From c7df5c83a4fe1bd726300106bedf763b7afa09c6 Mon Sep 17 00:00:00 2001
From: admin
Date: Wed, 29 Apr 2026 12:33:04 +0200
Subject: [PATCH] Fix user view tenant

---
 src/lib/auth.ts | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 2914308..3fc2c3c 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -57,6 +57,22 @@ export const authConfig: NextAuthConfig = {
 claims["urn:zitadel:iam:org:project:roles"]
 );
 token.accessToken = account.access_token;
+ // Pin token.sub to the OIDC subject. Auth.js v5 otherwise puts a
+ // freshly generated UUID in token.sub on initial sign-in,
+ // ignoring what profile() returns for `id`. That UUID then
+ // becomes session.user.id everywhere downstream — including
+ // `tenant_user_assignments.assigned_by` and (more importantly)
+ // the WHERE clause used to look up the invited user's
+ // assignments on the dashboard. With a UUID in the session and
+ // a ZITADEL snowflake in the DB, the lookup matches nothing
+ // and assigned tenants never appear (Bug 27).
+ //
+ // Reference: https://github.com/nextauthjs/next-auth/issues/11174
+ // Auth.js respects an explicit token.sub assignment; the
+ // override below is preserved across subsequent jwt() calls.
+ if (typeof profile.sub === "string") {
+ token.sub = profile.sub;
+ }
 }
 return token;
 },
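Review bot: The `typeof profile.sub === "string"` guard at the end of the added block fails open: when the claim is missing or not a string, `token.sub` silently keeps the Auth.js-generated UUID, which is the exact mismatch this patch sets out to fix, and that value then drives the tenant-assignment lookup and `assigned_by`. Since `sub` is a required claim in an OIDC ID token, rejecting the sign-in is safer than continuing with an identity the database cannot match, e.g. `if (typeof profile.sub !== "string") throw new Error("OIDC profile is missing sub");` followed by `token.sub = profile.sub;`. The enclosing `if` and the start of the jwt callback are outside the hunk, so it cannot be confirmed from here that `profile` is always defined on this path; if that guard only tests `account`, read `profile?.sub` instead. The pin also appears to run only on initial sign-in, so JWTs issued before this change would keep their UUID until the user signs in again, and any `assigned_by` rows already written with a UUID are not corrected by this patch.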