feat(auth): add DISABLE_GOOGLE_AUTH and DISABLE_GITHUB_AUTH env vars (#4019)

* feat(auth): add DISABLE_GOOGLE_AUTH and DISABLE_GITHUB_AUTH env vars

* fix(auth): also disable server-side OAuth provider registration when flags are set

* lint

Author: waleedlatif1

apps/sim/app/(auth)/components/oauth-provider-checker.tsx

@@ -1,10 +1,12 @@
 import { env } from '@/lib/core/config/env'
-import { isProd } from '@/lib/core/config/feature-flags'
+import { isGithubAuthDisabled, isGoogleAuthDisabled, isProd } from '@/lib/core/config/feature-flags'
 
 export async function getOAuthProviderStatus() {
-  const githubAvailable = !!(env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET)
+  const githubAvailable =
+    !!(env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET) && !isGithubAuthDisabled
 
-  const googleAvailable = !!(env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET)
+  const googleAvailable =
+    !!(env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET) && !isGoogleAuthDisabled
 
   return { githubAvailable, googleAvailable, isProduction: isProd }
 }

apps/sim/lib/auth/auth.ts

@@ -65,6 +65,8 @@ import {
   isBillingEnabled,
   isEmailPasswordEnabled,
   isEmailVerificationEnabled,
+  isGithubAuthDisabled,
+  isGoogleAuthDisabled,
   isHosted,
   isOrganizationsEnabled,
   isRegistrationDisabled,
@@ -607,19 +609,23 @@ export const auth = betterAuth({
     },
   },
   socialProviders: {
-    github: {
-      clientId: env.GITHUB_CLIENT_ID as string,
-      clientSecret: env.GITHUB_CLIENT_SECRET as string,
-      scope: ['user:email', 'repo'],
-    },
-    google: {
-      clientId: env.GOOGLE_CLIENT_ID as string,
-      clientSecret: env.GOOGLE_CLIENT_SECRET as string,
-      scope: [
-        'https://www.googleapis.com/auth/userinfo.email',
-        'https://www.googleapis.com/auth/userinfo.profile',
-      ],
-    },
+    ...(!isGithubAuthDisabled && {
+      github: {
+        clientId: env.GITHUB_CLIENT_ID as string,
+        clientSecret: env.GITHUB_CLIENT_SECRET as string,
+        scope: ['user:email', 'repo'],
+      },
+    }),
+    ...(!isGoogleAuthDisabled && {
+      google: {
+        clientId: env.GOOGLE_CLIENT_ID as string,
+        clientSecret: env.GOOGLE_CLIENT_SECRET as string,
+        scope: [
+          'https://www.googleapis.com/auth/userinfo.email',
+          'https://www.googleapis.com/auth/userinfo.profile',
+        ],
+      },
+    }),
   },
   emailVerification: {
     autoSignInAfterVerification: true,

apps/sim/lib/core/config/env.ts

@@ -260,6 +260,8 @@ export const env = createEnv({
     GOOGLE_CLIENT_SECRET:                  z.string().optional(),                  // Google OAuth client secret
     GITHUB_CLIENT_ID:                      z.string().optional(),                  // GitHub OAuth client ID for GitHub integration
     GITHUB_CLIENT_SECRET:                  z.string().optional(),                  // GitHub OAuth client secret
+    DISABLE_GOOGLE_AUTH:                   z.boolean().optional(),                 // Disable Google OAuth login even when credentials are configured
+    DISABLE_GITHUB_AUTH:                   z.boolean().optional(),                 // Disable GitHub OAuth login even when credentials are configured
 
     X_CLIENT_ID:                           z.string().optional(),                  // X (Twitter) OAuth client ID
     X_CLIENT_SECRET:                       z.string().optional(),                  // X (Twitter) OAuth client secret

apps/sim/lib/core/config/feature-flags.ts

@@ -150,6 +150,18 @@ export const isInvitationsDisabled = isTruthy(env.DISABLE_INVITATIONS)
  */
 export const isPublicApiDisabled = isTruthy(env.DISABLE_PUBLIC_API)
 
+/**
+ * Is Google OAuth login disabled
+ * When true, the Google OAuth login button is hidden even when credentials are configured
+ */
+export const isGoogleAuthDisabled = isTruthy(env.DISABLE_GOOGLE_AUTH)
+
+/**
+ * Is GitHub OAuth login disabled
+ * When true, the GitHub OAuth login button is hidden even when credentials are configured
+ */
+export const isGithubAuthDisabled = isTruthy(env.DISABLE_GITHUB_AUTH)
+
 /**
  * Is React Grab enabled for UI element debugging
  * When true and in development mode, enables React Grab for copying UI element context to clipboard

helm/sim/examples/values-production.yaml

@@ -45,6 +45,8 @@ app:
     RESEND_API_KEY: "your-resend-api-key"
     GOOGLE_CLIENT_ID: "your-google-client-id"
     GOOGLE_CLIENT_SECRET: "your-google-client-secret"
+    # DISABLE_GOOGLE_AUTH: "true"                      # Uncomment to hide Google OAuth login
+    # DISABLE_GITHUB_AUTH: "true"                      # Uncomment to hide GitHub OAuth login
 
 # Realtime service
 realtime:

helm/sim/values.schema.json

@@ -184,6 +184,14 @@
               "type": "string",
               "description": "GitHub OAuth client secret"
             },
+            "DISABLE_GOOGLE_AUTH": {
+              "type": "string",
+              "description": "Set to 'true' to hide Google OAuth login even when credentials are configured"
+            },
+            "DISABLE_GITHUB_AUTH": {
+              "type": "string",
+              "description": "Set to 'true' to hide GitHub OAuth login even when credentials are configured"
+            },
             "OPENAI_API_KEY": {
               "type": "string",
               "description": "Primary OpenAI API key"

helm/sim/values.yaml

@@ -109,6 +109,8 @@ app:
     GOOGLE_CLIENT_SECRET: ""                              # Google OAuth client secret
     GITHUB_CLIENT_ID: ""                                  # GitHub OAuth client ID
     GITHUB_CLIENT_SECRET: ""                              # GitHub OAuth client secret
+    DISABLE_GOOGLE_AUTH: ""                               # Set to "true" to hide Google OAuth login
+    DISABLE_GITHUB_AUTH: ""                               # Set to "true" to hide GitHub OAuth login
 
     # Google Vertex AI Configuration
     VERTEX_PROJECT: ""                                    # Google Cloud project ID for Vertex AI