feat: Plain customer cards

[isshaddad]

Changes

• Add Plain customer cards endpoint that returns user account details, organizations, and projects when Plain requests customer information.
• Add impersonate button in customer cards that links to /admin?impersonate={userId} for admin users.
• Update admin route to support GET-based impersonation via query parameter (in addition to existing POST form).

Testing

Setup

1. Environment Variables

   Set these in your .env file:

   PLAIN_CUSTOMER_CARDS_SECRET=your-secret-here
   PLAIN_CUSTOMER_CARDS_KEY=account-details  # optional, defaults to "account-details"
   PLAIN_CUSTOMER_CARDS_HEADERS=Authorization  # optional, defaults to "Authorization"

2. Configure Plain Customer Cards

   • Go to Plain Settings > Customer Cards
   • Create a new card or use the existing "Account Details" card
   • Set the endpoint URL to a publicly accessible URL (e.g., using ngrok: https://your-ngrok-url/api/v1/plain/customer-cards or your deployed URL)
   • Populate the 3 environment variables in Plain's configuration

Option 1: Test with cURL

curl -X POST http://localhost:3030/api/v1/plain/customer-cards \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-secret-here" \
  -d '{
    "customer": {
      "id": "test-customer",
      "email": "test@example.com"
    },
    "cardKeys": ["your-card-key"]
  }'

Replace:

• test@example.com with an actual user email from your database
• your-card-key with the value you set for PLAIN_CUSTOMER_CARDS_KEY (or use "account-details" if using the default)

Option 2: Test with Plain Account

1. Open a Plain thread for a customer that exists in your database
2. The customer card should appear in the bottom right under account details
3. Verify the impersonate button is visible and links correctly

[changeset-bot]

⚠️ No Changeset found

Latest commit: b51943f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vibe-kanban-cloud]

Review Complete

Your review story is ready!

View Story

Comment !reviewfast on this PR to re-generate the story.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds three optional env vars: PLAIN_CUSTOMER_CARDS_SECRET, PLAIN_CUSTOMER_CARDS_KEY, and PLAIN_CUSTOMER_CARDS_HEADERS. Adds a POST route at /api.v1/plain/customer-cards that authenticates via bearer/plain token, validates JSON, looks up users by externalId or email, and returns assembled UI card payloads (account-details, organizations, projects) including impersonation action links. Adds that endpoint to the rate-limit whitelist. Extracts impersonation handling from the admin index, introducing a dedicated /admin/impersonate route and a new impersonation service that issues and validates short-lived JWT one‑time tokens with Redis-backed replay protection.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 36.36% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: Plain customer cards' directly and clearly summarizes the main change: adding a Plain customer cards feature.
Description check	✅ Passed	The PR description provides a clear 'Changes' section, detailed testing instructions with setup steps and curl examples, but does not follow the required template structure with all sections filled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch plain-customer-cards

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ericallam]

This looks great but needs one tweak before getting merged: instead of using the /admin route for the impersonation request, could you add a new route /admin/impersonate and move the impersonation code into there? That way the /admin route isn't overloaded with impersonation code.

[devin-ai-integration]

Devin Review found 2 new potential issues.

View 9 additional findings in Devin Review.