agent-relay 2.0.23 → 2.0.24

package/packages/cloud/dist/api/nango-auth.js

@@ -1,741 +0,0 @@
-/**
- * Nango Auth API Routes
- *
- * Handles GitHub OAuth via Nango with two-connection pattern:
- * - github: User login (identity)
- * - github-app-oauth: Repository access
- */
-import { Router } from 'express';
-import { randomUUID } from 'crypto';
-import { requireAuth } from './auth.js';
-import { db } from '../db/index.js';
-import { nangoService, NANGO_INTEGRATIONS } from '../services/nango.js';
-export const nangoAuthRouter = Router();
-/**
- * GET /api/auth/nango/status
- * Check if Nango is configured
- */
-nangoAuthRouter.get('/status', (req, res) => {
-    try {
-        res.json({
-            configured: true,
-            integrations: NANGO_INTEGRATIONS,
-        });
-    }
-    catch (_error) {
-        res.json({
-            configured: false,
-            message: 'Nango not configured',
-        });
-    }
-});
-/**
- * GET /api/auth/nango/login-session
- * Create a Nango connect session for GitHub login
- */
-nangoAuthRouter.get('/login-session', async (req, res) => {
-    try {
-        const tempUserId = randomUUID();
-        const session = await nangoService.createConnectSession([NANGO_INTEGRATIONS.GITHUB_USER], { id: tempUserId });
-        res.json({ sessionToken: session.token, tempUserId });
-    }
-    catch (error) {
-        console.error('Error creating login session:', error);
-        res.status(500).json({ error: 'Failed to create login session' });
-    }
-});
-/**
- * GET /api/auth/nango/login-status/:connectionId
- * Poll for login completion after Nango connect UI
- */
-nangoAuthRouter.get('/login-status/:connectionId', async (req, res) => {
-    const connectionId = req.params.connectionId;
-    try {
-        // Check if a user exists with this incoming connection
-        const user = await db.users.findByIncomingConnectionId(connectionId);
-        if (!user) {
-            return res.json({ ready: false });
-        }
-        // Issue session
-        req.session.userId = user.id;
-        // Clear incoming connection ID
-        await db.users.clearIncomingConnectionId(user.id);
-        // Check if user has any repos connected
-        const repos = await db.repositories.findByUserId(user.id);
-        const hasRepos = repos.length > 0;
-        // Check if user needs to provide an email
-        const needsEmail = !user.email;
-        res.json({
-            ready: true,
-            hasRepos,
-            needsEmail,
-            user: {
-                id: user.id,
-                githubUsername: user.githubUsername,
-                email: user.email,
-                avatarUrl: user.avatarUrl,
-                plan: user.plan,
-            },
-        });
-    }
-    catch (error) {
-        console.error('Error checking login status:', error);
-        res.status(500).json({ error: 'Failed to check login status' });
-    }
-});
-/**
- * GET /api/auth/nango/repo-session
- * Create a Nango connect session for GitHub App OAuth (repo access)
- * Requires authentication
- */
-nangoAuthRouter.get('/repo-session', requireAuth, async (req, res) => {
-    const userId = req.session.userId;
-    try {
-        const user = await db.users.findById(userId);
-        if (!user) {
-            return res.status(404).json({ error: 'User not found' });
-        }
-        const session = await nangoService.createConnectSession([NANGO_INTEGRATIONS.GITHUB_APP], { id: user.id, email: user.email || undefined });
-        res.json({ sessionToken: session.token });
-    }
-    catch (error) {
-        console.error('Error creating repo session:', error);
-        res.status(500).json({ error: 'Failed to create repo session' });
-    }
-});
-/**
- * GET /api/auth/nango/repo-status/:connectionId
- * Poll for repo sync completion after GitHub App OAuth
- * Requires authentication
- */
-nangoAuthRouter.get('/repo-status/:connectionId', requireAuth, async (req, res) => {
-    const userId = req.session.userId;
-    const _connectionId = req.params.connectionId;
-    try {
-        const user = await db.users.findById(userId);
-        if (!user) {
-            return res.status(404).json({ error: 'User not found' });
-        }
-        // Check for pending org approval
-        if (user.pendingInstallationRequest) {
-            return res.json({
-                ready: false,
-                pendingApproval: true,
-                message: 'Waiting for organization admin approval',
-            });
-        }
-        // Check if repos have been synced
-        const repos = await db.repositories.findByUserId(userId);
-        const reposFromConnection = repos.filter(r => r.syncStatus === 'synced' && r.nangoConnectionId);
-        if (reposFromConnection.length === 0) {
-            return res.json({ ready: false });
-        }
-        // Check workspace status for frontend visibility
