refactor(auth): drop bannedEmails; gate AppConfig on isHosted

- Remove the bannedEmails denylist entirely (better-auth banning + blockedSignupDomains cover the cases).
- Move isAppConfigEnabled into feature-flags.ts and gate it on isHosted, so AppConfig is hosted-only; self-hosted/OSS always uses the env-var fallback and never constructs the AWS client.

Author: TheodoreSpeaks

apps/sim/lib/auth/access-control.test.ts

@@ -4,16 +4,17 @@
 import { beforeEach, describe, expect, it, vi } from 'vitest'
 import type { AccessControlConfig } from '@/lib/auth/access-control'
 
-const { mockFetch, envRef } = vi.hoisted(() => ({
+const { mockFetch, envRef, flagRef } = vi.hoisted(() => ({
   mockFetch: vi.fn(),
   envRef: {
-    APPCONFIG_APPLICATION: undefined as string | undefined,
-    APPCONFIG_ENVIRONMENT: undefined as string | undefined,
+    APPCONFIG_APPLICATION: 'sim-staging' as string | undefined,
+    APPCONFIG_ENVIRONMENT: 'staging' as string | undefined,
     BLOCKED_SIGNUP_DOMAINS: undefined as string | undefined,
     ALLOWED_LOGIN_EMAILS: undefined as string | undefined,
     ALLOWED_LOGIN_DOMAINS: undefined as string | undefined,
     BLOCKED_EMAIL_MX_HOSTS: undefined as string | undefined,
   },
+  flagRef: { isAppConfigEnabled: false },
 }))
 
 vi.mock('@/lib/core/config/appconfig', () => ({
@@ -26,30 +27,34 @@ vi.mock('@/lib/core/config/env', () => ({
   },
 }))
 
+vi.mock('@/lib/core/config/feature-flags', () => ({
+  get isAppConfigEnabled() {
+    return flagRef.isAppConfigEnabled
+  },
+}))
+
 import { getAccessControlConfig } from '@/lib/auth/access-control'
 
 const empty: AccessControlConfig = {
   blockedSignupDomains: [],
   allowedLoginEmails: [],
   allowedLoginDomains: [],
   blockedEmailMxHosts: [],
-  bannedEmails: [],
 }
 
 describe('getAccessControlConfig', () => {
   beforeEach(() => {
     vi.clearAllMocks()
+    flagRef.isAppConfigEnabled = false
     Object.assign(envRef, {
-      APPCONFIG_APPLICATION: undefined,
-      APPCONFIG_ENVIRONMENT: undefined,
       BLOCKED_SIGNUP_DOMAINS: undefined,
       ALLOWED_LOGIN_EMAILS: undefined,
       ALLOWED_LOGIN_DOMAINS: undefined,
       BLOCKED_EMAIL_MX_HOSTS: undefined,
     })
   })
 
-  describe('env fallback (AppConfig not configured)', () => {
+  describe('env fallback (AppConfig disabled)', () => {
     it('returns empty lists when nothing is set', async () => {
       expect(await getAccessControlConfig()).toEqual(empty)
       expect(mockFetch).not.toHaveBeenCalled()
@@ -61,15 +66,13 @@ describe('getAccessControlConfig', () => {
       const result = await getAccessControlConfig()
       expect(result.blockedSignupDomains).toEqual(['gmail.com', 'yahoo.com'])
       expect(result.allowedLoginDomains).toEqual(['sim.ai'])
-      expect(result.bannedEmails).toEqual([])
       expect(mockFetch).not.toHaveBeenCalled()
     })
   })
 
