feat(auth): dynamic signup/login ban lists via AWS AppConfig

- Move blocked-domain/allowlist/MX gating from env vars into AWS AppConfig (queried at runtime via the AppConfig Data SDK with a 30s in-process cache); env vars remain a fallback for self-hosted/OSS.
- Add a new bannedEmails denylist that blocks a specific address at both sign-in and sign-up.
- Generic, profile-agnostic AppConfig client so future config (feature flags) reuses the same plumbing; AppConfig client shares the same credential resolution as the S3 client.
- Defense in depth: authenticateApiKeyFromHeader now rejects keys belonging to banned users.

Author: TheodoreSpeaks

apps/sim/lib/api-key/service.test.ts

@@ -108,6 +108,18 @@ describe('authenticateApiKeyFromHeader', () => {
     expect(dbChainMockFns.where).toHaveBeenCalledTimes(1)
   })
 
+  it('returns invalid when the key belongs to a banned user', async () => {
+    const record = personalKeyRecord({ userBanned: true })
+    dbChainMockFns.where.mockResolvedValueOnce([record])
+
+    const result = await authenticateApiKeyFromHeader('sk-sim-plain-key', {
+      userId: 'user-1',
+    })
+
+    expect(result).toEqual({ success: false, error: 'Invalid API key' })
+    expect(dbChainMockFns.where).toHaveBeenCalledTimes(1)
+  })
+
   it('returns invalid when the hash lookup finds no row', async () => {
     dbChainMockFns.where.mockResolvedValueOnce([])
 

apps/sim/lib/api-key/service.ts

@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { apiKey as apiKeyTable } from '@sim/db/schema'
+import { apiKey as apiKeyTable, user as userTable } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { hashApiKey } from '@/lib/api-key/crypto'
@@ -47,6 +47,7 @@ interface HashCandidate {
   workspaceId: string | null
   type: string
   expiresAt: Date | null
+  userBanned: boolean | null
 }
 
 /**
@@ -82,15 +83,20 @@ export async function authenticateApiKeyFromHeader(
         workspaceId: apiKeyTable.workspaceId,
         type: apiKeyTable.type,
         expiresAt: apiKeyTable.expiresAt,
+        userBanned: userTable.banned,
       })
       .from(apiKeyTable)
+      .leftJoin(userTable, eq(apiKeyTable.userId, userTable.id))
       .where(eq(apiKeyTable.keyHash, keyHash))
 
     if (rows.length === 0) return INVALID
 
     const record = rows[0]
     const keyType = record.type as 'personal' | 'workspace'
 
+    // Defense in depth: banning deletes a user's keys, but reject any survivor too.
+    if (record.userBanned) return INVALID
+
     if (options.userId && record.userId !== options.userId) return INVALID
     if (options.keyTypes?.length && !options.keyTypes.includes(keyType)) return INVALID
     if (record.expiresAt && record.expiresAt < new Date()) return INVALID