-        const workspaces = await db.workspaces.findByUserId(userId);
-        const primaryWorkspace = workspaces[0];
-        res.json({
-            ready: true,
-            repos: reposFromConnection.map(r => ({
-                id: r.id,
-                fullName: r.githubFullName,
-                isPrivate: r.isPrivate,
-                defaultBranch: r.defaultBranch,
-            })),
-            workspace: primaryWorkspace ? {
-                id: primaryWorkspace.id,
-                name: primaryWorkspace.name,
-                status: primaryWorkspace.status,
-                publicUrl: primaryWorkspace.publicUrl,
-            } : null,
-            workspaceProvisioning: primaryWorkspace?.status === 'provisioning',
-        });
-    }
-    catch (error) {
-        console.error('Error checking repo status:', error);
-        res.status(500).json({ error: 'Failed to check repo status' });
-    }
-});
-// ============================================================================
-// Nango Webhook Handler
-// ============================================================================
-/**
- * POST /api/auth/nango/webhook
- * Handle Nango webhooks for auth and sync events
- */
-nangoAuthRouter.post('/webhook', async (req, res) => {
-    const rawBody = req.rawBody || JSON.stringify(req.body);
-    // Verify webhook signature if present
-    const hasSignature = req.headers['x-nango-signature'] || req.headers['x-nango-hmac-sha256'];
-    if (hasSignature) {
-        if (!nangoService.verifyWebhookSignature(rawBody, req.headers)) {
-            console.error('[nango-webhook] Invalid signature');
-            return res.status(401).json({ error: 'Invalid signature' });
-        }
-    }
-    const payload = req.body;
-    console.log(`[nango-webhook] Received ${payload.type} event`);
-    try {
-        switch (payload.type) {
-            case 'auth':
-                await handleAuthWebhook(payload);
-                break;
-            case 'sync':
-                console.log('[nango-webhook] Sync event received');
-                break;
-            case 'forward':
-                await handleForwardWebhook(payload);
-                break;
-            default:
-                console.log(`[nango-webhook] Unhandled event type: ${payload.type}`);
-        }
-        res.json({ success: true });
-    }
-    catch (error) {
-        console.error('[nango-webhook] Error processing webhook:', error);
-        res.status(500).json({ error: 'Failed to process webhook' });
-    }
-});
-/**
- * Handle Nango auth webhook
- */
-async function handleAuthWebhook(payload) {
-    const { connectionId, providerConfigKey, endUser } = payload;
-    console.log(`[nango-webhook] Auth event for ${providerConfigKey} (${connectionId})`);
-    if (providerConfigKey === NANGO_INTEGRATIONS.GITHUB_USER) {
-        await handleLoginWebhook(connectionId, endUser);
-    }
-    else if (providerConfigKey === NANGO_INTEGRATIONS.GITHUB_APP) {
-        await handleRepoAuthWebhook(connectionId, endUser);
-    }
-}
-/**
- * Check user's repo access and auto-add them to workspaces
- * Uses GitHub user OAuth to query accessible repos and persists them to database
- */
-async function checkAndAutoAddToWorkspaces(userId, connectionId) {
-    try {
-        const user = await db.users.findById(userId);
-        if (!user)
-            return;
-        console.log(`[nango-webhook] Checking workspace auto-add for ${user.githubUsername}`);
-        // Query repos the user has access to via GitHub OAuth
-        const { repositories } = await nangoService.listUserAccessibleRepos(connectionId, {
-            perPage: 100,
-            type: 'all',
-        });
-        const workspacesToJoin = new Set();
-        // Check for workspace memberships - only persist repos that match existing workspaces
-        for (const repo of repositories) {
-            // Check if any user has this repo linked to a workspace
-            const allRepoRecords = await db.repositories.findByGithubFullName(repo.fullName);
-            let matchedWorkspaceId = null;
-            for (const record of allRepoRecords) {
-                if (record.workspaceId) {
-                    workspacesToJoin.add(record.workspaceId);
-                    matchedWorkspaceId = record.workspaceId; // Save the workspaceId to copy
-                }
-            }
-            // Only persist repos that are linked to workspaces
-            if (matchedWorkspaceId) {
-                await db.repositories.upsert({
-                    userId: user.id,
-                    githubFullName: repo.fullName,
-                    githubId: repo.id,
-                    isPrivate: repo.isPrivate,
-                    defaultBranch: repo.defaultBranch,
-                    nangoConnectionId: connectionId,
-                    workspaceId: matchedWorkspaceId, // Copy the workspaceId
