while-basic
diff --git a/‎.claude/CLAUDE-KNOWLEDGE.md‎
Lines changed: 127 additions & 2 deletions b/‎.claude/CLAUDE-KNOWLEDGE.md‎
Lines changed: 127 additions & 2 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 5 additions & 3 deletions b/‎CLAUDE.md‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎apps/backend/src/app/api/latest/auth/anonymous/sign-up/route.ts‎
Lines changed: 0 additions & 13 deletions b/‎apps/backend/src/app/api/latest/auth/anonymous/sign-up/route.ts‎
Lines changed: 0 additions & 13 deletions
diff --git a/‎apps/backend/src/app/api/latest/auth/oauth/authorize/[provider_id]/route.tsx‎
Lines changed: 7 additions & 3 deletions b/‎apps/backend/src/app/api/latest/auth/oauth/authorize/[provider_id]/route.tsx‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎apps/backend/src/app/api/latest/auth/oauth/callback/[provider_id]/route.tsx‎
Lines changed: 28 additions & 21 deletions b/‎apps/backend/src/app/api/latest/auth/oauth/callback/[provider_id]/route.tsx‎
Lines changed: 28 additions & 21 deletions
diff --git a/‎apps/backend/src/app/api/latest/auth/otp/sign-in/verification-code-handler.tsx‎
Lines changed: 9 additions & 5 deletions b/‎apps/backend/src/app/api/latest/auth/otp/sign-in/verification-code-handler.tsx‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎apps/backend/src/app/api/latest/auth/password/sign-up/route.tsx‎
Lines changed: 12 additions & 10 deletions b/‎apps/backend/src/app/api/latest/auth/password/sign-up/route.tsx‎
Lines changed: 12 additions & 10 deletions
@@ -1,6 +1,131 @@
 # CLAUDE-KNOWLEDGE.md
 
