workos org sync (#2412)

Author: motatoes

ui/src/api/orchestrator_orgs.ts

@@ -15,7 +15,7 @@ export async function syncOrgToBackend(orgId: string, orgName: string, adminEmai
   });
 
   if (!response.ok) {
-    throw new Error(`Failed to sync organization: ${response.statusText}`);
+    throw new Error(`Failed to sync organization to backend: ${response.statusText}`);
   }
 
   return response.json();

ui/src/api/statesman_orgs.ts

@@ -1,29 +1,29 @@
 
 
-export async function syncOrgToStatesman(orgId: string, orgName: string, displayName: string, userId: string, adminEmail: string) {
+export async function syncOrgToStatesman(orgId: string, orgName: string, displayName: string, userId: string | null, adminEmail: string | null) {
     const response = await fetch(`${process.env.STATESMAN_BACKEND_URL}/internal/api/orgs`, {
         method: 'POST',
         headers: {
             'Content-Type': 'application/json',
             'Authorization': `Bearer ${process.env.STATESMAN_BACKEND_WEBHOOK_SECRET}`,
             'X-Org-ID': "",
-            'X-User-ID': userId,
-            'X-Email': adminEmail,
+            'X-User-ID': userId ?? '',
+            'X-Email': adminEmail ?? '',
         },
         body: JSON.stringify({ 
             "external_org_id": orgId,
             "name": orgName,
             "display_name": displayName,
         })
-    })  
+    })
 
     if (response.status === 409) {
         console.log("Org already exists in statesman")
         return response.json();
     }
 
     if (!response.ok) {
-        throw new Error(`Failed to sync organization to statesman: ${response.statusText}`);
+        throw new Error(`Failed to sync organization to statesman: ${response.statusText}`, { cause: await response.text() });
     }
 
     return response.json();

ui/src/components/sign-in-button.tsx

@@ -15,7 +15,24 @@ export default function SignInButton({ large, user, url }: { large?: boolean; us
 
   return (
     <Button asChild size={large ? '3' : '2'} className="cursor-pointer">
-      <a href={url}>Sign In To Get Started</a>
+      <a
+        href={url}
+        style={{
+          color: 'white',
+          background:
+            'linear-gradient(90deg, #6D28D9 0%, #3B82F6 100%)',
+          padding: '0.65em 2em',
+          borderRadius: '8px',
+          fontWeight: 'bold',
+          letterSpacing: '0.03em',
+          fontSize: '1.1em',
+          boxShadow: '0 2px 16px 0 rgba(59, 130, 246, 0.35)',
+          border: 'none',
+          textShadow: '0 2px 8px rgba(59,130,246,0.17)'
+        }}
+      >
+        Sign In To Get Started
+      </a>
     </Button>
   );
 }

