Greptile Overview

Greptile Summary

Added SSO authentication as a fourth access control option for chat deployments, allowing users to authenticate via their organization's SSO provider.

Key Changes:

• Created new SSOAuth component that validates user email against allowed list before redirecting to SSO provider
• Implemented two-phase SSO validation: pre-check for email authorization, then session validation after SSO login
• Updated chat deployment UI to conditionally show SSO option based on NEXT_PUBLIC_SSO_ENABLED flag
• Extended auth validation logic across API routes and form validation to support SSO alongside existing public, password, and email auth types
• Added email pre-fill support in SSO form to maintain context when redirecting from chat deployments

Issue Found:

• Critical bug in apps/sim/app/api/chat/route.ts:173 where allowedEmails are not saved to database when authType === 'sso', which would cause all SSO authentications to fail

Confidence Score: 2/5

• Critical bug prevents SSO feature from working - allowed emails not saved to database
• The implementation is mostly well-structured with proper validation and UI integration, but contains a critical logic error in route.ts:173 where allowedEmails are only saved when authType === 'email', excluding SSO. This means SSO deployments will save with an empty allowed list, causing all SSO authentication attempts to fail during validation. The bug needs to be fixed before merging.
• apps/sim/app/api/chat/route.ts - Fix line 173 to include SSO in allowedEmails condition

Important Files Changed

File Analysis

Sequence Diagram

sequenceDiagram
    participant User
    participant ChatUI as Chat UI
    participant API as Chat API
    participant SSOAuth as SSO Auth Component
    participant SSOForm as SSO Form
    participant AuthProvider as SSO Provider
    participant Session as Auth Session

    User->>ChatUI: Access chat (GET /chat/:identifier)
    ChatUI->>API: GET /api/chat/:identifier
    API->>API: Check authType === 'sso'
    API-->>ChatUI: 401 auth_required_sso
    ChatUI->>SSOAuth: Render SSO Auth Component
    
    User->>SSOAuth: Enter email
    SSOAuth->>API: POST /api/chat/:identifier (checkSSOAccess: true)
    API->>API: Validate email against allowedEmails
    alt Email authorized
        API-->>SSOAuth: 200 OK
        SSOAuth->>SSOForm: Redirect to /sso?email=...&callbackUrl=/chat/:identifier
        SSOForm->>AuthProvider: Initiate SSO flow
        AuthProvider->>SSOForm: Return with session
        SSOForm->>ChatUI: Redirect to /chat/:identifier
        ChatUI->>API: POST /api/chat/:identifier (with input)
        API->>Session: Validate session (auth.api.getSession)
        Session-->>API: Return session with email
        API->>API: Check session.user.email in allowedEmails
        alt Session email authorized
            API-->>ChatUI: Chat response
        else Session email not authorized
            API-->>ChatUI: 401 Not authorized
        end
    else Email not authorized
        API-->>SSOAuth: 400 Not authorized
        SSOAuth->>User: Show error message
    end

_{11 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}