[CLC-2032] Block login and workspace operations for Classic PAYG sunset #21100
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implement feature flag-based blocking for Gitpod Classic PAYG users: Backend: - Add utility functions to check if user is blocked by sunset - Block login attempts in /login route handler, redirect to app.ona.com - Block workspace creation and start operations in workspace-service-api - Exempt users with roles/permissions and users in exempted organizations Frontend: - Update login page to show 'Login with Ona' button when sunset is enabled - Keep SSO login form visible for exempted organizations - Hide sunset notice banner when flag is enabled - Update heading to 'Gitpod Classic has sunset' Feature flag: classic_payg_sunset_enabled (JSON with enabled boolean and exemptedOrganizations array) Co-authored-by: Ona <[email protected]>
When sunset is enabled on gitpod.io, users now see a simplified UI: - 'Continue with Ona' button (default) - Link to show all login options (?oldLogin=true) With ?oldLogin=true parameter: - Shows all OAuth provider buttons - Shows SSO login form - Full functionality for exempted organizations The link preserves returnToPath parameter if present. Co-authored-by: Ona <[email protected]>
Split sunset blocking logic into two functions: - isUserLoginBlockedBySunset: checks roles/permissions exemption for login - isWorkspaceStartBlockedBySunset: checks org-level exemption for workspace ops Move ClassicPaygSunsetConfig interface to gitpod-protocol for reusability. Pass organizationId explicitly to workspace blocking checks. Co-authored-by: Ona <[email protected]>
Import ClassicPaygSunsetConfig type from gitpod-protocol and use it as the default value for classic_payg_sunset_enabled feature flag. This leverages TypeScript's generic type inference in useFeatureFlag: - useFeatureFlag<K extends keyof FeatureFlags> returns FeatureFlags[K] - For classic_payg_sunset_enabled, it now returns ClassicPaygSunsetConfig - Other flags continue to return their respective types (boolean, string, etc.) Updated Login.tsx to access .enabled property with type guard to handle the union type (ClassicPaygSunsetConfig | boolean) during loading state. This ensures type safety and consistency between frontend and backend. Co-authored-by: Ona <[email protected]>
ConfigCat text flags return strings, so we need to parse JSON on both frontend and backend. Backend (featureflags.ts): - Send JSON.stringify(defaultConfig) to ConfigCat - Parse returned string with JSON.parse() - Handle errors gracefully with fallback to default Frontend (featureflag-query.ts): - Add parseFeatureFlagValue() helper for JSON flags - Send stringified default for classic_payg_sunset_enabled - Parse returned string value - Maintain type safety with generic return types This allows ConfigCat to store the flag as text while maintaining the typed object structure in our code. Co-authored-by: Ona <[email protected]>
Add isDedicatedInstallation parameter to sunset check functions. Dedicated installations always return false (not blocked) regardless of feature flag state. Changes: - isUserLoginBlockedBySunset: add isDedicatedInstallation param - isWorkspaceStartBlockedBySunset: add isDedicatedInstallation param - UserController: pass config.isDedicatedInstallation to login check - WorkspaceServiceAPI: inject Config and pass isDedicatedInstallation This ensures the sunset only affects gitpod.io (PAYG) and not dedicated installations. Co-authored-by: Ona <[email protected]>
Co-authored-by: Ona <[email protected]>
Co-authored-by: Ona <[email protected]>
corneliusludmann
approved these changes
Oct 15, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does
Implements feature flag-based blocking for Gitpod Classic PAYG users to support the sunset process.
Backend Changes
featureflags.ts:getClassicPaygSunsetConfig()- fetches feature flag configurationisUserBlockedBySunset()- determines if a user should be blockeduser-controller.ts:/loginroute handlerapp.ona.com/loginworkspace-service-api.ts:createAndStartWorkspace()operationsstartWorkspace()operationsFrontend Changes
Login.tsx):featureflag-query.tsFeature Flag Configuration
classic_payg_sunset_enabled{ enabled: boolean, exemptedOrganizations: string[] }{ enabled: false, exemptedOrganizations: [] }Exemption Logic
Users are NOT blocked if:
rolesOrPermissions(admins, staff)organizationIdis in theexemptedOrganizationslistUsers ARE blocked if:
organizationId)Testing
GITPOD_WITH_DEDICATED_EMU=true leeway run dev:previewleeway run dev:previewRelated Issues
Fixes CLC-2032