-                    syncStatus: 'synced',
-                    lastSyncedAt: new Date(),
-                });
-            }
-        }
-        // Auto-add user to workspaces
-        for (const workspaceId of workspacesToJoin) {
-            const existingMembership = await db.workspaceMembers.findMembership(workspaceId, userId);
-            if (!existingMembership) {
-                const workspace = await db.workspaces.findById(workspaceId);
-                if (workspace) {
-                    console.log(`[nango-webhook] Auto-adding ${user.githubUsername} to workspace ${workspace.name}`);
-                    await db.workspaceMembers.addMember({
-                        workspaceId,
-                        userId,
-                        role: 'member',
-                        invitedBy: workspace.userId,
-                    });
-                    await db.workspaceMembers.acceptInvite(workspaceId, userId);
-                }
-            }
-        }
-        console.log(`[nango-webhook] Synced ${repositories.length} repos, auto-added ${user.githubUsername} to ${workspacesToJoin.size} workspaces`);
-    }
-    catch (error) {
-        console.error(`[nango-webhook] Error checking workspace auto-add:`, error);
-        // Non-fatal - don't throw
-    }
-}
-/**
- * Fetch and sync user emails from GitHub
- * Requires 'user:email' scope to be configured in Nango's GitHub integration
- */
-async function syncGitHubEmails(userId, connectionId) {
-    try {
-        const emails = await nangoService.getGithubUserEmails(connectionId);
-        if (emails.length === 0) {
-            console.log(`[nango-webhook] No emails returned from GitHub (scope may not be granted)`);
-            return null;
-        }
-        // Sync all verified emails to user_emails table
-        const verifiedEmails = emails.filter(e => e.verified);
-        if (verifiedEmails.length > 0) {
-            await db.userEmails.syncFromGitHub(userId, verifiedEmails);
-            console.log(`[nango-webhook] Synced ${verifiedEmails.length} verified emails for user ${userId}`);
-        }
-        // Return the primary verified email
-        const primaryEmail = emails.find(e => e.primary && e.verified)?.email;
-        return primaryEmail || null;
-    }
-    catch (error) {
-        console.error('[nango-webhook] Error syncing GitHub emails:', error);
-        return null;
-    }
-}
-/**
- * Handle GitHub login webhook
- *
- * Three scenarios:
- * 1. New user - Create user record, keep connection as permanent
- * 2. Returning user with existing connection - Store incoming ID for polling, delete temp connection
- * 3. Existing user, first connection - Set connection ID as permanent
- */
-async function handleLoginWebhook(connectionId, _endUser) {
-    // Get GitHub user info via Nango proxy
-    const githubUser = await nangoService.getGithubUser(connectionId);
-    const githubId = String(githubUser.id);
-    // Check if user already exists by GitHub ID
-    let existingUser = await db.users.findByGithubId(githubId);
-    // If not found by GitHub ID, check by email (for email-signup users connecting GitHub)
-    if (!existingUser && githubUser.email) {
-        const userByEmail = await db.users.findByEmail(githubUser.email);
-        if (userByEmail) {
-            // Email-signup user is connecting their GitHub account
-            console.log(`[nango-webhook] Linking GitHub to existing email user: ${githubUser.login} -> ${userByEmail.email}`);
-            // Update the existing user with GitHub info
-            await db.users.update(userByEmail.id, {
-                githubId,
-                githubUsername: githubUser.login,
-                avatarUrl: githubUser.avatar_url || null,
-                nangoConnectionId: connectionId,
-                incomingConnectionId: connectionId,
-            });
-            // Sync GitHub emails
-            await syncGitHubEmails(userByEmail.id, connectionId);
-            // Update connection with user ID
-            await nangoService.updateEndUser(connectionId, NANGO_INTEGRATIONS.GITHUB_USER, {
-                id: userByEmail.id,
-                email: userByEmail.email || undefined,
-            });
-            // Check for auto-add to workspaces
-            await checkAndAutoAddToWorkspaces(userByEmail.id, connectionId);
-            return;
-        }
-    }
-    // SCENARIO 1: New user (no existing user by GitHub ID or email)
-    if (!existingUser) {
-        // First, get the primary email from GitHub API (requires user:email scope)
-        // We'll create the user first, then sync emails
-        const newUser = await db.users.upsert({
-            githubId,
-            githubUsername: githubUser.login,
-            email: githubUser.email || null,
-            avatarUrl: githubUser.avatar_url || null,