-This file documents key learnings from implementing wildcard domain support in Stack Auth, organized in Q&A format.
+This file contains knowledge learned while working on the codebase in Q&A format.
+
+## Q: How do anonymous users work in Stack Auth?
+A: Anonymous users are a special type of user that can be created without any authentication. They have `isAnonymous: true` in the database and use different JWT signing keys with a `role: 'anon'` claim. Anonymous JWTs use a prefixed secret ("anon-" + audience) for signing and verification.
+
+## Q: How are anonymous user JWTs different from regular user JWTs?
+A: Anonymous JWTs have:
+1. Different kid (key ID) - prefixed with "anon-" in the generation
+2. Different signing secret - uses `getPerAudienceSecret` with `isAnonymous: true`
+3. Contains `role: 'anon'` in the payload
+4. Must pass `isAnonymous` flag to both `getPrivateJwk` and `getPublicJwkSet` functions for proper verification
+
+## Q: What is the X-Stack-Allow-Anonymous-User header?
+A: This header controls whether anonymous users are allowed to access an endpoint. When set to "true" (which is the default for client SDK calls), anonymous JWTs are accepted. When false or missing, anonymous users get an `AnonymousAuthenticationNotAllowed` error.
+
+## Q: How do you upgrade an anonymous user to a regular user?
+A: When an anonymous user (identified by `is_anonymous: true`) signs up or signs in through any auth method (password, OTP, OAuth), instead of creating a new user, the system upgrades the existing anonymous user by:
+1. Setting `is_anonymous: false`
+2. Adding the authentication method (email, password, OAuth provider, etc.)
+3. Keeping the same user ID so old JWTs remain valid
+
+## Q: How do you access the current user in smart route handlers?
+A: In smart route handlers, the user is accessed through `fullReq.auth?.user` not through the destructured `auth` parameter. The auth parameter only guarantees `tenancy`, while `user` is optional and needs to be accessed from the full request.
+
+## Q: How do user CRUD handlers work with parameters?
+A: The `adminUpdate` and similar methods take parameters directly, not wrapped in a `params` object:
+- Correct: `adminUpdate({ tenancy, user_id: "...", data: {...} })`
+- Wrong: `adminUpdate({ tenancy, params: { user_id: "..." }, data: {...} })`
+
+## Q: What query parameter filters anonymous users in user endpoints?
+A: The `include_anonymous` query parameter controls whether anonymous users are included in results:
+- Without parameter or `include_anonymous=false`: Anonymous users are filtered out
+- With `include_anonymous=true`: Anonymous users are included in results
+This applies to user list, get by ID, search, and team member endpoints.
+
+## Q: How does the JWKS endpoint handle anonymous keys?
+A: The JWKS (JSON Web Key Set) endpoint at `/.well-known/jwks.json`:
+- By default: Returns only regular user signing keys
+- With `?include_anonymous=true`: Returns both regular and anonymous user signing keys
+This allows systems that need to verify anonymous JWTs to fetch the appropriate public keys.
+
+## Q: What is the typical test command flow for Stack Auth?
+A: 
+1. `pnpm typecheck` - Check TypeScript compilation
+2. `pnpm lint --fix` - Fix linting issues
+3. `pnpm test run <path>` - Run specific tests (the `run` is important to avoid watch mode)
+4. Use `-t "test name"` to run specific tests by name
+
+## Q: How do E2E tests handle authentication in Stack Auth?
+A: E2E tests use `niceBackendFetch` which automatically:
+- Sets `x-stack-allow-anonymous-user: "true"` for client access type
+- Includes project keys and tokens from `backendContext.value`
+- Handles auth tokens through the context rather than manual header setting
+
+## Q: What is the signature of a verification code handler?
+A: The handler function in `createVerificationCodeHandler` receives 5 parameters:
+```typescript
+async handler(tenancy, validatedMethod, validatedData, requestBody, currentUser)
+```
+Where:
+- `tenancy` - The tenancy object
+- `validatedMethod` - The validated method data (e.g., `{ email: "..." }`)
+- `validatedData` - The validated data object
+- `requestBody` - The raw request body
+- `currentUser` - The current authenticated user (if any)
+
+## Q: How does JWT key derivation work for anonymous users?
+A: The JWT signing/verification uses a multi-step key derivation process:
+1. **Secret Derivation**: `getPerAudienceSecret()` creates a derived secret from:
+   - Base secret (STACK_SERVER_SECRET)
+   - Audience (usually project ID)
+   - Optional "anon-" prefix for anonymous users
+2. **Kid Generation**: `getKid()` creates a key ID from:
+   - Base secret (STACK_SERVER_SECRET) 
+   - "kid" string with optional "anon-" prefix
+   - Takes only first 12 characters of hash
+3. **Key Generation**: Private/public keys are generated from the derived secret
+
+## Q: What is the JWT signing and verification flow?
+A: 
+**Signing (signJWT)**:
+1. Derive secret: `getPerAudienceSecret(audience, STACK_SERVER_SECRET, isAnonymous)`
+2. Generate kid: `getKid(STACK_SERVER_SECRET, isAnonymous)`
+3. Create private key from derived secret
+4. Sign JWT with kid in header and role in payload
+
+**Verification (verifyJWT)**:
+1. Decode JWT without verification to read the role
+2. Check if role === 'anon' to determine if it's anonymous
+3. Derive secret with same parameters as signing
+4. Generate kid with same parameters as signing
+5. Create public key set and verify JWT
+
+## Q: What makes anonymous JWTs different from regular JWTs?
+A: Anonymous JWTs have:
+1. **Different derived secret**: Uses "anon-" prefix in secret derivation
+2. **Different kid**: Uses "anon-" prefix resulting in different key ID
+3. **Role field**: Contains `role: 'anon'` in the payload
+4. **Verification requirements**: Requires `allowAnonymous: true` flag to be verified
+
+## Q: How do you debug JWT verification issues?
+A: Common debugging steps:
+1. Check that the `X-Stack-Allow-Anonymous-User` header is set to "true"
+2. Verify the JWT has `role: 'anon'` in its payload
+3. Ensure the same secret derivation parameters are used for signing and verification
+4. Check that the kid in the JWT header matches the expected kid
+5. Verify that `allowAnonymous` flag is passed through the entire call chain
+
+## Q: What is the difference between getPrivateJwk and getPrivateJwkFromDerivedSecret?
+A: 
+- `getPrivateJwk(secret, isAnonymous)`: Takes a base secret, may derive it internally, generates kid
+- `getPrivateJwkFromDerivedSecret(derivedSecret, kid)`: Takes an already-derived secret and pre-calculated kid
+The second is used internally for the actual JWT signing flow, while the first is for backward compatibility and special cases like IDP.
+
+## Q: How does the JWT verification process work with jose?
+A: The `jose.jwtVerify` function:
+1. Extracts the kid from the JWT header
+2. Looks for a key with matching kid in the provided JWK set
+3. Uses that key to verify the JWT signature
+4. If no matching kid is found, verification fails with an error
+
+## Q: What causes UNPARSABLE_ACCESS_TOKEN errors?
+A: This error occurs when JWT verification fails in `decodeAccessToken`. Common causes:
+1. Kid mismatch - the kid in the JWT header doesn't match any key in the JWK set
+2. Wrong secret derivation - using different parameters for signing vs verification
+3. JOSEError thrown during `jose.jwtVerify` due to invalid signature or key mismatch
 