-  describe('AppConfig source', () => {
+  describe('AppConfig source (enabled)', () => {
     beforeEach(() => {
-      envRef.APPCONFIG_APPLICATION = 'sim-staging'
-      envRef.APPCONFIG_ENVIRONMENT = 'staging'
+      flagRef.isAppConfigEnabled = true
     })
 
     it('reads the access-control profile and normalizes the payload', async () => {
@@ -78,7 +81,6 @@ describe('getAccessControlConfig', () => {
           parse({
             blockedSignupDomains: ['X.com'],
             allowedLoginDomains: ['sim.ai'],
-            bannedEmails: ['A@B.com', 'a@b.com', ' '],
             blockedEmailMxHosts: 'not-an-array',
           })
         )
@@ -87,7 +89,6 @@ describe('getAccessControlConfig', () => {
       const result = await getAccessControlConfig()
       expect(result.blockedSignupDomains).toEqual(['x.com'])
       expect(result.allowedLoginDomains).toEqual(['sim.ai'])
-      expect(result.bannedEmails).toEqual(['a@b.com'])
       expect(result.blockedEmailMxHosts).toEqual([])
       expect(mockFetch).toHaveBeenCalledWith(
         { application: 'sim-staging', environment: 'staging', profile: 'access-control' },

apps/sim/lib/auth/access-control.ts

@@ -1,5 +1,6 @@
 import { fetchAppConfigProfile } from '@/lib/core/config/appconfig'
 import { env } from '@/lib/core/config/env'
+import { isAppConfigEnabled } from '@/lib/core/config/feature-flags'
 
 /**
  * Name of the AppConfig configuration profile holding the signup/login gating
@@ -10,15 +11,14 @@ const ACCESS_CONTROL_PROFILE = 'access-control'
 
 /**
  * Normalized signup/login gating lists. All entries are trimmed, lowercased, and
- * de-duplicated. Domains are bare hostnames; emails are full addresses; MX hosts
- * are substrings matched against resolved MX exchanges.
+ * de-duplicated. Domains are bare hostnames; MX hosts are substrings matched
+ * against resolved MX exchanges; emails are full addresses.
  */
 export interface AccessControlConfig {
   blockedSignupDomains: string[]
   allowedLoginEmails: string[]
   allowedLoginDomains: string[]
   blockedEmailMxHosts: string[]
-  bannedEmails: string[]
 }
 
 function normalizeList(values: unknown): string[] {
@@ -32,16 +32,14 @@ function parseCsv(value: string | undefined): string[] {
 
 /**
  * Fallback source for self-hosted/OSS/local deployments that have no AppConfig.
- * Reads the same env vars the app used before AppConfig. There is no env
- * equivalent for `bannedEmails` — that list is AppConfig-only.
+ * Reads the same env vars the app used before AppConfig.
  */
 function fromEnv(): AccessControlConfig {
   return {
     blockedSignupDomains: parseCsv(env.BLOCKED_SIGNUP_DOMAINS),
     allowedLoginEmails: parseCsv(env.ALLOWED_LOGIN_EMAILS),
     allowedLoginDomains: parseCsv(env.ALLOWED_LOGIN_DOMAINS),
     blockedEmailMxHosts: parseCsv(env.BLOCKED_EMAIL_MX_HOSTS),
-    bannedEmails: [],
   }
 }
 
@@ -52,26 +50,16 @@ function parseConfig(json: unknown): AccessControlConfig {
     allowedLoginEmails: normalizeList(obj.allowedLoginEmails),
     allowedLoginDomains: normalizeList(obj.allowedLoginDomains),
     blockedEmailMxHosts: normalizeList(obj.blockedEmailMxHosts),
-    bannedEmails: normalizeList(obj.bannedEmails),
   }
 }
 
