feat(sso-chat-deployment): added sso auth option for chat deployment #1729
Greptile Overview
Greptile Summary
Added SSO authentication as a fourth access control option for chat deployments, allowing users to authenticate via their organization's SSO provider.
Key Changes:
- Created new SSOAuth component that validates user email against allowed list before redirecting to SSO provider
- Implemented two-phase SSO validation: pre-check for email authorization, then session validation after SSO login
- Updated chat deployment UI to conditionally show SSO option based on NEXT_PUBLIC_SSO_ENABLED flag
- Extended auth validation logic across API routes and form validation to support SSO alongside existing public, password, and email auth types
- Added email pre-fill support in SSO form to maintain context when redirecting from chat deployments
Issue Found:
- Critical bug in apps/sim/app/api/chat/route.ts:173 where allowedEmails are not saved to database when authType === 'sso', which would cause all SSO authentications to fail
Confidence Score: 2/5
- Critical bug prevents SSO feature from working - allowed emails not saved to database
- The implementation is mostly well-structured with proper validation and UI integration, but contains a critical logic error in route.ts:173 where allowedEmails are only saved when authType === 'email', excluding SSO. This means SSO deployments will save with an empty allowed list, causing all SSO authentication attempts to fail during validation. The bug needs to be fixed before merging.
- apps/sim/app/api/chat/route.ts - Fix line 173 to include SSO in allowedEmails condition
Important Files Changed
File Analysis
| Filename | Score | Overview | 
|---|---|---|
| apps/sim/app/chat/components/auth/sso/sso-auth.tsx | 4/5 | New SSO authentication component that validates user email against allowed list before redirecting to SSO provider | 
| apps/sim/app/api/chat/utils.ts | 3/5 | Added SSO validation logic with session checking and email domain matching; includes pre-check and session validation flows | 
| apps/sim/app/api/chat/route.ts | 5/5 | Updated schema to accept 'sso' auth type with validation requiring allowed emails for SSO deployments | 
Sequence Diagram
```mermaid
sequenceDiagram
    participant User
    participant ChatUI as Chat UI
    participant API as Chat API
    participant SSOAuth as SSO Auth Component
    participant SSOForm as SSO Form
    participant AuthProvider as SSO Provider
    participant Session as Auth Session
    User->>ChatUI: Access chat (GET /chat/:identifier)
    ChatUI->>API: GET /api/chat/:identifier
    API->>API: Check authType === 'sso'
    API-->>ChatUI: 401 auth_required_sso
    ChatUI->>SSOAuth: Render SSO Auth Component

    User->>SSOAuth: Enter email
    SSOAuth->>API: POST /api/chat/:identifier (checkSSOAccess: true)
    API->>API: Validate email against allowedEmails
    alt Email authorized
        API-->>SSOAuth: 200 OK
        SSOAuth->>SSOForm: Redirect to /sso?email=...&callbackUrl=/chat/:identifier
        SSOForm->>AuthProvider: Initiate SSO flow
        AuthProvider->>SSOForm: Return with session
        SSOForm->>ChatUI: Redirect to /chat/:identifier
        ChatUI->>API: POST /api/chat/:identifier (with input)
        API->>Session: Validate session (auth.api.getSession)
        Session-->>API: Return session with email
        API->>API: Check session.user.email in allowedEmails
        alt Session email authorized
            API-->>ChatUI: Chat response
        else Session email not authorized
            API-->>ChatUI: 401 Not authorized
        end
    else Email not authorized
        API-->>SSOAuth: 400 Not authorized
        SSOAuth->>User: Show error message
    end
```
Additional Comments (1)
- apps/sim/app/api/chat/route.ts, line 173, logic: allowedEmails not saved when authType === 'sso'
11 files reviewed, 1 comment
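The persistence condition the review flags, its corrected form, and the allow-list check shared by the pre-check and session-validation phases, as an added example that is not code from the PR or the project; the record shape, the function names and the "@domain" convention for domain entries are assumptions.

```typescript
// Added illustration of the review finding; not code from the repository.
// Assumptions: the deployment input shape, the function names, and the
// bare "@domain" convention for domain-wide entries are all hypothetical.
type AuthType = 'public' | 'password' | 'email' | 'sso';

interface ChatDeploymentInput {
  authType: AuthType;
  allowedEmails?: string[];
}

// Condition as described for route.ts:173: the list is persisted only for
// the 'email' auth type, so an SSO deployment is stored with an empty list.
function allowedEmailsToStoreBuggy(input: ChatDeploymentInput): string[] {
  return input.authType === 'email' ? (input.allowedEmails ?? []) : [];
}

// Corrected condition: every auth type that gates on the allow-list keeps it.
function allowedEmailsToStore(input: ChatDeploymentInput): string[] {
  return input.authType === 'email' || input.authType === 'sso'
    ? (input.allowedEmails ?? [])
    : [];
}

// Allow-list check used in both phases (the typed email before redirect, and
// session.user.email after SSO login). An entry is a full address or, by the
// assumed convention, a bare "@domain" matching every address at that domain.
function isEmailAllowed(email: string, allowedEmails: string[]): boolean {
  const normalized = email.trim().toLowerCase();
  const at = normalized.lastIndexOf('@');
  if (at <= 0 || at === normalized.length - 1) return false; // not a usable address
  const domain = normalized.slice(at);
  return allowedEmails.some((entry) => {
    const e = entry.trim().toLowerCase();
    return e.startsWith('@') ? e === domain : e === normalized;
  });
}

// Schema-level guard the review describes: an SSO (or email) deployment must
// carry at least one allow-list entry, otherwise every login is rejected.
function validateDeployment(input: ChatDeploymentInput): string | null {
  if ((input.authType === 'sso' || input.authType === 'email')
      && allowedEmailsToStore(input).length === 0) {
    return `allowedEmails is required when authType is '${input.authType}'`;
  }
  return null;
}
```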
…1729) * feat(sso-chat-deployment): added sso auth option for chat deployment * ack PR comments
Summary
added sso auth option for chat deployment
Type of Change
Testing
Tested manually
Checklist