stack-auth
diff --git a/‎.github/workflows/reviewers-assignees.yml‎
Lines changed: 80 additions & 0 deletions b/‎.github/workflows/reviewers-assignees.yml‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎apps/backend/.env‎
Lines changed: 2 additions & 0 deletions b/‎apps/backend/.env‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎apps/backend/package.json‎
Lines changed: 2 additions & 1 deletion b/‎apps/backend/package.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎apps/backend/prisma/migrations/20250815012830_email_drafts/migration.sql‎
Lines changed: 17 additions & 0 deletions b/‎apps/backend/prisma/migrations/20250815012830_email_drafts/migration.sql‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎apps/backend/prisma/schema.prisma‎
Lines changed: 23 additions & 0 deletions b/‎apps/backend/prisma/schema.prisma‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎apps/backend/prisma/seed.ts‎
Lines changed: 7 additions & 0 deletions b/‎apps/backend/prisma/seed.ts‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎apps/backend/src/app/api/latest/auth/sessions/crud.tsx‎
Lines changed: 1 addition & 1 deletion b/‎apps/backend/src/app/api/latest/auth/sessions/crud.tsx‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎apps/backend/src/app/api/latest/connected-accounts/[user_id]/[provider_id]/access-token/crud.tsx‎
Lines changed: 7 additions & 7 deletions b/‎apps/backend/src/app/api/latest/connected-accounts/[user_id]/[provider_id]/access-token/crud.tsx‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎apps/backend/src/app/api/latest/data-vault/stores/[id]/set/route.tsx‎
Lines changed: 0 additions & 2 deletions b/‎apps/backend/src/app/api/latest/data-vault/stores/[id]/set/route.tsx‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎apps/backend/src/app/api/latest/emails/render-email/route.tsx‎
Lines changed: 42 additions & 22 deletions b/‎apps/backend/src/app/api/latest/emails/render-email/route.tsx‎
Lines changed: 42 additions & 22 deletions
@@ -0,0 +1,80 @@
+name: Sync Reviewers and Assignees
+
+on:
+  pull_request_target:
+    types: [review_requested]
+  pull_request_review:
+    types: [submitted]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Add reviewer as assignee
+        if: ${{ github.event_name == 'pull_request' && github.event.action == 'review_requested' }}
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+            const reviewer = context.payload.requested_reviewer;
+            if (!reviewer || !reviewer.login) {
+              core.info('No individual reviewer in payload (team review or missing). Skipping.');
+              return;
+            }
+            await github.rest.issues.addAssignees({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr.number,
+              assignees: [reviewer.login],
+            });
+            core.info(`Assigned ${reviewer.login} to PR #${pr.number}`);
+
+      - name: Remove reviewer from assignees on review submission
+        if: ${{ github.event_name == 'pull_request_review' && github.event.action == 'submitted' }}
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+            const reviewer = context.payload.review?.user;
+            const state = context.payload.review?.state?.toLowerCase();
+            const author = pr.user;
+            if (!reviewer || !reviewer.login) {
+              core.info('No reviewer user found in payload. Skipping.');
+              return;
+            }
+            if (!state) {
+              core.info('No review state provided. Skipping.');
+              return;
+            }
+            if (!['approved', 'changes_requested'].includes(state)) {
+              core.info(`Review state is '${state}' (likely a comment). Not removing assignee.`);
+              return;
+            }
+            if (author && reviewer.login === author.login) {
+              core.info('Reviewer is the PR author. Not removing assignee.');
+              return;
+            }
+            await github.rest.issues.removeAssignees({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr.number,
+              assignees: [reviewer.login],
+            });
+            core.info(`Removed ${reviewer.login} from assignees on PR #${pr.number}`);
+
+            if (author?.login) {
+              await github.rest.issues.addAssignees({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pr.number,
+                assignees: [author.login],
+              });
+              core.info(`Re-assigned PR author ${author.login} to PR #${pr.number}`);
+            } else {
+              core.info('No PR author found to re-assign.');
+            }
@@ -3,6 +3,7 @@ NEXT_PUBLIC_STACK_API_URL=# the base URL of Stack's backend/API. For local devel
 NEXT_PUBLIC_STACK_DASHBOARD_URL=# the URL of Stack's dashboard. For local development, this is `http://localhost:8101`; for the managed service, this is `https://app.stack-auth.com`.
 STACK_SECRET_SERVER_KEY=# a random, unguessable secret key generated by `pnpm generate-keys`
 
