test(security): cover isEmailAllowed case-insensitive matching

TheodoreSpeaks · TheodoreSpeaks · commit 990bc03d3631 · 2026-06-19T13:49:13.000-07:00
diff --git a/apps/sim/lib/core/security/deployment.test.ts b/apps/sim/lib/core/security/deployment.test.ts
@@ -0,0 +1,24 @@
+/**
+ * @vitest-environment node
+ */
+import { describe, expect, it } from 'vitest'
+import { isEmailAllowed } from '@/lib/core/security/deployment'
+
+describe('isEmailAllowed', () => {
+  it('matches an exact email regardless of casing on either side', () => {
+    expect(isEmailAllowed('user@acme.com', ['user@acme.com'])).toBe(true)
+    expect(isEmailAllowed('User@Acme.com', ['user@acme.com'])).toBe(true)
+    expect(isEmailAllowed('user@acme.com', ['USER@ACME.COM'])).toBe(true)
+    expect(isEmailAllowed('  User@Acme.com  ', ['user@acme.com'])).toBe(true)
+  })
+
+  it('matches a domain pattern regardless of casing (covers IdP/session emails)', () => {
+    expect(isEmailAllowed('User@Acme.com', ['@acme.com'])).toBe(true)
+    expect(isEmailAllowed('user@acme.com', ['@Acme.com'])).toBe(true)
+  })
+
+  it('rejects emails not on the allow-list', () => {
+    expect(isEmailAllowed('user@evil.com', ['user@acme.com', '@acme.com'])).toBe(false)
+    expect(isEmailAllowed('user@acme.com', [])).toBe(false)
+  })
+})
