## Context
Following this https://github.com/twentyhq/twenty/issues/4199
This has not been fully implemented, after 5months of dead code I'm
removing the feature for the time being until we re-prioritise the
feature (unlikely during these next 6 months) to keep the codebase a bit
cleaner (no need to maintain dead features)
Feel free to reopen / revert this PR once feature is ready
## Test
locally after importing emails
## Context
2 issues here:
- We use a metadata repository find method without providing a
workspaceId: In practice this is not an issue in this specific part but
let's avoid that pattern
- await this.workspaceService.deleteWorkspace(workspaceId); deletes
almost everything, emitting an event on workspaceMember could
potentially bring issues and not much values imho
### Summary
This pull request addresses the issue described in #9232, where
attempting to delete a user account results in a `TypeError: Cannot read
properties of undefined (reading 'dataSourceService')`.
### Changes Made
- Fixed the `this` context issue in the `deleteUserFromWorkspace` method
by ensuring it is correctly bound.
- Updated the `deleteUser` method to use a bound function when calling
`deleteUserFromWorkspace`.
### Linked Issue
This pull request fixes#9232.
### Additional Notes
- Please review the changes carefully to ensure no unintended side
effects in the user or workspace deletion process.
- Suggestions for further improvement are welcome.
---------
Co-authored-by: Lucas Bordeau <bordeau.lucas@gmail.com>
Co-authored-by: Weiko <corentin@twenty.com>
The DX is not great when you need to do a lot of database
resets/command.
Should we disable Typescript validation to speed things up? With this
and caching database:reset takes 1min instead of 2 on my machine.
See also: https://github.com/typeorm/typeorm/issues/4136
And #9291 / #9293
---------
Co-authored-by: Lucas Bordeau <bordeau.lucas@gmail.com>
**Solves**
[ https://github.com/twentyhq/private-issues/issues/211 ]
**TLDR:**
Add a command that fetches the plans product, meters and price in stripe
and whrites it to the DataBase. For now it fetches only active products.
**In order to test**
- Set IS_BILLING_ENABLED=true
- Run `npx nx database:reset twenty-server` if you don't have the
billing tables in your data base schema
- run `npx nx run twenty-server:command billing:sync-plans-data -v`
---------
Co-authored-by: Félix Malfait <felix.malfait@gmail.com>
We want to avoid infinite loops using workflows. Adding a throttler with
a limit of 10 executions / sec by default for each workflow.
We were not emitting events on workflow actions so loops could not
happen. Since throttler is there we can now and these.
Adding an error message so the user knows when it happens.
<img width="1284" alt="Capture d’écran 2024-12-27 à 17 05 20"
src="https://github.com/user-attachments/assets/dafa837b-5b4c-48be-8207-c90f5c71a236"
/>
Closes#9187
This pull request introduces a new feature and several enhancements for
managing webhook security by adding a secret field and enabling HMAC
signature-based authentication. Below is a detailed breakdown of the
changes made:
## Frontend Updates
### Secret Field on Webhook Edit Page
- Added a new **Secret** section on the webhook edit page.
- Includes a text input field for entering a webhook secret.
- Added a descriptive note explaining the purpose of the secret for
webhook authentication.
### State Management and Persistence
- Integrated the secret field into the Webhook type definition and state
management.
- Connected the secret field UI to the data layer, ensuring seamless
persistence of the secret field.
### Validation Improvement
- Trims leading and trailing whitespace from webhook secret inputs to
avoid potential validation issues.
## Backend Updates
### Database and Entity Changes
- Introduced a nullable `secret` field to the `WebhookWorkspaceEntity`
for securely storing webhook signing secrets.
- Field uses a standard field ID:
`20202020-97ce-410f-bff9-e9ccb038fb67`.
### Signature Generation
- Implemented HMAC-SHA256 signature generation for webhook payloads when
a secret is present:
- Signatures are added as a custom `X-Twenty-Webhook-Signature` header.
- Secret is excluded from the payload to maintain security.
### Enhanced Security Measures
- Added additional headers for enhanced security:
- **Timestamp Header**: Prevents replay attacks.
- **Nonce Header**: Mitigates duplicate requests.
- Updated the OpenAPI specification to include documentation on these
security-related headers and signature verification.
## Documentation Updates
- Updated OpenAPI documentation for webhook endpoints:
- Described security-related headers (signature, timestamp, nonce).
- Included detailed instructions for verifying HMAC signatures to assist
consumers.
## Testing and Demonstration
- [Loom Video
Link](https://www.loom.com/share/bd827e4d045f46d99f3c8186e5e5676a?sid=a5e61904-0536-4e82-8055-3d05e4598393):
Demonstrating the functionality of the secret field and webhook security
features.
- [Script Example
Link](https://runkit.com/samyakpiya/676af044040c0400086d400a): A script
showing how consumers can verify webhook authenticity using the HMAC
signature.