+
 # seed script settings
 STACK_SEED_INTERNAL_PROJECT_SIGN_UP_ENABLED=# true to enable user sign up to the dashboard when seeding
 STACK_SEED_INTERNAL_PROJECT_OTP_ENABLED=# true to add OTP auth to the dashboard when seeding
@@ -82,3 +83,4 @@ STACK_OPENAI_API_KEY=# enter your openai api key
 STACK_FEATUREBASE_API_KEY=# enter your featurebase api key
 STACK_STRIPE_SECRET_KEY=# enter your stripe api key
 STACK_STRIPE_WEBHOOK_SECRET=# enter your stripe webhook secret
+
@@ -61,8 +61,9 @@
     "@prisma/adapter-pg": "^6.12.0",
     "@prisma/client": "^6.12.0",
     "@prisma/instrumentation": "^6.12.0",
-    "@sentry/nextjs": "^8.40.0",
+    "@sentry/nextjs": "^10.11.0",
     "@simplewebauthn/server": "^11.0.0",
+    "@stackframe/stack": "workspace:*",
     "@stackframe/stack-shared": "workspace:*",
     "@upstash/qstash": "^2.8.2",
     "@vercel/functions": "^2.0.0",
 
@@ -0,0 +1,17 @@
+-- CreateEnum
+CREATE TYPE "DraftThemeMode" AS ENUM ('PROJECT_DEFAULT', 'NONE', 'CUSTOM');
+
+-- CreateTable
+CREATE TABLE "EmailDraft" (
+    "tenancyId" UUID NOT NULL,
+    "id" UUID NOT NULL,
+    "displayName" TEXT NOT NULL,
+    "themeMode" "DraftThemeMode" NOT NULL DEFAULT 'PROJECT_DEFAULT',
+    "themeId" TEXT,
+    "tsxSource" TEXT NOT NULL,
+    "sentAt" TIMESTAMP(3),
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "EmailDraft_pkey" PRIMARY KEY ("tenancyId","id")
+);
@@ -673,6 +673,29 @@ model SentEmail {
@@id([tenancyId, id])
 }
 
+model EmailDraft {
+  tenancyId String @db.Uuid
+
+  id String @default(uuid()) @db.Uuid
+
+  displayName String
+  themeMode   DraftThemeMode @default(PROJECT_DEFAULT)
+  themeId     String?
+  tsxSource   String
+  sentAt      DateTime?
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@id([tenancyId, id])
+}
+
+enum DraftThemeMode {
+  PROJECT_DEFAULT
+  NONE
+  CUSTOM
+}
+
 model CliAuthAttempt {
   tenancyId String @db.Uuid
 
 
@@ -90,6 +90,13 @@ async function seed() {
     projectId: 'internal',
     branchId: DEFAULT_BRANCH_ID,
     environmentConfigOverrideOverride: {
+      dataVault: {
+        stores: {
+          'neon-connection-strings': {
+            displayName: 'Neon Connection Strings',
+          }
+        }
+      },
       payments: {
         groups: {
           plans: {
 
@@ -18,7 +18,7 @@ export const sessionsCrudHandlers = createLazyProxy(() => createCrudHandlers(ses
   }).defined(),
   onList: async ({ auth, query }) => {
     const prisma = await getPrismaClientForTenancy(auth.tenancy);
-    const schema = getPrismaSchemaForTenancy(auth.tenancy);
+    const schema = await getPrismaSchemaForTenancy(auth.tenancy);
     const listImpersonations = auth.type === 'admin';
 
     if (auth.type === 'client') {
 
@@ -141,18 +141,18 @@ export const connectedAccountAccessTokenCrudHandlers = createLazyProxy(() => cre
         });
 
         if (tokenSet.refreshToken) {
-          // remove the old token, add the new token to the DB
-          await prisma.oAuthToken.deleteMany({
-            where: {
-              refreshToken: token.refreshToken,
-            },
+          // mark the old token as invalid, add the new token to the DB
+          const oldToken = token;
+          await prisma.oAuthToken.update({
+            where: { id: oldToken.id },
+            data: { isValid: false },
           });
           await prisma.oAuthToken.create({
             data: {
               tenancyId: auth.tenancy.id,
               refreshToken: tokenSet.refreshToken,
-              oauthAccountId: token.projectUserOAuthAccount.id,
-              scopes: token.scopes,
+              oauthAccountId: oldToken.projectUserOAuthAccount.id,
+              scopes: oldToken.scopes,
             }
           });
         }
 
