The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Jun 19, 2026 10:26pm

PR Summary

High Risk
Touches authentication, cookies, OTP, and public file byte serving across chat and files; auth-type binding and POST-only password minting reduce but do not eliminate regression risk in existing chat deploy auth.

Overview
Public file shares can be gated with password, email OTP, or SSO (not only private / anyone-with-link). Chat and file flows share a new validateDeploymentAuth helper with file_auth_{shareId} cookies, OTP storage for the 'file' kind, and validateAuthToken now checks auth type so cookies cannot be reused after a share mode change.

API & data: public_share gains auth_type, encrypted password, and allowed_emails. Metadata and content routes call the shared gate (401 auth_required_*); new routes handle password exchange, OTP send/verify, and SSO eligibility. Password POST on public shares is restricted to password mode so cookies cannot be minted on public links and later satisfy stricter modes.

Product & policy: Share modal uses an access ButtonGroup (password, allow-list, client-reserved token before save). /f/[token] shows auth shells until authorized; metadata/OG stay generic for protected shares so filenames do not leak pre-auth. Enterprise access control can allow-list file share auth types; share upsert validates auth config and returns 400 on ShareValidationError.

Refactors: GeneratedPasswordInput, case-insensitive isEmailAllowed, and broad route/unit test coverage.

^{Reviewed by Cursor Bugbot for commit ec5de63. Bugbot is set up for automated code reviews on this repo. Configure here.}

Greptile Summary

This PR adds Password, Email-OTP, and SSO access controls to public file shares, unifying the gate with the existing deploy-as-chat auth machinery by extracting a shared validateDeploymentAuth helper. A migration (0244) adds auth_type, password, and allowed_emails columns to public_share; new routes and UI components wire up the three auth modes on top of the existing "anyone with link" flow.

• Auth core: validateDeploymentAuth replaces the inline validateChatAuth logic; isEmailAllowed is now case-insensitive (lowercases both sides), fixing SSO session-email casing bugs across all callsites simultaneously.
• Routes: GET/POST on the metadata endpoint and the content endpoint are gated by validateDeploymentAuth; dedicated /otp (POST request + PUT verify) and /sso (eligibility check) routes handle the email and SSO flows with IP/email rate limits.
• UI: ShareModal gains a ButtonGroup access selector, conditional password/email fields, and a pre-reserved token so the shareable link is visible before first save; GeneratedPasswordInput is extracted as a shared component used by both the deploy modal and the share modal.

Confidence Score: 5/5

Safe to merge. The auth logic is cleanly shared, the migration is additive, and the file-name-leak issues from earlier review rounds have been addressed.

Cookie generation and validation both use the raw encrypted password from PublicShareRow, so the password-slot invalidation mechanism works as intended. All three new auth modes have IP rate limits on their write paths. The remaining comments are minor validation gaps and a UX inconsistency in the email countdown.

apps/sim/app/api/files/public/[token]/otp/route.ts — the PUT verify endpoint would benefit from an IP rate limit to match the POST request path.

Important Files Changed

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant C as Client
    participant P as /f/[token] page.tsx
    participant M as GET /api/files/public/[token]
    participant O as POST/PUT /otp
    participant S as POST /sso
    participant A as validateDeploymentAuth

    C->>P: Visit share URL
    P->>P: resolveShare(token)
    P->>P: renderAuthGate(share)

    alt "authType = public"
        P-->>C: PublicFileView
    else "authType = password"
        P-->>C: PublicFileAuth gate
        C->>M: POST password
        M->>A: validateDeploymentAuth
        A-->>M: authorized true
        M-->>C: Set file_auth cookie
        C->>P: router.refresh()
        P-->>C: PublicFileView
    else "authType = email"
        P-->>C: PublicFileEmailAuth
        C->>O: POST email request OTP
        O-->>C: 200 message
        C->>O: PUT email otp verify
        O-->>C: Set file_auth cookie
        C->>P: router.refresh()
        P-->>C: PublicFileView
    else "authType = sso"
        P->>P: getSession + isEmailAllowed
        alt not authorized
            P-->>C: PublicFileSSOAuth
            C->>S: POST email eligibility
            S-->>C: eligible true
            C->>C: redirect to SSO
            C->>P: return from SSO
            P-->>C: PublicFileView
        else authorized
            P-->>C: PublicFileView
        end
    end

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant C as Client
    participant P as /f/[token] page.tsx
    participant M as GET /api/files/public/[token]
    participant O as POST/PUT /otp
    participant S as POST /sso
    participant A as validateDeploymentAuth

