Migrate to better auth

.github/workflows/test.yml

@@ -47,7 +47,9 @@ jobs:
           NEXTAUTH_SECRET: "secret"
           GOOGLE_CLIENT_ID: "client_id"
           GOOGLE_CLIENT_SECRET: "client_secret"
+          MICROSOFT_CLIENT_ID: "client_id"
+          MICROSOFT_CLIENT_SECRET: "client_secret"
           GOOGLE_PUBSUB_TOPIC_NAME: "topic"
           EMAIL_ENCRYPT_SECRET: "secret"
           EMAIL_ENCRYPT_SALT: "salt"
-          INTERNAL_API_KEY: "secret"
+          INTERNAL_API_KEY: "secret"

README.md

@@ -142,7 +142,9 @@ Create [new credentials](https://console.cloud.google.com/apis/credentials):
     2. In `Application Type`, Choose `Web application`
     3. Choose a name for your web client
     4. In Authorized JavaScript origins, add a URI and enter `http://localhost:3000`
-    5. In `Authorized redirect URIs` enter `http://localhost:3000/api/auth/callback/google`
+    5. In `Authorized redirect URIs` enter:
+      - `http://localhost:3000/api/auth/callback/google`
+      - `http://localhost:3000/api/google/linking/callback`
     6. Click `Create`.
     7. A popup will show up with the new credentials, including the Client ID and secret.
 3.  Update .env file:

apps/web/__tests__/ai-choose-rule.test.ts

@@ -76,6 +76,7 @@ describe.runIf(isAiTest)("aiChooseRule", () => {
         cc: null,
         bcc: null,
         url: null,
+        folderName: null,
         delayInMinutes: null,
       },
     ]);

apps/web/__tests__/outlook-odata-escape.test.ts

@@ -0,0 +1,58 @@
+import { describe, it, expect } from "vitest";
+import { escapeODataString } from "@/utils/outlook/odata-escape";
+
+describe("OData String Escaping", () => {
+  it("should escape single quotes by doubling them", () => {
+    expect(escapeODataString("O'Brien")).toBe("O''Brien");
+    expect(escapeODataString("test' or 1=1 --")).toBe("test'' or 1=1 --");
+    expect(escapeODataString("it's a test")).toBe("it''s a test");
+  });
+
+  it("should handle strings without quotes", () => {
+    expect(escapeODataString("normal string")).toBe("normal string");
+    expect(escapeODataString("test@example.com")).toBe("test@example.com");
+  });
+
+  it("should handle multiple quotes", () => {
+    expect(escapeODataString("'test'")).toBe("''test''");
+    expect(escapeODataString("test's 'quoted' text")).toBe(
+      "test''s ''quoted'' text",
+    );
+  });
+
+  it("should handle empty strings", () => {
+    expect(escapeODataString("")).toBe("");
+  });
+
+  it("should handle non-string inputs safely", () => {
+    expect(escapeODataString(null as any)).toBe("");
+    expect(escapeODataString(undefined as any)).toBe("");
+    expect(escapeODataString(123 as any)).toBe("");
+  });
+
+  it("should prevent OData injection attacks", () => {
+    // Simulated malicious inputs
+    const maliciousEmail = "attacker@example.com' or subject eq 'sensitive";
+    const escaped = escapeODataString(maliciousEmail);
+
+    // The escaped version should have doubled quotes
+    expect(escaped).toBe("attacker@example.com'' or subject eq ''sensitive");
+
+    // When used in a filter, it should be safe
+    const filter = `from/emailAddress/address eq '${escaped}'`;
+    expect(filter).toBe(
+      "from/emailAddress/address eq 'attacker@example.com'' or subject eq ''sensitive'",
+    );
+
+    // The filter should not allow breaking out of the string literal
+    // Check that there are no unescaped single quotes followed by " or "
+    // (All quotes should be doubled, so we shouldn't see a single quote followed by " or ")
+    expect(filter).toContain(
+      "attacker@example.com'' or subject eq ''sensitive",
+    );
+    // Verify the malicious pattern has been neutralized
+    expect(filter).toBe(
+      "from/emailAddress/address eq 'attacker@example.com'' or subject eq ''sensitive'",
+    );
+  });
+});

apps/web/app/(app)/ErrorMessages.tsx

@@ -1,4 +1,4 @@
-import { auth } from "@/app/api/auth/[...nextauth]/auth";
+import { auth } from "@/utils/auth";
 import { AlertError } from "@/components/Alert";
 import { Button } from "@/components/ui/button";
 import { clearUserErrorMessagesAction } from "@/utils/actions/error-messages";

apps/web/app/(app)/[emailAccountId]/assess.tsx

@@ -28,7 +28,7 @@ export function AssessUser() {
     async function assess() {
       const result = await executeAssessAsync();
       // no need to run this over and over after the first time
-      if (!result?.data?.skipped && provider !== "microsoft-entra-id") {
+      if (!result?.data?.skipped && provider !== "microsoft") {
         executeWhitelistInboxZero();
       }
     }

apps/web/app/(app)/[emailAccountId]/assistant/ActionSummaryCard.tsx

@@ -190,6 +190,10 @@ export function ActionSummaryCard({
       summaryContent = "Add to digest";
       break;
 
