fix: resolve login 400 — auto-resolve organizationId from email when omitted

Backend now falls back to findUserByEmailOnly() when the frontend
doesn't send organizationId (deployed admin still uses old build).
Password verification still required — auth security unchanged.

Also adds organizationId field to login form for first-time users,
and removes last default-org-id references from tenant.tsx.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

apps/admin/src/lib/tenant.tsx

@@ -33,10 +33,8 @@ export function TenantProvider({ children }: { children: React.ReactNode }) {
     const slug = isSubdomain ? parts[0] : null;
 
     useEffect(() => {
-        const isValidId = selectedOrgId && selectedOrgId !== 'default-org-id';
-        if (isValidId && token) {
-            sessionStorage.setItem(TENANT_KEY, selectedOrgId!);
-            // Fetch org details for branding
+        if (selectedOrgId && token) {
+            sessionStorage.setItem(TENANT_KEY, selectedOrgId);
             api.get(`/v1/organizations/${selectedOrgId}`, token)
                 .then(setCurrentOrg)
                 .catch(err => {
@@ -44,9 +42,7 @@ export function TenantProvider({ children }: { children: React.ReactNode }) {
                     setCurrentOrg(null);
                 });
         } else {
-            if (!selectedOrgId || selectedOrgId === 'default-org-id') {
-                sessionStorage.removeItem(TENANT_KEY);
-            }
+            if (!selectedOrgId) sessionStorage.removeItem(TENANT_KEY);
             setCurrentOrg(null);
         }
     }, [selectedOrgId, token]);

apps/admin/src/pages/LoginPage.tsx

@@ -6,41 +6,53 @@ import { API_URL } from '../lib/api';
 
 export default function LoginPage() {
     const { login, token } = useAuth();
-    const { currentOrg, isSubdomain, slug } = useTenant();
+    const { selectedOrgId, setSelectedOrgId, currentOrg, isSubdomain, slug } = useTenant();
     const navigate = useNavigate();
-    
+
     const [email, setEmail] = useState('');
     const [password, setPassword] = useState('');
+    const [orgId, setOrgId] = useState(selectedOrgId || '');
     const [error, setError] = useState('');
     const [loading, setLoading] = useState(false);
 
-    useEffect(() => { 
-        if (token) navigate('/', { replace: true }); 
+    useEffect(() => {
+        if (token) navigate('/', { replace: true });
     }, [token, navigate]);
 
+    // Keep local orgId in sync if tenant context resolves it (e.g. after page load)
+    useEffect(() => {
+        if (selectedOrgId && !orgId) setOrgId(selectedOrgId);
+    }, [selectedOrgId]);
+
     const handleSubmit = async (e: React.FormEvent) => {
-        e.preventDefault(); 
-        setError(''); 
+        e.preventDefault();
+        const resolvedOrgId = orgId.trim();
+        if (!resolvedOrgId) {
+            setError("L'identifiant d'organisation est requis.");
+            return;
+        }
+        setError('');
         setLoading(true);
         try {
-            const res = await fetch(`${API_URL}/v1/auth/login`, { 
+            const res = await fetch(`${API_URL}/v1/auth/login`, {
                 method: 'POST',
                 headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ email, password })
+                body: JSON.stringify({ email, password, organizationId: resolvedOrgId })
             });
-            
+
             const data = await res.json();
-            
-            if (res.ok) { 
-                login(data.token, data.user); 
-                navigate('/', { replace: true }); 
+
+            if (res.ok) {
+                setSelectedOrgId(resolvedOrgId);
+                login(data.token, data.user);
+                navigate('/', { replace: true });
             } else {
                 setError(data.message || 'Identifiants invalides.');
             }
-        } catch { 
-            setError('Impossible de joindre le serveur.'); 
-        } finally { 
-            setLoading(false); 
+        } catch {
+            setError('Impossible de joindre le serveur.');
+        } finally {
+            setLoading(false);
         }
     };
 
@@ -65,6 +77,20 @@ export default function LoginPage() {
                 </div>
 
                 <form onSubmit={handleSubmit} className="space-y-5">
+                    {!selectedOrgId && (
+                        <div>
+                            <label className="block text-xs font-bold text-slate-400 uppercase tracking-wider mb-2">ID Organisation</label>
+                            <input
+                                type="text"
+                                required
+                                placeholder="ex: cldxxxxxxxxxxxx"
+                                value={orgId}
+                                onChange={e => setOrgId(e.target.value)}
+                                className="w-full bg-slate-50 border-none rounded-2xl px-5 py-4 text-sm outline-none focus:ring-2 focus:ring-indigo-500 transition font-mono"
+                            />
+                        </div>
+                    )}
+
                     <div>
                         <label className="block text-xs font-bold text-slate-400 uppercase tracking-wider mb-2">Email</label>
                         <input 

apps/api/src/routes/auth.ts

@@ -20,17 +20,21 @@ export async function authRoutes(fastify: FastifyInstance) {
             }
         }
     }, async (request, reply) => {
-        const { email, password, organizationId } = request.body as { email: string; password: string; organizationId: string };
-        logger.info(`[AUTH] Login attempt for ${email} (Org: ${organizationId || 'default'})`);
-
-        if (!organizationId) {
-            return reply.code(400).send({ error: 'organizationId required' });
+        const { email, password, organizationId: bodyOrgId } = request.body as { email: string; password: string; organizationId?: string };
+
+        // If organizationId is omitted (older frontend), resolve it from the user record.
+        // Security: password is still verified — this doesn't bypass auth.
+        let user;
+        if (bodyOrgId) {
+            logger.info(`[AUTH] Login attempt for ${email} (Org: ${bodyOrgId})`);
+            user = await AuthService.findUserByEmail(email, bodyOrgId);
+        } else {
+            logger.info(`[AUTH] Login attempt for ${email} (no org — resolving from email)`);
+            user = await AuthService.findUserByEmailOnly(email);
         }
-
-        const user = await AuthService.findUserByEmail(email, organizationId);
         
         if (!user || !user.passwordHash) {
-            logger.warn(`[AUTH] User not found: ${email} in Org: ${organizationId}`);
+            logger.warn(`[AUTH] User not found: ${email} in Org: ${bodyOrgId ?? 'unknown'}`);
             return reply.code(401).send({ error: 'Unauthorized', message: 'Invalid email or password' });
         }
 

apps/api/src/services/auth.ts

@@ -28,6 +28,13 @@ export class AuthService {
         });
     }
 
+    static async findUserByEmailOnly(email: string) {
+        return prisma.user.findFirst({
+            where: { email },
+            include: { organization: true }
+        });
+    }
+
     /**
      * Checks if a user is allowed to access an organization.
      */