Files
simstudioai--sim/apps/sim/lib/auth/constants.ts
T
wehub-resource-sync d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

55 lines
2.4 KiB
TypeScript

/** Anonymous user ID used when DISABLE_AUTH is enabled */
export const ANONYMOUS_USER_ID = '00000000-0000-0000-0000-000000000000'
export const ANONYMOUS_USER = {
id: ANONYMOUS_USER_ID,
name: 'Anonymous',
email: 'anonymous@localhost',
emailVerified: true,
image: null,
} as const
/**
* Provider IDs permitted to authenticate (create or link a session) through the
* unauthenticated sign-in endpoints `/sign-in/social` and `/sign-in/oauth2`.
*
* Only first-party login providers that verify email ownership belong here.
* Integration connectors (Salesforce, Jira, the Microsoft/Google work
* connectors, etc.) are deliberately excluded: they are connected exclusively
* through the authenticated `/oauth2/link` flow, which binds the new account to
* the current session user and never mints a session. Allowing a connector to
* reach the sign-in endpoints enables nOAuth-style account takeover, where a
* multi-tenant IdP asserting an attacker-controlled, unverified email mints a
* session for the matching existing user. SSO uses a separate `/sign-in/sso`
* endpoint and is unaffected by this list.
*/
export const SIGN_IN_PROVIDER_IDS = ['google', 'github', 'microsoft'] as const
const signInProviderIdSet: ReadonlySet<string> = new Set(SIGN_IN_PROVIDER_IDS)
/**
* Returns true when `providerId` is a first-party login provider allowed to sign
* in. Used to reject integration connectors at the sign-in endpoints so they can
* only ever be connected through the authenticated link flow.
*/
export function isSignInProviderAllowed(providerId: unknown): boolean {
return typeof providerId === 'string' && signInProviderIdSet.has(providerId)
}
/**
* Resolves the provider identifier the sign-in handler will actually act on for a
* given auth path. Better Auth reads `provider` on `/sign-in/social` and
* `providerId` on `/sign-in/oauth2`, so the allowlist guard must read the same
* field the handler uses. Reading the wrong field would let a request pass the
* guard with an allowed value in one field while the handler starts OAuth for a
* blocked value in the other, reopening connector sign-in.
*/
export function getRequestedSignInProviderId(
path: string,
body: { provider?: unknown; providerId?: unknown } | null | undefined
): unknown {
if (path === '/sign-in/social') return body?.provider
if (path === '/sign-in/oauth2') return body?.providerId
return undefined
}