fix(auth): address review — guard trusted SSO providers, revert invite callback

waleedlatif1 · claude · waleedlatif1 · commit 45d5d64b7f09 · 2026-06-03T10:36:40.000-07:00
- Only compute additionalTrustedSsoProviders when SSO_ENABLED, so
  trustedProviders is exactly unchanged for non-SSO deployments.
- Revert the invite getCallbackUrl change: keep the token in the callback URL
  (with sessionStorage/searchParams fallback) so the token survives when
  sessionStorage is unavailable. The account-linking fix removes the
  "account not linked" error that caused the malformed callback URL, so the
  callback cleanup is unnecessary.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/invite/[id]/invite.tsx b/apps/sim/app/invite/[id]/invite.tsx
@@ -255,13 +255,11 @@ export default function Invite() {
     }
   }
 
-  /**
-   * Post-authentication return URL. Omits the token query string: Better Auth
-   * appends `?error=<message>` onto callbackURL unescaped, producing a malformed
-   * URL that fails its callbackURL validation. The token is persisted to
-   * sessionStorage on mount and rehydrated on return, so it need not ride in the URL.
-   */
-  const getCallbackUrl = () => `/invite/${inviteId}`
+  const getCallbackUrl = () => {
+    const effectiveToken =
+      token || sessionStorage.getItem(inviteTokenStorageKey) || searchParams.get('token')
+    return `/invite/${inviteId}${effectiveToken ? `?token=${effectiveToken}` : ''}`
+  }
 
   if (!session?.user && !isPending) {
     const callbackUrl = encodeURIComponent(getCallbackUrl())
diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts
@@ -167,16 +167,16 @@ const additionalTrustedOrigins = parseOriginList(env.TRUSTED_ORIGINS, (value) =>
 /**
  * SSO provider IDs to trust for automatic account linking when an SSO sign-in
  * matches an existing account's email. Includes `SSO_PROVIDER_ID` when it is set
- * in the app environment, plus any IDs from `SSO_TRUSTED_PROVIDER_IDS`. Resolved
- * once at startup; `trustEmailVerified` on the SSO plugin handles IdPs that assert
- * `email_verified` live, so this is only needed for IdPs that omit that claim.
+ * in the app environment, plus any IDs from `SSO_TRUSTED_PROVIDER_IDS`. Empty when
+ * SSO is disabled, so `trustedProviders` is unchanged for non-SSO deployments.
+ * Resolved once at startup; `trustEmailVerified` on the SSO plugin handles IdPs
+ * that assert `email_verified` live, so this is only needed for IdPs that omit it.
  */
-const additionalTrustedSsoProviders = [
-  env.SSO_PROVIDER_ID,
-  ...(env.SSO_TRUSTED_PROVIDER_IDS?.split(',') ?? []),
-]
-  .map((id) => id?.trim())
-  .filter((id): id is string => Boolean(id))
+const additionalTrustedSsoProviders = env.SSO_ENABLED
+  ? [env.SSO_PROVIDER_ID, ...(env.SSO_TRUSTED_PROVIDER_IDS?.split(',') ?? [])]
+      .map((id) => id?.trim())
+      .filter((id): id is string => Boolean(id))
+  : []
 
 if (env.NODE_ENV === 'production') {
   const baseUrl = getBaseUrl()
