fix(sso): restrict SSO provider read/write to org owners and admins

waleedlatif1 · waleedlatif1 · commit ef82fcd6826b · 2026-04-20T13:38:48.000-07:00
diff --git a/apps/sim/app/api/auth/sso/providers/route.ts b/apps/sim/app/api/auth/sso/providers/route.ts
@@ -19,13 +19,16 @@ export async function GET(request: NextRequest) {
       let verifiedOrganizationId: string | null = null
       if (organizationId) {
         const [membership] = await db
-          .select({ organizationId: member.organizationId })
+          .select({ organizationId: member.organizationId, role: member.role })
           .from(member)
           .where(and(eq(member.userId, userId), eq(member.organizationId, organizationId)))
           .limit(1)
         if (!membership) {
           return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
         }
+        if (membership.role !== 'owner' && membership.role !== 'admin') {
+          return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+        }
         verifiedOrganizationId = membership.organizationId
       }
 
diff --git a/apps/sim/app/api/auth/sso/register/route.ts b/apps/sim/app/api/auth/sso/register/route.ts
@@ -116,13 +116,16 @@ export async function POST(request: NextRequest) {
 
     if (orgId) {
       const [membership] = await db
-        .select({ organizationId: member.organizationId })
+        .select({ organizationId: member.organizationId, role: member.role })
         .from(member)
         .where(and(eq(member.userId, session.user.id), eq(member.organizationId, orgId)))
         .limit(1)
       if (!membership) {
         return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
       }
+      if (membership.role !== 'owner' && membership.role !== 'admin') {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
     }
 
     const headers: Record<string, string> = {}
