fix failing tests, cleanup

waleedlatif1 · waleedlatif1 · commit 020086156fdb · 2025-08-08T16:54:29.000-07:00
diff --git a/apps/sim/app/(auth)/signup/signup-form.test.tsx b/apps/sim/app/(auth)/signup/signup-form.test.tsx
@@ -211,10 +211,8 @@ describe('SignupPage', () => {
       fireEvent.click(submitButton)
 
       await waitFor(() => {
-        expect(mockSendOtp).toHaveBeenCalledWith({
-          email: 'user@company.com',
-          type: 'email-verification',
-        })
+        // With sendVerificationOnSignUp: true, OTP is sent automatically by Better Auth
+        // No manual OTP sending in the component anymore
         expect(mockRouter.push).toHaveBeenCalledWith('/verify?fromSignup=true')
       })
     })
@@ -390,7 +388,9 @@ describe('SignupPage', () => {
       fireEvent.click(submitButton)
 
       await waitFor(() => {
-        expect(mockRouter.push).toHaveBeenCalledWith('/invite/123')
+        // Security fix: ALL signups now go to /verify first to prevent bypass
+        // The invite redirect happens AFTER email verification is completed
+        expect(mockRouter.push).toHaveBeenCalledWith('/verify?fromSignup=true')
       })
     })
 
diff --git a/apps/sim/app/(auth)/signup/signup-form.tsx b/apps/sim/app/(auth)/signup/signup-form.tsx
@@ -327,13 +327,12 @@ function SignupFormContent({
         return
       }
 
-      // For new signups, always require verification to prevent bypass
-      // sendVerificationOnSignUp: true will automatically send the OTP
+      // For new signups, always require verification
       if (typeof window !== 'undefined') {
         sessionStorage.setItem('verificationEmail', emailValue)
         localStorage.setItem('has_logged_in_before', 'true')
 
-        // Set cookie flag for middleware check (prevents bypass)
+        // Set cookie flag for middleware check
         document.cookie = 'requiresEmailVerification=true; path=/; max-age=900; SameSite=Lax' // 15 min expiry
         document.cookie = 'has_logged_in_before=true; path=/; max-age=31536000; SameSite=Lax'
 
diff --git a/apps/sim/app/(auth)/verify/use-verification.ts b/apps/sim/app/(auth)/verify/use-verification.ts
@@ -125,7 +125,7 @@ export function useVerification({
         if (typeof window !== 'undefined') {
           sessionStorage.removeItem('verificationEmail')
 
-          // Clear the verification requirement flag - this prevents the bypass
+          // Clear the verification requirement flag
           document.cookie =
             'requiresEmailVerification=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT'
 
diff --git a/apps/sim/lib/auth.ts b/apps/sim/lib/auth.ts
@@ -156,8 +156,8 @@ export const auth = betterAuth({
   },
   emailAndPassword: {
     enabled: true,
-    requireEmailVerification: false, // Keep false - don't break existing users
-    sendVerificationOnSignUp: true, // Auto-send verification emails
+    requireEmailVerification: false,
+    sendVerificationOnSignUp: true,
     throwOnMissingCredentials: true,
     throwOnInvalidCredentials: true,
     sendResetPassword: async ({ user, url, token }, request) => {
@@ -238,7 +238,7 @@ export const auth = betterAuth({
             throw new Error('Email is required')
           }
 
-          // Validate email before sending OTP (using quick validation for performance)
+          // Validate email before sending OTP
           const validation = quickValidateEmail(data.email)
           if (!validation.isValid) {
             logger.warn('Email validation failed', {
diff --git a/apps/sim/lib/email/validation.test.ts b/apps/sim/lib/email/validation.test.ts
@@ -2,28 +2,28 @@ import { quickValidateEmail, validateEmail } from './validation'
 
 describe('Email Validation', () => {
   describe('validateEmail', () => {
-    it('should validate a correct email', async () => {
+    it.concurrent('should validate a correct email', async () => {
       const result = await validateEmail('user@example.com')
       expect(result.isValid).toBe(true)
       expect(result.checks.syntax).toBe(true)
       expect(result.checks.disposable).toBe(true)
     })
 