 ## OAuth Flow and Validation
 
@@ -240,4 +365,4 @@ A: This happens when packages haven't been built yet. Run these commands in orde
 ```bash
 pnpm clean && pnpm i && pnpm codegen && pnpm build:packages
 ```
-Then restart the dev server. This rebuilds all packages and generates the necessary TypeScript declarations.
+Then restart the dev server. This rebuilds all packages and generates the necessary TypeScript declarations.
@@ -72,9 +72,11 @@ To see all development ports, refer to the index.html of `apps/dev-launchpad/pub
 - Environment variables are pre-configured in `.env.development` files
 - Always run typecheck, lint, and test to make sure your changes are working as expected. You can save time by only linting and testing the files you've changed (and/or related E2E tests).
 - The project uses a custom route handler system in the backend for consistent API responses
-- Sometimes, the typecheck will give errors along the line of "Cannot assign Buffer to Uint8Array" or similar, on changes that are completely unrelated to your own changes. If that happens, tell the user to run `pnpm clean && pnpm i && pnpm run codegen && pnpm build:packages`, and restart the dev server (you cannot run this yourself). After that's done, the typecheck should pass.
-- When writing tests, prefer .toMatchInlineSnapshot over other selectors, if possible. You can check (and modify) the snapshot-serializer.ts file to see how the snapshots are formatted and how non-deterministic values are handled.
-- Whenever you learn something new, or at the latest right before you call the `Stop` tool, write whatever you learned into the ./claude/CLAUDE-KNOWLEDGE.md file, in the Q&A format in there. You will later be able to look up knowledge from there (based on the question you asked).
+- Sometimes, the typecheck will give errors along the line of "Cannot assign Buffer to Uint8Array" or similar, on changes that are completely unrelated to your own changes. If that happens, stop and tell the user to run `pnpm clean && pnpm i && pnpm run codegen && pnpm build:packages`, and restart the dev server (you cannot run this yourself). After that's done, the typecheck should pass.
+- Whenever you learn something new, or at the latest right before you call the `Stop` tool, write whatever you learned into the .claude/CLAUDE-KNOWLEDGE.md file, in the Q&A format in there. You will later be able to look up knowledge from there (based on the question you asked). Note that it's not 100% accurate and you may have to update it later if you find that something is wrong.
 
 ### Code-related
 - Use ES6 maps instead of records wherever you can.
+
+### Testing-related
+- When writing tests, prefer .toMatchInlineSnapshot over other matchers, if possible. You can check (and modify) the snapshot-serializer.ts file to see how the snapshots are formatted and how non-deterministic values are handled.
@@ -1,16 +1,8 @@
 import { createAuthTokens } from "@/lib/tokens";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
-import { KnownErrors } from "@stackframe/stack-shared";
 import { adaptSchema, clientOrHigherAuthTypeSchema, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
 import { usersCrudHandlers } from "../../../users/crud";
 
-// Define the allowed project IDs for anonymous sign-up
-const ALLOWED_PROJECT_IDS = [
-  "9bee8100-8d83-4ad7-aaad-d6607e386a28",
-  "71bd203a-14d9-4ccc-b704-32bfac0e2542",
-  "internal",
-];
-
 export const POST = createSmartRouteHandler({
   metadata: {
     summary: "Sign up anonymously",
@@ -34,14 +26,9 @@ export const POST = createSmartRouteHandler({
     }).defined(),
   }),
   async handler({ auth: { project, type, tenancy } }) {
-    if (!ALLOWED_PROJECT_IDS.includes(project.id)) {
-      throw new KnownErrors.AnonymousAccountsNotEnabled();
-    }
-
     const createdUser = await usersCrudHandlers.adminCreate({
       tenancy,
       data: {
-        display_name: "Anonymous user",
         is_anonymous: true,
       },
       allowedErrorTypes: [],
 
