fix(auth): guard trusted SSO providers with isSsoEnabled (isTruthy)

waleedlatif1 · claude · waleedlatif1 · commit 481c66d3c46b · 2026-06-03T10:58:37.000-07:00
env.SSO_ENABLED can be the string "false" (t3-env returns strings for
booleans), which is truthy in JS. Use the canonical isSsoEnabled flag
(isTruthy(env.SSO_ENABLED)) so SSO_ENABLED="false"/"0" correctly yields an
empty trusted-provider list, matching how SSO is gated elsewhere.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts
@@ -71,6 +71,7 @@ import {
   isRegistrationDisabled,
   isSignupEmailValidationEnabled,
   isSignupMxValidationEnabled,
+  isSsoEnabled,
 } from '@/lib/core/config/feature-flags'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { getBaseUrl, isLocalhostUrl, parseOriginList } from '@/lib/core/utils/urls'
@@ -172,7 +173,7 @@ const additionalTrustedOrigins = parseOriginList(env.TRUSTED_ORIGINS, (value) =>
  * Resolved once at startup; `trustEmailVerified` on the SSO plugin handles IdPs
  * that assert `email_verified` live, so this is only needed for IdPs that omit it.
  */
-const additionalTrustedSsoProviders = env.SSO_ENABLED
+const additionalTrustedSsoProviders = isSsoEnabled
   ? [env.SSO_PROVIDER_ID, ...(env.SSO_TRUSTED_PROVIDER_IDS?.split(',') ?? [])]
       .map((id) => id?.trim())
       .filter((id): id is string => Boolean(id))
