Disable demo auth when SSO providers are configured (#77)

initstring · web-flow · commit 7dd574d253c6 · 2026-01-17T21:24:39.000+11:00
### Motivation - Prevent the insecure demo login from remaining enabled when any SSO provider is configured, reducing risk of accidental public demo access. - Align provider registration to the validated `env` surface so server-side feature gating uses the same canonical env values. ### Description - Compute `ssoProvidersEnabled` and make `demoModeEnabled` require no SSO in `src/server/auth/config.ts`, and register providers using `env.*` instead of `process.env.*`. - Update the sign-in page `src/app/(public-routes)/auth/signin/page.tsx` to hide the demo button when any SSO provider is enabled by computing `ssoEnabled` and gating `demoEnabled` accordingly. - Add a short note to `docs/installation.md` explaining that demo mode is automatically disabled when any SSO provider is configured. ### Testing - No automated tests were run as part of this change. ------ [Codex Task](https://chatgpt.com/codex/tasks/task_e_696b5fbdbcfc8323ab20ae16f2ea516b)
diff --git a/docs/installation.md b/docs/installation.md
@@ -29,7 +29,7 @@ Minimum values to edit:
 RTAP supports SSO or a demo login button. Supported SSO providers today are Google, GitHub, GitLab, Keycloak, and Okta. If you need another provider, open an issue and we can add it.
 
 - **SSO (recommended):** configure your provider's details (client ID/secret, plus issuer for Keycloak/Okta) using the variable names provided in the .env file.
-- **Demo mode:** set `ENABLE_DEMO_MODE=true`. This exposes a “Sign in as Demo Admin” button and **anyone with access to the sign-in page can log in without an account**. Use only for isolated testing or demos.
+- **Demo mode:** set `ENABLE_DEMO_MODE=true`. This exposes a “Sign in as Demo Admin” button and **anyone with access to the sign-in page can log in without an account**. Use only for isolated testing or demos. Demo mode is automatically disabled when any SSO provider is configured.
 
 For any SSO provider, configure the following in your identity provider console:
 
diff --git a/src/app/(public-routes)/auth/signin/page.tsx b/src/app/(public-routes)/auth/signin/page.tsx
@@ -10,12 +10,13 @@ export default async function SignInPage(props: { searchParams?: Promise<{ callb
   }
 
   const { callbackUrl = "/", error } = (await props.searchParams) ?? {};
-  const demoEnabled = env.ENABLE_DEMO_MODE === "true";
   const googleEnabled = Boolean(env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET);
   const githubEnabled = Boolean(env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET);
   const gitlabEnabled = Boolean(env.GITLAB_CLIENT_ID && env.GITLAB_CLIENT_SECRET);
   const keycloakEnabled = Boolean(env.KEYCLOAK_CLIENT_ID && env.KEYCLOAK_CLIENT_SECRET && env.KEYCLOAK_ISSUER);
   const oktaEnabled = Boolean(env.OKTA_CLIENT_ID && env.OKTA_CLIENT_SECRET && env.OKTA_ISSUER);
+  const ssoEnabled = googleEnabled || githubEnabled || gitlabEnabled || keycloakEnabled || oktaEnabled;
+  const demoEnabled = env.ENABLE_DEMO_MODE === "true" && !ssoEnabled;
 
   return (
     <SignInPageClient
diff --git a/src/server/auth/config.ts b/src/server/auth/config.ts
@@ -43,7 +43,14 @@ declare module "@auth/core/adapters" {
 // Local extension for JWT to carry role information
 type AugmentedJWT = NextAuthJWT & { role?: UserRole };
 
