The magic link verification endpoint now returns `requires_signup_completion`
to indicate whether the client needs to collect a name and complete signup.
The signup completion endpoint now supports JSON responses with the account ID.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The CSS change in 39575a0 added `display: flex` to the lightbox dialog
unconditionally, which overrode the browser's default `display: none`
for closed dialogs. This made the invisible lightbox overlay intercept
all clicks on the page.
Move flexbox properties to the `&[open]` selector so they only apply
when the dialog is actually open.
Also fix typo: `innerHtml` → `innerHTML` (capital H).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename SaasAdminController to Admin::AuditController
- Override require_authentication to support bearer tokens alongside
session auth, allowing API access to audit console
- Add migration for audits1984_auditor_tokens table
- Add controller tests for authentication scenarios including staff
validation on token-based access
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This is so that native API clients can get the session record deleted
server-side. They still need to take care of clearing any cookies
they've set in web views.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* main: (26 commits)
Add a new Pins section to docs/API.md covering pin/unpin and the pinned cards list response.
Align board name start so it doesn't get too big
Clean up card/events header layout
Sync email to Stripe when user changes email address (#2432)
Fix IDOR in webhook activation endpoint (#2431)
Add card reactions to API docs and reactions_url to card JSON (#2427)
Remove unnecessary claude plan
Allow boosts on cards (#2411)
Revert "Fix notification click URL by using correct data property"
Add migration to remove draft cards from search index
Guard search indexing with searchable? check
Forbid comments on draft cards
prefactor: update search to use published cards
Fix notification click URL by using correct data property
Wait for service worker to be active before subscribing
Fix stuck state when permission granted but no subscription
Extract Card::Commentable
Include arm64 build in Docker workflow
Remove unnecessary `await` in push handler
Correctly initialise WebPush connection (#2417)
...
* main: (127 commits)
Align board name start so it doesn't get too big
Clean up card/events header layout
Sync email to Stripe when user changes email address (#2432)
Fix IDOR in webhook activation endpoint (#2431)
Add card reactions to API docs and reactions_url to card JSON (#2427)
Remove unnecessary claude plan
Allow boosts on cards (#2411)
Revert "Fix notification click URL by using correct data property"
Add migration to remove draft cards from search index
Guard search indexing with searchable? check
Forbid comments on draft cards
prefactor: update search to use published cards
Fix notification click URL by using correct data property
Wait for service worker to be active before subscribing
Fix stuck state when permission granted but no subscription
Extract Card::Commentable
Include arm64 build in Docker workflow
Remove unnecessary `await` in push handler
Correctly initialise WebPush connection (#2417)
Update models, views, and fixtures for polymorphic reactions
...
* Sync owner email to Stripe when changed
When an account owner changes their email address, update the
corresponding Stripe customer record via a background job.
Also handles ownership transfers: when a user becomes the account
owner, their email is synced to Stripe.
Responsibility chain:
- User::NotifiesAccountOfEmailChange triggers on owner identity change
or when a user becomes owner
- Account::Billing#owner_email_changed enqueues sync job
- Account::SyncStripeCustomerEmailJob performs the update with
polynomial backoff retries
- Account::Subscription#sync_customer_email_to_stripe calls Stripe API
* Address PR feedback: error handling and test coverage
- Handle Stripe::InvalidRequestError in sync_customer_email_to_stripe
(mirrors cancel method behavior for deleted customers)
- Add test for deactivated owner (owner with nil identity)
- Add test for deleted Stripe customer scenario
The webhook activation controller was using account-scoped lookup
instead of board-scoped lookup, allowing users to reactivate webhooks
on boards they don't have access to.
This was an oversight when board-scoping was added to the main webhooks
controller - the activations controller was missed in that update.
The fix adds the BoardScoped concern to properly restrict webhook
activation to boards the user has explicit access to.