fix(auth): close nOAuth account takeover via email-based OAuth linking

Restrict the unauthenticated sign-in endpoints to first-party login
providers, trim trustedProviders to providers that verify email
ownership, and stop hardcoding emailVerified for multi-tenant Microsoft
and Salesforce connectors.

Author: waleedlatif1

apps/sim/lib/auth/auth.ts

@@ -88,6 +88,7 @@ import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
 import { disableUserResources } from '@/lib/workflows/lifecycle'
 import { SSO_TRUSTED_PROVIDERS } from '@/ee/sso/constants'
 import { createAnonymousSession, ensureAnonymousUserExists } from './anonymous'
+import { isSignInProviderAllowed } from './constants'
 
 const logger = createLogger('Auth')
 
@@ -128,12 +129,25 @@ function getMicrosoftUserInfoFromIdToken(tokens: { accessToken?: string }, provi
     )
   }
 
+  /**
+   * Azure AD's `email`/`upn` claims are unverified and mutable on multi-tenant
+   * (`/common/`) endpoints, so trust the email only when the token explicitly
+   * proves ownership via `email_verified` or the verified-email claims, mirroring
+   * Better Auth's built-in Microsoft provider. Never hardcode verification.
+   */
+  const verifiedPrimaryEmail = payload.verified_primary_email as string[] | undefined
+  const verifiedSecondaryEmail = payload.verified_secondary_email as string[] | undefined
+  const emailVerified =
+    payload.email_verified !== undefined
+      ? Boolean(payload.email_verified)
+      : Boolean(verifiedPrimaryEmail?.includes(email) || verifiedSecondaryEmail?.includes(email))
+
   const now = new Date()
   return {
     id: `${payload.oid || payload.sub}-${generateId()}`,
     name: (payload.name as string) || 'Microsoft User',
     email,
-    emailVerified: true,
+    emailVerified,
     createdAt: now,
     updatedAt: now,
   }
@@ -661,60 +675,21 @@ export const auth = betterAuth({
       enabled: true,
       allowDifferentEmails: true,
       requireLocalEmailVerified: false,
+      /**
+       * Only providers that verify email ownership may auto-link to an existing
+       * account during sign-in. Integration connectors are deliberately absent:
+       * they connect through the authenticated `/oauth2/link` flow, which binds
+       * to the current session user and never consults this list. `microsoft` is
+       * also excluded because it authenticates against the multi-tenant
+       * `/common/` endpoint where the email claim is attacker-controllable;
+       * leaving it trusted would bypass the email-verified check and allow
+       * nOAuth account takeover. Microsoft sign-in still works — it just links
+       * to an existing account only when the IdP asserts a verified email.
+       */
       trustedProviders: [
         'google',
         'github',
         'email-password',
-        'confluence',
-        'x',
-        'notion',
-        'microsoft',
-        'slack',
-        'reddit',
-        'webflow',
-        'asana',
-        'pipedrive',
-        'hubspot',
-        'linkedin',
-        'spotify',
-        'google-email',
-        'google-calendar',
-        'google-contacts',
-        'google-drive',
-        'google-docs',
-        'google-sheets',
-        'google-forms',
-        'google-ads',
-        'google-bigquery',
-        'google-vault',
-        'google-groups',
-        'google-meet',
-        'google-tasks',
-        'vertex-ai',
-
-        'microsoft-ad',
-        'microsoft-dataverse',
-        'microsoft-teams',
-        'microsoft-excel',
-        'microsoft-planner',
-        'outlook',
-        'onedrive',
-        'sharepoint',
-        'jira',
-        'airtable',
-        'box',
-        'dropbox',
-        'salesforce',
-        'wealthbox',
-        'zoom',
-        'wordpress',
-        'linear',
-        'monday',
-        'attio',
-        'shopify',
-        'trello',
-        'calcom',
-        'docusign',
         ...SSO_TRUSTED_PROVIDERS,
         ...additionalTrustedSsoProviders,
       ],
@@ -883,6 +858,25 @@ export const auth = betterAuth({
   },
   hooks: {
     before: createAuthMiddleware(async (ctx) => {
+      /**
+       * Restrict the unauthenticated sign-in endpoints to first-party login
+       * providers. Better Auth registers every generic-OAuth integration
+       * connector as a social provider, so without this guard `microsoft-ad`,
+       * `salesforce`, `jira`, and the rest are reachable through
+       * `/sign-in/social` and `/sign-in/oauth2` and can mint a session for any
+       * user by email (nOAuth account takeover). Connectors are connected only
+       * through the authenticated `/oauth2/link` flow, which is unaffected.
+       */
+      if (ctx.path === '/sign-in/social' || ctx.path === '/sign-in/oauth2') {
+        const requestedProviderId = ctx.body?.provider ?? ctx.body?.providerId
+        if (!isSignInProviderAllowed(requestedProviderId)) {
+          throw new APIError('FORBIDDEN', {
+            message:
+              'This provider can only be connected from a signed-in account and cannot be used to sign in.',
+          })
+        }
+      }
+
       if (ctx.path.startsWith('/sign-up') && isRegistrationDisabled)
         throw new APIError('FORBIDDEN', {
           message: 'Registration is disabled, please contact your admin.',
@@ -1921,7 +1915,7 @@ export const auth = betterAuth({
                 id: `${(data.user_id || data.sub).toString()}-${generateId()}`,
                 name: data.name || 'Salesforce User',
                 email: data.email || `salesforce-${data.user_id}@salesforce.com`,
-                emailVerified: data.email_verified || true,
+                emailVerified: data.email_verified === true,
                 image: data.picture || undefined,
                 createdAt: new Date(),
                 updatedAt: new Date(),

