fix(files): normalize allow-list emails to lowercase; genericize shared SSO denial message

Author: TheodoreSpeaks

apps/sim/app/api/chat/utils.test.ts

@@ -408,7 +408,7 @@ describe('Chat API Utils', () => {
         })
 
         expect(result.authorized).toBe(false)
-        expect(result.error).toBe('Your email is not authorized to access this chat')
+        expect(result.error).toBe('Your email is not authorized to access this resource')
       })
     })
   })

apps/sim/app/api/files/public/[token]/otp/route.test.ts

@@ -104,6 +104,12 @@ describe('POST /api/files/public/[token]/otp', () => {
     expect(mockStoreOTP).not.toHaveBeenCalled()
   })
 
+  it('lowercases the email for allow-list matching and OTP storage', async () => {
+    await POST(post('User@ACME.com'), params())
+    expect(mockIsEmailAllowed).toHaveBeenCalledWith('user@acme.com', expect.anything())
+    expect(mockStoreOTP).toHaveBeenCalledWith('file', 'sh_1', 'user@acme.com', '123456')
+  })
+
   it('rejects a non-email share with 400', async () => {
     mockResolveActiveShareByToken.mockResolvedValueOnce({
       ...emailShare,

apps/sim/app/api/files/public/[token]/otp/route.ts

@@ -69,7 +69,9 @@ export const POST = withRouteHandler(
       const parsed = await parseRequest(requestPublicFileOtpContract, request, context)
       if (!parsed.success) return parsed.response
       const { token } = parsed.data.params
-      const { email } = parsed.data.body
+      // Normalize once so allow-list matching, OTP storage, and the verify lookup
+      // all key off the same value (allow-list entries are stored lowercase).
+      const email = parsed.data.body.email.trim().toLowerCase()
 
       const resolved = await resolveActiveShareByToken(token)
       if (!resolved) {
@@ -87,7 +89,7 @@ export const POST = withRouteHandler(
       }
 
       const emailRateLimit = await rateLimiter.checkRateLimitDirect(
-        `file-otp:email:${resolved.share.id}:${email.toLowerCase()}`,
+        `file-otp:email:${resolved.share.id}:${email}`,
         OTP_EMAIL_RATE_LIMIT
       )
       if (!emailRateLimit.allowed) {
@@ -130,7 +132,8 @@ export const PUT = withRouteHandler(
       const parsed = await parseRequest(verifyPublicFileOtpContract, request, context)
       if (!parsed.success) return parsed.response
       const { token } = parsed.data.params
-      const { email, otp } = parsed.data.body
+      const { otp } = parsed.data.body
+      const email = parsed.data.body.email.trim().toLowerCase()
 
       const resolved = await resolveActiveShareByToken(token)
       if (!resolved) {

apps/sim/app/api/files/public/[token]/sso/route.ts

@@ -53,7 +53,7 @@ export const POST = withRouteHandler(
     const parsed = await parseRequest(publicFileSSOContract, request, context)
     if (!parsed.success) return parsed.response
     const { token } = parsed.data.params
-    const { email } = parsed.data.body
+    const email = parsed.data.body.email.trim().toLowerCase()
 
     const resolved = await resolveActiveShareByToken(token)
     if (!resolved) {

apps/sim/lib/core/security/deployment-auth.ts

@@ -188,7 +188,7 @@ export async function validateDeploymentAuth(
         return { authorized: true }
       }
 
-      return { authorized: false, error: 'Your email is not authorized to access this chat' }
+      return { authorized: false, error: 'Your email is not authorized to access this resource' }
     } catch (error) {
       logger.error(`[${requestId}] Error validating SSO:`, error)
       return { authorized: false, error: 'SSO authentication error' }