improvement(auth): make Microsoft emailVerified derivation total (#5157)

waleedlatif1 · web-flow · commit 55f432637f68 · 2026-06-20T15:13:48.000-07:00
* improvement(auth): make Microsoft emailVerified derivation total

deriveMicrosoftEmailVerified cast the verified-email claims to string[]
and called .includes through optional chaining, which only guards
null/undefined. A claim arriving as a non-array, non-string value (e.g.
a number) would throw inside getUserInfo and fail the OAuth flow.
Array-check the claims with a proper type guard so any claim shape
resolves to unverified instead of throwing.

* test(auth): lock in unverified for a string verified-email claim

Add a boundary case asserting a string verified_primary_email/
verified_secondary_email equal to the email resolves to unverified —
the old string[] cast would have returned true via String.includes.
diff --git a/apps/sim/lib/oauth/microsoft.test.ts b/apps/sim/lib/oauth/microsoft.test.ts
@@ -54,10 +54,20 @@ describe('deriveMicrosoftEmailVerified', () => {
     expect(deriveMicrosoftEmailVerified({ email_verified: 'true' }, EMAIL)).toBe(true)
   })
 
-  it('treats a malformed verified-email claim as unverified', () => {
+  it('treats malformed (non-array) verified-email claims as unverified without throwing', () => {
     expect(deriveMicrosoftEmailVerified({ verified_primary_email: 'not-an-array' }, EMAIL)).toBe(
       false
     )
+    expect(deriveMicrosoftEmailVerified({ verified_primary_email: 123 }, EMAIL)).toBe(false)
+    expect(deriveMicrosoftEmailVerified({ verified_secondary_email: { foo: 'bar' } }, EMAIL)).toBe(
+      false
+    )
+    expect(deriveMicrosoftEmailVerified({ verified_primary_email: null }, EMAIL)).toBe(false)
+  })
+
+  it('does not treat a string claim equal to the email as verified (guards the old unsafe cast)', () => {
+    expect(deriveMicrosoftEmailVerified({ verified_primary_email: EMAIL }, EMAIL)).toBe(false)
+    expect(deriveMicrosoftEmailVerified({ verified_secondary_email: EMAIL }, EMAIL)).toBe(false)
   })
 })
 
diff --git a/apps/sim/lib/oauth/microsoft.ts b/apps/sim/lib/oauth/microsoft.ts
@@ -36,7 +36,10 @@ export function deriveMicrosoftEmailVerified(
   if (claims.email_verified !== undefined) {
     return Boolean(claims.email_verified)
   }
-  const verifiedPrimaryEmail = claims.verified_primary_email as string[] | undefined
-  const verifiedSecondaryEmail = claims.verified_secondary_email as string[] | undefined
-  return Boolean(verifiedPrimaryEmail?.includes(email) || verifiedSecondaryEmail?.includes(email))
+  const { verified_primary_email: verifiedPrimary, verified_secondary_email: verifiedSecondary } =
+    claims
+  return (
+    (Array.isArray(verifiedPrimary) && verifiedPrimary.includes(email)) ||
+    (Array.isArray(verifiedSecondary) && verifiedSecondary.includes(email))
+  )
 }

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,10 @@ export function deriveMicrosoftEmailVerified(`
`36`	`36`	`if (claims.email_verified !== undefined) {`
`37`	`37`	`return Boolean(claims.email_verified)`
`38`	`38`	`}`
`39`		`- const verifiedPrimaryEmail = claims.verified_primary_email as string[] \| undefined`
`40`		`- const verifiedSecondaryEmail = claims.verified_secondary_email as string[] \| undefined`
`41`		`- return Boolean(verifiedPrimaryEmail?.includes(email) \|\| verifiedSecondaryEmail?.includes(email))`
	`39`	`+ const { verified_primary_email: verifiedPrimary, verified_secondary_email: verifiedSecondary } =`
	`40`	`+ claims`
	`41`	`+ return (`
	`42`	`+ (Array.isArray(verifiedPrimary) && verifiedPrimary.includes(email)) \|\|`
	`43`	`+ (Array.isArray(verifiedSecondary) && verifiedSecondary.includes(email))`
	`44`	`+ )`
`42`	`45`	`}`