-const demoModeEnabled = env.ENABLE_DEMO_MODE === "true";
+const ssoProvidersEnabled = [
+  env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET,
+  env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET,
+  env.GITLAB_CLIENT_ID && env.GITLAB_CLIENT_SECRET,
+  env.KEYCLOAK_CLIENT_ID && env.KEYCLOAK_CLIENT_SECRET && env.KEYCLOAK_ISSUER,
+  env.OKTA_CLIENT_ID && env.OKTA_CLIENT_SECRET && env.OKTA_ISSUER,
+].some(Boolean);
+const demoModeEnabled = env.ENABLE_DEMO_MODE === "true" && !ssoProvidersEnabled;
 const oauthProviders = new Set(["google", "github", "gitlab", "keycloak", "okta"]);
 
 const isRecord = (value: unknown): value is Record<string, unknown> =>
@@ -196,51 +203,51 @@ export const authConfig = {
       : []),
     // Conditionally register providers when env credentials are available.
     // Actual enablement is enforced via DB in the signIn callback/UI.
-    ...(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET
+    ...(env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET
       ? [
           GoogleProvider({
-            clientId: process.env.GOOGLE_CLIENT_ID,
-            clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+            clientId: env.GOOGLE_CLIENT_ID,
+            clientSecret: env.GOOGLE_CLIENT_SECRET,
             // We trust the locally provisioned accounts and block unknown e-mails in the
             // sign-in callback, so allow Auth.js to link Google users directly by e-mail.
             allowDangerousEmailAccountLinking: true,
           }),
         ]
       : []),
-    ...(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET
+    ...(env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET
       ? [
           GitHubProvider({
-            clientId: process.env.GITHUB_CLIENT_ID,
-            clientSecret: process.env.GITHUB_CLIENT_SECRET,
+            clientId: env.GITHUB_CLIENT_ID,
+            clientSecret: env.GITHUB_CLIENT_SECRET,
             allowDangerousEmailAccountLinking: true,
           }),
         ]
       : []),
-    ...(process.env.GITLAB_CLIENT_ID && process.env.GITLAB_CLIENT_SECRET
+    ...(env.GITLAB_CLIENT_ID && env.GITLAB_CLIENT_SECRET
       ? [
           GitLabProvider({
-            clientId: process.env.GITLAB_CLIENT_ID,
-            clientSecret: process.env.GITLAB_CLIENT_SECRET,
+            clientId: env.GITLAB_CLIENT_ID,
+            clientSecret: env.GITLAB_CLIENT_SECRET,
             allowDangerousEmailAccountLinking: true,
           }),
         ]
       : []),
-    ...(process.env.KEYCLOAK_CLIENT_ID && process.env.KEYCLOAK_CLIENT_SECRET && process.env.KEYCLOAK_ISSUER
+    ...(env.KEYCLOAK_CLIENT_ID && env.KEYCLOAK_CLIENT_SECRET && env.KEYCLOAK_ISSUER
       ? [
           KeycloakProvider({
-            clientId: process.env.KEYCLOAK_CLIENT_ID,
-            clientSecret: process.env.KEYCLOAK_CLIENT_SECRET,
-            issuer: process.env.KEYCLOAK_ISSUER,
+            clientId: env.KEYCLOAK_CLIENT_ID,
+            clientSecret: env.KEYCLOAK_CLIENT_SECRET,
+            issuer: env.KEYCLOAK_ISSUER,
             allowDangerousEmailAccountLinking: true,
           }),
         ]
       : []),
-    ...(process.env.OKTA_CLIENT_ID && process.env.OKTA_CLIENT_SECRET && process.env.OKTA_ISSUER
+    ...(env.OKTA_CLIENT_ID && env.OKTA_CLIENT_SECRET && env.OKTA_ISSUER
       ? [
           OktaProvider({
-            clientId: process.env.OKTA_CLIENT_ID,
-            clientSecret: process.env.OKTA_CLIENT_SECRET,
-            issuer: process.env.OKTA_ISSUER,
+            clientId: env.OKTA_CLIENT_ID,
+            clientSecret: env.OKTA_CLIENT_SECRET,
+            issuer: env.OKTA_ISSUER,
             allowDangerousEmailAccountLinking: true,
           }),
         ]