- [Testing Site
Instance](https://webhook.site/#!/view/3472468b-ebcd-4b7f-a083-c4ba20825bb4/6885fdce-8843-4d3f-8fe0-1d8abdd53f68/1):
Contains the logged requests sent during testing and is available for
review.
## Steps for Review
1. Verify the secret field functionality on the webhook edit page,
including state persistence and UI updates.
2. Review the security enhancements, including header additions and HMAC
signature generation.
3. Validate OpenAPI documentation changes for completeness and clarity.
---------
Co-authored-by: Félix Malfait <felix@twenty.com>
- Added all usable composite field types on pet custom object
- Fixed missing createdBy on people and company seeds
- DEFAULT_SUBDOMAIN is now used for login (could be improved for multi
workspace)
- Refactored ObjectMetadataStandardIdToIdMap to disambiguate from
ObjectMetadataMap
- Refactored seedCustomObjects
Delete all workflow sub objects when workflow is deleted. Other sub
objects cannot be deleted otherwise.
We do not listen to deletion events so I am not adding them. Those post
hooks should be deleted Q1 once we properly handle cascade for soft
deletion
Restoring https://github.com/twentyhq/twenty/pull/9185
Also fixing sync-metadata with test values in jsonb
## Test
sync-metadata on existing workspaces should replace colorSchema in both
metadata and workspaceMember tables
- Added a new Seeder service to help with custom object seeds
- Added RichTextFieldInput to edit a rich text field directly on the
table, but deactivated it for now.
Removed unused `LoginTokenService` imports and dependencies for better
code clarity. Enhanced error handling in
`getPublicWorkspaceDataBySubdomain` with a try-catch block, ensuring
consistent exception handling. This improves maintainability and
robustness of the resolver.
## Summary
- [x] Remove defaultWorkspace in user
- [x] Remove all occurrence of defaultWorkspace and defaultWorkspaceId
- [x] Improve activate workspace flow
- [x] Improve security on social login
- [x] Add `ImpersonateGuard`
- [x] Allow to use impersonation with couple `User/Workspace`
- [x] Prevent unexpected reload on activate workspace
- [x] Scope login token with workspaceId
Fix https://github.com/twentyhq/twenty/issues/9033#event-15714863042
fix 9206
In the future, we should have a look at the column naming
"positionInViewFilterGroup"
because it breaks the SQL queries in `record-position-query.factory.ts`
for viewFilter tablenames
Introduced a trigger to automatically set `canImpersonate` to true for
the first user inserted into the `core.user` table. The trigger is
removed after the first user is added to ensure this behavior only
applies to the initial user. Includes both the creation and rollback
logic for the migration.
Close https://github.com/twentyhq/twenty/issues/9173
Closes#9151
## Description
This PR automatically sets a workspace's logo based on the user's work
email domain during signup. When a user creates a new workspace using
their work email (e.g., @airbnb.com), the system will fetch and set
their company logo from twenty-icons.com as the default workspace logo.
## Implementation Details
- Added a new `CompanyEnrichmentService` to handle company-related data
enrichment
- Created a modular architecture that supports future enrichment
features (e.g., company name, details)
- Integrated with existing work email detection
- Maintains user ability to override the logo later
## Testing
https://github.com/user-attachments/assets/f7855c99-462a-4053-9e52-29649e954275
I tested the following scenarios:
- Signing up with a work email (e.g., @company.com) → Logo is
automatically set
- Signing up with a personal email (e.g., @gmail.com) → No logo is set
- User can still upload a custom logo after automatic setting
## Technical Notes
- Uses existing `isWorkEmail` utility
- Structured for future extensibility (additional company data
enrichment)
- No breaking changes to existing functionality
---------
Co-authored-by: Félix Malfait <felix@twenty.com>
Fixes https://github.com/twentyhq/twenty/issues/8863
## Description
This PR fixes an issue with cursor-based pagination when dealing with
composite fields (like `fullName`). Previously, the pagination direction
was incorrectly determined for composite fields because the code wasn't
properly handling nested object structures in the `orderBy` parameter.
Refactored the code accordingly.
**TLDR:**
Solves (https://github.com/twentyhq/private-issues/issues/212)
Add command to sync customer data from stripe to BillingCustomerTable
for all active workspaces. Drop foreign key contraint on billingCustomer
in BillingSubscription (in order to not break the DB).
**In order to test:**
- Billing should be enabled
- Have some workspaces that are active and whose id's are not mentioned
in BillingCustomer (but the customer are present in stripe).
Run the command:
`npx nx run twenty-server:command billing:sync-customer-data`
Take into consideration
Due that all the previous subscriptions in Stripe have the workspaceId
in their metadata, we use that information as source of true for the
data sync
**Things to do:**
- Add tests for Billing utils
- Separate StripeService into multipleServices
(stripeSubscriptionService, stripePriceService etc) perhaps add them in
(https://github.com/twentyhq/private-issues/issues/201)?
