Support GitHub organization admin access #10
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 84172ea36b
| async function makeSession(login, orgs, env) { | ||
| const payload = base64UrlEncodeJson({ | ||
| login, | ||
| orgs: uniqueStrings(orgs), |
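Review bot: In makeSession, the payload line orgs: uniqueStrings(orgs) records which orgs matched, but the visible lines record nothing about when GitHub confirmed that membership, so code reading the cookie cannot tell a fresh grant from one that is hours old. If the rest of the payload does not already carry it, add a membership-checked-at timestamp beside orgs and have the session reader re-query GitHub once that timestamp is older than a short window, rather than relying on the cookie lifetime.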
Re-check org membership before authorizing sessions
When access is granted through STRATEGY_SWITCH_ADMIN_ORGS or ALLOWED_GITHUB_ORGS, this stores the matching org names in the signed session cookie and readSession() later trusts that cached list for the full 8-hour TTL. If a user is removed from the GitHub org, they can continue to access /admin or dispatch switches until their existing cookie expires because the Worker no longer asks GitHub whether they are still a member; unlike login allowlist changes, org revocation does not take effect immediately. Consider revalidating org membership when evaluating org-based authorization or otherwise invalidating these sessions on revocation-sensitive paths.
Useful? React with 👍 / 👎.
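One way to implement the revalidation this review comment asks for, as an added example that is not code from the pull request. The function name, the `orgsCheckedAt` session field, the policy shape, the five-minute window and the injected `isOrgMember` check are assumptions; cookie signing and the actual GitHub API call are left to the caller.

```javascript
// Added example; not code from the pull request. Names and shapes are assumptions.
const ORG_RECHECK_MS = 5 * 60 * 1000; // assumed freshness window for cached org membership

// session:  signature-verified cookie payload { login, orgs, orgsCheckedAt (epoch ms) }
// policy:   current config { adminLogins: [...], adminOrgs: [...] }
// isOrgMember(login, org): injected async check that asks GitHub right now
// maxAgeMs: pass 0 on revocation-sensitive routes to force a live check
async function authorizeAdmin(session, policy, isOrgMember, maxAgeMs = ORG_RECHECK_MS, now = Date.now()) {
  const lower = (s) => String(s).toLowerCase();
  const deny = { allowed: false, via: null, session };

  // Login grants are compared with current config on every request.
  if (policy.adminLogins.map(lower).includes(lower(session.login))) {
    return { allowed: true, via: "login", session };
  }

  const adminOrgs = new Set(policy.adminOrgs.map(lower));
  const cached = (session.orgs || []).filter((org) => adminOrgs.has(lower(org)));
  if (cached.length === 0) return deny;

  // Trust the cached list only inside the freshness window, not for the cookie TTL.
  const age = now - Number(session.orgsCheckedAt);
  if (Number.isFinite(age) && age >= 0 && age < maxAgeMs) {
    return { allowed: true, via: "org-cached", session };
  }

  // Stale or missing timestamp: confirm each matching org with GitHub.
  const confirmed = [];
  for (const org of cached) {
    try {
      if ((await isOrgMember(session.login, org)) === true) confirmed.push(org);
    } catch {
      // Fail closed: an API error never extends access.
    }
  }
  // Caller re-signs and re-issues the cookie from this payload.
  // Orgs that were not re-verified here are dropped from it.
  const refreshed = { ...session, orgs: confirmed, orgsCheckedAt: now };
  return confirmed.length > 0
    ? { allowed: true, via: "org-rechecked", session: refreshed }
    : { allowed: false, via: null, session: refreshed };
}
```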
Summary
- read:org scope and authorize users by GitHub organization membership
- ALLOWED_GITHUB_ORGS and STRATEGY_SWITCH_ADMIN_ORGS alongside login-based allow/admin lists
- /admin to manage allowed/admin users and orgs through KV
- QuantStrategyLab as the preferred admin organization while keeping login-based break-glass admin support

Verification
- node --check --input-type=module < web/strategy-switch-console/worker.js
- node --check --input-type=module < web/strategy-switch-console/page_asset.js
- sed -n '/<script>/,/<\\/script>/p' docs/index.html | sed '1d;$d' | node --check --input-type=commonjs
- python3 -m json.tool web/strategy-switch-console/account-options.example.json >/dev/null
- python3 -m py_compile scripts/sync_strategy_switch_page_asset.py scripts/build_runtime_switch.py scripts/runtime_settings.py tests/test_runtime_settings.py
- timeout 120 python3 scripts/runtime_settings.py validate
- timeout 180 python3 -m unittest discover -s tests -v
- STRATEGY_SWITCH_ADMIN_ORGS=QuantStrategyLab org member can access /admin and save KV config
- npx wrangler@3 deploy worker.js --name qsl-strategy-switch-console --compatibility-date 2026-06-09 --dry-run --outdir /tmp/qsl-strategy-switch-console-worker-org