-            nangoConnectionId: connectionId,
-            incomingConnectionId: connectionId,
-        });
-        // Sync all GitHub emails and get primary email
-        const primaryEmail = await syncGitHubEmails(newUser.id, connectionId);
-        // If we got a primary email from the API and user doesn't have one, update it
-        if (primaryEmail && !newUser.email) {
-            await db.users.update(newUser.id, { email: primaryEmail });
-        }
-        // Update connection with real user ID
-        await nangoService.updateEndUser(connectionId, NANGO_INTEGRATIONS.GITHUB_USER, {
-            id: newUser.id,
-            email: primaryEmail || newUser.email || undefined,
-        });
-        console.log(`[nango-webhook] New user created: ${githubUser.login}`);
-        // Check for auto-add to workspaces based on repo access
-        await checkAndAutoAddToWorkspaces(newUser.id, connectionId);
-        return;
-    }
-    // SCENARIO 2: Returning user with existing connection - delete temp connection
-    if (existingUser.nangoConnectionId && existingUser.nangoConnectionId !== connectionId) {
-        console.log(`[nango-webhook] Returning user: ${githubUser.login}`, {
-            permanentConnectionId: existingUser.nangoConnectionId,
-            incomingConnectionId: connectionId,
-        });
-        // Store incoming connection ID for polling
-        await db.users.update(existingUser.id, {
-            incomingConnectionId: connectionId,
-            githubUsername: githubUser.login,
-            avatarUrl: githubUser.avatar_url || null,
-        });
-        // Sync GitHub emails using the temporary connection before we delete it
-        await syncGitHubEmails(existingUser.id, connectionId);
-        // Delete the temporary connection from Nango to prevent duplicates
-        try {
-            await nangoService.deleteConnection(connectionId, NANGO_INTEGRATIONS.GITHUB_USER);
-            console.log(`[nango-webhook] Deleted temp connection for returning user`);
-        }
-        catch (error) {
-            console.error(`[nango-webhook] Failed to delete temp connection:`, error);
-            // Non-fatal - continue anyway
-        }
-        // Check for auto-add using permanent connection
-        await checkAndAutoAddToWorkspaces(existingUser.id, existingUser.nangoConnectionId);
-        return;
-    }
-    // SCENARIO 3: Existing user, first connection (or same connection)
-    console.log(`[nango-webhook] First/same connection for existing user: ${githubUser.login}`);
-    await db.users.update(existingUser.id, {
-        nangoConnectionId: connectionId,
-        incomingConnectionId: connectionId,
-        githubUsername: githubUser.login,
-        avatarUrl: githubUser.avatar_url || null,
-    });
-    // Sync GitHub emails
-    const primaryEmail = await syncGitHubEmails(existingUser.id, connectionId);
-    // Update connection with user ID
-    await nangoService.updateEndUser(connectionId, NANGO_INTEGRATIONS.GITHUB_USER, {
-        id: existingUser.id,
-        email: primaryEmail || existingUser.email || undefined,
-    });
-    // Check for auto-add to workspaces
-    await checkAndAutoAddToWorkspaces(existingUser.id, connectionId);
-}
-/**
- * Handle Nango forward webhook (GitHub events forwarded by Nango)
- */
-async function handleForwardWebhook(payload) {
-    const githubPayload = payload.payload;
-    console.log(`[nango-webhook] Forward event: action=${githubPayload.action} from ${payload.providerConfigKey}`);
-    // Only process GitHub App events
-    if (payload.providerConfigKey !== NANGO_INTEGRATIONS.GITHUB_APP) {
-        console.log('[nango-webhook] Ignoring forward event from non-GitHub-App integration');
-        return;
-    }
-    try {
-        // Determine event type from payload structure
-        if (githubPayload.installation && githubPayload.action === 'created' && githubPayload.repositories) {
-            // Installation created event
-            await handleInstallationForward(githubPayload, payload.connectionId);
-        }
-        else if (githubPayload.repositories_added || githubPayload.repositories_removed) {
-            // Installation repositories added/removed
-            await handleInstallationRepositoriesForward(githubPayload, payload.connectionId);
-        }
-        else {
-            console.log(`[nango-webhook] Unhandled forward event structure: action=${githubPayload.action}`);
-        }
-    }
-    catch (error) {
-        console.error(`[nango-webhook] Error processing forward event:`, error);
-        throw error;
-    }
-}
-/**
- * Handle GitHub installation events forwarded by Nango
- */
-async function handleInstallationForward(body, connectionId) {
-    const { action, installation, repositories, sender } = body;
-    if (!installation || !sender)
-        return;
-    const installationId = String(installation.id);
