feat: admin_remove_user RPC fully removes from auth.users (schema v17)

Author: eldinmiller

CHANGELOG.md

@@ -2,6 +2,25 @@
 
 All notable changes to BluePLM will be documented in this file.
 
+## [2.19.1] - 2025-12-31
+
+### Changed
+- **Admin remove user fully deletes**: Removing a user from the organization now fully deletes them from `auth.users`, allowing clean re-invites without "user already registered" errors
+- **Schema version**: Bumped to v17
+
+---
+
+## [2.19.0] - 2025-12-31
+
+### Fixed
+- **Multi-vault display bug on sign-in**: Fixed issue where the second vault would show the first vault's files until manually selecting each vault. Root cause was the working directory not updating when `activeVaultId` changed, and stale closure issues in the auto-connect flow
+- **Invited users can't see teams/roles**: Fixed critical bug where `handle_new_user` didn't include `org_id` in the `ON CONFLICT UPDATE` clause, so returning users with pending invites never had their org assigned
+
+### Changed
+- **Schema version**: Bumped to v13
+
+---
+
 ## [2.18.3] - 2025-12-31
 
 ### Added

api/server.ts

@@ -1514,7 +1514,20 @@ export async function buildServer(): Promise<FastifyInstance> {
     const orgCodeChunks = orgCodeBase64.match(/.{1,4}/g) || []
     const orgCode = 'PDM-' + orgCodeChunks.join('-')
 
-    // Send invite email using Supabase Auth
+    // If user already has an auth account (e.g., was previously in org and removed),
+    // we can't send an invite email (Supabase doesn't allow it for existing users)
+    // Return the org code so admin can share it directly
+    if (existingAuthUser) {
+      return {
+        success: true,
+        message: `${normalizedEmail} already has an account. Share this org code with them to rejoin:`,
+        pending_member_id: pendingMemberId,
+        org_code: orgCode,
+        existing_user: true
+      }
+    }
+    
+    // Send invite email using Supabase Auth (only for NEW users)
     // Include org code in email data so it can be displayed in the email template
     // Redirect to downloads page after confirmation
     const { error: inviteError } = await adminClient.auth.admin.inviteUserByEmail(normalizedEmail, {
@@ -1531,9 +1544,7 @@ export async function buildServer(): Promise<FastifyInstance> {
       fastify.log.warn({ email: normalizedEmail, error: inviteError }, 'Failed to send invite email, but pending member created')
       return {
         success: true,
-        message: resend 
-          ? `Failed to resend invite: ${inviteError.message}` 
-          : `User added but invite email failed: ${inviteError.message}. They can still sign up manually.`,
+        message: `Invite created for ${normalizedEmail}. Email delivery failed but they can sign in manually.`,
         pending_member_id: pendingMemberId
       }
     }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "blue-plm",
-  "version": "2.18.3",
+  "version": "2.19.1",
   "description": "Product Lifecycle Management for everyone who builds",
   "main": "dist-electron/main.js",
   "scripts": {

src/components/settings/TeamMembersSettings.tsx

@@ -15,7 +15,7 @@ import {
   Check,
   Search,
   Copy,
-  Crown,
+  Star,
   Lock,
   UserMinus,
   RefreshCw,
@@ -1626,7 +1626,7 @@ export function TeamMembersSettings() {
                               </span>
                             )}
                             {team.is_system && (
-                              <Crown size={12} className="text-yellow-500" />
+                              <Star size={12} className="text-yellow-500 fill-yellow-500" />
                             )}
                           </div>
                           <div className="text-xs text-plm-fg-muted flex items-center gap-3">
@@ -1717,8 +1717,8 @@ export function TeamMembersSettings() {
                               )}
                               {team.is_system && (
                                 <span className="text-xs text-plm-fg-muted flex items-center gap-1 ml-auto">
-                                  <Crown size={12} className="text-yellow-500" />
-                                  System team (cannot be deleted)
+                                  <Star size={12} className="text-yellow-500 fill-yellow-500" />
+                                  Required
                                 </span>
                               )}
                             </div>
@@ -5146,7 +5146,13 @@ function CreateUserDialog({
           return
         }
 
-        addToast('success', result.message || `Invite sent to ${email}`)
+        // If user already has an account, copy org code to clipboard
+        if (result.existing_user && result.org_code) {
+          await copyToClipboard(result.org_code)
+          addToast('success', `${result.message} (copied to clipboard)`)
+        } else {
+          addToast('success', result.message || `Invite sent to ${email}`)
+        }
         onCreated()
         onClose()
         return

src/lib/schemaVersion.ts

@@ -21,7 +21,7 @@ import { supabase } from './supabase'
 
 // The schema version this app version expects
 // Increment this when releasing app updates that require schema changes
-export const EXPECTED_SCHEMA_VERSION = 12
+export const EXPECTED_SCHEMA_VERSION = 17
 
 // Minimum schema version that will still work (for soft warnings vs hard errors)
 // Set this to allow some backwards compatibility
@@ -41,6 +41,11 @@ export const VERSION_DESCRIPTIONS: Record<number, string> = {
   10: 'join_org_by_slug creates user record if trigger hasn\'t fired (fixes org code race condition)',
   11: 'Case-insensitive email matching for pending_org_members (fixes invite flow with different email case)',
   12: 'Block user feature and regenerate org code (security features)',
+  13: 'Fixed invite org assignment - handle_new_user includes org_id in UPDATE',
+  14: 'Robust enum creation using pg_type check',
+  15: 'Fixed workflow role assignment table name',
+  16: 'Simplified default teams: Administrators (mandatory) + New Users (deletable)',
+  17: 'admin_remove_user RPC fully removes user from org and auth.users',
 }
 
 export interface SchemaVersionInfo {

src/lib/supabase.ts

@@ -2197,43 +2197,37 @@ export async function updateUserRole(
  */
 export async function removeUserFromOrg(
   targetUserId: string,
-  adminOrgId: string
+  _adminOrgId: string
 ): Promise<{ success: boolean; error?: string }> {
   const client = getSupabaseClient()
 
-  // Verify target user is in same org
+  // Get target user's email for the RPC call
   const { data: targetUser, error: fetchError } = await client
     .from('users')
-    .select('id, org_id, email')
+    .select('email')
     .eq('id', targetUserId)
     .single()
 
   if (fetchError || !targetUser) {
     return { success: false, error: 'User not found' }
   }
 
-  if (targetUser.org_id !== adminOrgId) {
-    return { success: false, error: 'User is not in your organization' }
-  }
-  
-  // Delete any pending_org_members entries for this user's email in this org
-  // This allows the user to be re-invited later without constraint violations
-  await client
-    .from('pending_org_members')
-    .delete()
-    .eq('org_id', adminOrgId)
-    .ilike('email', targetUser.email)
-  
-  // Remove from org by setting org_id to null
-  const { error } = await client
-    .from('users')
-    .update({ org_id: null, role: 'engineer' }) // Reset to default role
-    .eq('id', targetUserId)
+  // Call admin_remove_user RPC which fully removes the user from org AND auth.users
+  // This allows them to be cleanly re-invited later
+  const { data, error } = await client.rpc('admin_remove_user', {
+    p_user_email: targetUser.email
+  })
 
   if (error) {
     return { success: false, error: error.message }
   }
 
+  const result = data as { success: boolean; error?: string; message?: string }
+  
+  if (!result.success) {
+    return { success: false, error: result.error || 'Failed to remove user' }
+  }
+  
   return { success: true }
 }