Add Auth0 user linking

apps/rpc/src/configuration.ts

@@ -7,7 +7,9 @@ export const createConfiguration = () =>
     AUTH0_ISSUER: config(process.env.AUTH0_ISSUER),
     AUTH0_AUDIENCES: config(process.env.AUTH0_AUDIENCES),
     AUTH0_CLIENT_ID: config(process.env.AUTH0_CLIENT_ID),
+    AUTH0_WEB_CLIENT_ID: config(process.env.AUTH0_WEB_CLIENT_ID),
     AUTH0_CLIENT_SECRET: config(process.env.AUTH0_CLIENT_SECRET),
+    AUTH0_WEB_CLIENT_SECRET: config(process.env.AUTH0_WEB_CLIENT_SECRET),
     AUTH0_MGMT_TENANT: config(process.env.AUTH0_MGMT_TENANT),
 
     WEB_PUBLIC_ORIGIN: config(process.env.WEB_PUBLIC_ORIGIN),

apps/rpc/src/modules/core.ts

@@ -104,17 +104,25 @@ export function createThirdPartyClients(configuration: Configuration) {
   const s3Client = new S3Client({ region: configuration.AWS_REGION })
   const sesClient = new SESClient({ region: configuration.AWS_REGION })
   const sqsClient = new SQSClient({ region: configuration.AWS_REGION })
+
   const auth0Client = new ManagementClient({
     domain: configuration.AUTH0_MGMT_TENANT,
     clientId: configuration.AUTH0_CLIENT_ID,
     clientSecret: configuration.AUTH0_CLIENT_SECRET,
   })
+
+  const webAuth0Client = new ManagementClient({
+    domain: configuration.AUTH0_MGMT_TENANT,
+    clientId: configuration.AUTH0_WEB_CLIENT_ID,
+    clientSecret: configuration.AUTH0_WEB_CLIENT_SECRET,
+  })
+
   const stripe = new Stripe(configuration.STRIPE_SECRET_KEY, {
     apiVersion: "2025-08-27.basil",
   })
   const prisma = createPrisma(configuration.DATABASE_URL)
   const workspaceDirectory = isGoogleWorkspaceFeatureEnabled(configuration) ? getDirectory(configuration) : null
-  return { s3Client, sesClient, sqsClient, auth0Client, stripe, prisma, workspaceDirectory }
+  return { s3Client, sesClient, sqsClient, auth0Client, webAuth0Client, stripe, prisma, workspaceDirectory }
 }
 
 /**
@@ -162,7 +170,9 @@ export async function createServiceLayer(
   const userService = getUserService(
     userRepository,
     feideGroupsRepository,
+    groupRepository,
     clients.auth0Client,
+    clients.webAuth0Client,
     membershipService,
     clients.s3Client,
     configuration.AWS_S3_BUCKET

apps/rpc/src/modules/group/group-repository.ts

@@ -16,6 +16,7 @@ import {
   GroupSchema,
   type GroupWrite,
   type UserId,
+  type GroupMembershipWriteWithRoles,
 } from "@dotkomonline/types"
 import type { GroupType } from "@prisma/client"
 import z from "zod"
@@ -33,6 +34,14 @@ export interface GroupRepository {
   findManyByType(handle: DBHandle, groupType: GroupType): Promise<Group[]>
   findManyByUserId(handle: DBHandle, userId: UserId): Promise<Group[]>
 
+  findGroupMembershipById(handle: DBHandle, groupMembershipId: GroupMembershipId): Promise<GroupMembership | null>
+  findGroupMembersByRoleType(handle: DBHandle, groupSlug: GroupId, roleType: GroupRoleType): Promise<GroupMember[]>
+
+  findManyGroupMemberships(
+    handle: DBHandle,
+    groupSlug: GroupId | null,
+    userId: UserId | null
+  ): Promise<GroupMembership[]>
   createGroupMembership(
     handle: DBHandle,
     groupMembershipData: GroupMembershipWrite,
@@ -44,9 +53,8 @@ export interface GroupRepository {
     groupMembershipData: GroupMembershipWrite,
     groupRoleIds: Set<GroupRoleId>
   ): Promise<GroupMembership>
-  findGroupMembershipById(handle: DBHandle, groupMembershipId: GroupMembershipId): Promise<GroupMembership | null>
-  findGroupMembersByRoleType(handle: DBHandle, groupSlug: GroupId, roleType: GroupRoleType): Promise<GroupMember[]>
-  findManyGroupMemberships(handle: DBHandle, groupSlug: GroupId, userId?: UserId): Promise<GroupMembership[]>
+  deleteGroupMemberships(handle: DBHandle, groupMembershipIds: GroupMembershipId[]): Promise<void>
+  createManyGroupMemberships(handle: DBHandle, groupMembershipData: GroupMembershipWriteWithRoles[]): Promise<void>
 
