simstudioai · waleedlatif1 · Dec 14, 2025 · Dec 14, 2025 · Dec 14, 2025 · Dec 14, 2025
diff --git a/apps/sim/.env.example b/apps/sim/.env.example
@@ -4,10 +4,13 @@ DATABASE_URL="postgresql://postgres:password@localhost:5432/postgres"
 # PostgreSQL Port (Optional) - defaults to 5432 if not specified
 # POSTGRES_PORT=5432
 
-# Authentication (Required)
+# Authentication (Required unless DISABLE_AUTH=true)
 BETTER_AUTH_SECRET=your_secret_key  # Use `openssl rand -hex 32` to generate, or visit https://www.better-auth.com/docs/installation
 BETTER_AUTH_URL=http://localhost:3000
 
+# Authentication Bypass (Optional - for self-hosted deployments behind private networks)
+# DISABLE_AUTH=true  # Uncomment to bypass authentication entirely. Creates an anonymous session for all requests.
+
 # NextJS (Required)
 NEXT_PUBLIC_APP_URL=http://localhost:3000
 

diff --git a/apps/sim/app/(auth)/components/oauth-provider-checker.tsx b/apps/sim/app/(auth)/components/oauth-provider-checker.tsx
@@ -1,7 +1,7 @@
 'use server'
 
 import { env } from '@/lib/core/config/env'
-import { isProd } from '@/lib/core/config/environment'
+import { isProd } from '@/lib/core/config/feature-flags'
 
 export async function getOAuthProviderStatus() {
   const githubAvailable = !!(env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET)

diff --git a/apps/sim/app/(auth)/login/page.tsx b/apps/sim/app/(auth)/login/page.tsx
@@ -1,7 +1,6 @@
 import { getOAuthProviderStatus } from '@/app/(auth)/components/oauth-provider-checker'
 import LoginForm from '@/app/(auth)/login/login-form'
 
-// Force dynamic rendering to avoid prerender errors with search params
 export const dynamic = 'force-dynamic'
 
 export default async function LoginPage() {

diff --git a/apps/sim/app/(auth)/signup/page.tsx b/apps/sim/app/(auth)/signup/page.tsx
@@ -1,16 +1,16 @@
-import { env, isTruthy } from '@/lib/core/config/env'
+import { isRegistrationDisabled } from '@/lib/core/config/feature-flags'
 import { getOAuthProviderStatus } from '@/app/(auth)/components/oauth-provider-checker'
 import SignupForm from '@/app/(auth)/signup/signup-form'
 
 export const dynamic = 'force-dynamic'
 
 export default async function SignupPage() {
-  const { githubAvailable, googleAvailable, isProduction } = await getOAuthProviderStatus()
-
-  if (isTruthy(env.DISABLE_REGISTRATION)) {
+  if (isRegistrationDisabled) {
     return <div>Registration is disabled, please contact your admin.</div>
   }
 
+  const { githubAvailable, googleAvailable, isProduction } = await getOAuthProviderStatus()
+
   return (
     <SignupForm
       githubAvailable={githubAvailable}

diff --git a/apps/sim/app/(auth)/verify/page.tsx b/apps/sim/app/(auth)/verify/page.tsx
@@ -1,4 +1,4 @@
-import { isEmailVerificationEnabled, isProd } from '@/lib/core/config/environment'
+import { isEmailVerificationEnabled, isProd } from '@/lib/core/config/feature-flags'
 import { hasEmailService } from '@/lib/messaging/email/mailer'
 import { VerifyContent } from '@/app/(auth)/verify/verify-content'
 

diff --git a/apps/sim/app/(landing)/careers/page.tsx b/apps/sim/app/(landing)/careers/page.tsx
@@ -13,7 +13,7 @@ import {
   SelectValue,
 } from '@/components/ui/select'
 import { Textarea } from '@/components/ui/textarea'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { cn } from '@/lib/core/utils/cn'
 import { createLogger } from '@/lib/logs/console/logger'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'

diff --git a/apps/sim/app/(landing)/components/legal-layout.tsx b/apps/sim/app/(landing)/components/legal-layout.tsx
@@ -1,6 +1,6 @@
 'use client'
 