apps/sim/lib/auth/access-control.test.ts

@@ -0,0 +1,105 @@
+/**
+ * @vitest-environment node
+ */
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+import type { AccessControlConfig } from '@/lib/auth/access-control'
+
+const { mockFetch, envRef } = vi.hoisted(() => ({
+  mockFetch: vi.fn(),
+  envRef: {
+    APPCONFIG_APPLICATION: undefined as string | undefined,
+    APPCONFIG_ENVIRONMENT: undefined as string | undefined,
+    BLOCKED_SIGNUP_DOMAINS: undefined as string | undefined,
+    ALLOWED_LOGIN_EMAILS: undefined as string | undefined,
+    ALLOWED_LOGIN_DOMAINS: undefined as string | undefined,
+    BLOCKED_EMAIL_MX_HOSTS: undefined as string | undefined,
+  },
+}))
+
+vi.mock('@/lib/core/config/appconfig', () => ({
+  fetchAppConfigProfile: mockFetch,
+}))
+
+vi.mock('@/lib/core/config/env', () => ({
+  get env() {
+    return envRef
+  },
+}))
+
+import { getAccessControlConfig } from '@/lib/auth/access-control'
+
+const empty: AccessControlConfig = {
+  blockedSignupDomains: [],
+  allowedLoginEmails: [],
+  allowedLoginDomains: [],
+  blockedEmailMxHosts: [],
+  bannedEmails: [],
+}
+
+describe('getAccessControlConfig', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    Object.assign(envRef, {
+      APPCONFIG_APPLICATION: undefined,
+      APPCONFIG_ENVIRONMENT: undefined,
+      BLOCKED_SIGNUP_DOMAINS: undefined,
+      ALLOWED_LOGIN_EMAILS: undefined,
+      ALLOWED_LOGIN_DOMAINS: undefined,
+      BLOCKED_EMAIL_MX_HOSTS: undefined,
+    })
+  })
+
+  describe('env fallback (AppConfig not configured)', () => {
+    it('returns empty lists when nothing is set', async () => {
+      expect(await getAccessControlConfig()).toEqual(empty)
+      expect(mockFetch).not.toHaveBeenCalled()
+    })
+
+    it('parses, trims, lowercases, and dedupes csv env vars', async () => {
+      envRef.BLOCKED_SIGNUP_DOMAINS = 'Gmail.com, yahoo.com ,gmail.com,'
+      envRef.ALLOWED_LOGIN_DOMAINS = 'Sim.ai'
+      const result = await getAccessControlConfig()
+      expect(result.blockedSignupDomains).toEqual(['gmail.com', 'yahoo.com'])
+      expect(result.allowedLoginDomains).toEqual(['sim.ai'])
+      expect(result.bannedEmails).toEqual([])
+      expect(mockFetch).not.toHaveBeenCalled()
+    })
+  })
+
+  describe('AppConfig source', () => {
+    beforeEach(() => {
+      envRef.APPCONFIG_APPLICATION = 'sim-staging'
+      envRef.APPCONFIG_ENVIRONMENT = 'staging'
+    })
+
+    it('reads the access-control profile and normalizes the payload', async () => {
+      mockFetch.mockImplementation((_ids, parse) =>
+        Promise.resolve(
+          parse({
+            blockedSignupDomains: ['X.com'],
+            allowedLoginDomains: ['sim.ai'],
+            bannedEmails: ['A@B.com', 'a@b.com', ' '],
+            blockedEmailMxHosts: 'not-an-array',
+          })
+        )
+      )
+
+      const result = await getAccessControlConfig()
+      expect(result.blockedSignupDomains).toEqual(['x.com'])
+      expect(result.allowedLoginDomains).toEqual(['sim.ai'])
+      expect(result.bannedEmails).toEqual(['a@b.com'])
+      expect(result.blockedEmailMxHosts).toEqual([])
+      expect(mockFetch).toHaveBeenCalledWith(
+        { application: 'sim-staging', environment: 'staging', profile: 'access-control' },
+        expect.any(Function)
+      )
+    })
+
+    it('falls back to env vars when the fetch yields null', async () => {
+      envRef.BLOCKED_SIGNUP_DOMAINS = 'spam.example'
+      mockFetch.mockResolvedValue(null)
+      const result = await getAccessControlConfig()
+      expect(result.blockedSignupDomains).toEqual(['spam.example'])
+    })
+  })
+})