Added validation to ensure refresh tokens include a workspaceId,
throwing an exception for malformed tokens. Included workspaceId in
payloads and introduced expiration handling for access tokens. This
enhances token security and prevents potential misuse.
Close#9126
As part of our rollout strategy, let's remove the workspaces gates,
which will trigger the creation of the field metadatas needed for the
aggregate queries features.
In a later release we will remove the feature flag completely, after all
fields have been created for all workspaces
Added new forbidden words and regex patterns to subdomain validation in
`update-workspace-input`. Enhanced the `ForbiddenWords` validator to
support both strings and regex matching. Updated tests to verify
regex-based forbidden subdomain validation.
Fix#9064
---------
Co-authored-by: Weiko <corentin@twenty.com>
Add support for setting a user's default workspace during sign-in if a
target workspace subdomain exists. Enhance error feedback by displaying
authentication error messages using a Snackbar in the front-end and
improving redirect logic for workspace-specific errors.
`No Value` view groups wasn't properly created when we select a group by
field metadata, this PR fix the issue.
Also a script is added to backfill the current view groups.
---------
Co-authored-by: Marie <51697796+ijreilly@users.noreply.github.com>
Introduce `defaultWorkspaceId` to improve workspace redirection logic.
Updated GraphQL schema, server logic, and frontend components
accordingly to prioritize default workspaces when available.
## Summary
This PR adds a mechanism to handle and prioritize default workspace
selection for users during authentication. It updates the logic in
multiple components and services to ensure users are redirected to their
default workspaces if no specific selection is provided.
### Main changes:
- **GraphQL Schema Updates**:
- Enhanced `UserExists` GraphQL entity with a new `defaultWorkspaceId`
field to specify the user's default workspace.
- Updated queries and mutations to handle the `defaultWorkspaceId`.
- **Client-Side Updates**:
- Enhanced `useAuth` hook to include logic for managing default
workspace redirection.
- Adjusted UI logic in `SignInUpGlobalScopeForm` to utilize the
`defaultWorkspaceId`.
- **Server-Side Adjustments**:
- Modified `AuthService` to include `defaultWorkspaceId` in
`checkUserExists`.
- Default workspace logic added to the backend flow for consistent
handling.
- **Tests/Helpers**:
- Added utility and type changes to integrate the new backend response
changes (e.g., `UserExists` GraphQL).
- **Subsequent function lifecycle** was adjusted to include recheck for
workspace token states when performing sign-in flows.
**TLDR**
Solves: https://github.com/twentyhq/private-issues/issues/199
Partially solves: https://github.com/twentyhq/private-issues/issues/221
(more details below)
Updates the BillingMeter and BillingPrice tables while listening to the
events "price.created" and "price.updated" from the stripe webhook. Also
added the foreign keys, that couldn't be added to the BillingEntities.
**In Order To test**
Billing:
- Set IS_BILLING_ENABLED to true
- Add your BILLING_STRIPE_SECRET and BILLING_STRIPE_API_KEY
- Add your BILLING_STRIPE_BASE_PLAN_PRODUCT_ID (use the one in testMode
> Base Plan)
Authenticate with your account in the stripe CLI
Run the command: stripe listen --forward-to
http://localhost:3000/billing/webhooks
Run the twenty workker
Authenticate yourself on the app choose a plan and run the app normally.
In stripe and in posgress the customer table data should be added.
**Take Into Consideration**
In a previous migration the foreign key to workpaceId was taken down
this was due to the separation of the migrations if billing is enabled.
Because we want to separate in these two categories: we will be
polluting the Common Migrations with relations to tables that don't
exists. This will be addressed in a PR in the next sprint (perhaps a
decorator?)
**Doing**
Testing migrations, when we are in main and when billing is enabled.
closes https://github.com/twentyhq/twenty/issues/8727
@Bonapara wants to keep the code for now so I ended up by setting the
`isFunctionSettingsEnabled` constants to false in the codebase
Added a unique constraint to the "subdomain" column in the workspace
entity to ensure no duplicate subdomains exist in the database. Included
a TypeORM migration script to enforce this change at the database level.
We have conflicts which prevents us from running demo seed command after
a database-reset or/and if dev seed has already been populated. This is
because we are trying to create Tim user twice (but due to the
insert()...onConflict() in the seed creation, it does not create the
second one), for seed-dev and seed-demo .
This PR fixes that by using the same user id, allowing us to use the
same Tim apple for both dev/demo seeds
Test
<img width="802" alt="Screenshot 2024-12-16 at 15 36 56"
src="https://github.com/user-attachments/assets/72244978-130f-4561-8709-43376453b247"
/>
<img width="780" alt="Screenshot 2024-12-16 at 15 37 17"
src="https://github.com/user-attachments/assets/01ce221b-34f6-4e48-ae30-d84bdf9d3cc2"
/>
