[comp] Production Deploy#2352

Merged
Marfuen merged 4 commits into release from main
Mar 20, 2026

@github-actions

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.

github-actions bot and others added 2 commits March 20, 2026 15:17
…he config

CS-150 [Bug] - 2FA GWS workspace returning users that have been excluded from the config

vercel bot commented Mar 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| app (staging) | Ready | Preview, Comment | Mar 21, 2026 4:19pm |
| portal (staging) | Ready | Preview, Comment | Mar 21, 2026 4:19pm |

cursor bot commented Mar 20, 2026

PR Summary

Medium Risk
Modifies CORS/Origin validation to allow subdomains and DB-backed custom domains, which affects CSRF/CORS protections and depends on Redis/env configuration. Also refactors directory sync email filtering into a shared module used by both API sync and Google Workspace checks, which could change which users are included/excluded.

Overview
Origin/CORS hardening and flexibility: replaces the static getTrustedOrigins() allowlist usage with an async isTrustedOrigin() check in main.ts CORS and originCheckMiddleware, allowing trusted *.trycomp.ai/*.trust.inc subdomains and verified custom domains loaded from the DB and cached in Upstash Redis (5 min TTL). Error CORS headers are now only applied when isStaticTrustedOrigin() passes.

Directory sync filter reuse: moves Google Workspace sync email include/exclude term parsing/matching into packages/integration-platform (parseSyncFilterTerms, matchesSyncFilterTerms), reuses it in SyncController and the Google Workspace two-factor-auth check, and adds unit tests; related mocks/tests were updated for the new async origin logic and shared exports.

Written by Cursor Bugbot for commit 10c467d. This will update automatically on new commits. Configure here.

…ded from the config - Fix build issue (#2353)

* fix(integration-platform): exclude users in Google Workspace integrations

* fix(api): exclude users in Google Workspace integrations

* fix(integration-platform): re-make ifFullEmailTerm without depending on regexp

* fix(integration-platform): fix org unit filter bypassing email exclusion logic

* fix(integration-platform): rename filter-terms functions

* fix(integration-platform): fix test build issue for email-exclusion-terms

* fix(integration-platform): remove duplicated test file

---------

Co-authored-by: chasprowebdev <chasgarciaprowebdev@gmail.com>
…2354)

Trust portals are served on dynamic subdomains (e.g. security.trycomp.ai,
acme.trust.inc) and verified custom domains (e.g. trust.acmecorp.com),
but the CORS config only had a static allowlist. This caused browsers to
block requests from trust portals to api.trycomp.ai.

- Add isStaticTrustedOrigin() for sync checks (*.trycomp.ai, *.trust.inc)
- Add async isTrustedOrigin() that also checks verified custom domains
  from the DB via Upstash Redis cache (5-min TTL)
- Update CORS origin callback, origin-check middleware, and
  cors-exception filter to use the new functions
- Update tests to cover subdomain matching and async behavior

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
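
An added example (not code from this repository) of the origin check the commit message above describes: subdomains of trycomp.ai and trust.inc are matched on a label boundary, and custom domains by exact host from a cache with the 5-minute TTL. The function names follow the PR text; their bodies, the `load` callback standing in for the DB/Redis lookup, and the in-memory cache are assumptions.

```typescript
// Added example, not the project's code. Suffixes and TTL come from the PR text;
// the loader callback and in-memory cache are hypothetical stand-ins.
const TRUSTED_SUFFIXES = ['trycomp.ai', 'trust.inc'];
const CACHE_TTL_MS = 5 * 60 * 1000;

// Returns the host of a well-formed https Origin value, or null.
function parseHttpsHost(origin: string): string | null {
  let url: URL;
  try {
    url = new URL(origin);
  } catch {
    return null; // "null", empty or malformed Origin header
  }
  // An Origin is scheme://host[:port] only: reject paths, userinfo and
  // anything else that does not round-trip through the URL parser.
  if (url.protocol !== 'https:' || url.origin !== origin) return null;
  return url.hostname;
}

function isStaticTrustedOrigin(origin: string): boolean {
  const host = parseHttpsHost(origin);
  if (host === null) return false;
  // The leading dot forces a label boundary, so "eviltrycomp.ai" and
  // "trycomp.ai.evil.example" do not match.
  return TRUSTED_SUFFIXES.some((suffix) => host.endsWith('.' + suffix));
}

type DomainLoader = () => Promise<string[]>; // hypothetical: verified custom domains
let cached: { hosts: Set<string>; expires: number } | null = null;

async function isTrustedOrigin(origin: string, load: DomainLoader, now: number = Date.now()): Promise<boolean> {
  if (isStaticTrustedOrigin(origin)) return true;
  const host = parseHttpsHost(origin);
  if (host === null) return false;
  try {
    if (cached === null || cached.expires <= now) {
      const hosts = await load();
      cached = { hosts: new Set(hosts.map((h) => h.toLowerCase())), expires: now + CACHE_TTL_MS };
    }
  } catch {
    return false; // fail closed if the lookup is unavailable
  }
  return cached.hosts.has(host); // custom domains match by exact host only
}
```
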
vercel bot temporarily deployed to staging – portal March 20, 2026 22:30 (Inactive)
vercel bot temporarily deployed to staging – app March 20, 2026 22:30 (Inactive)
Marfuen merged commit 7e8ae96 into release Mar 20, 2026
13 checks passed
@claudfuen

🎉 This PR is included in version 3.10.4 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