ui/src/routeTree.gen.ts

@@ -13,11 +13,13 @@ import { Route as LogoutRouteImport } from './routes/logout'
 import { Route as AuthenticatedRouteImport } from './routes/_authenticated'
 import { Route as IndexRouteImport } from './routes/index'
 import { Route as TfeSplatRouteImport } from './routes/tfe/$'
+import { Route as ManualTerraformWellKnownRouteImport } from './routes/manual/terraformWellKnown'
 import { Route as OrchestratorJob_artefactsRouteImport } from './routes/_orchestrator/job_artefacts'
 import { Route as AuthenticatedDashboardRouteImport } from './routes/_authenticated/_dashboard'
 import { Route as OrchestratorGithubWebhookRouteImport } from './routes/orchestrator/github/webhook'
 import { Route as OrchestratorGithubCallbackRouteImport } from './routes/orchestrator/github/callback'
 import { Route as AppSettingsTokensRouteImport } from './routes/app/settings.tokens'
+import { Route as ApiInternalSyncWorkosOrgsRouteImport } from './routes/api/internal/sync-workos-orgs'
 import { Route as ApiAuthCallbackRouteImport } from './routes/api/auth/callback'
 import { Route as ApiAuthWorkosWebhooksRouteImport } from './routes/api/auth/workos/webhooks'
 import { Route as ApiAuthWorkosSwitchOrgRouteImport } from './routes/api/auth/workos/switch-org'
@@ -63,6 +65,12 @@ const TfeSplatRoute = TfeSplatRouteImport.update({
   path: '/tfe/$',
   getParentRoute: () => rootRouteImport,
 } as any)
+const ManualTerraformWellKnownRoute =
+  ManualTerraformWellKnownRouteImport.update({
+    id: '/manual/terraformWellKnown',
+    path: '/manual/terraformWellKnown',
+    getParentRoute: () => rootRouteImport,
+  } as any)
 const OrchestratorJob_artefactsRoute =
   OrchestratorJob_artefactsRouteImport.update({
     id: '/_orchestrator/job_artefacts',
@@ -90,6 +98,12 @@ const AppSettingsTokensRoute = AppSettingsTokensRouteImport.update({
   path: '/app/settings/tokens',
   getParentRoute: () => rootRouteImport,
 } as any)
+const ApiInternalSyncWorkosOrgsRoute =
+  ApiInternalSyncWorkosOrgsRouteImport.update({
+    id: '/api/internal/sync-workos-orgs',
+    path: '/api/internal/sync-workos-orgs',
+    getParentRoute: () => rootRouteImport,
+  } as any)
 const ApiAuthCallbackRoute = ApiAuthCallbackRouteImport.update({
   id: '/api/auth/callback',
   path: '/api/auth/callback',
@@ -244,8 +258,10 @@ export interface FileRoutesByFullPath {
   '/': typeof IndexRoute
   '/logout': typeof LogoutRoute
   '/job_artefacts': typeof OrchestratorJob_artefactsRoute
+  '/manual/terraformWellKnown': typeof ManualTerraformWellKnownRoute
   '/tfe/$': typeof TfeSplatRoute
   '/api/auth/callback': typeof ApiAuthCallbackRoute
+  '/api/internal/sync-workos-orgs': typeof ApiInternalSyncWorkosOrgsRoute
   '/app/settings/tokens': typeof AppSettingsTokensRoute
   '/orchestrator/github/callback': typeof OrchestratorGithubCallbackRoute
   '/orchestrator/github/webhook': typeof OrchestratorGithubWebhookRoute
@@ -278,8 +294,10 @@ export interface FileRoutesByTo {
   '/': typeof IndexRoute
   '/logout': typeof LogoutRoute
   '/job_artefacts': typeof OrchestratorJob_artefactsRoute
+  '/manual/terraformWellKnown': typeof ManualTerraformWellKnownRoute
   '/tfe/$': typeof TfeSplatRoute
   '/api/auth/callback': typeof ApiAuthCallbackRoute
+  '/api/internal/sync-workos-orgs': typeof ApiInternalSyncWorkosOrgsRoute
   '/app/settings/tokens': typeof AppSettingsTokensRoute
   '/orchestrator/github/callback': typeof OrchestratorGithubCallbackRoute
   '/orchestrator/github/webhook': typeof OrchestratorGithubWebhookRoute
@@ -313,8 +331,10 @@ export interface FileRoutesById {
   '/logout': typeof LogoutRoute
   '/_authenticated/_dashboard': typeof AuthenticatedDashboardRouteWithChildren
   '/_orchestrator/job_artefacts': typeof OrchestratorJob_artefactsRoute
+  '/manual/terraformWellKnown': typeof ManualTerraformWellKnownRoute
