From e8cce67c08928d9980804eb3d70629fc0a7cdbfe Mon Sep 17 00:00:00 2001 From: Waleed Latif Date: Tue, 7 Apr 2026 12:10:52 -0700 Subject: [PATCH 1/3] feat(auth): add DISABLE_GOOGLE_AUTH and DISABLE_GITHUB_AUTH env vars --- .../app/(auth)/components/oauth-provider-checker.tsx | 12 +++++++++--- apps/sim/lib/core/config/env.ts | 2 ++ apps/sim/lib/core/config/feature-flags.ts | 12 ++++++++++++ helm/sim/examples/values-production.yaml | 2 ++ helm/sim/values.schema.json | 8 ++++++++ helm/sim/values.yaml | 2 ++ 6 files changed, 35 insertions(+), 3 deletions(-) diff --git a/apps/sim/app/(auth)/components/oauth-provider-checker.tsx b/apps/sim/app/(auth)/components/oauth-provider-checker.tsx index 6a7177e4faf..66d4fa29419 100644 --- a/apps/sim/app/(auth)/components/oauth-provider-checker.tsx +++ b/apps/sim/app/(auth)/components/oauth-provider-checker.tsx @@ -1,10 +1,16 @@ import { env } from '@/lib/core/config/env' -import { isProd } from '@/lib/core/config/feature-flags' +import { + isGithubAuthDisabled, + isGoogleAuthDisabled, + isProd, +} from '@/lib/core/config/feature-flags' export async function getOAuthProviderStatus() { - const githubAvailable = !!(env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET) + const githubAvailable = + !!(env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET) && !isGithubAuthDisabled - const googleAvailable = !!(env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET) + const googleAvailable = + !!(env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET) && !isGoogleAuthDisabled return { githubAvailable, googleAvailable, isProduction: isProd } } diff --git a/apps/sim/lib/core/config/env.ts b/apps/sim/lib/core/config/env.ts index 84ffe503d4e..f4c751b7b72 100644 --- a/apps/sim/lib/core/config/env.ts +++ b/apps/sim/lib/core/config/env.ts @@ -260,6 +260,8 @@ export const env = createEnv({ GOOGLE_CLIENT_SECRET: z.string().optional(), // Google OAuth client secret GITHUB_CLIENT_ID: z.string().optional(), // GitHub OAuth client ID for GitHub integration GITHUB_CLIENT_SECRET: z.string().optional(), // GitHub OAuth client secret + DISABLE_GOOGLE_AUTH: z.boolean().optional(), // Disable Google OAuth login even when credentials are configured + DISABLE_GITHUB_AUTH: z.boolean().optional(), // Disable GitHub OAuth login even when credentials are configured X_CLIENT_ID: z.string().optional(), // X (Twitter) OAuth client ID X_CLIENT_SECRET: z.string().optional(), // X (Twitter) OAuth client secret diff --git a/apps/sim/lib/core/config/feature-flags.ts b/apps/sim/lib/core/config/feature-flags.ts index 7aeb4c33071..b66444d43e7 100644 --- a/apps/sim/lib/core/config/feature-flags.ts +++ b/apps/sim/lib/core/config/feature-flags.ts @@ -150,6 +150,18 @@ export const isInvitationsDisabled = isTruthy(env.DISABLE_INVITATIONS) */ export const isPublicApiDisabled = isTruthy(env.DISABLE_PUBLIC_API) +/** + * Is Google OAuth login disabled + * When true, the Google OAuth login button is hidden even when credentials are configured + */ +export const isGoogleAuthDisabled = isTruthy(env.DISABLE_GOOGLE_AUTH) + +/** + * Is GitHub OAuth login disabled + * When true, the GitHub OAuth login button is hidden even when credentials are configured + */ +export const isGithubAuthDisabled = isTruthy(env.DISABLE_GITHUB_AUTH) + /** * Is React Grab enabled for UI element debugging * When true and in development mode, enables React Grab for copying UI element context to clipboard diff --git a/helm/sim/examples/values-production.yaml b/helm/sim/examples/values-production.yaml index 9874cb1a51d..81893fd25ae 100644 --- a/helm/sim/examples/values-production.yaml +++ b/helm/sim/examples/values-production.yaml @@ -45,6 +45,8 @@ app: RESEND_API_KEY: "your-resend-api-key" GOOGLE_CLIENT_ID: "your-google-client-id" GOOGLE_CLIENT_SECRET: "your-google-client-secret" + # DISABLE_GOOGLE_AUTH: "true" # Uncomment to hide Google OAuth login + # DISABLE_GITHUB_AUTH: "true" # Uncomment to hide GitHub OAuth login # Realtime service realtime: diff --git a/helm/sim/values.schema.json b/helm/sim/values.schema.json index 3aeef472ed9..615db3939fd 100644 --- a/helm/sim/values.schema.json +++ b/helm/sim/values.schema.json @@ -184,6 +184,14 @@ "type": "string", "description": "GitHub OAuth client secret" }, + "DISABLE_GOOGLE_AUTH": { + "type": "string", + "description": "Set to 'true' to hide Google OAuth login even when credentials are configured" + }, + "DISABLE_GITHUB_AUTH": { + "type": "string", + "description": "Set to 'true' to hide GitHub OAuth login even when credentials are configured" + }, "OPENAI_API_KEY": { "type": "string", "description": "Primary OpenAI API key" diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml index 9fbe6195b67..b7b32cb4c4e 100644 --- a/helm/sim/values.yaml +++ b/helm/sim/values.yaml @@ -109,6 +109,8 @@ app: GOOGLE_CLIENT_SECRET: "" # Google OAuth client secret GITHUB_CLIENT_ID: "" # GitHub OAuth client ID GITHUB_CLIENT_SECRET: "" # GitHub OAuth client secret + DISABLE_GOOGLE_AUTH: "" # Set to "true" to hide Google OAuth login + DISABLE_GITHUB_AUTH: "" # Set to "true" to hide GitHub OAuth login # Google Vertex AI Configuration VERTEX_PROJECT: "" # Google Cloud project ID for Vertex AI From e0e14d5e0a1be86c6a893b5881d25de84282b4da Mon Sep 17 00:00:00 2001 From: Waleed Latif Date: Tue, 7 Apr 2026 12:15:39 -0700 Subject: [PATCH 2/3] fix(auth): also disable server-side OAuth provider registration when flags are set --- apps/sim/lib/auth/auth.ts | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts index 6aa989e720b..6c51ab2d16b 100644 --- a/apps/sim/lib/auth/auth.ts +++ b/apps/sim/lib/auth/auth.ts @@ -65,6 +65,8 @@ import { isBillingEnabled, isEmailPasswordEnabled, isEmailVerificationEnabled, + isGithubAuthDisabled, + isGoogleAuthDisabled, isHosted, isOrganizationsEnabled, isRegistrationDisabled, @@ -607,19 +609,23 @@ export const auth = betterAuth({ }, }, socialProviders: { - github: { - clientId: env.GITHUB_CLIENT_ID as string, - clientSecret: env.GITHUB_CLIENT_SECRET as string, - scope: ['user:email', 'repo'], - }, - google: { - clientId: env.GOOGLE_CLIENT_ID as string, - clientSecret: env.GOOGLE_CLIENT_SECRET as string, - scope: [ - 'https://www.googleapis.com/auth/userinfo.email', - 'https://www.googleapis.com/auth/userinfo.profile', - ], - }, + ...(!isGithubAuthDisabled && { + github: { + clientId: env.GITHUB_CLIENT_ID as string, + clientSecret: env.GITHUB_CLIENT_SECRET as string, + scope: ['user:email', 'repo'], + }, + }), + ...(!isGoogleAuthDisabled && { + google: { + clientId: env.GOOGLE_CLIENT_ID as string, + clientSecret: env.GOOGLE_CLIENT_SECRET as string, + scope: [ + 'https://www.googleapis.com/auth/userinfo.email', + 'https://www.googleapis.com/auth/userinfo.profile', + ], + }, + }), }, emailVerification: { autoSignInAfterVerification: true, From 02d3c2a3b83e5c1ce853ac9f12b4c2660873f7f3 Mon Sep 17 00:00:00 2001 From: Waleed Latif Date: Tue, 7 Apr 2026 12:17:30 -0700 Subject: [PATCH 3/3] lint --- apps/sim/app/(auth)/components/oauth-provider-checker.tsx | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/apps/sim/app/(auth)/components/oauth-provider-checker.tsx b/apps/sim/app/(auth)/components/oauth-provider-checker.tsx index 66d4fa29419..73a95f98b02 100644 --- a/apps/sim/app/(auth)/components/oauth-provider-checker.tsx +++ b/apps/sim/app/(auth)/components/oauth-provider-checker.tsx @@ -1,9 +1,5 @@ import { env } from '@/lib/core/config/env' -import { - isGithubAuthDisabled, - isGoogleAuthDisabled, - isProd, -} from '@/lib/core/config/feature-flags' +import { isGithubAuthDisabled, isGoogleAuthDisabled, isProd } from '@/lib/core/config/feature-flags' export async function getOAuthProviderStatus() { const githubAvailable =