 /**
- * AppConfig is the source of truth only when both identifiers are present
- * (injected by the infra stack). Mirrors the `hasS3Config` presence-check
- * pattern — the AppConfig client is never constructed otherwise.
- */
-function isAppConfigEnabled(): boolean {
-  return Boolean(env.APPCONFIG_APPLICATION && env.APPCONFIG_ENVIRONMENT)
-}
-
-/**
- * Resolve the current signup/login gating lists. Reads from AWS AppConfig when
- * configured (cached, ~30s TTL, never blocks after the first fetch), otherwise
- * falls back to env vars so self-hosted/OSS deployments work with no AWS.
+ * Resolve the current signup/login gating lists. Reads from AWS AppConfig on
+ * hosted deployments (cached, ~30s TTL, never blocks after the first fetch),
+ * otherwise falls back to env vars so self-hosted/OSS works with no AWS.
  */
 export async function getAccessControlConfig(): Promise<AccessControlConfig> {
-  if (!isAppConfigEnabled()) return fromEnv()
+  if (!isAppConfigEnabled) return fromEnv()
 
   const value = await fetchAppConfigProfile(
     {

apps/sim/lib/auth/auth.ts

@@ -234,10 +234,6 @@ export const auth = betterAuth({
       create: {
         before: async (user) => {
           const accessControl = await getAccessControlConfig()
-          const email = user.email?.toLowerCase()
-          if (email && accessControl.bannedEmails.includes(email)) {
-            throw new Error('Sign-ups from this email domain are not allowed.')
-          }
           if (isEmailInDenylist(user.email, accessControl.blockedSignupDomains)) {
             throw new Error('Sign-ups from this email domain are not allowed.')
           }
@@ -812,10 +808,9 @@ export const auth = betterAuth({
         const accessControl = await getAccessControlConfig()
         const requestEmail = ctx.body?.email?.toLowerCase()
 
-        // Note: banning an existing account is owned by better-auth's admin plugin
-        // (a `session.create.before` hook that blocks banned users at sign-in across
-        // all providers). `bannedEmails` here is a signup-only denylist enforced in
-        // `databaseHooks.user.create.before`, so it is not checked on sign-in.
+        // Banning an existing account is owned by better-auth's admin plugin (a
+        // `session.create.before` hook that blocks banned users at sign-in across
+        // all providers), so it is not re-checked here.
         const hasAllowlist =
           accessControl.allowedLoginEmails.length > 0 ||
           accessControl.allowedLoginDomains.length > 0

apps/sim/lib/core/config/env.ts

@@ -223,7 +223,7 @@ export const env = createEnv({
     S3_FORCE_PATH_STYLE:                   z.string().optional(),                  // Force path-style addressing (MinIO/Ceph RGW). Defaults to false (AWS S3, R2). Coerced via envBoolean at the consumption site
 
     // Dynamic config - AWS AppConfig (hosted source of truth for signup/login gating lists; unset => env-var fallback)
-    APPCONFIG_APPLICATION:                 z.string().optional(),                  // AppConfig application id/name. When set with APPCONFIG_ENVIRONMENT, gating lists come from AppConfig instead of env vars
+    APPCONFIG_APPLICATION:                 z.string().optional(),                  // AppConfig application id/name. On hosted deployments, when set with APPCONFIG_ENVIRONMENT, gating lists come from AppConfig instead of env vars
     APPCONFIG_ENVIRONMENT:                 z.string().optional(),                  // AppConfig environment id/name. Profile name is an app-side constant ('access-control'), not an env var
 
     // Cloud Storage - Azure Blob

apps/sim/lib/core/config/feature-flags.ts

@@ -96,6 +96,15 @@ export const isSignupEmailValidationEnabled = isTruthy(env.SIGNUP_EMAIL_VALIDATI
  */
 export const isSignupMxValidationEnabled = isTruthy(env.SIGNUP_MX_VALIDATION_ENABLED)
 
+/**
+ * Is AWS AppConfig the source of truth for the signup/login gating lists.
+ * Hosted-only and requires both AppConfig identifiers (injected by the infra
+ * stack). Self-hosted/OSS deployments always use the env-var fallback, so the
+ * AppConfig client is never reached off-hosted.
+ */
+export const isAppConfigEnabled =
+  isHosted && Boolean(env.APPCONFIG_APPLICATION && env.APPCONFIG_ENVIRONMENT)
+
 /**
  * Is Trigger.dev enabled for async job processing
  */