-    console.log(`[nango-webhook] Installation ${action}: ${installation.account.login} (${installationId})`);
-    if (action === 'created') {
-        // Find user by GitHub ID
-        const user = await db.users.findByGithubId(String(sender.id));
-        // Create/update installation record
-        await db.githubInstallations.upsert({
-            installationId,
-            accountType: installation.account.type.toLowerCase(),
-            accountLogin: installation.account.login,
-            accountId: String(installation.account.id),
-            installedById: user?.id ?? null,
-            permissions: installation.permissions,
-            events: installation.events,
-        });
-        // Sync repositories if provided
-        if (repositories && user) {
-            const dbInstallation = await db.githubInstallations.findByInstallationId(installationId);
-            if (dbInstallation) {
-                const workspacesToJoin = new Set();
-                for (const repo of repositories) {
-                    const syncedRepo = await db.repositories.upsert({
-                        userId: user.id,
-                        githubFullName: repo.full_name,
-                        githubId: repo.id,
-                        isPrivate: repo.private,
-                        installationId: dbInstallation.id,
-                        nangoConnectionId: connectionId,
-                        syncStatus: 'synced',
-                        lastSyncedAt: new Date(),
-                    });
-                    // Check if repo is part of an existing workspace
-                    // Look for ANY user's record of this repo that has a workspaceId
-                    if (syncedRepo.workspaceId) {
-                        workspacesToJoin.add(syncedRepo.workspaceId);
-                    }
-                    else {
-                        // Check if other users have this repo linked to a workspace
-                        const allRepoRecords = await db.repositories.findByGithubFullName(repo.full_name);
-                        for (const otherRecord of allRepoRecords) {
-                            if (otherRecord.workspaceId && otherRecord.userId !== user.id) {
-                                workspacesToJoin.add(otherRecord.workspaceId);
-                            }
-                        }
-                    }
-                }
-                // Auto-join user to workspaces for repos they have access to
-                for (const workspaceId of workspacesToJoin) {
-                    const existingMembership = await db.workspaceMembers.findMembership(workspaceId, user.id);
-                    if (!existingMembership) {
-                        const workspace = await db.workspaces.findById(workspaceId);
-                        if (workspace) {
-                            console.log(`[nango-webhook] Auto-adding ${user.githubUsername} to workspace ${workspace.name}`);
-                            await db.workspaceMembers.addMember({
-                                workspaceId,
-                                userId: user.id,
-                                role: 'member',
-                                invitedBy: workspace.userId,
-                            });
-                            await db.workspaceMembers.acceptInvite(workspaceId, user.id);
-                        }
-                    }
-                }
-                console.log(`[nango-webhook] Installation created for ${installation.account.login}, auto-joined ${workspacesToJoin.size} workspaces`);
-            }
-        }
-    }
-}
-/**
- * Handle installation_repositories events forwarded by Nango
- */
-async function handleInstallationRepositoriesForward(body, connectionId) {
-    const { action, installation, repositories_added, repositories_removed, sender } = body;
-    console.log(`[nango-webhook] handleInstallationRepositoriesForward called`, {
-        action,
-        installation: installation?.id,
-        sender: sender?.login,
-        connectionId,
-        repositories_added: repositories_added?.map(r => r.full_name),
-        repositories_removed: repositories_removed?.map(r => r.full_name),
-    });
-    if (!installation || !sender) {
-        console.log(`[nango-webhook] Missing installation or sender, skipping`);
-        return;
-    }
-    const installationId = String(installation.id);
-    console.log(`[nango-webhook] Repositories ${action} for ${installation.account.login}`);
-    // Find installation in database
-    const dbInstallation = await db.githubInstallations.findByInstallationId(installationId);
-    if (!dbInstallation) {
-        console.error(`[nango-webhook] Installation ${installationId} not found in database`);
-        return;
-    }
-    console.log(`[nango-webhook] Found installation: ${dbInstallation.id}`);
-    // Find user who triggered this