    C->>P: Visit share URL
    P->>P: resolveShare(token)
    P->>P: renderAuthGate(share)

    alt "authType = public"
        P-->>C: PublicFileView
    else "authType = password"
        P-->>C: PublicFileAuth gate
        C->>M: POST password
        M->>A: validateDeploymentAuth
        A-->>M: authorized true
        M-->>C: Set file_auth cookie
        C->>P: router.refresh()
        P-->>C: PublicFileView
    else "authType = email"
        P-->>C: PublicFileEmailAuth
        C->>O: POST email request OTP
        O-->>C: 200 message
        C->>O: PUT email otp verify
        O-->>C: Set file_auth cookie
        C->>P: router.refresh()
        P-->>C: PublicFileView
    else "authType = sso"
        P->>P: getSession + isEmailAllowed
        alt not authorized
            P-->>C: PublicFileSSOAuth
            C->>S: POST email eligibility
            S-->>C: eligible true
            C->>C: redirect to SSO
            C->>P: return from SSO
            P-->>C: PublicFileView
        else authorized
            P-->>C: PublicFileView
        end
    end

_{Reviews (4): Last reviewed commit: "fix(security): make isEmailAllowed case-..." | Re-trigger Greptile}

Addressed the review feedback in 7578702:

• [Bugbot / Greptile P1 — filename leak in previews] The OG card + generateMetadata only suppressed the filename for password shares; email/sso fell through and leaked file.originalName pre-auth. Both now go generic for any non-public mode (authType !== 'public') — "Protected file" / "Authentication is required to view this file". noindex unchanged.
• [Greptile P2 — stale JSDoc] Updated the validateDeploymentAuth doc comment: file shares now support all four modes (public/password/email/sso), not just public/password.

Also rebased onto latest staging (resolved the @sim/platform-authz rename + renumbered the migration to 0244_public_share_auth).

@greptile review

Round 2 of bot feedback addressed:

• [Bugbot Medium — OTP email casing] The file OTP POST/PUT and SSO eligibility now normalize the email to trim().toLowerCase() before isEmailAllowed / storeOTP / getOTP, matching the lowercase allow-list and the rate-limit key. Added a regression test (mixed-case User@ACME.com → lowercased for matching + storage).
• [Bugbot Low — "this chat" wording] The shared validateDeploymentAuth SSO-denied message is now generic ("…not authorized to access this resource") since it serves both chat and file shares. Updated the chat test assertion.

@greptile review

Round 3 (email casing, root-caused):

• [Bugbot Medium — SSO session email casing] Root cause was that the shared isEmailAllowed compared raw-cased emails against the lowercase allow-list. Made isEmailAllowed case-insensitive (lowercases both sides) — this fixes the SSO session-email path in page.tsx and the metadata/content gates and chat in one place, instead of normalizing at each callsite.
• [Bugbot Medium — client sends untrimmed email] The email + SSO gates now send email.trim().toLowerCase() to requestJson, consistent with server-side normalization.

Net: allow-list matching is now case-insensitive everywhere; OTP storage keys off the normalized email on both store and verify.

@greptile review

Re the two Bugbot comments still showing on the latest commit (SSO session email casing @ page.tsx:87 and OTP email casing @ otp/route.ts): these are the earlier findings rolled forward by GitHub — their location anchors point at pre-82db6c2d0 commits. Both are already resolved on HEAD:

• isEmailAllowed is now case-insensitive (lowercases the email and every allow-list entry), so the SSO session email (any IdP casing) and OTP allow-list matching work in page.tsx, the metadata/content gates, and chat — fixed centrally, not per-callsite.
• The OTP route normalizes the email before storeOTP/getOTP (store + verify key consistently); the email/SSO client gates send the normalized email.

Added a direct unit test for isEmailAllowed (mixed-case exact + domain match) in 990bc03d3.

[Bugbot High — "Public cookie bypasses email gate"] Fixed — good catch. Two layers:

1. Root cause: validateAuthToken ignored the token's auth type, so an empty-slot public cookie satisfied an email/sso gate. It now binds the token to the auth type (storedType !== authType → reject), so a cookie minted under one mode can't authorize another after the share's auth type changes. Updated all 5 callers (file page + content/metadata gate, chat config GET, chat TTS, chat speech) to pass the current auth type.
2. Direct fix: the password POST /api/files/public/[token] now rejects any non-password share with 400, so it never mints a file_auth cookie for a public share in the first place.

Added a route test (password POST on a public share → 400, no cookie) and updated the chat auth-token assertion.

Also rebased onto latest staging (migration renumbered to 0245_public_share_auth; api-validation baseline → 859).

The 'Share upsert validation returns 500' comment is already resolved as of 32afa713b (Bugbot re-anchored the original to the latest commit — its line refs still point at the pre-fix code). On HEAD: upsertFileShare throws a typed ShareValidationError, and the PUT route catches it → 400 (route.ts:146-147). The remaining 500s are genuine server-error fallbacks. Also fixed alongside it: disabling a share no longer runs auth-config validation, so turning sharing off always succeeds.