apps/sim/lib/auth/access-control.ts

@@ -0,0 +1,86 @@
+import { fetchAppConfigProfile } from '@/lib/core/config/appconfig'
+import { env } from '@/lib/core/config/env'
+
+/**
+ * Name of the AppConfig configuration profile holding the signup/login gating
+ * lists. This is a cross-repo contract: it must match the `CfnConfigurationProfile`
+ * name created by the infra stack.
+ */
+const ACCESS_CONTROL_PROFILE = 'access-control'
+
+/**
+ * Normalized signup/login gating lists. All entries are trimmed, lowercased, and
+ * de-duplicated. Domains are bare hostnames; emails are full addresses; MX hosts
+ * are substrings matched against resolved MX exchanges.
+ */
+export interface AccessControlConfig {
+  blockedSignupDomains: string[]
+  allowedLoginEmails: string[]
+  allowedLoginDomains: string[]
+  blockedEmailMxHosts: string[]
+  bannedEmails: string[]
+}
+
+function normalizeList(values: unknown): string[] {
+  if (!Array.isArray(values)) return []
+  return Array.from(new Set(values.map((v) => String(v).trim().toLowerCase()).filter(Boolean)))
+}
+
+function parseCsv(value: string | undefined): string[] {
+  return normalizeList(value?.split(','))
+}
+
+/**
+ * Fallback source for self-hosted/OSS/local deployments that have no AppConfig.
+ * Reads the same env vars the app used before AppConfig. There is no env
+ * equivalent for `bannedEmails` — that list is AppConfig-only.
+ */
+function fromEnv(): AccessControlConfig {
+  return {
+    blockedSignupDomains: parseCsv(env.BLOCKED_SIGNUP_DOMAINS),
+    allowedLoginEmails: parseCsv(env.ALLOWED_LOGIN_EMAILS),
+    allowedLoginDomains: parseCsv(env.ALLOWED_LOGIN_DOMAINS),
+    blockedEmailMxHosts: parseCsv(env.BLOCKED_EMAIL_MX_HOSTS),
+    bannedEmails: [],
+  }
+}
+
+function parseConfig(json: unknown): AccessControlConfig {
+  const obj = (json && typeof json === 'object' ? json : {}) as Record<string, unknown>
+  return {
+    blockedSignupDomains: normalizeList(obj.blockedSignupDomains),
+    allowedLoginEmails: normalizeList(obj.allowedLoginEmails),
+    allowedLoginDomains: normalizeList(obj.allowedLoginDomains),
+    blockedEmailMxHosts: normalizeList(obj.blockedEmailMxHosts),
+    bannedEmails: normalizeList(obj.bannedEmails),
+  }
+}
+
+/**
+ * AppConfig is the source of truth only when both identifiers are present
+ * (injected by the infra stack). Mirrors the `hasS3Config` presence-check
+ * pattern — the AppConfig client is never constructed otherwise.
+ */
+function isAppConfigEnabled(): boolean {
+  return Boolean(env.APPCONFIG_APPLICATION && env.APPCONFIG_ENVIRONMENT)
+}
+
+/**
+ * Resolve the current signup/login gating lists. Reads from AWS AppConfig when
+ * configured (cached, ~30s TTL, never blocks after the first fetch), otherwise
+ * falls back to env vars so self-hosted/OSS deployments work with no AWS.
+ */
+export async function getAccessControlConfig(): Promise<AccessControlConfig> {
+  if (!isAppConfigEnabled()) return fromEnv()
+
+  const value = await fetchAppConfigProfile(
+    {
+      application: env.APPCONFIG_APPLICATION as string,
+      environment: env.APPCONFIG_ENVIRONMENT as string,
+      profile: ACCESS_CONTROL_PROFILE,
+    },
+    parseConfig
+  )
+
+  return value ?? fromEnv()
+}

apps/sim/lib/auth/auth.ts

@@ -30,6 +30,7 @@ import {
   renderPasswordResetEmail,
   renderWelcomeEmail,
 } from '@/components/emails'
+import { getAccessControlConfig } from '@/lib/auth/access-control'
 import { sendPlanWelcomeEmail } from '@/lib/billing'
 import { authorizeSubscriptionReference } from '@/lib/billing/authorization'
 import {
@@ -137,16 +138,6 @@ function getMicrosoftUserInfoFromIdToken(tokens: { accessToken?: string }, provi
   }
 }
 
-const blockedSignupDomains = env.BLOCKED_SIGNUP_DOMAINS
-  ? Array.from(
-      new Set(
-        env.BLOCKED_SIGNUP_DOMAINS.split(',')
-          .map((d) => d.trim().toLowerCase())
-          .filter(Boolean)
-      )
-    )
-  : null
-
 export function isEmailInDenylist(
   email: string | undefined | null,
   denylist: readonly string[] | null
@@ -157,10 +148,6 @@ export function isEmailInDenylist(
   return denylist.some((entry) => domain === entry || domain.endsWith(`.${entry}`))
 }
 