-    const user = await db.users.findByGithubId(String(sender.id));
-    if (!user) {
-        console.error(`[nango-webhook] User ${sender.login} (github id: ${sender.id}) not found in database`);
-        return;
-    }
-    console.log(`[nango-webhook] Found user: ${user.id} (${user.githubUsername})`);
-    console.log(`[nango-webhook] Processing action: ${action}, repos_added: ${repositories_added?.length}, repos_removed: ${repositories_removed?.length}`);
-    if (action === 'added' && repositories_added) {
-        console.log(`[nango-webhook] Adding ${repositories_added.length} repos for user ${user.id}`);
-        const workspacesToJoin = new Set();
-        for (const repo of repositories_added) {
-            console.log(`[nango-webhook] Upserting repo: ${repo.full_name}`);
-            const syncedRepo = await db.repositories.upsert({
-                userId: user.id,
-                githubFullName: repo.full_name,
-                githubId: repo.id,
-                isPrivate: repo.private,
-                installationId: dbInstallation.id,
-                nangoConnectionId: connectionId,
-                syncStatus: 'synced',
-                lastSyncedAt: new Date(),
-            });
-            console.log(`[nango-webhook] Upserted repo: ${syncedRepo.id}, syncStatus: ${syncedRepo.syncStatus}, nangoConnectionId: ${syncedRepo.nangoConnectionId}`);
-            // Check if repo is part of an existing workspace
-            // Look for ANY user's record of this repo that has a workspaceId
-            if (syncedRepo.workspaceId) {
-                workspacesToJoin.add(syncedRepo.workspaceId);
-            }
-            else {
-                // Check if other users have this repo linked to a workspace
-                const allRepoRecords = await db.repositories.findByGithubFullName(repo.full_name);
-                for (const otherRecord of allRepoRecords) {
-                    if (otherRecord.workspaceId && otherRecord.userId !== user.id) {
-                        workspacesToJoin.add(otherRecord.workspaceId);
-                    }
-                }
-            }
-        }
-        // Auto-join user to workspaces for repos they have access to
-        for (const workspaceId of workspacesToJoin) {
-            const existingMembership = await db.workspaceMembers.findMembership(workspaceId, user.id);
-            if (!existingMembership) {
-                const workspace = await db.workspaces.findById(workspaceId);
-                if (workspace) {
-                    console.log(`[nango-webhook] Auto-adding ${user.githubUsername} to workspace ${workspace.name}`);
-                    await db.workspaceMembers.addMember({
-                        workspaceId,
-                        userId: user.id,
-                        role: 'member',
-                        invitedBy: workspace.userId,
-                    });
-                    await db.workspaceMembers.acceptInvite(workspaceId, user.id);
-                }
-            }
-        }
-        console.log(`[nango-webhook] Added ${repositories_added.length} repositories, auto-joined ${workspacesToJoin.size} workspaces`);
-    }
-    if (action === 'removed' && repositories_removed) {
-        for (const repo of repositories_removed) {
-            const repos = await db.repositories.findByUserId(user.id);
-            const existingRepo = repos.find(r => r.githubFullName === repo.full_name);
-            if (existingRepo) {
-                await db.repositories.updateSyncStatus(existingRepo.id, 'access_removed');
-            }
-        }
-        console.log(`[nango-webhook] Removed access to ${repositories_removed.length} repositories`);
-    }
-}
-/**
- * Handle GitHub App OAuth webhook (repo access)
- */
-async function handleRepoAuthWebhook(connectionId, endUser) {
-    let userId = endUser?.id;
-    // Fallback: If endUser.id not in webhook, fetch connection metadata from Nango
-    if (!userId) {
-        console.log('[nango-webhook] No user ID in webhook payload, fetching from connection metadata...');
-        try {
-            const connection = await nangoService.getConnection(connectionId, NANGO_INTEGRATIONS.GITHUB_APP);
-            userId = connection.end_user?.id;
-            console.log(`[nango-webhook] Got user ID from connection: ${userId || 'not found'}`);
-        }
-        catch (err) {
-            console.error('[nango-webhook] Failed to fetch connection metadata:', err);
-        }
-    }
-    if (!userId) {
-        console.error('[nango-webhook] No user ID found - cannot sync repos');
-        return;
-    }
-    const user = await db.users.findById(userId);
-    if (!user) {
-        console.error(`[nango-webhook] User ${userId} not found`);
-        return;
-    }
-    try {
-        // Get the GitHub App installation ID
-        const githubInstallationId = await nangoService.getGithubAppInstallationId(connectionId);
