fix(sso): scope redacted-secret lookup to caller's org or userId

waleedlatif1 · waleedlatif1 · commit b70ea444c4f0 · 2026-04-20T15:57:42.000-07:00
diff --git a/apps/sim/app/api/auth/sso/register/route.ts b/apps/sim/app/api/auth/sso/register/route.ts
@@ -155,10 +155,13 @@ export async function POST(request: NextRequest) {
 
       let clientSecret = rawClientSecret
       if (rawClientSecret === REDACTED_MARKER) {
+        const ownerClause = orgId
+          ? and(eq(ssoProvider.providerId, providerId), eq(ssoProvider.organizationId, orgId))
+          : and(eq(ssoProvider.providerId, providerId), eq(ssoProvider.userId, session.user.id))
         const [existing] = await db
           .select({ oidcConfig: ssoProvider.oidcConfig })
           .from(ssoProvider)
-          .where(eq(ssoProvider.providerId, providerId))
+          .where(ownerClause)
           .limit(1)
         if (!existing?.oidcConfig) {
           return NextResponse.json(