-    it('should reject invalid syntax', async () => {
+    it.concurrent('should reject invalid syntax', async () => {
       const result = await validateEmail('invalid-email')
       expect(result.isValid).toBe(false)
       expect(result.reason).toBe('Invalid email format')
       expect(result.checks.syntax).toBe(false)
     })
 
-    it('should reject disposable email addresses', async () => {
+    it.concurrent('should reject disposable email addresses', async () => {
       const result = await validateEmail('test@10minutemail.com')
       expect(result.isValid).toBe(false)
       expect(result.reason).toBe('Disposable email addresses are not allowed')
       expect(result.checks.disposable).toBe(false)
     })
 
-    it('should accept legitimate business emails', async () => {
+    it.concurrent('should accept legitimate business emails', async () => {
       const legitimateEmails = [
         'test@gmail.com',
         'noreply@gmail.com',
@@ -38,13 +38,13 @@ describe('Email Validation', () => {
       }
     })
 
-    it('should reject consecutive dots (RFC violation)', async () => {
+    it.concurrent('should reject consecutive dots (RFC violation)', async () => {
       const result = await validateEmail('user..name@example.com')
       expect(result.isValid).toBe(false)
       expect(result.reason).toBe('Email contains suspicious patterns')
     })
 
-    it('should reject very long local parts (RFC violation)', async () => {
+    it.concurrent('should reject very long local parts (RFC violation)', async () => {
       const longLocalPart = 'a'.repeat(65)
       const result = await validateEmail(`${longLocalPart}@example.com`)
       expect(result.isValid).toBe(false)
@@ -53,20 +53,20 @@ describe('Email Validation', () => {
   })
 
   describe('quickValidateEmail', () => {
-    it('should validate quickly without MX check', () => {
+    it.concurrent('should validate quickly without MX check', () => {
       const result = quickValidateEmail('user@example.com')
       expect(result.isValid).toBe(true)
       expect(result.checks.mxRecord).toBe(true) // Skipped, so assumed true
       expect(result.confidence).toBe('medium')
     })
 
-    it('should reject invalid emails quickly', () => {
+    it.concurrent('should reject invalid emails quickly', () => {
       const result = quickValidateEmail('invalid-email')
       expect(result.isValid).toBe(false)
       expect(result.reason).toBe('Invalid email format')
     })
 
-    it('should reject disposable emails quickly', () => {
+    it.concurrent('should reject disposable emails quickly', () => {
       const result = quickValidateEmail('test@tempmail.org')
       expect(result.isValid).toBe(false)
       expect(result.reason).toBe('Disposable email addresses are not allowed')
diff --git a/apps/sim/middleware.ts b/apps/sim/middleware.ts
@@ -94,7 +94,7 @@ export async function middleware(request: NextRequest) {
       return NextResponse.redirect(new URL('/login', request.url))
     }
 
-    // Check if user needs email verification (prevents the bypass vulnerability)
+    // Check if user needs email verification
     const requiresVerification = request.cookies.get('requiresEmailVerification')
     if (requiresVerification?.value === 'true') {
       return NextResponse.redirect(new URL('/verify', request.url))

Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ export async function middleware(request: NextRequest) {`
`94`	`94`	`return NextResponse.redirect(new URL('/login', request.url))`
`95`	`95`	`}`
`96`	`96`
`97`		`- // Check if user needs email verification (prevents the bypass vulnerability)`
	`97`	`+ // Check if user needs email verification`
`98`	`98`	`const requiresVerification = request.cookies.get('requiresEmailVerification')`
`99`	`99`	`if (requiresVerification?.value === 'true') {`
`100`	`100`	`return NextResponse.redirect(new URL('/verify', request.url))`