refactor(dashboard-api): send creator context with team provisioning (#2505)

* feat(dashboard-api): send creator context with team provisioning

Populate creator_user_id and resolve creator_context (signup IP, user agent,
auth method) from auth.users.raw_app_meta_data inside the HTTP provisioning
sink so the receiving service no longer needs its own Supabase auth lookup.

- Extend GetAuthUserByID to return raw_app_meta_data and add the column to
  the auth.users schema/test migration so sqlc can generate it.
- Drop the deprecated owner_user_id field from the shared request struct now
  that the receiver accepts creator_user_id.
- Resolution lives inside HTTPProvisionSink so the noop sink stays free of
  any Supabase load.

Made-with: Cursor

* fix(dashboard-api): broaden oauth detection and bound creator context lookup

- Treat any non-"email" supabase provider as social so apple/gitlab/microsoft
  signups are no longer misclassified as Password.
- Cap the auth.users lookup with a 2s deadline so a slow query cannot eat
  into the team provisioning HTTP budget.

Made-with: Cursor

Author: ben-fornefeld

packages/dashboard-api/internal/handlers/team_provisioning.go

@@ -130,11 +130,11 @@ func (s *APIStore) bootstrapUser(ctx context.Context, userID uuid.UUID) (provisi
 		}
 
 		req := teamprovision.TeamBillingProvisionRequestedV1{
-			TeamID:      existingTeam.ID,
-			TeamName:    existingTeam.Name,
-			TeamEmail:   existingTeam.Email,
-			OwnerUserID: userID,
-			Reason:      teamprovision.ReasonDefaultSignupTeam,
+			TeamID:        existingTeam.ID,
+			TeamName:      existingTeam.Name,
+			TeamEmail:     existingTeam.Email,
+			CreatorUserID: userID,
+			Reason:        teamprovision.ReasonDefaultSignupTeam,
 		}
 		_ = s.teamProvisionSink.ProvisionTeam(ctx, req)
 
@@ -176,11 +176,11 @@ func (s *APIStore) bootstrapUser(ctx context.Context, userID uuid.UUID) (provisi
 	}
 
 	req := teamprovision.TeamBillingProvisionRequestedV1{
-		TeamID:      team.ID,
-		TeamName:    team.Name,
-		TeamEmail:   team.Email,
-		OwnerUserID: userID,
-		Reason:      teamprovision.ReasonDefaultSignupTeam,
+		TeamID:        team.ID,
+		TeamName:      team.Name,
+		TeamEmail:     team.Email,
+		CreatorUserID: userID,
+		Reason:        teamprovision.ReasonDefaultSignupTeam,
 	}
 	_ = s.teamProvisionSink.ProvisionTeam(ctx, req)
 
@@ -249,11 +249,11 @@ func (s *APIStore) createTeam(ctx context.Context, userID uuid.UUID, name string
 	}
 
 	req := teamprovision.TeamBillingProvisionRequestedV1{
-		TeamID:      team.ID,
-		TeamName:    team.Name,
-		TeamEmail:   team.Email,
-		OwnerUserID: userID,
-		Reason:      teamprovision.ReasonAdditionalTeam,
+		TeamID:        team.ID,
+		TeamName:      team.Name,
+		TeamEmail:     team.Email,
+		CreatorUserID: userID,
+		Reason:        teamprovision.ReasonAdditionalTeam,
 	}
 	if err := s.teamProvisionSink.ProvisionTeam(ctx, req); err != nil {
 		rollbackCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), teamProvisionRollbackTimeout)

packages/dashboard-api/internal/teamprovision/creator_context.go

@@ -0,0 +1,80 @@
+package teamprovision
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/google/uuid"
+
+	"github.com/e2b-dev/infra/packages/db/pkg/dberrors"
+	supabasedb "github.com/e2b-dev/infra/packages/db/pkg/supabase"
+	sharedteamprovision "github.com/e2b-dev/infra/packages/shared/pkg/teamprovision"
+)
+
+const (
+	// supabase uses "email" for password signups; everything else (google,
+	// github, apple, gitlab, ...) is treated as a social provider.
+	emailAuthProvider = "email"
+
+	signupIPMetadataKey        = "signup_ip"
+	signupUserAgentMetadataKey = "signup_user_agent"
+	providersMetadataKey       = "providers"
+)
+
+// resolveCreatorContext reads signup IP/UA and auth provider from
+// auth.users.raw_app_meta_data, which Supabase populates for every signup flow.
+// Returns nil when the user cannot be found so callers can keep going without
+// the optional context.
+func resolveCreatorContext(ctx context.Context, supabaseDB *supabasedb.Client, userID uuid.UUID) (*sharedteamprovision.CreatorContextV1, error) {
+	authUser, err := supabaseDB.Write.GetAuthUserByID(ctx, userID)
+	if err != nil {
+		if dberrors.IsNotFoundError(err) {
+			return nil, nil
+		}
+
+		return nil, fmt.Errorf("get auth user: %w", err)
+	}
+
+	metadata := map[string]any{}
+	if len(authUser.RawAppMetaData) > 0 {
+		if err := json.Unmarshal(authUser.RawAppMetaData, &metadata); err != nil {
+			return nil, fmt.Errorf("decode raw_app_meta_data: %w", err)
+		}
+	}
+
+	authMethod := sharedteamprovision.AuthMethodPassword
+	if hasOAuthProvider(metadata) {
+		authMethod = sharedteamprovision.AuthMethodSocial
+	}
+
+	return &sharedteamprovision.CreatorContextV1{
+		IPAddress:  stringFromMetadata(metadata, signupIPMetadataKey),
+		UserAgent:  stringFromMetadata(metadata, signupUserAgentMetadataKey),
+		AuthMethod: authMethod,
+	}, nil
+}
+
+func hasOAuthProvider(metadata map[string]any) bool {
+	rawProviders, ok := metadata[providersMetadataKey].([]any)
+	if !ok {
+		return false
+	}
+
+	for _, p := range rawProviders {
+		name, ok := p.(string)
+		if ok && name != "" && name != emailAuthProvider {
+			return true
+		}
+	}
+
+	return false
+}
+
+func stringFromMetadata(metadata map[string]any, key string) string {
+	if value, ok := metadata[key].(string); ok {
+		return value
+	}
+
+	return ""
+}

