fix(brand-claim): surface workos_misconfigured when verification_prefix missing #4520
Open
bokelley wants to merge 1 commit into
…ix missing
WorkOS DNS-strategy domains were being returned without a
`verification_prefix`, leaving users with no way to publish the TXT
record and the brand-claim flow stuck. The `tokenMissing` branch
deleted-and-recreated on every retry, churning tokens in a no-win loop.
- Split the broken-state detection: only delete-and-recreate when
`verificationToken` is actually missing. Missing prefix with a present
token is an env-config gap that recreate can't fix.
- New `workos_misconfigured` result code → 503 from the route, with a
clear "operator action needed" message instead of half-broken
instructions.
- Same guard after `createOrganizationDomain` succeeds — if the new
record has no prefix, surface the error rather than echoing nulls.
- Route response now includes a `dns_record_name` field and the
`instructions` string interpolates real values instead of literal
`verification_prefix.{domain}` placeholders.
- Addie's `request_brand_domain_challenge` tool handles the new code
with a stop-and-wait message rather than offering retries.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Found while triaging Mark Hoekx's (BridgeFund) escalation. WorkOS is returning DNS-strategy organization domains without a `verification_prefix` in our environment, but `issueDomainChallenge` was treating the field as guaranteed. Result: users got back instructions that read literally `Publish the DNS TXT record at verification_prefix.{domain}` with the placeholder unsubstituted, and had no way to publish a record. Worse, the existing `tokenMissing` branch deleted-and-recreated the WorkOS domain on every retry — combined with missing prefixes, this rotated tokens in a no-win loop, invalidating any DNS records the user had managed to publish through guesswork.
This is the second issue I've seen in this area in 24h (the first was a manual-flip + missed-webhook recovery → admin endpoint in #4486-ish). Same surface, different failure mode.
Changes
server/src/services/brand-claim.ts
- `workos_misconfigured` result code in the `IssueChallengeResult` union for the case where WorkOS returns a token but no prefix (operator-side env-config gap, not a transient failure).
- `verificationToken` (the original "brand-claim: re-issuing challenge for existing domain with null verification token returns silent workos_error" #3953 case). Missing prefix with a present token is now a hard stop — surface the error rather than churn WorkOS state recreate can't fix.
- `createOrganizationDomain` — if the new record has no prefix, return `workos_misconfigured` instead of echoing nulls back.
server/src/routes/member-profiles.ts
- `/brand-claim/issue` maps `workos_misconfigured` → 503 with an operator-action message.
- `dns_record_name` field and the `instructions` string interpolates real values (`prefix.domain` + token) instead of literal placeholder text.
server/src/addie/mcp/member-tools.ts
- `request_brand_domain_challenge` handles the new code with a stop-and-wait message instead of offering retries — the fix lives in the WorkOS dashboard, not in the user's flow.
Tests: 2 new unit tests covering the existing-domain-no-prefix and create-returns-no-prefix paths, both asserting we don't churn WorkOS via delete/recreate.
Operator note
Resolving the missing-prefix at the source still requires configuring the WorkOS DNS verification template in the dashboard. This PR doesn't fix that — it just makes the failure mode legible and stops handing users broken instructions. While the WorkOS config is missing, brand-claim flow fails fast with a 503; manual `verification_strategy: manual` flips via the WorkOS dashboard (followed by `/api/admin/.../brand-claim/verify` to write through) remain the workaround.
Test plan
- `npx vitest run tests/unit/brand-claim-service.test.ts` — 21/21 pass (2 new + 19 existing)
- `npx vitest run tests/integration/brand-claim-apply-verified.test.ts` — 8/8 pass
- `POST /api/me/member-profile/brand-claim/issue` against a WorkOS env without DNS template configured, verify 503 + clear message
🤖 Generated with Claude Code
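
The split described in this PR, sketched as an added example that is not part of the PR or the project's code: recreate only when the token is missing, and return `workos_misconfigured` without touching provider state when a token is present but the prefix is not. `DomainRecord`, `DomainProvider`, `issueChallenge`, `httpStatus` and `stubProvider` are hypothetical names, and the 502 mapping for `workos_error` is an assumption.

```typescript
// Added illustration: all names here are hypothetical, not the project's code.
interface DomainRecord {
  domain: string;
  verificationToken: string | null;
  verificationPrefix: string | null;
}
type IssueResult =
  | { code: "ok"; dns_record_name: string; token: string; instructions: string }
  | { code: "workos_misconfigured" }
  | { code: "workos_error" };
// Minimal provider surface so the flow can run offline against a stub.
interface DomainProvider {
  deleteDomain(domain: string): void;
  createDomain(domain: string): DomainRecord;
}

function issueChallenge(existing: DomainRecord | null, provider: DomainProvider, domain: string): IssueResult {
  let rec: DomainRecord | null = existing;
  if (rec && !rec.verificationToken) {
    // Only a missing token justifies delete-and-recreate.
    provider.deleteDomain(domain);
    rec = null;
  }
  if (!rec) rec = provider.createDomain(domain);
  const token = rec.verificationToken;
  const prefix = rec.verificationPrefix;
  if (!token) return { code: "workos_error" };
  // Token present, prefix absent: a config gap that recreating cannot fix.
  // Return without touching provider state, so no token is rotated.
  if (!prefix) return { code: "workos_misconfigured" };
  const name = `${prefix}.${rec.domain}`;
  return {
    code: "ok", dns_record_name: name, token,
    instructions: `Publish a DNS TXT record at ${name} with value ${token}`,
  };
}

// 503 for workos_misconfigured follows the PR; 502 for workos_error is assumed.
function httpStatus(r: IssueResult): number {
  if (r.code === "ok") return 200;
  return r.code === "workos_misconfigured" ? 503 : 502;
}

// Stub provider that counts calls, to check that nothing is churned.
function stubProvider(created: DomainRecord) {
  const calls = { deletes: 0, creates: 0 };
  const provider: DomainProvider = {
    deleteDomain: () => { calls.deletes++; },
    createDomain: () => { calls.creates++; return created; },
  };
  return { provider, calls };
}
```

Because a token published in DNS stays valid only while the provider record is left alone, the misconfigured branch returns before any delete or create call is made.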