fix(sso): treat caller's own user-scoped provider as owned during conflict check

waleedlatif1 · claude · waleedlatif1 · commit 3f61c4a2f68d · 2026-05-30T16:35:54.000-07:00
Self-hosters often register SSO user-scoped via the CLI script (no
SSO_ORGANIZATION_ID). If they later enable organizations and reconfigure the
same domain org-scoped through the UI, the conflict check previously treated
their own user-scoped row as another tenant's and returned a misleading 409.
Recognize the caller's own user-scoped provider as owned so that migration is
allowed, while still blocking another user's or another org's domain.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/api/auth/sso/register/route.test.ts b/apps/sim/app/api/auth/sso/register/route.test.ts
@@ -169,6 +169,22 @@ describe('POST /api/auth/sso/register', () => {
     expect(mockRegisterSSOProvider).toHaveBeenCalledTimes(1)
   })
 
+  it('lets an org admin adopt their own user-scoped provider for the same domain', async () => {
+    dbState.members = [{ organizationId: 'org1', role: 'owner' }]
+    dbState.providers = [{ domain: 'acme.com', userId: 'u1', organizationId: null }]
+    const res = await POST(request({ ...OIDC_BODY, orgId: 'org1' }))
+    expect(res.status).toBe(200)
+    expect(mockRegisterSSOProvider).toHaveBeenCalledTimes(1)
+  })
+
+  it("still blocks an org admin from claiming another user's user-scoped domain", async () => {
+    dbState.members = [{ organizationId: 'org1', role: 'owner' }]
+    dbState.providers = [{ domain: 'acme.com', userId: 'someone-else', organizationId: null }]
+    const res = await POST(request({ ...OIDC_BODY, orgId: 'org1' }))
+    expect(res.status).toBe(409)
+    expect(mockRegisterSSOProvider).not.toHaveBeenCalled()
+  })
+
   it('normalizes the domain before persisting it', async () => {
     dbState.members = [{ organizationId: 'org1', role: 'owner' }]
     const res = await POST(request({ ...OIDC_BODY, domain: 'ACME.com', orgId: 'org1' }))
diff --git a/apps/sim/app/api/auth/sso/register/route.ts b/apps/sim/app/api/auth/sso/register/route.ts
@@ -77,8 +77,8 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       userId: string | null
       organizationId: string | null
     }): boolean => {
-      if (orgId) return provider.organizationId === orgId
-      return provider.userId === session.user.id && !provider.organizationId
+      if (provider.userId === session.user.id && !provider.organizationId) return true
+      return orgId ? provider.organizationId === orgId : false
     }
 
     const existingProviders = await db