   createGroupRoles(handle: DBHandle, groupRolesData: GroupRoleWrite[]): Promise<GroupRole[]>
   updateGroupRole(
@@ -315,7 +323,7 @@ export function getGroupRepository(): GroupRepository {
     async findManyGroupMemberships(handle, groupSlug, userId) {
       const memberships = await handle.groupMembership.findMany({
         where: {
-          groupId: groupSlug,
+          ...(groupSlug ? { groupId: groupSlug } : {}),
           ...(userId ? { userId } : {}),
         },
         include: {
@@ -353,6 +361,29 @@ export function getGroupRepository(): GroupRepository {
 
       return parseOrReport(GroupRoleSchema, row)
     },
+
+    async deleteGroupMemberships(handle, groupMembershipIds) {
+      await handle.groupMembership.deleteMany({
+        where: {
+          id: {
+            in: groupMembershipIds,
+          },
+        },
+      })
+    },
+
+    async createManyGroupMemberships(handle, groupMembershipData) {
+      await handle.groupMembership.createMany({
+        data: groupMembershipData.map(({ roleIds, ...membershipData }) => ({
+          ...membershipData,
+          roles: {
+            createMany: {
+              data: [...roleIds].map((roleId) => ({ roleId })),
+            },
+          },
+        })),
+      })
+    },
   }
 }
 

apps/rpc/src/modules/group/group-service.ts

@@ -16,14 +16,17 @@ import {
   type UserId,
   getDefaultGroupMemberRoles,
   GROUP_IMAGE_MAX_SIZE_KIB,
+  areGroupRolesEqual,
+  type GroupMembershipWriteWithRoles,
 } from "@dotkomonline/types"
 import { createS3PresignedPost, getCurrentUTC, slugify } from "@dotkomonline/utils"
-import { areIntervalsOverlapping, compareDesc } from "date-fns"
+import { areIntervalsOverlapping, compareDesc, isAfter, isEqual } from "date-fns"
 import { maxTime } from "date-fns/constants"
 import invariant from "tiny-invariant"
 import { FailedPreconditionError, NotFoundError } from "../../error"
 import type { UserService } from "../user/user-service"
 import type { GroupRepository } from "./group-repository"
+import crypto from "node:crypto"
 
 export interface GroupService {
   create(handle: DBHandle, data: GroupWrite): Promise<Group>
@@ -72,6 +75,16 @@ export interface GroupService {
     groupMembershipData: GroupMembershipWrite,
     groupRoleIds: Set<GroupRoleId>
   ): Promise<GroupMembership>
+  deleteManyGroupMemberships(handle: DBHandle, groupMembershipIds: GroupMembershipId[]): Promise<void>
+  createManyGroupMemberships(
+    handle: DBHandle,
+    groupMembershipData: (GroupMembershipWrite & { roleIds: Set<GroupRoleId> })[]
+  ): Promise<void>
+  /**
+   * Reduces the array of memberships to its simplest form, removing overlapping memberships and merging memberships
+   * which could be merged.
+   */
+  simplifyMemberships(memberships: GroupMembership[]): GroupMembershipWriteWithRoles[]
 
   createRole(handle: DBHandle, groupRoleData: GroupRoleWrite): Promise<GroupRole>
   updateRole(handle: DBHandle, groupRoleId: GroupRoleId, groupRoleData: GroupRoleWrite): Promise<GroupRole>
@@ -210,9 +223,9 @@ export function getGroupService(
     },
 
     async getMembers(handle, groupSlug) {
-      const memberships = await groupRepository.findManyGroupMemberships(handle, groupSlug)
+      const memberships = await groupRepository.findManyGroupMemberships(handle, groupSlug, null)
 
-      if (!memberships) {
+      if (memberships.length === 0) {
         return new Map()
       }
 
@@ -318,6 +331,38 @@ export function getGroupService(
       return await groupRepository.updateGroupRole(handle, groupRoleId, groupRoleData)
     },
 
