fix(auth): fail closed for enforced SSO domains

[BunsDev]

Motivation

• Prevent a server-side SSO enforcement bypass where runtime unavailability (tier downgrade or missing client secret) previously caused enforced verified domains to fall back to password/magic-link, allowing direct credential or OAuth callback sign-ins that bypass the IdP.

Description

• Change isHardBound to use admin intent (isSsoConfigured(authConfig?.ssoOidc)) instead of runtime provider registration so enforced verified domains remain SSO-only when ssoOidc.enabled === true.
• Remove runtime isSsoActuallyRegistered checks from the Layer-B pre-session gate (hooks.before), Layer-C callback cleanup (hooks.after), and the profile fetchUserProfile flow so server-side enforcement fails closed for enforced domains.
• Update tests to assert fail-closed behavior for credential, magic-link, and non-SSO OAuth callback paths while preserving the explicit ssoOidc.enabled=false stale-row escape.
• Key modified files: apps/web/src/lib/server/auth/auth-restrictions.ts, apps/web/src/lib/server/auth/hooks.ts, apps/web/src/lib/server/functions/settings.ts, and related tests under apps/web/src/lib/server/auth/__tests__.

Testing

• Ran bunx prettier --check over the changed files and it passed.
• Ran git diff --check / formatting checks and there were no diff/check failures.
• Attempted to run unit tests with vitest, but running tests was blocked in this environment because the local vitest binary is not available and registry fetch returned 403, so tests could not be executed here; test sources were updated to reflect the new fail-closed expectation.
• Ran tsc --noEmit (project typecheck) but it failed in this environment due to missing local type definitions (@testing-library/jest-dom, bun), so full typechecking was not completed here.

---

Codex Task

[Copilot]

Pull request overview

This PR tightens server-side SSO enforcement so verified domains marked as enforced remain SSO-only based on admin intent (ssoOidc.enabled === true), even when runtime SSO provider registration is unavailable (e.g., missing secret, tier downgrade), preventing sign-in bypass via password/magic-link or non-SSO OAuth callbacks.

Changes:

• Updates isHardBound to key off isSsoConfigured(authConfig?.ssoOidc) (admin intent) instead of runtime registration viability.
• Removes runtime “SSO actually registered” checks from Layer B (hooks.before), Layer C (hooks.after cleanup), and fetchUserProfile.
• Updates unit tests to assert fail-closed behavior for enforced verified domains while preserving the explicit ssoOidc.enabled=false escape hatch.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
apps/web/src/lib/server/functions/settings.ts	Ensures profile UI uses enforcement based on admin intent, not runtime registration state.
apps/web/src/lib/server/auth/hooks.ts	Removes runtime SSO viability gating from pre-session and callback cleanup enforcement, making enforced domains fail closed.
apps/web/src/lib/server/auth/auth-restrictions.ts	Changes isHardBound to depend on ssoOidc.enabled (intent) and updates documentation accordingly.
apps/web/src/lib/server/auth/tests/hooks-callback-cleanup.test.ts	Updates callback cleanup expectations to fail closed for enforced domains even when runtime SSO registration is false.
apps/web/src/lib/server/auth/tests/hooks-before.test.ts	Updates pre-session gate tests to expect fail-closed behavior on runtime registration failures.
apps/web/src/lib/server/auth/tests/auth-restrictions.test.ts	Adjusts predicate tests to reflect intent-based enforcement and removes runtime-registration parameterization.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.