@@ -71,10 +71,14 @@ export const GET = createSmartRouteHandler({
 
     const provider = { id: providerRaw[0], ...providerRaw[1] };
 
-    // If the authorization token is present, we are adding new scopes to the user instead of sign-in/sign-up
+    if (query.type === "link" && !query.token) {
+      throw new StatusError(StatusError.BadRequest, "?token= query parameter is required for link type");
+    }
+
+    // If a token is provided, store it in the outer info so we can use it to link another user to the account, or to upgrade an anonymous user
     let projectUserId: string | undefined;
-    if (query.type === "link") {
-      const result = await decodeAccessToken(query.token);
+    if (query.token) {
+      const result = await decodeAccessToken(query.token, { allowAnonymous: true });
       if (result.status === "error") {
         throw result.error;
       }
 
@@ -3,6 +3,7 @@ import { getAuthContactChannel } from "@/lib/contact-channel";
 import { validateRedirectUrl } from "@/lib/redirect-urls";
 import { Tenancy, getTenancy } from "@/lib/tenancies";
 import { oauthCookieSchema } from "@/lib/tokens";
+import { createOrUpgradeAnonymousUser } from "@/lib/users";
 import { getProvider, oauthServer } from "@/oauth";
 import { getPrismaClientForTenancy, globalPrismaClient } from "@/prisma-client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
@@ -348,45 +349,51 @@ const handler = createSmartRouteHandler({
                     }
                   }
 
+
                   if (!tenancy.config.auth.allowSignUp) {
                     throw new KnownErrors.SignUpNotEnabled();
                   }
 
-                  const newAccount = await usersCrudHandlers.adminCreate({
+                  const currentUser = projectUserId ? await usersCrudHandlers.adminRead({ tenancy, user_id: projectUserId }) : null;
+                  const newAccountBeforeAuthMethod = await createOrUpgradeAnonymousUser(
                     tenancy,
-                    data: {
+                    currentUser,
+                    {
                       display_name: userInfo.displayName,
                       profile_image_url: userInfo.profileImageUrl || undefined,
                       primary_email: userInfo.email,
                       primary_email_verified: userInfo.emailVerified,
                       primary_email_auth_enabled: primaryEmailAuthEnabled,
-                      oauth_providers: [{
-                        id: provider.id,
-                        account_id: userInfo.accountId,
-                        email: userInfo.email,
-                      }],
                     },
+                    [],
+                  );
+                  const authMethod = await prisma.authMethod.create({
+                    data: {
+                      tenancyId: tenancy.id,
+                      projectUserId: newAccountBeforeAuthMethod.id,
+                    }
                   });
-
-                  const oauthAccount = await prisma.projectUserOAuthAccount.findUnique({
-                    where: {
-                      tenancyId_configOAuthProviderId_projectUserId_providerAccountId: {
-                        tenancyId: outerInfo.tenancyId,
-                        configOAuthProviderId: provider.id,
-                        providerAccountId: userInfo.accountId,
-                        projectUserId: newAccount.id,
+                  const oauthAccount = await prisma.projectUserOAuthAccount.create({
+                    data: {
+                      tenancyId: tenancy.id,
+                      projectUserId: newAccountBeforeAuthMethod.id,
+                      configOAuthProviderId: provider.id,
+                      providerAccountId: userInfo.accountId,
+                      email: userInfo.email,
+                      oauthAuthMethod: {
+                        create: {
+                          authMethodId: authMethod.id,
+                        }
                       },
-                    },
+                      allowConnectedAccounts: true,
+                      allowSignIn: true,
+                    }
                   });
 
-                  if (!oauthAccount) {
-                    throw new StackAssertionError("OAuth account not found");
-                  }
-
                   await storeTokens(oauthAccount.id);
 
                   return {
-                    id: newAccount.id,
+                    id: newAccountBeforeAuthMethod.id,
                     newUser: true,
                     afterCallbackRedirectUrl,
                   };
 