@@ -39,7 +39,6 @@ export const POST = createSmartRouteHandler({
     // note that encryptedValue is encrypted by client-side encryption, while encrypted is encrypted by both client-side
     // and server-side encryption.
     const encrypted = await encryptWithKms(encryptedValue);
-
     // Store or update the entry
     await prisma.dataVaultEntry.upsert({
       where: {
@@ -59,7 +58,6 @@ export const POST = createSmartRouteHandler({
         encrypted,
       },
     });
-
     return {
       statusCode: 200,
       bodyType: "success",
 
@@ -1,7 +1,7 @@
 import { getEmailThemeForTemplate, renderEmailWithTemplate } from "@/lib/email-rendering";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { KnownErrors } from "@stackframe/stack-shared/dist/known-errors";
-import { adaptSchema, templateThemeIdSchema, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+import { adaptSchema, templateThemeIdSchema, yupNumber, yupObject, yupString, yupUnion } from "@stackframe/stack-shared/dist/schema-fields";
 import { StatusError } from "@stackframe/stack-shared/dist/utils/errors";
 
 export const POST = createSmartRouteHandler({
@@ -15,12 +15,24 @@ export const POST = createSmartRouteHandler({
       type: yupString().oneOf(["admin"]).defined(),
       tenancy: adaptSchema.defined(),
     }).defined(),
-    body: yupObject({
-      theme_id: templateThemeIdSchema.nullable(),
-      theme_tsx_source: yupString(),
-      template_id: yupString(),
-      template_tsx_source: yupString(),
-    }),
+    body: yupUnion(
+      yupObject({
+        template_id: yupString().uuid().defined(),
+        theme_id: templateThemeIdSchema,
+      }),
+      yupObject({
+        template_id: yupString().uuid().defined(),
+        theme_tsx_source: yupString().defined(),
+      }),
+      yupObject({
+        template_tsx_source: yupString().defined(),
+        theme_id: templateThemeIdSchema,
+      }),
+      yupObject({
+        template_tsx_source: yupString().defined(),
+        theme_tsx_source: yupString().defined(),
+      }),
+    ).defined(),
   }),
   response: yupObject({
     statusCode: yupNumber().oneOf([200]).defined(),
@@ -32,32 +44,40 @@ export const POST = createSmartRouteHandler({
     }).defined(),
   }),
   async handler({ body, auth: { tenancy } }) {
-    if ((body.theme_id === undefined && !body.theme_tsx_source) || (body.theme_id && body.theme_tsx_source)) {
-      throw new StatusError(400, "Exactly one of theme_id or theme_tsx_source must be provided");
-    }
-    if ((!body.template_id && !body.template_tsx_source) || (body.template_id && body.template_tsx_source)) {
-      throw new StatusError(400, "Exactly one of template_id or template_tsx_source must be provided");
+    const templateList = new Map(Object.entries(tenancy.config.emails.templates));
+    const themeList = new Map(Object.entries(tenancy.config.emails.themes));
+    let themeSource: string;
+    if ("theme_tsx_source" in body) {
+      themeSource = body.theme_tsx_source;
+    } else {
+      if (typeof body.theme_id === "string" && !themeList.has(body.theme_id)) {
+        throw new StatusError(400, "No theme found with given id");
+      }
+      themeSource = getEmailThemeForTemplate(tenancy, body.theme_id);
     }
 
-    if (body.theme_id && !(body.theme_id in tenancy.config.emails.themes)) {
-      throw new StatusError(400, "No theme found with given id");
+    let contentSource: string;
+    if ("template_tsx_source" in body) {
+      contentSource = body.template_tsx_source;
+    } else if ("template_id" in body) {
+      const template = templateList.get(body.template_id);
+      if (!template) {
+        throw new StatusError(400, "No template found with given id");
+      }
+      contentSource = template.tsxSource;
+    } else {
+      throw new KnownErrors.SchemaError("Either template_id or template_tsx_source must be provided");
     }
-    const templateList = new Map(Object.entries(tenancy.config.emails.templates));
-    const themeSource = body.theme_id === undefined ? body.theme_tsx_source! : getEmailThemeForTemplate(tenancy, body.theme_id);
-    const templateSource = body.template_id ? templateList.get(body.template_id)?.tsxSource : body.template_tsx_source;
 
-    if (!templateSource) {
-      throw new StatusError(400, "No template found with given id");
-    }
     const result = await renderEmailWithTemplate(
-      templateSource,
+      contentSource,
       themeSource,
       {
         project: { displayName: tenancy.project.display_name },
         previewMode: true,
       },
     );
-    if ("error" in result) {
+    if (result.status === "error") {
       throw new KnownErrors.EmailRenderingError(result.error);
     }
     return {