test(auth): cover Microsoft id-token emailVerified derivation

Extract the Microsoft ID-token email-verification logic into a pure
deriveMicrosoftEmailVerified helper and add unit coverage for explicit,
verified-claim, partial, absent, and malformed Azure AD claim
combinations.

Author: waleedlatif1

apps/sim/lib/auth/auth.ts

@@ -92,7 +92,11 @@ import { isSignInProviderAllowed } from './constants'
 
 const logger = createLogger('Auth')
 
-import { getMicrosoftRefreshTokenExpiry, isMicrosoftProvider } from '@/lib/oauth/microsoft'
+import {
+  deriveMicrosoftEmailVerified,
+  getMicrosoftRefreshTokenExpiry,
+  isMicrosoftProvider,
+} from '@/lib/oauth/microsoft'
 import { getCanonicalScopesForProvider } from '@/lib/oauth/utils'
 
 /**
@@ -129,18 +133,7 @@ function getMicrosoftUserInfoFromIdToken(tokens: { accessToken?: string }, provi
     )
   }
 
-  /**
-   * Azure AD's `email`/`upn` claims are unverified and mutable on multi-tenant
-   * (`/common/`) endpoints, so trust the email only when the token explicitly
-   * proves ownership via `email_verified` or the verified-email claims, mirroring
-   * Better Auth's built-in Microsoft provider. Never hardcode verification.
-   */
-  const verifiedPrimaryEmail = payload.verified_primary_email as string[] | undefined
-  const verifiedSecondaryEmail = payload.verified_secondary_email as string[] | undefined
-  const emailVerified =
-    payload.email_verified !== undefined
-      ? Boolean(payload.email_verified)
-      : Boolean(verifiedPrimaryEmail?.includes(email) || verifiedSecondaryEmail?.includes(email))
+  const emailVerified = deriveMicrosoftEmailVerified(payload, email)
 
   const now = new Date()
   return {

apps/sim/lib/oauth/microsoft.test.ts

@@ -0,0 +1,74 @@
+/**
+ * @vitest-environment node
+ */
+import { describe, expect, it } from 'vitest'
+import { deriveMicrosoftEmailVerified, isMicrosoftProvider } from '@/lib/oauth/microsoft'
+
+const EMAIL = 'user@contoso.com'
+
+describe('deriveMicrosoftEmailVerified', () => {
+  it('honors an explicit email_verified=true claim', () => {
+    expect(deriveMicrosoftEmailVerified({ email_verified: true }, EMAIL)).toBe(true)
+  })
+
+  it('honors an explicit email_verified=false claim over verified-email claims', () => {
+    expect(
+      deriveMicrosoftEmailVerified(
+        { email_verified: false, verified_primary_email: [EMAIL] },
+        EMAIL
+      )
+    ).toBe(false)
+  })
+
+  it('treats a verified primary email matching the email as verified', () => {
+    expect(deriveMicrosoftEmailVerified({ verified_primary_email: [EMAIL] }, EMAIL)).toBe(true)
+  })
+
+  it('treats a verified secondary email matching the email as verified', () => {
+    expect(
+      deriveMicrosoftEmailVerified({ verified_secondary_email: ['x@y.com', EMAIL] }, EMAIL)
+    ).toBe(true)
+  })
+
+  it('does not verify when the verified-email claims do not include the email', () => {
+    expect(
+      deriveMicrosoftEmailVerified(
+        {
+          verified_primary_email: ['other@contoso.com'],
+          verified_secondary_email: ['another@contoso.com'],
+        },
+        EMAIL
+      )
+    ).toBe(false)
+  })
+
+  it('defaults to false when no verification claim is present (typical Azure AD token)', () => {
+    expect(deriveMicrosoftEmailVerified({ name: 'User', oid: 'abc' }, EMAIL)).toBe(false)
+  })
+
+  it('defaults to false for an empty claim set', () => {
+    expect(deriveMicrosoftEmailVerified({}, EMAIL)).toBe(false)
+  })
+
+  it('coerces a truthy non-boolean email_verified claim', () => {
+    expect(deriveMicrosoftEmailVerified({ email_verified: 'true' }, EMAIL)).toBe(true)
+  })
+
+  it('treats a malformed verified-email claim as unverified', () => {
+    expect(deriveMicrosoftEmailVerified({ verified_primary_email: 'not-an-array' }, EMAIL)).toBe(
+      false
+    )
+  })
+})
+
+describe('isMicrosoftProvider', () => {
+  it('recognizes Microsoft connector provider IDs', () => {
+    expect(isMicrosoftProvider('microsoft-ad')).toBe(true)
+    expect(isMicrosoftProvider('outlook')).toBe(true)
+  })
+
+  it('rejects non-Microsoft provider IDs', () => {
+    expect(isMicrosoftProvider('google')).toBe(false)
+    expect(isMicrosoftProvider('microsoft')).toBe(false)
+  })
+})

apps/sim/lib/oauth/microsoft.ts

@@ -19,3 +19,24 @@ export function isMicrosoftProvider(providerId: string): boolean {
 export function getMicrosoftRefreshTokenExpiry(): Date {
   return new Date(Date.now() + MICROSOFT_REFRESH_TOKEN_LIFETIME_DAYS * 24 * 60 * 60 * 1000)
 }
+
+/**
+ * Derives whether a Microsoft ID token proves ownership of `email`. Azure AD's
+ * `email`/`upn` claims are unverified and mutable on multi-tenant (`/common/`)
+ * endpoints, so the email is trusted only when the token explicitly proves it via
+ * the `email_verified` claim or the verified-email claims, mirroring Better
+ * Auth's built-in Microsoft provider. Defaults to `false` when no claim asserts
+ * verification, so an attacker-controlled tenant can never assert a verified
+ * email it does not own.
+ */
+export function deriveMicrosoftEmailVerified(
+  claims: Record<string, unknown>,
+  email: string
+): boolean {
+  if (claims.email_verified !== undefined) {
+    return Boolean(claims.email_verified)
+  }
+  const verifiedPrimaryEmail = claims.verified_primary_email as string[] | undefined
+  const verifiedSecondaryEmail = claims.verified_secondary_email as string[] | undefined
+  return Boolean(verifiedPrimaryEmail?.includes(email) || verifiedSecondaryEmail?.includes(email))
+}