Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 5 additions & 0 deletions crates/billing-integrations/src/publish.rs
Original file line number Diff line number Diff line change
Expand Up @@ -825,6 +825,11 @@ async fn get_or_create_customer_for_tenant(
join auth.users as users on user_grants.user_id = users.id
where users.email is not null and user_grants.object_role = $1
and user_grants.capability = 'admin'
-- Exclude service accounts: their synthetic addresses must
-- never be chosen as a tenant's Stripe billing contact.
and not exists (
select 1 from internal.service_accounts sa where sa.user_id = users.id
)
order by users.created_at asc
"#,
tenant
Expand Down
21 changes: 19 additions & 2 deletions crates/control-plane-api/src/envelope.rs
Original file line number Diff line number Diff line change
Expand Up @@ -237,8 +237,25 @@ impl axum::extract::FromRequestParts<Arc<crate::App>> for Envelope {
let mut token = auth.token();
let exchanged_token: Option<String>;

// Is this is a refresh token? If so, first exchange for an access token.
if !token.contains(".") {
// A service-account API key (flow_sa_-prefixed) or a
// refresh token (base64 JSON, which never contains '.') may
// be presented in lieu of a signed JWT. We exchange either
// for a short-lived signed access token and then verify it
// exactly like a JWT presented directly; a JWT is verified
// by its signature. The exchange's stateful database check
// is the source of trust — the signature just lets the
// minted token flow through the normal verify path.
if token.starts_with("flow_sa_") {
exchanged_token = Some(
crate::server::exchange_api_key(
&state.pg_pool,
&state.control_plane_jwt_encode_key,
token,
)
.await?,
);
token = exchanged_token.as_ref().unwrap();
} else if !token.contains('.') {
exchanged_token = Some(
crate::server::exchange_refresh_token(&state.pg_pool, token).await?,
);
Expand Down
Loading
Loading