+    simplifyMemberships(memberships) {
+      const membershipsByGroup = new Map<string, GroupMembership[]>()
+
+      for (const membership of memberships) {
+        // @ts-ignore: getOrInsert is a function
+        const groupMemberships = membershipsByGroup.getOrInsert(membership.groupId, [])
+        groupMemberships.push(membership)
+      }
+
+      const results: GroupMembershipWriteWithRoles[] = []
+
+      for (const groupMemberships of membershipsByGroup.values()) {
+        const simplified = simplifyGroupMemberships(groupMemberships)
+        results.push(...simplified)
+      }
+
+      return results
+    },
+
+    createManyGroupMemberships(
+      handle: DBHandle,
+      groupMembershipData: (GroupMembershipWrite & {
+        roleIds: Set<GroupRoleId>
+      })[]
+    ): Promise<void> {
+      return groupRepository.createManyGroupMemberships(handle, groupMembershipData)
+    },
+
+    deleteManyGroupMemberships(handle: DBHandle, groupMembershipIds: GroupMembershipId[]): Promise<void> {
+      return groupRepository.deleteGroupMemberships(handle, groupMembershipIds)
+    },
+
     async createFileUpload(filename, contentType, createdByUserId) {
       const uuid = crypto.randomUUID()
       const key = `group/${Date.now()}-${uuid}-${slugify(filename)}`
@@ -332,3 +377,115 @@ export function getGroupService(
     },
   }
 }
+
+type Segment = {
+  start: Date
+  end: Date | null
+  roles: GroupRole[]
+  sourceMembership: GroupMembership
+}
+
+/**
+ * Simplifies a list of group memberships by merging overlapping memberships and removing duplicate memberships.
+ *
+ * @example
+ * // Example with boundaries 0-5 and roles A, B, and C:
+ * 0   1     2  3  4  5
+ * A---------   C-----
+ *     B-----------
+ *
+ * // Result:
+ * 0   1     2  3  4  5
+ * A---      B--   C--
+ *     AB----   BC-
+ */
+export function simplifyGroupMemberships(memberships: GroupMembership[]): GroupMembershipWriteWithRoles[] {
+  const hasOngoingMembership = memberships.some((membership) => membership.end === null)
+
+  // This set collects membership boundary points so we can recreate segments for merging roles into.
+  const boundaryTimestamps = new Set<number>()
+
+  for (const membership of memberships) {
+    boundaryTimestamps.add(membership.start.getTime())
+
+    if (membership.end !== null) {
+      boundaryTimestamps.add(membership.end.getTime())
+    }
+  }
+
+  const sortedBoundaries = [...boundaryTimestamps].toSorted((a, b) => a - b).map((timestamp) => new Date(timestamp))
+
+  const segments: Segment[] = []
+
+  for (let i = 0; i < sortedBoundaries.length; i++) {
+    const segmentStart = sortedBoundaries[i]
+    const isLastBoundary = i === sortedBoundaries.length - 1
+
+    if (isLastBoundary && !hasOngoingMembership) {
+      break
+    }
+
+    const segmentEnd = isLastBoundary ? null : sortedBoundaries[i + 1]
+
+    const activeRolesInSegment: GroupRole[] = []
+    let sourceMembership: GroupMembership | null = null
+
+    for (const membership of memberships) {
+      const isSegmentStartContained = !isAfter(membership.start, segmentStart)
+      const isSegmentEndContained = membership.end === null || isAfter(membership.end, segmentStart)
+
+      if (isSegmentStartContained && isSegmentEndContained) {
+        activeRolesInSegment.push(...membership.roles)
+
+        if (sourceMembership === null) {
+          sourceMembership = membership
+        }
+      }
+    }
+
+    if (activeRolesInSegment.length === 0 || sourceMembership === null) {
+      continue
+    }
+
+    const uniqueRolesById = new Map<string, GroupRole>()
+    for (const role of activeRolesInSegment) {
+      if (!uniqueRolesById.has(role.id)) {
+        uniqueRolesById.set(role.id, role)
+      }
+    }
+
+    segments.push({
+      start: segmentStart,
+      end: segmentEnd,
+      roles: [...uniqueRolesById.values()],
+      sourceMembership,
+    })
+  }
+
+  const mergedSegments: Segment[] = []
+
+  for (const segment of segments) {
+    const previousSegment = mergedSegments.length > 0 ? mergedSegments[mergedSegments.length - 1] : null
+
+    const canMergeWithPrevious =
+      previousSegment !== null &&
+      previousSegment.end !== null &&
+      isEqual(previousSegment.end, segment.start) &&
+      areGroupRolesEqual(previousSegment.roles, segment.roles)
+
+    if (canMergeWithPrevious && previousSegment !== null) {
+      previousSegment.end = segment.end
+    } else {
+      mergedSegments.push({ ...segment })
+    }
+  }
+
+  return mergedSegments.map((segment) => ({
+    id: segment.sourceMembership.id,
+    start: segment.start,
+    end: segment.end,
+    userId: segment.sourceMembership.userId,
+    groupId: segment.sourceMembership.groupId,
+    roleIds: new Set(segment.roles.map((role) => role.id)),
+  }))
+}