+    case ActionType.MOVE_FOLDER:
+      summaryContent = `Folder: ${action.folderName?.value || "unset"}`;
+      break;
+
     default:
       summaryContent = actionTypeLabel;
   }

apps/web/app/(app)/[emailAccountId]/assistant/RuleForm.tsx

@@ -125,7 +125,7 @@ export function RuleForm({
   isDialog?: boolean;
   mutate?: (data?: any, options?: any) => void;
 }) {
-  const { emailAccountId } = useAccount();
+  const { emailAccountId, provider } = useAccount();
 
   const form = useForm<CreateRuleBody>({
     resolver: zodResolver(createRuleBody),
@@ -140,6 +140,7 @@ export function RuleForm({
                 ...action.content,
                 setManually: !!action.content?.value,
               },
+              folderName: action.folderName,
             })),
           ],
         }
@@ -319,9 +320,19 @@ export function RuleForm({
   const conditionalOperator = watch("conditionalOperator");
 
   const typeOptions = useMemo(() => {
-    return [
+    const providerOptions: { label: string; value: ActionType }[] = [];
+
+    if (provider === "microsoft") {
+      providerOptions.push({
+        label: "Move to folder",
+        value: ActionType.MOVE_FOLDER,
+      });
+    }
+
+    const options = [
       { label: "Archive", value: ActionType.ARCHIVE },
       { label: "Label", value: ActionType.LABEL },
+      ...providerOptions,
       { label: "Draft reply", value: ActionType.DRAFT_EMAIL },
       { label: "Reply", value: ActionType.REPLY },
       { label: "Send email", value: ActionType.SEND_EMAIL },
@@ -332,7 +343,9 @@ export function RuleForm({
       { label: "Call webhook", value: ActionType.CALL_WEBHOOK },
       { label: "Auto-update reply label", value: ActionType.TRACK_THREAD },
     ];
-  }, []);
+
+    return options;
+  }, [provider]);
 
   const [isNameEditMode, setIsNameEditMode] = useState(alwaysEditMode);
   const [isConditionsEditMode, setIsConditionsEditMode] =

apps/web/app/(app)/[emailAccountId]/assistant/Rules.tsx

@@ -133,6 +133,7 @@ export function Rules({ size = "md" }: { size?: "sm" | "md" }) {
           cc: null,
           bcc: null,
           url: null,
+          folderName: null,
           delayInMinutes: null,
         },
         showArchiveAction
@@ -149,6 +150,7 @@ export function Rules({ size = "md" }: { size?: "sm" | "md" }) {
               cc: null,
               bcc: null,
               url: null,
+              folderName: null,
               delayInMinutes: null,
             }
           : null,
@@ -166,6 +168,7 @@ export function Rules({ size = "md" }: { size?: "sm" | "md" }) {
               cc: null,
               bcc: null,
               url: null,
+              folderName: null,
               delayInMinutes: null,
             }
           : null,
@@ -464,6 +467,7 @@ export function ActionBadges({
     id: string;
     type: ActionType;
     label?: string | null;
+    folderName?: string | null;
   }[];
 }) {
   return (

apps/web/app/(app)/[emailAccountId]/assistant/constants.ts

@@ -10,6 +10,7 @@ import {
   WebhookIcon,
   EyeIcon,
   FileTextIcon,
+  FolderInputIcon,
 } from "lucide-react";
 import { ActionType } from "@prisma/client";
 
@@ -25,6 +26,7 @@ const ACTION_TYPE_COLORS = {
   [ActionType.CALL_WEBHOOK]: "bg-gray-500",
   [ActionType.TRACK_THREAD]: "bg-indigo-500",
   [ActionType.DIGEST]: "bg-teal-500",
+  [ActionType.MOVE_FOLDER]: "bg-emerald-500",
 } as const;
 
 export const ACTION_TYPE_TEXT_COLORS = {
@@ -39,6 +41,7 @@ export const ACTION_TYPE_TEXT_COLORS = {
   [ActionType.CALL_WEBHOOK]: "text-gray-500",
   [ActionType.TRACK_THREAD]: "text-indigo-500",
   [ActionType.DIGEST]: "text-teal-500",
+  [ActionType.MOVE_FOLDER]: "text-emerald-500",
 } as const;
 
 export const ACTION_TYPE_ICONS = {
@@ -53,6 +56,7 @@ export const ACTION_TYPE_ICONS = {
   [ActionType.CALL_WEBHOOK]: WebhookIcon,
   [ActionType.TRACK_THREAD]: EyeIcon,
   [ActionType.DIGEST]: FileTextIcon,
+  [ActionType.MOVE_FOLDER]: FolderInputIcon,
 } as const;
 