-        let installationUuid = null;
-        if (githubInstallationId) {
-            // Find or create the github_installations record
-            let installation = await db.githubInstallations.findByInstallationId(String(githubInstallationId));
-            if (!installation) {
-                // Create a new installation record
-                // We need to get more info about the installation - for now use user info
-                installation = await db.githubInstallations.upsert({
-                    installationId: String(githubInstallationId),
-                    accountType: 'user', // Could be 'organization' - we'd need to detect this
-                    accountLogin: user.githubUsername || 'unknown',
-                    accountId: user.githubId || 'unknown',
-                    installedById: user.id,
-                    permissions: {},
-                    events: [],
-                });
-                console.log(`[nango-webhook] Created installation record for ${githubInstallationId}`);
-            }
-            installationUuid = installation.id;
-        }
-        else {
-            console.warn('[nango-webhook] Could not get installation ID from Nango connection');
-        }
-        // Fetch repos the user has access to
-        const { repositories: repos } = await nangoService.listGithubAppRepos(connectionId);
-        // Track workspaces to auto-join
-        const workspacesToJoin = new Set();
-        // Sync repos to database
-        for (const repo of repos) {
-            const syncedRepo = await db.repositories.upsert({
-                userId: user.id,
-                githubFullName: repo.full_name,
-                githubId: repo.id,
-                isPrivate: repo.private,
-                defaultBranch: repo.default_branch,
-                nangoConnectionId: connectionId,
-                installationId: installationUuid,
-                syncStatus: 'synced',
-                lastSyncedAt: new Date(),
-            });
-            // Check if this repo is part of an existing workspace
-            // Look for ANY user's record of this repo that has a workspaceId
-            if (syncedRepo.workspaceId) {
-                workspacesToJoin.add(syncedRepo.workspaceId);
-            }
-            else {
-                // Check if other users have this repo linked to a workspace
-                const allRepoRecords = await db.repositories.findByGithubFullName(repo.full_name);
-                for (const otherRecord of allRepoRecords) {
-                    if (otherRecord.workspaceId && otherRecord.userId !== user.id) {
-                        workspacesToJoin.add(otherRecord.workspaceId);
-                    }
-                }
-            }
-        }
-        // Auto-join user to workspaces for repos they have access to
-        for (const workspaceId of workspacesToJoin) {
-            // Check if already a member
-            const existingMembership = await db.workspaceMembers.findMembership(workspaceId, user.id);
-            if (!existingMembership) {
-                // Get workspace owner to use as invitedBy
-                const workspace = await db.workspaces.findById(workspaceId);
-                if (workspace) {
-                    console.log(`[nango-webhook] Auto-adding ${user.githubUsername} to workspace ${workspace.name}`);
-                    await db.workspaceMembers.addMember({
-                        workspaceId,
-                        userId: user.id,
-                        role: 'member',
-                        invitedBy: workspace.userId, // Workspace owner invited them
-                    });
-                    // Auto-accept since they have GitHub repo access
-                    await db.workspaceMembers.acceptInvite(workspaceId, user.id);
-                }
-            }
-        }
-        // Clear any pending installation request
-        await db.users.clearPendingInstallationRequest(user.id);
-        console.log(`[nango-webhook] Synced ${repos.length} repos for ${user.githubUsername} (installation: ${githubInstallationId || 'unknown'}), auto-joined ${workspacesToJoin.size} workspaces`);
-        // Note: We intentionally do NOT auto-provision workspaces here.
-        // Users should go through the onboarding flow at /app to:
-        // 1. Name their workspace
-        // 2. Choose which repos to include
-        // 3. Understand what they're creating
-    }
-    catch (error) {
-        const err = error;
-        if (err.message?.includes('403')) {
-            // Org approval pending
-            await db.users.setPendingInstallationRequest(user.id);
-            console.log(`[nango-webhook] Org approval pending for ${user.githubUsername}`);
-        }
-        else {
-            throw error;
-        }
-    }
-}
-//# sourceMappingURL=nango-auth.js.map