more coderabbit changes

Author: isshaddad

apps/webapp/app/models/admin.server.ts

@@ -212,8 +212,13 @@ export async function adminGetOrganizations(userId: string, { page, search }: Se
   };
 }
 
-export async function redirectWithImpersonation(request: Request, userId: string, path: string) {
-  const user = await requireUser(request);
+export async function redirectWithImpersonation(
+  request: Request,
+  userId: string,
+  path: string,
+  currentUser?: { id: string; admin: boolean }
+) {
+  const user = currentUser ?? (await requireUser(request));
   if (!user.admin) {
     throw new Error("Unauthorized");
   }

apps/webapp/app/routes/admin.impersonate.tsx

@@ -12,7 +12,7 @@ async function handleImpersonationRequest(request: Request, userId: string): Pro
   if (!user.admin) {
     return redirect("/");
   }
-  return redirectWithImpersonation(request, userId, "/");
+  return redirectWithImpersonation(request, userId, "/", user);
 }
 
 export const loader = async ({ request }: LoaderFunctionArgs) => {
@@ -42,7 +42,7 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
     return redirect("/");
   }
 
-  return redirectWithImpersonation(request, impersonateUserId, "/");
+  return redirectWithImpersonation(request, impersonateUserId, "/", user);
 };
 
 export async function action({ request }: ActionFunctionArgs) {

apps/webapp/app/routes/api.v1.plain.customer-cards.ts

@@ -115,54 +115,32 @@ export async function action({ request }: ActionFunctionArgs) {
 
     const { customer, cardKeys } = parsed.data;
 
-    // Look up the user by externalId (which is User.id)
-    let user = null;
-    if (customer.externalId) {
-      user = await prisma.user.findUnique({
-        where: { id: customer.externalId },
-        include: {
-          orgMemberships: {
-            where: {
-              organization: { deletedAt: null },
-            },
-            include: {
-              organization: {
-                include: {
-                  projects: {
-                    where: { deletedAt: null },
-                    take: 10, // Limit to recent projects
-                    orderBy: { createdAt: "desc" },
-                  },
-                },
-              },
-            },
-          },
+    const userInclude = {
+      orgMemberships: {
+        where: {
+          organization: { deletedAt: null },
         },
-      });
-    } else if (customer.email) {
-      // Fallback to email lookup if externalId is not provided
-      user = await prisma.user.findUnique({
-        where: { email: customer.email },
         include: {
-          orgMemberships: {
-            where: {
-              organization: { deletedAt: null },
-            },
+          organization: {
             include: {
-              organization: {
-                include: {
-                  projects: {
-                    where: { deletedAt: null },
-                    take: 10,
-                    orderBy: { createdAt: "desc" },
-                  },
-                },
+              projects: {
+                where: { deletedAt: null },
+                take: 10,
+                orderBy: { createdAt: "desc" as const },
               },
             },
           },
         },
-      });
-    }
+      },
+    };
+
+    const where = customer.externalId
+      ? { id: customer.externalId }
+      : customer.email
+      ? { email: customer.email }
+      : null;
+
+    const user = where ? await prisma.user.findUnique({ where, include: userInclude }) : null;
 
     // If user not found, return empty cards
     if (!user) {

apps/webapp/app/services/impersonation.server.ts

@@ -1,5 +1,6 @@
 import { createCookieSessionStorage, type Session } from "@remix-run/node";
 import { SignJWT, jwtVerify, errors } from "jose";
+import { randomUUID } from "node:crypto";
 import { singleton } from "~/utils/singleton";
 import { createRedisClient, type RedisClient } from "~/redis.server";
 import { env } from "~/env.server";
@@ -83,6 +84,7 @@ export async function generateImpersonationToken(userId: string): Promise<string
     .setExpirationTime(now + IMPERSONATION_TOKEN_EXPIRY_SECONDS)
     .setIssuer("https://trigger.dev")
     .setAudience("https://trigger.dev/admin")
+    .setJti(randomUUID())
     .sign(secret);
 
   return token;
@@ -109,12 +111,19 @@ export async function validateAndConsumeImpersonationToken(
     }
 
     // Atomically mark the token as used to prevent replay attacks.
+    // Use the jti (a short UUID) as the Redis key rather than the full JWT string.
     // If Redis is unavailable, fall back to JWT expiry as the only protection.
     if (env.CACHE_REDIS_HOST) {
+      // Defensively reject tokens without a jti (e.g. issued before this change)
+      if (!payload.jti) {
+        logger.warn("Impersonation token missing jti claim, rejecting for safety");
+        return undefined;
+      }
+
       try {
         const redis = getImpersonationTokenRedisClient();
         const result = await redis.set(
-          token,
+          payload.jti,
           "1",
           "EX",
           IMPERSONATION_TOKEN_EXPIRY_SECONDS,