packages/dashboard-api/internal/teamprovision/factory.go

@@ -6,6 +6,7 @@ import (
 
 	"go.uber.org/zap"
 
+	supabasedb "github.com/e2b-dev/infra/packages/db/pkg/supabase"
 	"github.com/e2b-dev/infra/packages/shared/pkg/logger"
 )
 
@@ -14,7 +15,7 @@ var (
 	ErrMissingAPIToken = errors.New("billing server api token is required when billing http team provision sink is enabled")
 )
 
-func NewProvisionSink(ctx context.Context, enabled bool, baseURL, apiToken string) (TeamProvisionSink, error) {
+func NewProvisionSink(ctx context.Context, enabled bool, baseURL, apiToken string, supabaseDB *supabasedb.Client) (TeamProvisionSink, error) {
 	if !enabled {
 		logger.L().Info(ctx, "team provision sink configured",
 			zap.String("sink", "noop"),
@@ -38,5 +39,5 @@ func NewProvisionSink(ctx context.Context, enabled bool, baseURL, apiToken strin
 		zap.String("base_url", baseURL),
 	)
 
-	return NewHTTPProvisionSink(baseURL, apiToken), nil
+	return NewHTTPProvisionSink(baseURL, apiToken, supabaseDB), nil
 }

packages/dashboard-api/internal/teamprovision/http_sink.go

@@ -16,6 +16,7 @@ import (
 	"go.opentelemetry.io/otel/attribute"
 	"go.uber.org/zap"
 
+	supabasedb "github.com/e2b-dev/infra/packages/db/pkg/supabase"
 	"github.com/e2b-dev/infra/packages/shared/pkg/logger"
 	sharedteamprovision "github.com/e2b-dev/infra/packages/shared/pkg/teamprovision"
 	"github.com/e2b-dev/infra/packages/shared/pkg/telemetry"
@@ -32,13 +33,16 @@ const (
 	provisionBackoffMultiplier       = 2.0
 	// Error responses only need enough body to extract a short API message without buffering large upstream payloads.
 	provisionErrorMessageReadLimit = 2 * 1024
+	// short cap so a slow auth.users lookup can't eat into the provisioning timeout.
+	creatorContextResolveTimeout = 2 * time.Second
 )
 
 type HTTPProvisionSink struct {
-	baseURL  string
-	apiToken string
-	client   *retryablehttp.Client
-	timeout  time.Duration
+	baseURL    string
+	apiToken   string
+	client     *retryablehttp.Client
+	timeout    time.Duration
+	supabaseDB *supabasedb.Client
 }
 
 var _ TeamProvisionSink = (*HTTPProvisionSink)(nil)
@@ -47,12 +51,13 @@ type errorResponse struct {
 	Message string `json:"message"`
 }
 
-func NewHTTPProvisionSink(baseURL, apiToken string) *HTTPProvisionSink {
+func NewHTTPProvisionSink(baseURL, apiToken string, supabaseDB *supabasedb.Client) *HTTPProvisionSink {
 	return &HTTPProvisionSink{
-		baseURL:  strings.TrimRight(baseURL, "/"),
-		apiToken: apiToken,
-		client:   newRetryableProvisionClient(defaultProvisionAttemptTimeout),
-		timeout:  defaultProvisionTimeout,
+		baseURL:    strings.TrimRight(baseURL, "/"),
+		apiToken:   apiToken,
+		client:     newRetryableProvisionClient(defaultProvisionAttemptTimeout),
+		timeout:    defaultProvisionTimeout,
+		supabaseDB: supabaseDB,
 	}
 }
 
@@ -75,6 +80,20 @@ func (s *HTTPProvisionSink) ProvisionTeam(ctx context.Context, req sharedteampro
 		return err
 	}
 