   '/tfe/$': typeof TfeSplatRoute
   '/api/auth/callback': typeof ApiAuthCallbackRoute
+  '/api/internal/sync-workos-orgs': typeof ApiInternalSyncWorkosOrgsRoute
   '/app/settings/tokens': typeof AppSettingsTokensRoute
   '/orchestrator/github/callback': typeof OrchestratorGithubCallbackRoute
   '/orchestrator/github/webhook': typeof OrchestratorGithubWebhookRoute
@@ -349,8 +369,10 @@ export interface FileRouteTypes {
     | '/'
     | '/logout'
     | '/job_artefacts'
+    | '/manual/terraformWellKnown'
     | '/tfe/$'
     | '/api/auth/callback'
+    | '/api/internal/sync-workos-orgs'
     | '/app/settings/tokens'
     | '/orchestrator/github/callback'
     | '/orchestrator/github/webhook'
@@ -383,8 +405,10 @@ export interface FileRouteTypes {
     | '/'
     | '/logout'
     | '/job_artefacts'
+    | '/manual/terraformWellKnown'
     | '/tfe/$'
     | '/api/auth/callback'
+    | '/api/internal/sync-workos-orgs'
     | '/app/settings/tokens'
     | '/orchestrator/github/callback'
     | '/orchestrator/github/webhook'
@@ -417,8 +441,10 @@ export interface FileRouteTypes {
     | '/logout'
     | '/_authenticated/_dashboard'
     | '/_orchestrator/job_artefacts'
+    | '/manual/terraformWellKnown'
     | '/tfe/$'
     | '/api/auth/callback'
+    | '/api/internal/sync-workos-orgs'
     | '/app/settings/tokens'
     | '/orchestrator/github/callback'
     | '/orchestrator/github/webhook'
@@ -453,8 +479,10 @@ export interface RootRouteChildren {
   AuthenticatedRoute: typeof AuthenticatedRouteWithChildren
   LogoutRoute: typeof LogoutRoute
   OrchestratorJob_artefactsRoute: typeof OrchestratorJob_artefactsRoute
+  ManualTerraformWellKnownRoute: typeof ManualTerraformWellKnownRoute
   TfeSplatRoute: typeof TfeSplatRoute
   ApiAuthCallbackRoute: typeof ApiAuthCallbackRoute
+  ApiInternalSyncWorkosOrgsRoute: typeof ApiInternalSyncWorkosOrgsRoute
   AppSettingsTokensRoute: typeof AppSettingsTokensRoute
   OrchestratorGithubCallbackRoute: typeof OrchestratorGithubCallbackRoute
   OrchestratorGithubWebhookRoute: typeof OrchestratorGithubWebhookRoute
@@ -498,6 +526,13 @@ declare module '@tanstack/react-router' {
       preLoaderRoute: typeof TfeSplatRouteImport
       parentRoute: typeof rootRouteImport
     }
+    '/manual/terraformWellKnown': {
+      id: '/manual/terraformWellKnown'
+      path: '/manual/terraformWellKnown'
+      fullPath: '/manual/terraformWellKnown'
+      preLoaderRoute: typeof ManualTerraformWellKnownRouteImport
+      parentRoute: typeof rootRouteImport
+    }
     '/_orchestrator/job_artefacts': {
       id: '/_orchestrator/job_artefacts'
       path: '/job_artefacts'
@@ -533,6 +568,13 @@ declare module '@tanstack/react-router' {
       preLoaderRoute: typeof AppSettingsTokensRouteImport
       parentRoute: typeof rootRouteImport
     }
+    '/api/internal/sync-workos-orgs': {
+      id: '/api/internal/sync-workos-orgs'
+      path: '/api/internal/sync-workos-orgs'
+      fullPath: '/api/internal/sync-workos-orgs'
+      preLoaderRoute: typeof ApiInternalSyncWorkosOrgsRouteImport
+      parentRoute: typeof rootRouteImport
+    }
     '/api/auth/callback': {
       id: '/api/auth/callback'
       path: '/api/auth/callback'
@@ -836,8 +878,10 @@ const rootRouteChildren: RootRouteChildren = {
   AuthenticatedRoute: AuthenticatedRouteWithChildren,
   LogoutRoute: LogoutRoute,
   OrchestratorJob_artefactsRoute: OrchestratorJob_artefactsRoute,
+  ManualTerraformWellKnownRoute: ManualTerraformWellKnownRoute,
   TfeSplatRoute: TfeSplatRoute,
   ApiAuthCallbackRoute: ApiAuthCallbackRoute,
+  ApiInternalSyncWorkosOrgsRoute: ApiInternalSyncWorkosOrgsRoute,
   AppSettingsTokensRoute: AppSettingsTokensRoute,
   OrchestratorGithubCallbackRoute: OrchestratorGithubCallbackRoute,
   OrchestratorGithubWebhookRoute: OrchestratorGithubWebhookRoute,

