nyxcore-systems

Unlocking Access: A Sprint Through Progressive Auth, Invitations, and Critical Fixes

We just wrapped a major development sprint, rolling out progressive authentication, a robust invitation system, a new access request flow, and tackling some tricky API integrations. Get a peek behind the curtain of our latest production deployment!

Tags: authentication, social-login, nextauth, access-control, invitations, openai, prisma, trpc, resend, development-sprint, clarait

What a sprint it's been! We've just pushed a significant set of features and critical fixes to production, all aimed at enhancing how users onboard, authenticate, and manage access within our platform, especially for Clarait. This update touches everything from social logins to our internal AI integrations, making the system more robust, user-friendly, and secure.

Let's dive into what made it into this release.

The Grand Unveiling: Progressive Authentication (Phase 1)

Our goal with "Progressive Auth" is to offer a seamless, secure, and flexible authentication experience. Phase 1 focuses on expanding our social login options and setting the stage for more advanced methods like Passkeys.

Expanding Social Login Horizons

We've integrated Google OAuth into our NextAuth setup, sitting alongside our existing GitHub option. Now, users have more flexibility when signing up or logging in. A key decision here was enabling allowDangerousEmailAccountLinking: true for both providers, which allows users to link social accounts to existing email-based accounts, preventing frustrating "account already exists" errors.
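With allowDangerousEmailAccountLinking enabled, NextAuth links a social identity to an existing account purely by matching email address, so the link is only as trustworthy as the provider's email verification. The following is an added example, not code from this project: a guard that could be called from a NextAuth signIn callback. The function name canAutoLink and the input shape are assumptions; the field names follow Google's OIDC email_verified claim and GitHub's GET /user/emails response.

```typescript
// Added example, not nyxCore's code. Field names follow Google's OIDC claims
// (email_verified) and GitHub's GET /user/emails response (verified).
type GoogleProfile = { email?: string; email_verified?: boolean };
type GitHubEmail = { email: string; primary: boolean; verified: boolean };
type LinkInput =
  | { provider: "google"; profile: GoogleProfile }
  | { provider: "github"; email: string | null; emails: GitHubEmail[] };
type LinkDecision = { allow: boolean; reason: string };

const normalizeEmail = (e: string): string => e.trim().toLowerCase();

// Decide whether a social identity may be attached to an existing local account.
function canAutoLink(input: LinkInput, existingAccountEmail: string): LinkDecision {
  const target = normalizeEmail(existingAccountEmail);

  if (input.provider === "google") {
    const { email, email_verified } = input.profile;
    if (!email || normalizeEmail(email) !== target) {
      return { allow: false, reason: "email mismatch" };
    }
    // Strict comparison: a missing claim must never count as verified.
    if (email_verified !== true) {
      return { allow: false, reason: "email not verified by provider" };
    }
    return { allow: true, reason: "verified by google" };
  }

  // GitHub: the profile email alone carries no verification flag, so look the
  // address up in the list returned by GET /user/emails.
  if (!input.email || normalizeEmail(input.email) !== target) {
    return { allow: false, reason: "email mismatch" };
  }
  const match = input.emails.find((e) => normalizeEmail(e.email) === target);
  if (!match || !match.verified) {
    return { allow: false, reason: "email not verified by provider" };
  }
  return { allow: true, reason: "verified by github" };
}

// Constructed sample: an unverified GitHub address matching an existing account.
const sampleDecision = canAutoLink(
  {
    provider: "github",
    email: "alice@example.com",
    emails: [{ email: "alice@example.com", primary: true, verified: false }],
  },
  "Alice@Example.com",
);
console.log(sampleDecision);
```

Returning false from the signIn callback when allow is false rejects the sign-in instead of silently attaching the identity to the existing account.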

Our login page (src/app/(auth)/login/page.tsx) has been redesigned to prioritize these social login buttons, with the Magic Link email option available as a fallback. This clean, intuitive layout ensures a smooth entry point for new and returning users.

Future-Proofing User Accounts

To support future authentication strategies, we've added a preferredAuthMethod field to our User model (prisma/schema.prisma). This helps us understand user preferences and tailor their experience, especially as we move towards Passkeys. Our E2E tests have also been updated to ensure these new flows are rock-solid.

Streamlining Access: Invitations & Request Flow

Beyond initial login, managing access to specific tenants (like Clarait) is crucial. We've significantly upgraded our invitation system and introduced a new, auditable access request flow.

A Smarter Invitation System

We've extended invitation expiry from a brief 15 minutes to a generous 24 hours, giving recipients ample time to act. The biggest improvement, however, is the integration of Resend API for sending beautifully branded HTML invitation emails. No more generic text – our invitations now reflect our brand identity.

Lesson Learned: Taming the Link-Tracking Beast

One of the trickiest challenges we faced was with Resend's default link-tracking behavior. Their bot would pre-click magic links, invalidating them before the actual user could even open the email! Our solution involved a custom sendVerificationRequest function for the Resend provider, specifically adding the X-Entity-Ref-ID header. This simple header disables Resend's link tracking, ensuring our magic links remain valid until the user clicks them. A critical fix for a seemingly small detail!
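The pre-click failure above comes from a single-use token being spent by whichever client fetches the link first. As an added example (not this project's code, and a complementary design that goes beyond the header fix described in the post), the model below keeps the GET read-only and consumes the token only on an explicit POST confirmation, using the 24-hour expiry mentioned for invitations. All function names and sample values are assumptions.

```typescript
// Added example, not nyxCore's code: a single-use magic-link token that an
// automated GET cannot burn, because only an explicit POST consumes it.
// In a real system the token is random and only its hash is stored.
type TokenRecord = { email: string; expiresAt: number; usedAt: number | null };
type TokenStore = Map<string, TokenRecord>;

const INVITE_TTL_MS = 24 * 60 * 60 * 1000; // 24-hour expiry, as in the post

function issueToken(store: TokenStore, token: string, email: string, now: number): void {
  store.set(token, { email, expiresAt: now + INVITE_TTL_MS, usedAt: null });
}

function isLive(rec: TokenRecord | undefined, now: number): rec is TokenRecord {
  return rec !== undefined && rec.usedAt === null && now < rec.expiresAt;
}

// GET handler logic: read-only, so repeated fetches leave the token untouched.
function previewToken(store: TokenStore, token: string, now: number): boolean {
  return isLive(store.get(token), now);
}

// POST handler logic: the only place the token is consumed.
function consumeToken(store: TokenStore, token: string, now: number): string | null {
  const rec = store.get(token);
  if (!isLive(rec, now)) return null;
  rec.usedAt = now; // mark used before returning so a replay fails
  return rec.email;
}

// Constructed scenario: a link scanner fetches the URL twice, then the user confirms.
function runScenario(): { scannerSees: boolean[]; userLogin: string | null; replay: string | null } {
  const store: TokenStore = new Map<string, TokenRecord>();
  const t0 = 1700000000000; // constructed timestamp in milliseconds
  const token = "tok-constructed-1"; // constructed placeholder value
  issueToken(store, token, "invitee@example.com", t0);
  const scannerSees = [
    previewToken(store, token, t0 + 1000),
    previewToken(store, token, t0 + 2000),
  ];
  const userLogin = consumeToken(store, token, t0 + 60000);
  const replay = consumeToken(store, token, t0 + 61000);
  return { scannerSees, userLogin, replay };
}

console.log(runScenario());
```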

Introducing the Access Request Flow

For users who aren't directly invited but need access to a specific tenant, we've built a comprehensive Request Access flow.

  • New Model & Router: A dedicated AccessRequest Prisma model and access_requests table now store all requests, managed by a new tRPC router (src/server/trpc/routers/access-requests.ts).
  • GDPR-Compliant Form: A new page (src/app/(auth)/request-access/page.tsx) provides a clean, GDPR-compliant form for users to submit their details (name, email, company, reason).
  • Superadmin Control: Our superadmin UI now features a new "Requests" tab with a pending count badge. Admins can easily review, approve (assigning a tenant and role), or reject requests with a note. Approving a request now automatically generates and sends an invitation, seamlessly guiding the user to their new workspace.

This flow replaces a generic "No workspace" message, providing a structured, auditable path for users to gain access.

Under the Hood: Critical Fixes & Enhancements

No sprint is complete without tackling some technical debt and critical API quirks.

OpenAI GPT-5 Compatibility

As AI models evolve, so do their APIs. We hit a snag with OpenAI's GPT-5:

Lesson Learned: API Evolution and Parameter Changes

Initially, we encountered 400 errors when using max_tokens and custom temperature with GPT-5. It turns out max_tokens is now max_completion_tokens for all OpenAI models, and GPT-5 specifically only supports the default temperature (1). We've updated our code (c59a942, 9b5dde8) to use max_completion_tokens universally and added GPT-5 to our isReasoningModel() check to skip temperature/top_p adjustments, ensuring smooth operation with the latest models.

Other Notable Improvements:

  • Batch URL Import for Axiom: A new batchFetchUrls tRPC mutation and UI (1219bc1) now allows for efficient bulk import of URLs, a significant time-saver.
  • formatRelativeTime Fix: Our utility function for displaying relative times ("in 23h", "2 days ago") now correctly handles future dates, fixing an issue where future events were incorrectly showing as "just now."
  • Workflow Persona Assignments: We've aligned 7 persona assignments in our clarait-auth workflow (335a4785) with our BRauth Design Spec, improving internal consistency.
  • nyxCore description for Clarait: Around 200 words added to clarify the integration.

Looking Ahead

This sprint has laid crucial groundwork, especially for user onboarding and access management. We're excited to see the Clarait invitations successfully delivered and look forward to our new users joining.

Our immediate next step is Progressive Auth Phase 2: Passkeys (WebAuthn). The spec is ready, and we're eager to bring this secure, passwordless authentication method to life. We'll also be verifying the successful logins of our first three Clarait invitees and considering a "Resend Invitation" feature for superadmins.

Stay tuned for more updates as we continue to build and refine!