Add daily Okta employee sync #123
Fetches all users from Okta via SSWS API token and upserts into a new EmployeeInfo model linked to User by email. Runs as a Vercel cron job daily at 6 AM UTC, secured with CRON_SECRET.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Reviewed by Cursor Bugbot for commit 4176d7c.
| res: NextApiResponse | ||
| ) { | ||
| const authHeader = req.headers.authorization | ||
| if (authHeader !== `Bearer ${serverEnv.CRON_SECRET}`) { |
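Review bot: the guard on the last line of this hunk, `authHeader !== \`Bearer ${serverEnv.CRON_SECRET}\``, is a plain string comparison against a secret and accepts the literal header "Bearer " whenever CRON_SECRET is unset. Reject the request outright when serverEnv.CRON_SECRET is empty or undefined before comparing, and compare the header with crypto.timingSafeEqual on equal-length buffers rather than !==, so the check does not short-circuit on the first differing byte.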
Empty CRON_SECRET allows authentication bypass on cron endpoint
High Severity
CRON_SECRET defaults to an empty string via allowEmpty: true, default: ''. When unset, the auth check becomes authHeader !== 'Bearer ', which any external caller can satisfy by sending an Authorization: Bearer header. This effectively leaves the cron endpoint—which writes to the database and calls the Okta API—completely unprotected. The guard needs to reject requests when CRON_SECRET is empty/not configured.
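The bypass described above, as an added example (not code from this PR): the check as written in the hunk beside a hardened version that fails closed when CRON_SECRET is empty and compares the header in constant time. The request shape and function names are assumptions for illustration.

```typescript
import { timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Hypothetical minimal request shape: only the header the guard inspects.
type CronRequest = { headers: { authorization?: string } };

// The check as written in the PR. With CRON_SECRET defaulting to '' the
// expected value becomes "Bearer " and any caller sending exactly that passes.
function isAuthorizedVulnerable(req: CronRequest, cronSecret: string): boolean {
  return req.headers.authorization === `Bearer ${cronSecret}`;
}

// Hardened guard: an unset or blank secret means the endpoint is not
// configured, so refuse every request instead of accepting all of them.
function isAuthorizedHardened(req: CronRequest, cronSecret: string | undefined): boolean {
  if (cronSecret === undefined || cronSecret.trim().length === 0) return false;

  const presented = Buffer.from(req.headers.authorization ?? "", "utf8");
  const expected = Buffer.from(`Bearer ${cronSecret}`, "utf8");

  // timingSafeEqual throws on mismatched lengths, so reject those first;
  // the length of the expected header is not a meaningful secret.
  if (presented.length !== expected.length) return false;
  return timingSafeEqual(presented, expected);
}

// Maps the guard's decision onto the HTTP status a cron handler would send:
// 500 when the secret is missing (misconfiguration), 401 when it does not match.
function cronAuthStatus(req: CronRequest, cronSecret: string | undefined): number {
  if (cronSecret === undefined || cronSecret.trim().length === 0) return 500;
  return isAuthorizedHardened(req, cronSecret) ? 200 : 401;
}

// Constructed requests: one imitating an external caller with an empty bearer,
// one imitating the Vercel cron invocation carrying the configured secret.
const emptyBearer: CronRequest = { headers: { authorization: "Bearer " } };
const vercelCron: CronRequest = { headers: { authorization: "Bearer example-cron-secret" } };

console.log(isAuthorizedVulnerable(emptyBearer, ""));              // true: bypass
console.log(isAuthorizedHardened(emptyBearer, ""));                // false
console.log(cronAuthStatus(vercelCron, "example-cron-secret"));    // 200
console.log(cronAuthStatus(vercelCron, undefined));                // 500
```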
| provider = "mysql" | ||
| url = env("DATABASE_URL") | ||
| referentialIntegrity = "prisma" | ||
| provider = "postgresql" |
Database migration breaks plain-text search queries
High Severity
Switching the database provider from mysql to postgresql breaks the existing search feature in server/routers/post.ts. Prisma's search filter on PostgreSQL uses to_tsquery, which requires tsquery syntax (e.g. hello & world). The search dialog passes raw user-typed text, which will throw a database syntax error for any multi-word query. MySQL's MATCH ... AGAINST accepted natural language input, but PostgreSQL's to_tsquery does not.
| url = env("DATABASE_URL") | ||
| referentialIntegrity = "prisma" | ||
| provider = "postgresql" | ||
| url = env("DATABASE_URL") |
NoAction FK constraints now enforced, blocking deletions
High Severity
Removing referentialIntegrity = "prisma" and switching to PostgreSQL means foreign key constraints are now enforced at the database level. The LikedPosts model uses onDelete: NoAction on both its post and user relations, which previously had no real enforcement (Prisma emulated FKs without creating them). Now PostgreSQL will reject any attempt to delete a Post that has likes or a User who has liked posts, breaking post and user deletion.
| } | ||
|
|
||
| datasource db { | ||
| provider = "mysql" |
Thought this was a pg database? https://app.planetscale.com/benchmarks/beam


Summary
- EmployeeInfo model linked 1:1 to User, storing employee data from Okta (name, email, title, department, start date, manager, status)
- /api/cron/sync-okta-users endpoint fetches all Okta users via SSWS API token and upserts into the database
- vercel.json

Env vars needed
- OKTA_API_TOKEN — SSWS token from Okta Admin Console (Security > API > Tokens)
- CRON_SECRET — protects the cron endpoint (Vercel sends automatically)

Test plan
- npx prisma db push against production database

Made with Cursor