fix(chat): close SSO GET cookie replay and add eligibility rate limit

waleedlatif1 · waleedlatif1 · commit 92ee9fe4373d · 2026-05-02T11:05:59.000-07:00
- Skip chat_auth cookie validation for SSO in GET handler (replay vector for pre-fix cookies)
- Route SSO GET through getSession() instead of always returning auth_required_sso so post-IdP config fetch works
- Add per-IP rate limiting to /api/chat/[identifier]/sso to prevent allowlist enumeration
diff --git a/apps/sim/app/api/chat/[identifier]/route.ts b/apps/sim/app/api/chat/[identifier]/route.ts
@@ -360,6 +360,7 @@ export const GET = withRouteHandler(
 
       if (
         deployment.authType !== 'public' &&
+        deployment.authType !== 'sso' &&
         authCookie &&
         validateAuthToken(authCookie.value, deployment.id, deployment.password)
       ) {
diff --git a/apps/sim/app/api/chat/[identifier]/sso/route.ts b/apps/sim/app/api/chat/[identifier]/sso/route.ts
@@ -5,8 +5,10 @@ import { and, eq, isNull } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { chatSSOContract } from '@/lib/api/contracts/chats'
 import { parseRequest } from '@/lib/api/server'
+import type { TokenBucketConfig } from '@/lib/core/rate-limiter'
+import { RateLimiter } from '@/lib/core/rate-limiter'
 import { addCorsHeaders, isEmailAllowed } from '@/lib/core/security/deployment'
-import { generateRequestId } from '@/lib/core/utils/request'
+import { generateRequestId, getClientIp } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 
@@ -15,10 +17,35 @@ const logger = createLogger('ChatSSOAPI')
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
 
+const rateLimiter = new RateLimiter()
+
+const SSO_IP_RATE_LIMIT: TokenBucketConfig = {
+  maxTokens: 20,
+  refillRate: 20,
+  refillIntervalMs: 15 * 60_000,
+}
+
 export const POST = withRouteHandler(
   async (request: NextRequest, context: { params: Promise<{ identifier: string }> }) => {
     const requestId = generateRequestId()
 
+    const ip = getClientIp(request)
+    if (ip !== 'unknown') {
+      const ipRateLimit = await rateLimiter.checkRateLimitDirect(
+        `chat-sso:ip:${ip}`,
+        SSO_IP_RATE_LIMIT
+      )
+      if (!ipRateLimit.allowed) {
+        logger.warn(`[${requestId}] SSO eligibility rate limit exceeded from ${ip}`)
+        const retryAfter = Math.ceil(
+          (ipRateLimit.retryAfterMs ?? SSO_IP_RATE_LIMIT.refillIntervalMs) / 1000
+        )
+        const response = createErrorResponse('Too many requests. Please try again later.', 429)
+        response.headers.set('Retry-After', String(retryAfter))
+        return addCorsHeaders(response, request)
+      }
+    }
+
     const parsed = await parseRequest(chatSSOContract, request, context)
     if (!parsed.success) return parsed.response
 
diff --git a/apps/sim/app/api/chat/utils.ts b/apps/sim/app/api/chat/utils.ts
@@ -175,12 +175,8 @@ export async function validateChatAuth(
   }
 
   if (authType === 'sso') {
-    if (request.method === 'GET') {
-      return { authorized: false, error: 'auth_required_sso' }
-    }
-
     try {
-      if (!parsedBody) {
+      if (request.method !== 'GET' && !parsedBody) {
         return { authorized: false, error: 'SSO authentication is required' }
       }
 

Original file line number	Diff line number	Diff line change
`@@ -175,12 +175,8 @@ export async function validateChatAuth(`
`175`	`175`	`}`
`176`	`176`
`177`	`177`	`if (authType === 'sso') {`
`178`		`- if (request.method === 'GET') {`
`179`		`- return { authorized: false, error: 'auth_required_sso' }`
`180`		`- }`
`181`		`-`
`182`	`178`	`try {`
`183`		`- if (!parsedBody) {`
	`179`	`+ if (request.method !== 'GET' && !parsedBody) {`
`184`	`180`	`return { authorized: false, error: 'SSO authentication is required' }`
`185`	`181`	`}`
`186`	`182`