fix(security): make isEmailAllowed case-insensitive; normalize email at client gates

TheodoreSpeaks · TheodoreSpeaks · commit 82db6c2d059a · 2026-06-19T13:34:04.000-07:00
diff --git a/apps/sim/app/f/[token]/public-file-email-auth.tsx b/apps/sim/app/f/[token]/public-file-email-auth.tsx
@@ -43,7 +43,7 @@ export function PublicFileEmailAuth({ token }: PublicFileEmailAuthProps) {
     }
     setError(null)
     try {
-      await requestOtp.mutateAsync({ email })
+      await requestOtp.mutateAsync({ email: email.trim().toLowerCase() })
       setSent(true)
       setOtp('')
     } catch (err) {
@@ -55,7 +55,7 @@ export function PublicFileEmailAuth({ token }: PublicFileEmailAuthProps) {
     if (code.length !== 6) return
     setError(null)
     try {
-      await verifyOtp.mutateAsync({ email, otp: code })
+      await verifyOtp.mutateAsync({ email: email.trim().toLowerCase(), otp: code })
       router.refresh()
     } catch (err) {
       setError(getErrorMessage(err, 'Invalid verification code'))
@@ -65,7 +65,7 @@ export function PublicFileEmailAuth({ token }: PublicFileEmailAuthProps) {
   const resend = async () => {
     setCountdown(30)
     try {
-      await requestOtp.mutateAsync({ email })
+      await requestOtp.mutateAsync({ email: email.trim().toLowerCase() })
       setOtp('')
       setError(null)
     } catch (err) {
diff --git a/apps/sim/app/f/[token]/public-file-sso-auth.tsx b/apps/sim/app/f/[token]/public-file-sso-auth.tsx
@@ -34,9 +34,10 @@ export function PublicFileSSOAuth({ token }: PublicFileSSOAuthProps) {
     setError(null)
     setIsLoading(true)
     try {
+      const normalizedEmail = email.trim().toLowerCase()
       const { eligible } = await requestJson(publicFileSSOContract, {
         params: { token },
-        body: { email },
+        body: { email: normalizedEmail },
       })
       if (!eligible) {
         setError('Email not authorized for this file.')
@@ -45,7 +46,7 @@ export function PublicFileSSOAuth({ token }: PublicFileSSOAuthProps) {
       }
       const callbackUrl = `/f/${token}`
       router.push(
-        `/sso?email=${encodeURIComponent(email)}&callbackUrl=${encodeURIComponent(callbackUrl)}`
+        `/sso?email=${encodeURIComponent(normalizedEmail)}&callbackUrl=${encodeURIComponent(callbackUrl)}`
       )
     } catch (err) {
       setError(getErrorMessage(err, 'Email not authorized for this file.'))
diff --git a/apps/sim/lib/core/security/deployment.ts b/apps/sim/lib/core/security/deployment.ts
@@ -103,17 +103,22 @@ export function setDeploymentAuthCookie(
 }
 
 /**
- * Checks if an email matches the allowed emails list (exact match or domain match)
+ * Checks if an email matches the allowed emails list (exact match or domain
+ * match). Case-insensitive — email addresses are compared lowercased on both
+ * sides, so callers don't need to normalize before calling.
  */
 export function isEmailAllowed(email: string, allowedEmails: string[]): boolean {
-  if (allowedEmails.includes(email)) {
+  const normalizedEmail = email.trim().toLowerCase()
+  const normalizedAllowed = allowedEmails.map((allowed) => allowed.trim().toLowerCase())
+
+  if (normalizedAllowed.includes(normalizedEmail)) {
     return true
   }
 
-  const atIndex = email.indexOf('@')
+  const atIndex = normalizedEmail.indexOf('@')
   if (atIndex > 0) {
-    const domain = email.substring(atIndex + 1)
-    if (domain && allowedEmails.some((allowed: string) => allowed === `@${domain}`)) {
+    const domain = normalizedEmail.substring(atIndex + 1)
+    if (domain && normalizedAllowed.some((allowed) => allowed === `@${domain}`)) {
       return true
     }
   }
