chore: Adding organizationId in email verification

[trishaanand]

Description

Tip

Add a TL;DR when the description is longer than 500 words or extremely technical (helps the content, marketing, and DevRel team).

Please also include relevant motivation and context. List any dependencies that are required for this change. Add links to Notion, Figma or any other documents that might be relevant to the PR.

Fixes #Issue Number
or
Fixes Issue URL

Warning

If no issue exists, please create an issue first, and check with the maintainers if the issue is valid.

Automation

/test sanity

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/14053389188
Commit: 62fa250
Cypress dashboard.
Tags: @tag.Sanity
Spec:

---

Tue, 25 Mar 2025 07:24:44 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

• Yes
• No

Summary by CodeRabbit

• New Features

  • Enhanced email verification: links now include organization details for improved security.
  • Existing verification tokens have been updated to carry organization-specific information.

• Refactor

  • Streamlined user onboarding and profile management workflows to better incorporate organization data.
  • Improved error messages during email verification to clearly indicate organization mismatches.

[coderabbitai]

Walkthrough

This pull request introduces an organizationId field to the EmailVerificationToken entity and implements necessary changes across the codebase. A new migration class is added to update existing documents in the database by setting this field when missing. Additionally, updates in the UserServiceCEImpl class refactor user organization assignment, enhance email verification token creation and verification, and include improved error handling and new methods for managing user profiles.

Changes

Files	Change Summary
app/server/appsmith-server/src/main/java/com/appsmith/server/domains/EmailVerificationToken.java	Added new field String organizationId to associate email verification tokens with organizations.
app/server/appsmith-server/src/main/java/com/appsmith/server/migrations/db/ce/Migration070_…java	Introduced Migration070_AddOrganizationIdToEmailVerificationToken migration class to update existing documents with an organization ID. Logs a warning if no organization is found and specifies that rollback is not supported.
app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/UserServiceCEImpl.java	Modified email verification flow: updated URL format to include organizationId, refactored user organization handling by introducing setOrganizationIdForUser, added getAnonymousUserProfile, and enhanced token verification error handling.

Sequence Diagram(s)

sequenceDiagram
    participant US as UserServiceCEImpl
    participant DB as Database
    participant Token as EmailVerificationToken

    Note over US: User Creation Flow
    US->>US: setOrganizationIdForUser(user)
    US->>Token: Create token with organizationId
    Token-->>US: Token created
    US->>Token: verifyEmailVerificationToken(token, providedOrganizationId)
    Token-->>US: Validate organizationId match or error

Loading

sequenceDiagram
    participant M as Migration070_AddOrganizationIdToEmailVerificationToken
    participant DB as Database
    participant Org as Organization

    M->>DB: Query for Organization instance
    alt Organization exists
        DB-->>M: Return organization with organizationId
        M->>DB: Update EmailVerificationToken docs missing organizationId
        DB-->>M: Return count of modified documents
    else No organization found
        M-->>M: Log warning and skip migration
    end

Loading

Possibly related PRs

• chore: Adding migration to make user email unique in an organization #39567: Introduces a migration to ensure user email uniqueness within an organization, involving organizationId implications at the database level.
• chore: Update instance variables via organization config update #39856: Updates the email verification process to handle organization-related data, with similar modifications for organizationId usage during token creation and verification.

Suggested labels

Bug, ok-to-test

Suggested reviewers

• sharat87
• abhvsn

Poem

In code we trust, with changes bright,
An organizationId shines in the night.
Tokens, migrations, services align,
Each method revised to simply refine.
Cheers to progress and code so neat,
Where logic and structure endlessly meet!
🚀✨

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai plan to trigger planning for file edits and PR creation.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

app/server/appsmith-server/src/main/java/com/appsmith/server/migrations/db/ce/Migration070_AddOrganizationIdToEmailVerificationToken.java (2)

16-17: Use a descriptive author or remove if unnecessary.
Providing the author's identity can help trace future migration issues.

---

25-46: Consider multi-organization scenarios.
The migration currently assumes only one organization. If new organizations exist or arrive later, tokens might be assigned an incorrect organizationId.

app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/UserServiceCEImpl.java (2)

115-115: Check for potential PII exposure.
Embedding organizationId in the URL can leak info if logged or shared. Consider masking or limiting logs.

---

758-772: Anonymous profile creation is neat.
If anonymous users ever need org-specific data, consider an optional org ID. Currently, this is fine.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1183208 and 62fa250.

📒 Files selected for processing (3)

• app/server/appsmith-server/src/main/java/com/appsmith/server/domains/EmailVerificationToken.java (1 hunks)
• app/server/appsmith-server/src/main/java/com/appsmith/server/migrations/db/ce/Migration070_AddOrganizationIdToEmailVerificationToken.java (1 hunks)
• app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/UserServiceCEImpl.java (12 hunks)

🧰 Additional context used

🧬 Code Definitions (1)

app/server/appsmith-server/src/main/java/com/appsmith/server/migrations/db/ce/Migration070_AddOrganizationIdToEmailVerificationToken.java (1)

app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/UserServiceCEImpl.java (1)

• Slf4j (90-1007)

⏰ Context from checks skipped due to timeout of 90000ms (5)

• GitHub Check: perform-test / rts-build / build
• GitHub Check: perform-test / server-build / server-unit-tests
• GitHub Check: perform-test / client-build / client-build
• GitHub Check: server-unit-tests / server-unit-tests
• GitHub Check: server-spotless / spotless-check

🔇 Additional comments (15)

app/server/appsmith-server/src/main/java/com/appsmith/server/domains/EmailVerificationToken.java (1)

21-21: New field addition looks good.
Please ensure null or empty scenarios are consistently handled downstream.

app/server/appsmith-server/src/main/java/com/appsmith/server/migrations/db/ce/Migration070_AddOrganizationIdToEmailVerificationToken.java (1)

48-51: Rollback not supported.
This is acceptable if changes are irreversible. Just ensure it's documented for future clarity.

app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/UserServiceCEImpl.java (13)

110-110: Be mindful of widening visibility.
Making this constant protected instead of private might unintentionally expose it to subclasses.

---

418-419: Good layering for setting organizationId.
This ensures the user object always has an organizationId before being saved.

---

532-546: Helper method keeps code clean.
Nicely encapsulated logic for assigning organizationId. Consider error handling for null returns from getCurrentUserOrganizationId.

---

587-595: Sequential flow is clear.
Retrieving org ID before creation aligns with the new approach.

---

713-716: Anonymous user handling is well isolated.
This check simplifies your user profile flow nicely.

---

718-718: No concerns here.
Transition to regular user flow is straightforward.

---

926-928: Error handling is robust.
Catching these exceptions and redirecting is a good defensive approach.

---

933-936: Null token check is properly handled.
Returning early avoids unnecessary processing and confusion.

---

939-940: Graceful handling for missing email tokens.
Prevents unexpected null referencing.

---

942-945: Organization-specific user lookup is appropriate.
Ensures the verified user matches the correct organization.

---

949-949: Security context usage is consistent.
No issues found.

---

966-971: Organization mismatch check is a good security measure.
Prevents cross-organization token usage.

---

1000-1000: Final email verification flag set.
Confirms user is verified with minimal overhead.