@@ -2,6 +2,7 @@ import { getAuthContactChannel } from "@/lib/contact-channel";
 import { sendEmailFromTemplate } from "@/lib/emails";
 import { getSoleTenancyFromProjectBranch, Tenancy } from "@/lib/tenancies";
 import { createAuthTokens } from "@/lib/tokens";
+import { createOrUpgradeAnonymousUser } from "@/lib/users";
 import { getPrismaClientForTenancy } from "@/prisma-client";
 import { createVerificationCodeHandler } from "@/route-handlers/verification-code-handler";
 import { VerificationCodeType } from "@prisma/client";
@@ -100,20 +101,23 @@ export const signInVerificationCodeHandler = createVerificationCodeHandler({
       nonce: codeObj.code.slice(6),
     };
   },
-  async handler(tenancy, { email }) {
+  async handler(tenancy, { email }, data, requestBody, currentUser) {
     let user = await ensureUserForEmailAllowsOtp(tenancy, email);
     let isNewUser = false;
+
     if (!user) {
-      isNewUser = true;
-      user = await usersCrudHandlers.adminCreate({
+      user = await createOrUpgradeAnonymousUser(
         tenancy,
-        data: {
+        currentUser ?? null,
+        {
           primary_email: email,
           primary_email_verified: true,
           primary_email_auth_enabled: true,
           otp_auth_enabled: true,
         },
-      });
+        []
+      );
+      isNewUser = true;
     }
 
     if (user.requires_totp_mfa) {
 
@@ -1,12 +1,12 @@
 import { validateRedirectUrl } from "@/lib/redirect-urls";
 import { createAuthTokens } from "@/lib/tokens";
+import { createOrUpgradeAnonymousUser } from "@/lib/users";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { runAsynchronouslyAndWaitUntil } from "@/utils/vercel";
 import { KnownErrors } from "@stackframe/stack-shared";
 import { getPasswordError } from "@stackframe/stack-shared/dist/helpers/password";
 import { adaptSchema, clientOrHigherAuthTypeSchema, emailVerificationCallbackUrlSchema, passwordSchema, signInEmailSchema, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
 import { contactChannelVerificationCodeHandler } from "../../../contact-channels/verify/verification-code-handler";
-import { usersCrudHandlers } from "../../../users/crud";
 import { createMfaRequiredError } from "../../mfa/sign-in/verification-code-handler";
 
 export const POST = createSmartRouteHandler({
@@ -19,6 +19,7 @@ export const POST = createSmartRouteHandler({
     auth: yupObject({
       type: clientOrHigherAuthTypeSchema,
       tenancy: adaptSchema,
+      user: adaptSchema.optional()
     }).defined(),
     body: yupObject({
       email: signInEmailSchema.defined(),
@@ -35,7 +36,7 @@ export const POST = createSmartRouteHandler({
       user_id: yupString().defined(),
     }).defined(),
   }),
-  async handler({ auth: { tenancy }, body: { email, password, verification_callback_url: verificationCallbackUrl } }, fullReq) {
+  async handler({ auth: { tenancy, user: currentUser }, body: { email, password, verification_callback_url: verificationCallbackUrl } }, fullReq) {
     if (!tenancy.config.auth.password.allowSignIn) {
       throw new KnownErrors.PasswordAuthenticationNotEnabled();
     }
@@ -44,25 +45,26 @@ export const POST = createSmartRouteHandler({
       throw new KnownErrors.RedirectUrlNotWhitelisted();
     }
 
+    if (!tenancy.config.auth.allowSignUp) {
+      throw new KnownErrors.SignUpNotEnabled();
+    }
+
     const passwordError = getPasswordError(password);
     if (passwordError) {
       throw passwordError;
     }
 
-    if (!tenancy.config.auth.allowSignUp) {
-      throw new KnownErrors.SignUpNotEnabled();
-    }
-
-    const createdUser = await usersCrudHandlers.adminCreate({
+    const createdUser = await createOrUpgradeAnonymousUser(
       tenancy,
-      data: {
+      currentUser ?? null,
+      {
         primary_email: email,
         primary_email_verified: false,
         primary_email_auth_enabled: true,
         password,
       },
-      allowedErrorTypes: [KnownErrors.UserWithEmailAlreadyExists],
-    });
+      [KnownErrors.UserWithEmailAlreadyExists]
+    );
 
     runAsynchronouslyAndWaitUntil((async () => {
       await contactChannelVerificationCodeHandler.sendCode({