fix(sso): scope domain conflict query with indexed lower(domain) filter

waleedlatif1 · claude · waleedlatif1 · commit 18e88aaf79de · 2026-05-30T12:04:41.000-07:00
Address PR review: avoid a full-table scan on every SSO provider
registration by filtering candidate rows in SQL with
lower(domain) = &lt;normalized&gt;, keeping the in-memory ownership check.
Also tighten the normalizeSSODomain TSDoc.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/api/auth/sso/register/route.ts b/apps/sim/app/api/auth/sso/register/route.ts
@@ -1,7 +1,7 @@
 import { db, member, ssoProvider } from '@sim/db'
 import { createLogger } from '@sim/logger'
 import { getErrorMessage } from '@sim/utils/errors'
-import { and, eq } from 'drizzle-orm'
+import { and, eq, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { ssoRegistrationContract } from '@/lib/api/contracts/auth'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
@@ -88,6 +88,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
         organizationId: ssoProvider.organizationId,
       })
       .from(ssoProvider)
+      .where(eq(sql`lower(${ssoProvider.domain})`, domain))
     const conflictingProvider = existingProviders.find(
       (provider) => normalizeSSODomain(provider.domain) === domain && !isOwnedByCaller(provider)
     )
diff --git a/apps/sim/lib/auth/sso/domain.ts b/apps/sim/lib/auth/sso/domain.ts
@@ -1,14 +1,8 @@
 /**
- * Normalizes a user-supplied SSO email domain to a canonical, comparable form.
- *
- * Strips protocol, path, query, port, leading wildcard/`@`, an email local
- * part, surrounding whitespace, and a trailing dot, then lowercases the result.
- * Returns `null` when the input does not look like a registrable domain
- * (`example.com`), which callers should treat as a validation error.
- *
- * Used to compare a requested SSO domain against already-registered providers
- * so a tenant cannot claim a domain another tenant already owns via casing or
- * formatting variants.
+ * Normalizes a user-supplied SSO email domain to a canonical, comparable form:
+ * strips protocol, path, query, port, a leading wildcard/`@`, an email local
+ * part, and a trailing dot, then lowercases. Returns `null` for inputs that are
+ * not a registrable domain (e.g. `example.com`), which callers treat as invalid.
  */
 export function normalizeSSODomain(input: string): string | null {
   if (typeof input !== 'string') return null