apps/sim/lib/auth/constants.test.ts

@@ -0,0 +1,48 @@
+/**
+ * @vitest-environment node
+ */
+import { describe, expect, it } from 'vitest'
+import { isSignInProviderAllowed, SIGN_IN_PROVIDER_IDS } from '@/lib/auth/constants'
+
+describe('sign-in provider allowlist', () => {
+  it('permits only the first-party login providers', () => {
+    expect([...SIGN_IN_PROVIDER_IDS]).toEqual(['google', 'github', 'microsoft'])
+  })
+
+  it('allows first-party login providers to sign in', () => {
+    for (const providerId of SIGN_IN_PROVIDER_IDS) {
+      expect(isSignInProviderAllowed(providerId)).toBe(true)
+    }
+  })
+
+  it('rejects integration connectors from the sign-in endpoints', () => {
+    const connectors = [
+      'microsoft-ad',
+      'microsoft-teams',
+      'microsoft-excel',
+      'outlook',
+      'onedrive',
+      'sharepoint',
+      'salesforce',
+      'jira',
+      'confluence',
+      'hubspot',
+      'box',
+      'wordpress',
+      'google-drive',
+      'google-sheets',
+      'vertex-ai',
+    ]
+    for (const providerId of connectors) {
+      expect(isSignInProviderAllowed(providerId)).toBe(false)
+    }
+  })
+
+  it('rejects missing or malformed provider identifiers', () => {
+    expect(isSignInProviderAllowed(undefined)).toBe(false)
+    expect(isSignInProviderAllowed(null)).toBe(false)
+    expect(isSignInProviderAllowed('')).toBe(false)
+    expect(isSignInProviderAllowed(123)).toBe(false)
+    expect(isSignInProviderAllowed({ provider: 'google' })).toBe(false)
+  })
+})

apps/sim/lib/auth/constants.ts

@@ -8,3 +8,30 @@ export const ANONYMOUS_USER = {
   emailVerified: true,
   image: null,
 } as const
+
+/**
+ * Provider IDs permitted to authenticate (create or link a session) through the
+ * unauthenticated sign-in endpoints `/sign-in/social` and `/sign-in/oauth2`.
+ *
+ * Only first-party login providers that verify email ownership belong here.
+ * Integration connectors (Salesforce, Jira, the Microsoft/Google work
+ * connectors, etc.) are deliberately excluded: they are connected exclusively
+ * through the authenticated `/oauth2/link` flow, which binds the new account to
+ * the current session user and never mints a session. Allowing a connector to
+ * reach the sign-in endpoints enables nOAuth-style account takeover, where a
+ * multi-tenant IdP asserting an attacker-controlled, unverified email mints a
+ * session for the matching existing user. SSO uses a separate `/sign-in/sso`
+ * endpoint and is unaffected by this list.
+ */
+export const SIGN_IN_PROVIDER_IDS = ['google', 'github', 'microsoft'] as const
+
+const signInProviderIdSet: ReadonlySet<string> = new Set(SIGN_IN_PROVIDER_IDS)
+
+/**
+ * Returns true when `providerId` is a first-party login provider allowed to sign
+ * in. Used to reject integration connectors at the sign-in endpoints so they can
+ * only ever be connected through the authenticated link flow.
+ */
+export function isSignInProviderAllowed(providerId: unknown): boolean {
+  return typeof providerId === 'string' && signInProviderIdSet.has(providerId)
+}