 // Helper function to get action type from string (for RulesPrompt.tsx)
@@ -83,6 +87,9 @@ export function getActionTypeColor(example: string): string {
   if (lowerExample.includes("digest")) {
     return ACTION_TYPE_COLORS[ActionType.DIGEST];
   }
+  if (lowerExample.includes("folder")) {
+    return ACTION_TYPE_COLORS[ActionType.MOVE_FOLDER];
+  }
 
   // Default fallback
   return "bg-gray-500";

apps/web/app/(app)/[emailAccountId]/assistant/settings/DraftReplies.tsx

@@ -88,6 +88,7 @@ export function useDraftReplies() {
                       bcc: null,
                       url: null,
                       delayInMinutes: null,
+                      folderName: null,
                       createdAt: new Date(),
                       updatedAt: new Date(),
                     },

apps/web/app/(app)/[emailAccountId]/debug/rule-history/[ruleId]/page.tsx

@@ -10,7 +10,7 @@ import {
 import { Badge } from "@/components/ui/badge";
 import { notFound } from "next/navigation";
 import { formatDistanceToNow } from "date-fns";
-import { auth } from "@/app/api/auth/[...nextauth]/auth";
+import { auth } from "@/utils/auth";
 
 export default async function RuleHistoryPage(props: {
   params: Promise<{ emailAccountId: string; ruleId: string }>;

apps/web/app/(app)/[emailAccountId]/settings/MultiAccountSection.tsx

@@ -2,7 +2,7 @@
 
 import { useCallback } from "react";
 import { type SubmitHandler, useFieldArray, useForm } from "react-hook-form";
-import { useSession } from "next-auth/react";
+import { useSession } from "@/utils/auth-client";
 import { zodResolver } from "@hookform/resolvers/zod";
 import useSWR from "swr";
 import { usePostHog } from "posthog-js/react";

apps/web/app/(app)/accounts/AddAccount.tsx

@@ -1,7 +1,7 @@
 "use client";
 
 import { useState } from "react";
-import { signIn } from "next-auth/react";
+import { signIn } from "@/utils/auth-client";
 import { Card, CardContent } from "@/components/ui/card";
 import { Button } from "@/components/ui/button";
 import { toastError } from "@/components/Toast";
@@ -14,10 +14,16 @@ import { DialogTrigger } from "@/components/ui/dialog";
 import { Dialog } from "@/components/ui/dialog";
 import type { GetAuthLinkUrlResponse } from "@/app/api/google/linking/auth-url/route";
 import type { GetOutlookAuthLinkUrlResponse } from "@/app/api/outlook/linking/auth-url/route";
+import { SCOPES as GMAIL_SCOPES } from "@/utils/gmail/scopes";
+import { SCOPES as OUTLOOK_SCOPES } from "@/utils/outlook/scopes";
 
 export function AddAccount() {
   const handleConnectGoogle = async () => {
-    await signIn("google", { callbackUrl: "/accounts", redirect: true });
+    await signIn.social({
+      provider: "google",
+      callbackURL: "/accounts",
+      scopes: [...GMAIL_SCOPES],
+    });
   };
 
   const handleMergeGoogle = async () => {
@@ -32,9 +38,10 @@ export function AddAccount() {
   };
 
   const handleConnectMicrosoft = async () => {
-    await signIn("microsoft-entra-id", {
-      callbackUrl: "/accounts",
-      redirect: true,
+    await signIn.social({
+      provider: "microsoft",
+      callbackURL: "/accounts",
+      scopes: [...OUTLOOK_SCOPES],
     });
   };
 

apps/web/app/(app)/admin/page.tsx

@@ -1,7 +1,7 @@
 import { AdminUpgradeUserForm } from "@/app/(app)/admin/AdminUpgradeUserForm";
 import { AdminUserControls } from "@/app/(app)/admin/AdminUserControls";
 import { TopSection } from "@/components/TopSection";
-import { auth } from "@/app/api/auth/[...nextauth]/auth";
+import { auth } from "@/utils/auth";
 import { ErrorPage } from "@/components/ErrorPage";
 import { isAdmin } from "@/utils/admin";
 import {

apps/web/app/(app)/layout.tsx

@@ -4,8 +4,8 @@ import { cookies } from "next/headers";
 import { Suspense } from "react";
 import { redirect } from "next/navigation";
 import { SideNavWithTopNav } from "@/components/SideNavWithTopNav";
-import { TokenCheck } from "@/components/TokenCheck";
-import { auth } from "@/app/api/auth/[...nextauth]/auth";
+
+import { auth } from "@/utils/auth";
 import { PostHogIdentify } from "@/providers/PostHogProvider";
 import { CommandK } from "@/components/CommandK";
 import { AppProviders } from "@/providers/AppProviders";
@@ -50,7 +50,7 @@ export default async function AppLayout({
       <EmailViewer />
       <ErrorBoundary extra={{ component: "AppLayout" }}>
         <PostHogIdentify />
-        <TokenCheck />
+
         <CommandK />
         <QueueInitializer />
         <AssessUser />