fix: Explicitly guard restricted modes and username sign in

Author: dmoerner

packages/ui/src/components/SignIn/SignInStart.tsx

@@ -375,11 +375,17 @@ function SignInStartInternal(): JSX.Element {
       } as any);
     }
     try {
-      // Sign up if missing sign-in-or-sign-up flows do not currently support password
-      // sign in, since this is not enumeration-safe.
+      // Sign up if missing sign-in-or-sign-up flows only support public sign-up
+      // instances and identifiers that can be verified out-of-band.
       const hasPassword = fields.some(f => f.name === 'password' && !!f.value);
+      const signUpAttribute = getSignUpAttributeFromIdentifier(identifierField);
+      const supportsSignUpIfMissing =
+        signUpAttribute !== 'username' && userSettings.signUp.mode === SIGN_UP_MODES.PUBLIC;
       const shouldSignUpIfMissing =
-        isCombinedFlow && userSettings.attackProtection.enumeration_protection.enabled && !hasPassword;
+        isCombinedFlow &&
+        userSettings.attackProtection.enumeration_protection.enabled &&
+        supportsSignUpIfMissing &&
+        !hasPassword;
 
       const res = await safePasswordSignInForEnterpriseSSOInstance(
         signIn.create({

packages/ui/src/components/SignIn/__tests__/SignInStart.test.tsx

@@ -679,6 +679,59 @@ describe('SignInStart', () => {
         );
       });
     });
+
+    it('does not pass signUpIfMissing when sign-up mode is restricted', async () => {
+      const { wrapper, fixtures, props } = await createFixtures(f => {
+        f.withEmailAddress();
+        f.withEnumerationProtection();
+        f.withRestrictedMode();
+      });
+      props.setProps({ withSignUp: true });
+      fixtures.signIn.create.mockReturnValueOnce(Promise.resolve({ status: 'needs_first_factor' } as SignInResource));
+      const { userEvent } = render(<SignInStart />, { wrapper });
+      await userEvent.type(screen.getByLabelText(/email address/i), 'hello@clerk.com');
+      await userEvent.click(screen.getByText('Continue'));
+      expect(fixtures.signIn.create).toHaveBeenCalledWith(
+        expect.not.objectContaining({
+          signUpIfMissing: true,
+        }),
+      );
+    });
+
+    it('does not pass signUpIfMissing when sign-up mode is waitlist', async () => {
+      const { wrapper, fixtures, props } = await createFixtures(f => {
+        f.withEmailAddress();
+        f.withEnumerationProtection();
+        f.withWaitlistMode();
+      });
+      props.setProps({ withSignUp: true });
+      fixtures.signIn.create.mockReturnValueOnce(Promise.resolve({ status: 'needs_first_factor' } as SignInResource));
+      const { userEvent } = render(<SignInStart />, { wrapper });
+      await userEvent.type(screen.getByLabelText(/email address/i), 'hello@clerk.com');
+      await userEvent.click(screen.getByText('Continue'));
+      expect(fixtures.signIn.create).toHaveBeenCalledWith(
+        expect.not.objectContaining({
+          signUpIfMissing: true,
+        }),
+      );
+    });
+
+    it('does not pass signUpIfMissing when the identifier is a username', async () => {
+      const { wrapper, fixtures, props } = await createFixtures(f => {
+        f.withUsername();
+        f.withEnumerationProtection();
+      });
+      props.setProps({ withSignUp: true });
+      fixtures.signIn.create.mockReturnValueOnce(Promise.resolve({ status: 'needs_first_factor' } as SignInResource));
+      const { userEvent } = render(<SignInStart />, { wrapper });
+      await userEvent.type(screen.getByLabelText(/username/i), 'hello');
+      await userEvent.click(screen.getByText('Continue'));
+      expect(fixtures.signIn.create).toHaveBeenCalledWith(
+        expect.not.objectContaining({
+          signUpIfMissing: true,
+        }),
+      );
+    });
   });
 
   describe('ticket flow', () => {