fix(auth): check the provider field the sign-in handler actually uses

waleedlatif1 · waleedlatif1 · commit dc5cf93ac865 · 2026-06-20T14:47:11.000-07:00
The allowlist guard resolved the provider with `provider ?? providerId`,
but Better Auth reads `provider` on /sign-in/social and `providerId` on
/sign-in/oauth2. A request to /sign-in/oauth2 with an allowed `provider`
and a blocked `providerId` could pass the guard while the handler started
OAuth for the blocked connector. Resolve the field per path via
getRequestedSignInProviderId so the guard checks the same field the
handler acts on.
diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts
@@ -88,7 +88,7 @@ import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
 import { disableUserResources } from '@/lib/workflows/lifecycle'
 import { SSO_TRUSTED_PROVIDERS } from '@/ee/sso/constants'
 import { createAnonymousSession, ensureAnonymousUserExists } from './anonymous'
-import { isSignInProviderAllowed } from './constants'
+import { getRequestedSignInProviderId, isSignInProviderAllowed } from './constants'
 
 const logger = createLogger('Auth')
 
@@ -861,7 +861,7 @@ export const auth = betterAuth({
        * through the authenticated `/oauth2/link` flow, which is unaffected.
        */
       if (ctx.path === '/sign-in/social' || ctx.path === '/sign-in/oauth2') {
-        const requestedProviderId = ctx.body?.provider ?? ctx.body?.providerId
+        const requestedProviderId = getRequestedSignInProviderId(ctx.path, ctx.body)
         if (!isSignInProviderAllowed(requestedProviderId)) {
           throw new APIError('FORBIDDEN', {
             message:
diff --git a/apps/sim/lib/auth/constants.test.ts b/apps/sim/lib/auth/constants.test.ts
@@ -2,7 +2,11 @@
  * @vitest-environment node
  */
 import { describe, expect, it } from 'vitest'
-import { isSignInProviderAllowed, SIGN_IN_PROVIDER_IDS } from '@/lib/auth/constants'
+import {
+  getRequestedSignInProviderId,
+  isSignInProviderAllowed,
+  SIGN_IN_PROVIDER_IDS,
+} from '@/lib/auth/constants'
 
 describe('sign-in provider allowlist', () => {
   it('permits only the first-party login providers', () => {
@@ -46,3 +50,37 @@ describe('sign-in provider allowlist', () => {
     expect(isSignInProviderAllowed({ provider: 'google' })).toBe(false)
   })
 })
+
+describe('getRequestedSignInProviderId', () => {
+  it('reads the `provider` field on /sign-in/social', () => {
+    expect(getRequestedSignInProviderId('/sign-in/social', { provider: 'microsoft' })).toBe(
+      'microsoft'
+    )
+  })
+
+  it('reads the `providerId` field on /sign-in/oauth2', () => {
+    expect(getRequestedSignInProviderId('/sign-in/oauth2', { providerId: 'salesforce' })).toBe(
+      'salesforce'
+    )
+  })
+
+  it('checks the field the /sign-in/oauth2 handler uses, ignoring a decoy `provider`', () => {
+    const body = { provider: 'google', providerId: 'salesforce' }
+    const resolved = getRequestedSignInProviderId('/sign-in/oauth2', body)
+    expect(resolved).toBe('salesforce')
+    expect(isSignInProviderAllowed(resolved)).toBe(false)
+  })
+
+  it('checks the field the /sign-in/social handler uses, ignoring a decoy `providerId`', () => {
+    const body = { provider: 'salesforce', providerId: 'google' }
+    const resolved = getRequestedSignInProviderId('/sign-in/social', body)
+    expect(resolved).toBe('salesforce')
+    expect(isSignInProviderAllowed(resolved)).toBe(false)
+  })
+
+  it('returns undefined for unrelated paths and missing bodies', () => {
+    expect(getRequestedSignInProviderId('/sign-in/email', { provider: 'google' })).toBeUndefined()
+    expect(getRequestedSignInProviderId('/sign-in/social', undefined)).toBeUndefined()
+    expect(getRequestedSignInProviderId('/sign-in/oauth2', null)).toBeUndefined()
+  })
+})
diff --git a/apps/sim/lib/auth/constants.ts b/apps/sim/lib/auth/constants.ts
@@ -35,3 +35,20 @@ const signInProviderIdSet: ReadonlySet<string> = new Set(SIGN_IN_PROVIDER_IDS)
 export function isSignInProviderAllowed(providerId: unknown): boolean {
   return typeof providerId === 'string' && signInProviderIdSet.has(providerId)
 }
+
+/**
+ * Resolves the provider identifier the sign-in handler will actually act on for a
+ * given auth path. Better Auth reads `provider` on `/sign-in/social` and
+ * `providerId` on `/sign-in/oauth2`, so the allowlist guard must read the same
+ * field the handler uses. Reading the wrong field would let a request pass the
+ * guard with an allowed value in one field while the handler starts OAuth for a
+ * blocked value in the other, reopening connector sign-in.
+ */
+export function getRequestedSignInProviderId(
+  path: string,
+  body: { provider?: unknown; providerId?: unknown } | null | undefined
+): unknown {
+  if (path === '/sign-in/social') return body?.provider
+  if (path === '/sign-in/oauth2') return body?.providerId
+  return undefined
+}