+	if s.supabaseDB != nil && req.CreatorContext == nil {
+		resolveCtx, cancel := context.WithTimeout(ctx, creatorContextResolveTimeout)
+		creatorContext, resolveErr := resolveCreatorContext(resolveCtx, s.supabaseDB, req.CreatorUserID)
+		cancel()
+		if resolveErr != nil {
+			// creator context is best-effort; keep going without it
+			logger.L().Warn(ctx, "failed to resolve creator context for team provisioning",
+				append(provisionLogFields(req, provisionSinkHTTP), zap.Error(resolveErr))...,
+			)
+		} else {
+			req.CreatorContext = creatorContext
+		}
+	}
+
 	body, err := json.Marshal(req)
 	if err != nil {
 		telemetry.ReportCriticalError(ctx, "marshal billing provisioning request", err, baseAttrs...)

packages/dashboard-api/internal/teamprovision/http_sink_test.go

@@ -24,7 +24,7 @@ func TestHTTPProvisionSink_ReturnsJSONErrorMessage(t *testing.T) {
 	}))
 	defer server.Close()
 
-	sink := NewHTTPProvisionSink(server.URL, "token")
+	sink := NewHTTPProvisionSink(server.URL, "token", nil)
 	err := sink.ProvisionTeam(t.Context(), testProvisionRequest())
 	require.Error(t, err)
 
@@ -52,7 +52,7 @@ func TestHTTPProvisionSink_RetriesRetryableResponsesAndSucceeds(t *testing.T) {
 	}))
 	defer server.Close()
 
-	sink := NewHTTPProvisionSink(server.URL, "token")
+	sink := NewHTTPProvisionSink(server.URL, "token", nil)
 	sink.client.RetryWaitMin = time.Millisecond
 	sink.client.RetryWaitMax = time.Millisecond
 	err := sink.ProvisionTeam(t.Context(), testProvisionRequest())
@@ -74,7 +74,7 @@ func TestHTTPProvisionSink_RetriesRequestTimeoutWithinOverallBudget(t *testing.T
 	}))
 	defer server.Close()
 
-	sink := NewHTTPProvisionSink(server.URL, "token")
+	sink := NewHTTPProvisionSink(server.URL, "token", nil)
 	sink.timeout = 80 * time.Millisecond
 	sink.client.HTTPClient.Timeout = 25 * time.Millisecond
 	sink.client.RetryWaitMin = time.Millisecond
@@ -87,10 +87,10 @@ func TestHTTPProvisionSink_RetriesRequestTimeoutWithinOverallBudget(t *testing.T
 
 func testProvisionRequest() sharedteamprovision.TeamBillingProvisionRequestedV1 {
 	return sharedteamprovision.TeamBillingProvisionRequestedV1{
-		TeamID:      uuid.New(),
-		TeamName:    "Acme",
-		TeamEmail:   "acme@example.com",
-		OwnerUserID: uuid.New(),
-		Reason:      sharedteamprovision.ReasonAdditionalTeam,
+		TeamID:        uuid.New(),
+		TeamName:      "Acme",
+		TeamEmail:     "acme@example.com",
+		CreatorUserID: uuid.New(),
+		Reason:        sharedteamprovision.ReasonAdditionalTeam,
 	}
 }

packages/dashboard-api/internal/teamprovision/sink.go

@@ -46,7 +46,7 @@ func (e *ProvisionError) Unwrap() error {
 func provisionLogFields(req sharedteamprovision.TeamBillingProvisionRequestedV1, sink string) []zap.Field {
 	return []zap.Field{
 		logger.WithTeamID(req.TeamID.String()),
-		logger.WithUserID(req.OwnerUserID.String()),
+		logger.WithUserID(req.CreatorUserID.String()),
 		zap.String("team.provision.reason", req.Reason),
 		zap.String("team.provision.sink", sink),
 	}
@@ -55,7 +55,7 @@ func provisionLogFields(req sharedteamprovision.TeamBillingProvisionRequestedV1,
 func provisionTelemetryAttrs(req sharedteamprovision.TeamBillingProvisionRequestedV1, sink string, attrs ...attribute.KeyValue) []attribute.KeyValue {
 	base := []attribute.KeyValue{
 		telemetry.WithTeamID(req.TeamID.String()),
-		telemetry.WithUserID(req.OwnerUserID.String()),
+		telemetry.WithUserID(req.CreatorUserID.String()),
 		attribute.String("team.provision.reason", req.Reason),
 		attribute.String("team.provision.sink", sink),
 	}

packages/dashboard-api/main.go

@@ -195,6 +195,7 @@ func run() int {
 		config.EnableBillingHTTPTeamProvisionSink,
 		config.BillingServerURL,
 		config.BillingServerAPIToken,
+		supabaseDB,
 	)
 	if err != nil {
 		l.Error(ctx, "initializing team provision sink", zap.Error(err))

packages/db/migrations/20000101000000_auth.sql

@@ -17,6 +17,7 @@ CREATE TABLE auth.users (
     id uuid NOT NULL DEFAULT gen_random_uuid(),
     email text NOT NULL,
     created_at timestamptz NOT NULL DEFAULT now(),
+    raw_app_meta_data jsonb,
     PRIMARY KEY (id)
 );
 -- +goose StatementEnd