ecarjat replaces email/password auth with Google OAuth restricted to KairosVista domain

ecarjat ships a four-commit sequence that strips email/password login, adds Google OAuth, and locks access to `kairosvista.com` email addresses at the backend middleware level. The domain-gating mechanism is cleanly written and no-ops when left unconfigured.

securitymulti-tenant

The first commit (a7a4138) adds a Google OAuth button alongside the existing forms. The second (13e0a83) removes the email/password forms entirely and adds AUTH_ALLOWED_EMAILS and AUTH_ALLOWED_EMAIL_DOMAINS CSV env vars. These are read in backend/src/middleware/auth.ts inside requireAuth - after Supabase has already verified the token, a 403 is returned if the user's email doesn't match either list. When both lists are empty, the check passes unconditionally. The Google OAuth call also passes hd: "kairosvista.com" as a query parameter, which pre-filters the Google account picker, though this is a UX hint rather than a security boundary. The third commit (786591a) reskins the auth pages to the KairosVista dark navy / neutral-950 design.

The fourth commit (8393b10) backfills OAuth user metadata into profiles. requireAuth exposes res.locals.userMetadata, and GET /user/profile extracts full_name, name, display_name, or user_name fields from it. Organisation is inferred from the email domain (@kairosvista.com → "KairosVista"). Any blank display_name or organisation fields on the user_profiles row are updated on every profile fetch.

The same commit bumps multer from ^1.4.5-lts.2 to ^2.1.1 - multer v2 has breaking API changes so review the changelog before merging. mammoth goes to ^1.12.0, @anthropic-ai/sdk to 0.95.1. @supabase/auth-helpers-nextjs is removed from production dependencies; the fork now uses @supabase/supabase-js directly for auth.

So what Two pieces are worth picking up regardless of whether you use Google OAuth: the `AUTH_ALLOWED_EMAIL_DOMAINS` / `AUTH_ALLOWED_EMAILS` gating in `requireAuth` (clean, no-op by default, useful for any restricted deployment) and the OAuth metadata backfill in `routes/user.ts`. The `multer ^2` bump is worth tracking for security reasons but needs a careful read - the upload API changed. The brand reskin and logo are obviously KairosVista-specific. The removal of `@supabase/auth-helpers-nextjs` is useful signal: Supabase deprecated it in favour of `@supabase/ssr`, so this fork is moving in the right direction.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

4 commits from ecarjat/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
a7a41386 Add Google OAuth login Emmanuel Carjat 2026-05-10 ↗ GitHub
13e0a83b Restrict auth to KairosVista Google users Emmanuel Carjat 2026-05-10 ↗ GitHub
786591a2 Match KairosVista auth layout Emmanuel Carjat 2026-05-10 ↗ GitHub
8393b109 Backfill OAuth profiles and reduce audit findings Emmanuel Carjat 2026-05-10 ↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-397.md from inside the repo you want the changes in.

⬇ Download capture-thread-397.md