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
 import Footer from '@/app/(landing)/components/footer/footer'
 import Nav from '@/app/(landing)/components/nav/nav'

diff --git a/apps/sim/app/(landing)/components/nav/nav.tsx b/apps/sim/app/(landing)/components/nav/nav.tsx
@@ -7,7 +7,7 @@ import Link from 'next/link'
 import { useRouter } from 'next/navigation'
 import { GithubIcon } from '@/components/icons'
 import { useBrandConfig } from '@/lib/branding/branding'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
 import { getFormattedGitHubStars } from '@/app/(landing)/actions/github'

diff --git a/apps/sim/app/api/auth/[...all]/route.ts b/apps/sim/app/api/auth/[...all]/route.ts
@@ -1,6 +1,23 @@
 import { toNextJsHandler } from 'better-auth/next-js'
+import { type NextRequest, NextResponse } from 'next/server'
 import { auth } from '@/lib/auth'
+import { createAnonymousSession, ensureAnonymousUserExists } from '@/lib/auth/anonymous'
+import { isAuthDisabled } from '@/lib/core/config/feature-flags'
 
 export const dynamic = 'force-dynamic'
 
-export const { GET, POST } = toNextJsHandler(auth.handler)
+const { GET: betterAuthGET, POST: betterAuthPOST } = toNextJsHandler(auth.handler)
+
+export async function GET(request: NextRequest) {
+  const url = new URL(request.url)
+  const path = url.pathname.replace('/api/auth/', '')
+
+  if (path === 'get-session' && isAuthDisabled) {
+    await ensureAnonymousUserExists()
+    return NextResponse.json(createAnonymousSession())
+  }
+
+  return betterAuthGET(request)
+}
+
+export const POST = betterAuthPOST
diff --git a/apps/sim/app/api/auth/socket-token/route.ts b/apps/sim/app/api/auth/socket-token/route.ts
@@ -1,9 +1,14 @@
 import { headers } from 'next/headers'
 import { NextResponse } from 'next/server'
 import { auth } from '@/lib/auth'
+import { isAuthDisabled } from '@/lib/core/config/feature-flags'
 
 export async function POST() {
   try {
+    if (isAuthDisabled) {
+      return NextResponse.json({ token: 'anonymous-socket-token' })
+    }
+
     const hdrs = await headers()
     const response = await auth.api.generateOneTimeToken({
       headers: hdrs,

diff --git a/apps/sim/app/api/auth/sso/providers/route.ts b/apps/sim/app/api/auth/sso/providers/route.ts
@@ -1,14 +1,14 @@
 import { db, ssoProvider } from '@sim/db'
 import { eq } from 'drizzle-orm'
-import { type NextRequest, NextResponse } from 'next/server'
-import { auth } from '@/lib/auth'
+import { NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
 import { createLogger } from '@/lib/logs/console/logger'
 
 const logger = createLogger('SSO-Providers')
 
-export async function GET(req: NextRequest) {
+export async function GET() {
   try {
-    const session = await auth.api.getSession({ headers: req.headers })
+    const session = await getSession()
 
     let providers
     if (session?.user?.id) {
@@ -38,8 +38,6 @@ export async function GET(req: NextRequest) {
                 : ('oidc' as 'oidc' | 'saml'),
       }))
     } else {
-      // Unauthenticated users can only see basic info (domain only)
-      // This is needed for SSO login flow to check if a domain has SSO enabled
       const results = await db
         .select({
           domain: ssoProvider.domain,

diff --git a/apps/sim/app/api/billing/update-cost/route.ts b/apps/sim/app/api/billing/update-cost/route.ts
@@ -5,7 +5,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkAndBillOverageThreshold } from '@/lib/billing/threshold-billing'
 import { checkInternalApiKey } from '@/lib/copilot/utils'
-import { isBillingEnabled } from '@/lib/core/config/environment'
+import { isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createLogger } from '@/lib/logs/console/logger'
 

diff --git a/apps/sim/app/api/chat/manage/[id]/route.test.ts b/apps/sim/app/api/chat/manage/[id]/route.test.ts
@@ -6,6 +6,12 @@ import { NextRequest } from 'next/server'
  */
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
+vi.mock('@/lib/core/config/feature-flags', () => ({
+  isDev: true,
+  isHosted: false,
+  isProd: false,
+}))
+
 describe('Chat Edit API Route', () => {
   const mockSelect = vi.fn()
   const mockFrom = vi.fn()
@@ -24,7 +30,6 @@ describe('Chat Edit API Route', () => {
   beforeEach(() => {
     vi.resetModules()
 