ui/src/routes/api/internal/sync-workos-orgs.tsx

@@ -0,0 +1,95 @@
+import { syncOrgToBackend } from '@/api/orchestrator_orgs';
+import { syncOrgToStatesman } from '@/api/statesman_orgs';
+import { getWorkOS } from '@/authkit/ssr/workos';
+import { createFileRoute } from '@tanstack/react-router'
+import { syncUserToBackend } from '@/api/orchestrator_users';
+import { syncUserToStatesman } from '@/api/statesman_users';
+
+async function syncWorkosOrgs() {
+    const workos = await getWorkOS()
+
+    let after: string | undefined = undefined;
+    let totalSynced = 0;
+
+    do {
+        const page = await workos.organizations.listOrganizations({ after });
+        for (const org of page.data) {
+            try {                
+                // Determine oldest member's email to use as adminEmail
+                let adminEmail: string | null = null;
+                let oldestUserId: string | null = null;
+                let orgMemberships: any[] = [];
+                try {
+                    // List memberships for this organization
+                    const memberships = await getWorkOS().userManagement.listOrganizationMemberships({
+                        organizationId: org.id,
+                    } as any);
+                    orgMemberships = (memberships as any)?.data ?? [];
+
+                    const sorted = orgMemberships.slice?.().sort?.((a: any, b: any) => {
+                        const aTime = new Date(a?.createdAt ?? a?.created_at ?? 0).getTime();
+                        const bTime = new Date(b?.createdAt ?? b?.created_at ?? 0).getTime();
+                        return aTime - bTime;
+                    }) ?? [];
+                    const oldest = sorted[0] as any;
+                    if (oldest?.userId || oldest?.user?.id) {
+                        const userId = oldest?.userId ?? oldest?.user?.id;
+                        oldestUserId = userId ?? null;
+                        try {
+                            const user = await getWorkOS().userManagement.getUser(userId);
+                            adminEmail = (user as any)?.email ?? null;
+                        } catch {
+                            adminEmail = (oldest as any)?.user?.email ?? null;
+                        }
+                    }
+                } catch (err) {
+                    console.warn('Could not resolve oldest org member for adminEmail', { orgId: org.id, err: err instanceof Error ? err.message : String(err) });
+                }
+
+                await syncOrgToBackend(org.id, org.name, adminEmail);
+                await syncOrgToStatesman(org.id, org.name, org.name, oldestUserId, adminEmail);
+
+                // After org sync completes, sync all users for this org to backend and statesman
+                for (const m of orgMemberships) {
+                    const uid = (m as any)?.userId ?? (m as any)?.user?.id;
+                    if (!uid) continue;
+                    let email = (m as any)?.user?.email ?? '';
+                    if (!email) {
+                        try {
+                            const user = await getWorkOS().userManagement.getUser(uid);
+                            email = (user as any)?.email ?? '';
+                        } catch {}
+                    }
+                    if (!email || email === adminEmail) continue;
+                    await Promise.allSettled([
+                        syncUserToBackend(uid, email, org.id),
+                        syncUserToStatesman(uid, email, org.id),
+                    ]);
+                }
+                console.log("Synced organization to backend", { id: org.id, name: org.name });
+                totalSynced += 1;
+            } catch (error) {
+                console.error("Failed to sync organization", { id: org.id, name: org.name, error: error instanceof Error ? error.message : String(error) });
+            }
+        }
+        after = page.listMetadata?.after ?? undefined;
+    } while (after);
+
+    console.log(`Completed WorkOS organization resync`, { totalSynced });
+}
+
+export const Route = createFileRoute('/api/internal/sync-workos-orgs' as any)({
+    server: {
+      handlers: {
+        POST: async ({ request }) => {
+            const internalTasksSecret = request.headers.get('Authorization')?.replace('Bearer ', '');
+            if (internalTasksSecret !== process.env.INTERNAL_TASKS_SECRET) {
+                return new Response('Unauthorized', { status: 401 });
+            }
+            syncWorkosOrgs();
+            return new Response('OK');
+        }   
+    },
+  },
+})
+

ui/src/routes/manual/terraformWellKnown.tsx

@@ -1,6 +1,10 @@
 import { createFileRoute, createRoute } from '@tanstack/react-router'
 import { Route as rootRoute } from '@/routes/__root'
 
+// File-route shim to satisfy the file-based router scanner
+export const Route = createFileRoute('/manual/terraformWellKnown' as any)({})
+
+
 export const terraformRoute = createRoute({
     getParentRoute: () => rootRoute,
     path: '/.well-known/terraform.json',