schemas.
• sourcebot-dev/sourcebot#1221: Both PRs modify packages/web/src/auth.ts's NextAuth callbacks.signIn logic to reject certain sign-in flows (main PR blocks when user.email is missing; retrieved PR blocks OAuth account-linking when there's no signed-in session).

Suggested reviewers

• msukkari

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main changes: making User.email required and rejecting SSO sign-ins without email.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch brendan/require-user-email-SOU-1335

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
sourcebot	🟢 Ready	View Preview	Jun 16, 2026, 11:45 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Line 20: The changelog entry in CHANGELOG.md contains multiple sentences
separated by periods, but the repository format requires a single sentence
followed by the PR link. Combine the two sentences about fixing the Members page
crash and making User.email required into one cohesive sentence, then follow it
with the PR link [`#1310`](https://github.com/sourcebot-dev/sourcebot/pull/1310)
to match the required format.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4a97f7ab-f167-441c-a0a0-266c9a164f8b

📥 Commits

Reviewing files that changed from the base of the PR and between 4ec4de1 and f054e81.

📒 Files selected for processing (11)

• CHANGELOG.md
• docs/api-reference/sourcebot-public.openapi.json
• packages/db/prisma/migrations/20260616000000_make_user_email_required/migration.sql
• packages/db/prisma/schema.prisma
• packages/web/src/actions.ts
• packages/web/src/app/invite/actions.ts
• packages/web/src/auth.ts
• packages/web/src/features/userManagement/actions.ts
• packages/web/src/lib/authUtils.ts
• packages/web/src/lib/encryptedPrismaAdapter.ts
• packages/web/src/openapi/publicApiSchemas.ts