-    // Set default return values
     mockLimit.mockResolvedValue([])
     mockSelect.mockReturnValue({ from: mockFrom })
     mockFrom.mockReturnValue({ where: mockWhere })
@@ -77,10 +82,6 @@ describe('Chat Edit API Route', () => {
       getEmailDomain: vi.fn().mockReturnValue('localhost:3000'),
     }))
 
-    vi.doMock('@/lib/core/config/environment', () => ({
-      isDev: true,
-    }))
-
     vi.doMock('@/app/api/chat/utils', () => ({
       checkChatAccess: mockCheckChatAccess,
     }))
@@ -254,7 +255,6 @@ describe('Chat Edit API Route', () => {
 
       mockCheckChatAccess.mockResolvedValue({ hasAccess: true, chat: mockChat })
 
-      // Reset and reconfigure mockLimit to return the conflict
       mockLimit.mockReset()
       mockLimit.mockResolvedValue([{ id: 'other-chat-id', identifier: 'new-identifier' }])
       mockWhere.mockReturnValue({ limit: mockLimit })
@@ -291,7 +291,7 @@ describe('Chat Edit API Route', () => {
 
       const req = new NextRequest('http://localhost:3000/api/chat/manage/chat-123', {
         method: 'PATCH',
-        body: JSON.stringify({ authType: 'password' }), // No password provided
+        body: JSON.stringify({ authType: 'password' }),
       })
       const { PATCH } = await import('@/app/api/chat/manage/[id]/route')
       const response = await PATCH(req, { params: Promise.resolve({ id: 'chat-123' }) })
@@ -316,9 +316,8 @@ describe('Chat Edit API Route', () => {
         workflowId: 'workflow-123',
       }
 
-      // User doesn't own chat but has workspace admin access
       mockCheckChatAccess.mockResolvedValue({ hasAccess: true, chat: mockChat })
-      mockLimit.mockResolvedValueOnce([]) // No identifier conflict
+      mockLimit.mockResolvedValueOnce([])
 
       const req = new NextRequest('http://localhost:3000/api/chat/manage/chat-123', {
         method: 'PATCH',
@@ -399,7 +398,6 @@ describe('Chat Edit API Route', () => {
         }),
       }))
 
-      // User doesn't own chat but has workspace admin access
       mockCheckChatAccess.mockResolvedValue({ hasAccess: true })
       mockWhere.mockResolvedValue(undefined)
 

diff --git a/apps/sim/app/api/chat/manage/[id]/route.ts b/apps/sim/app/api/chat/manage/[id]/route.ts
@@ -4,7 +4,7 @@ import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
-import { isDev } from '@/lib/core/config/environment'
+import { isDev } from '@/lib/core/config/feature-flags'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { getEmailDomain } from '@/lib/core/utils/urls'
 import { createLogger } from '@/lib/logs/console/logger'

diff --git a/apps/sim/app/api/chat/route.ts b/apps/sim/app/api/chat/route.ts
@@ -5,7 +5,7 @@ import type { NextRequest } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
-import { isDev } from '@/lib/core/config/environment'
+import { isDev } from '@/lib/core/config/feature-flags'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { createLogger } from '@/lib/logs/console/logger'

diff --git a/apps/sim/app/api/chat/utils.test.ts b/apps/sim/app/api/chat/utils.test.ts
@@ -44,6 +44,12 @@ vi.mock('@/lib/core/utils/request', () => ({
   generateRequestId: vi.fn(),
 }))
 