-function isSignupEmailBlocked(email: string | undefined | null): boolean {
-  return isEmailInDenylist(email, blockedSignupDomains)
-}
-
 const additionalTrustedOrigins = parseOriginList(env.TRUSTED_ORIGINS, (value) =>
   logger.warn('Ignoring invalid entry in TRUSTED_ORIGINS', { value })
 )
@@ -246,7 +233,12 @@ export const auth = betterAuth({
     user: {
       create: {
         before: async (user) => {
-          if (isSignupEmailBlocked(user.email)) {
+          const accessControl = await getAccessControlConfig()
+          const email = user.email?.toLowerCase()
+          if (email && accessControl.bannedEmails.includes(email)) {
+            throw new Error('Sign-ups from this email domain are not allowed.')
+          }
+          if (isEmailInDenylist(user.email, accessControl.blockedSignupDomains)) {
             throw new Error('Sign-ups from this email domain are not allowed.')
           }
           return { data: user }
@@ -813,51 +805,55 @@ export const auth = betterAuth({
           })
       }
 
-      if (
-        (ctx.path.startsWith('/sign-in') || ctx.path.startsWith('/sign-up')) &&
-        (env.ALLOWED_LOGIN_EMAILS || env.ALLOWED_LOGIN_DOMAINS)
-      ) {
-        const requestEmail = ctx.body?.email?.toLowerCase()
-
-        if (requestEmail) {
-          let isAllowed = false
+      const isSignIn = ctx.path.startsWith('/sign-in')
+      const isSignUp = ctx.path.startsWith('/sign-up')
 
-          if (env.ALLOWED_LOGIN_EMAILS) {
-            const allowedEmails = env.ALLOWED_LOGIN_EMAILS.split(',').map((email) =>
-              email.trim().toLowerCase()
-            )
-            isAllowed = allowedEmails.includes(requestEmail)
-          }
+      if (isSignIn || isSignUp) {
+        const accessControl = await getAccessControlConfig()
+        const requestEmail = ctx.body?.email?.toLowerCase()
 
-          if (!isAllowed && env.ALLOWED_LOGIN_DOMAINS) {
-            const allowedDomains = env.ALLOWED_LOGIN_DOMAINS.split(',').map((domain) =>
-              domain.trim().toLowerCase()
-            )
-            const emailDomain = requestEmail.split('@')[1]
-            isAllowed = emailDomain && allowedDomains.includes(emailDomain)
-          }
+        if (requestEmail && accessControl.bannedEmails.includes(requestEmail)) {
+          throw new APIError('FORBIDDEN', {
+            message: 'Access restricted. Please contact your administrator.',
+          })
+        }
 
+        const hasAllowlist =
+          accessControl.allowedLoginEmails.length > 0 ||
+          accessControl.allowedLoginDomains.length > 0
+        if (hasAllowlist && requestEmail) {
+          const emailDomain = requestEmail.split('@')[1]
+          const isAllowed =
+            accessControl.allowedLoginEmails.includes(requestEmail) ||
+            (!!emailDomain && accessControl.allowedLoginDomains.includes(emailDomain))
           if (!isAllowed) {
             throw new APIError('FORBIDDEN', {
               message: 'Access restricted. Please contact your administrator.',
             })
           }
         }
-      }
-
-      if (ctx.path.startsWith('/sign-up') && isSignupEmailBlocked(ctx.body?.email)) {
-        throw new APIError('FORBIDDEN', {
-          message: 'Sign-ups from this email domain are not allowed.',
-        })
-      }
 
-      if (isSignupMxValidationEnabled && ctx.path.startsWith('/sign-up/email') && ctx.body?.email) {
-        const mxCheck = await validateSignupEmailMx(ctx.body.email)
-        if (!mxCheck.allowed) {
+        if (isSignUp && isEmailInDenylist(ctx.body?.email, accessControl.blockedSignupDomains)) {
           throw new APIError('FORBIDDEN', {
             message: 'Sign-ups from this email domain are not allowed.',
           })
         }
+
+        if (
+          isSignupMxValidationEnabled &&
+          ctx.path.startsWith('/sign-up/email') &&
+          ctx.body?.email
+        ) {
+          const mxCheck = await validateSignupEmailMx(
+            ctx.body.email,
+            accessControl.blockedEmailMxHosts
+          )
+          if (!mxCheck.allowed) {
+            throw new APIError('FORBIDDEN', {
+              message: 'Sign-ups from this email domain are not allowed.',
+            })
+          }
+        }
       }
 
       if (ctx.path === '/sign-up/email' && ctx.body?.email) {