fix(admin): concurrent pending users Set, session loading guard, domain blocking

- Replace pendingUserId scalar with pendingUserIds Set (useMemo) so concurrent
  mutations across different users each disable their own row correctly
- Add sessionLoading guard to admin section redirect to prevent flash on direct
  /settings/admin navigation before session resolves
- Add BLOCKED_SIGNUP_DOMAINS env var and before-hook for email domain denylist,
  parsed once at module init as a Set for O(1) per-request lookups
- Add trailing newline to migration file

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/workspace/[workspaceId]/settings/[section]/settings.tsx

@@ -158,13 +158,13 @@ interface SettingsPageProps {
 export function SettingsPage({ section }: SettingsPageProps) {
   const searchParams = useSearchParams()
   const mcpServerId = searchParams.get('mcpServerId')
-  const { data: session } = useSession()
+  const { data: session, isPending: sessionLoading } = useSession()
 
   const isAdminRole = session?.user?.role === 'admin'
   const effectiveSection =
     !isBillingEnabled && (section === 'subscription' || section === 'team')
       ? 'general'
-      : section === 'admin' && !isAdminRole
+      : section === 'admin' && !sessionLoading && !isAdminRole
         ? 'general'
         : section
 

apps/sim/app/workspace/[workspaceId]/settings/components/admin/admin.tsx

@@ -70,12 +70,23 @@ export function Admin() {
     }
   }
 
-  const actionPending = setUserRole.isPending || banUser.isPending || unbanUser.isPending
-  const pendingUserId =
-    (setUserRole.isPending ? (setUserRole.variables as { userId?: string })?.userId : undefined) ??
-    (banUser.isPending ? (banUser.variables as { userId?: string })?.userId : undefined) ??
-    (unbanUser.isPending ? (unbanUser.variables as { userId?: string })?.userId : undefined) ??
-    null
+  const pendingUserIds = useMemo(() => {
+    const ids = new Set<string>()
+    if (setUserRole.isPending && (setUserRole.variables as { userId?: string })?.userId)
+      ids.add((setUserRole.variables as { userId: string }).userId)
+    if (banUser.isPending && (banUser.variables as { userId?: string })?.userId)
+      ids.add((banUser.variables as { userId: string }).userId)
+    if (unbanUser.isPending && (unbanUser.variables as { userId?: string })?.userId)
+      ids.add((unbanUser.variables as { userId: string }).userId)
+    return ids
+  }, [
+    setUserRole.isPending,
+    setUserRole.variables,
+    banUser.isPending,
+    banUser.variables,
+    unbanUser.isPending,
+    unbanUser.variables,
+  ])
   return (
     <div className='flex h-full flex-col gap-[24px]'>
       <div className='flex items-center justify-between'>
@@ -204,7 +215,7 @@ export function Admin() {
                               role: u.role === 'admin' ? 'user' : 'admin',
                             })
                           }
-                          disabled={actionPending && pendingUserId === u.id}
+                          disabled={pendingUserIds.has(u.id)}
                         >
                           {u.role === 'admin' ? 'Demote' : 'Promote'}
                         </Button>
@@ -213,7 +224,7 @@ export function Admin() {
                             variant='active'
                             className='h-[28px] px-[8px] text-[12px]'
                             onClick={() => unbanUser.mutate({ userId: u.id })}
-                            disabled={actionPending && pendingUserId === u.id}
+                            disabled={pendingUserIds.has(u.id)}
                           >
                             Unban
                           </Button>
@@ -242,7 +253,7 @@ export function Admin() {
                                   }
                                 )
                               }}
-                              disabled={actionPending && pendingUserId === u.id}
+                              disabled={pendingUserIds.has(u.id)}
                             >
                               Confirm
                             </Button>
@@ -265,7 +276,7 @@ export function Admin() {
                               setBanUserId(u.id)
                               setBanReason('')
                             }}
-                            disabled={actionPending && pendingUserId === u.id}
+                            disabled={pendingUserIds.has(u.id)}
                           >
                             Ban
                           </Button>

apps/sim/lib/auth/auth.ts

@@ -79,6 +79,10 @@ const logger = createLogger('Auth')
 import { getMicrosoftRefreshTokenExpiry, isMicrosoftProvider } from '@/lib/oauth/microsoft'
 import { getCanonicalScopesForProvider } from '@/lib/oauth/utils'
 
+const blockedSignupDomains = env.BLOCKED_SIGNUP_DOMAINS
+  ? new Set(env.BLOCKED_SIGNUP_DOMAINS.split(',').map((d) => d.trim().toLowerCase()))
+  : null
+
 const validStripeKey = env.STRIPE_SECRET_KEY
 
 let stripeClient = null
@@ -599,6 +603,16 @@ export const auth = betterAuth({
         }
       }
 
+      if (ctx.path.startsWith('/sign-up') && blockedSignupDomains) {
+        const requestEmail = ctx.body?.email?.toLowerCase()
+        if (requestEmail) {
+          const emailDomain = requestEmail.split('@')[1]
+          if (emailDomain && blockedSignupDomains.has(emailDomain)) {
+            throw new Error('Sign-ups from this email domain are not allowed.')
+          }
+        }
+      }
+
       if (ctx.path === '/oauth2/authorize' || ctx.path === '/oauth2/token') {
         const clientId = (ctx.query?.client_id ?? ctx.body?.client_id) as string | undefined
         if (clientId && isMetadataUrl(clientId)) {

apps/sim/lib/core/config/env.ts

@@ -24,6 +24,7 @@ export const env = createEnv({
     DISABLE_AUTH:                          z.boolean().optional(),                 // Bypass authentication entirely (self-hosted only, creates anonymous session)
     ALLOWED_LOGIN_EMAILS:                  z.string().optional(),                  // Comma-separated list of allowed email addresses for login
     ALLOWED_LOGIN_DOMAINS:                 z.string().optional(),                  // Comma-separated list of allowed email domains for login
+    BLOCKED_SIGNUP_DOMAINS:                z.string().optional(),                  // Comma-separated list of email domains blocked from signing up (e.g., "gmail.com,yahoo.com")
     ENCRYPTION_KEY:                        z.string().min(32),                     // Key for encrypting sensitive data
     API_ENCRYPTION_KEY:                    z.string().min(32).optional(),          // Dedicated key for encrypting API keys (optional for OSS)
     INTERNAL_API_SECRET:                   z.string().min(32),                     // Secret for internal API authentication

packages/db/migrations/0177_wise_puma.sql

@@ -4,4 +4,4 @@ UPDATE "user" SET "role" = 'admin' WHERE "is_super_user" = true;--> statement-br
 ALTER TABLE "user" ADD COLUMN "banned" boolean DEFAULT false;--> statement-breakpoint
 ALTER TABLE "user" ADD COLUMN "ban_reason" text;--> statement-breakpoint
 ALTER TABLE "user" ADD COLUMN "ban_expires" timestamp;--> statement-breakpoint
-ALTER TABLE "user" DROP COLUMN "is_super_user";
+ALTER TABLE "user" DROP COLUMN "is_super_user";