+vi.mock('@/lib/core/config/feature-flags', () => ({
+  isDev: true,
+  isHosted: false,
+  isProd: false,
+}))
+
 describe('Chat API Utils', () => {
   beforeEach(() => {
     vi.doMock('@/lib/logs/console/logger', () => ({
@@ -62,11 +68,6 @@ describe('Chat API Utils', () => {
         NODE_ENV: 'development',
       },
     })
-
-    vi.doMock('@/lib/core/config/environment', () => ({
-      isDev: true,
-      isHosted: false,
-    }))
   })
 
   afterEach(() => {

diff --git a/apps/sim/app/api/chat/utils.ts b/apps/sim/app/api/chat/utils.ts
@@ -3,7 +3,7 @@ import { db } from '@sim/db'
 import { chat, workflow } from '@sim/db/schema'
 import { eq } from 'drizzle-orm'
 import type { NextRequest, NextResponse } from 'next/server'
-import { isDev } from '@/lib/core/config/environment'
+import { isDev } from '@/lib/core/config/feature-flags'
 import { decryptSecret } from '@/lib/core/security/encryption'
 import { createLogger } from '@/lib/logs/console/logger'
 import { hasAdminPermission } from '@/lib/workspaces/permissions/utils'
@@ -282,8 +282,8 @@ export async function validateChatAuth(
         return { authorized: false, error: 'Email not authorized for SSO access' }
       }
 
-      const { auth } = await import('@/lib/auth')
-      const session = await auth.api.getSession({ headers: request.headers })
+      const { getSession } = await import('@/lib/auth')
+      const session = await getSession()
 
       if (!session || !session.user) {
         return { authorized: false, error: 'auth_required_sso' }

diff --git a/apps/sim/app/api/copilot/auto-allowed-tools/route.ts b/apps/sim/app/api/copilot/auto-allowed-tools/route.ts
@@ -2,17 +2,17 @@ import { db } from '@sim/db'
 import { settings } from '@sim/db/schema'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { auth } from '@/lib/auth'
+import { getSession } from '@/lib/auth'
 import { createLogger } from '@/lib/logs/console/logger'
 
 const logger = createLogger('CopilotAutoAllowedToolsAPI')
 
 /**
  * GET - Fetch user's auto-allowed integration tools
  */
-export async function GET(request: NextRequest) {
+export async function GET() {
   try {
-    const session = await auth.api.getSession({ headers: request.headers })
+    const session = await getSession()
 
     if (!session?.user?.id) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -31,7 +31,6 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ autoAllowedTools })
     }
 
-    // If no settings record exists, create one with empty array
     await db.insert(settings).values({
       id: userId,
       userId,
@@ -50,7 +49,7 @@ export async function GET(request: NextRequest) {
  */
 export async function POST(request: NextRequest) {
   try {
-    const session = await auth.api.getSession({ headers: request.headers })
+    const session = await getSession()
 
     if (!session?.user?.id) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -65,13 +64,11 @@ export async function POST(request: NextRequest) {
 
     const toolId = body.toolId
 
-    // Get existing settings
     const [existing] = await db.select().from(settings).where(eq(settings.userId, userId)).limit(1)
 
     if (existing) {
       const currentTools = (existing.copilotAutoAllowedTools as string[]) || []
 
-      // Add tool if not already present
       if (!currentTools.includes(toolId)) {
         const updatedTools = [...currentTools, toolId]
         await db
@@ -89,7 +86,6 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ success: true, autoAllowedTools: currentTools })
     }
 
-    // Create new settings record with the tool
     await db.insert(settings).values({
       id: userId,
       userId,
@@ -109,7 +105,7 @@ export async function POST(request: NextRequest) {
  */
 export async function DELETE(request: NextRequest) {
   try {
-    const session = await auth.api.getSession({ headers: request.headers })
+    const session = await getSession()
 
     if (!session?.user?.id) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -123,7 +119,6 @@ export async function DELETE(request: NextRequest) {
       return NextResponse.json({ error: 'toolId query parameter is required' }, { status: 400 })
     }
 
-    // Get existing settings
     const [existing] = await db.select().from(settings).where(eq(settings.userId, userId)).limit(1)
 
     if (existing) {