Fix SSO provider 404 in production when credentials not configured

[Copilot]

• Understand the issue - SSO env vars resolved at build-time
• Identify root cause in auth.ts module initialization
• Change SSO provider default from enabled to disabled in auth-flags.ts
• Add SSO env vars to backend service in docker-compose.preview.yml
• Add SSO visibility flags as build args to Dockerfile
• Update docker-compose to pass flags at build time
• Create release entry
• Run typecheck and linting (both pass)
• Run code review and address feedback (no issues remaining)
• Run CodeQL security scan (0 alerts found)
• Address PR review feedback - set .env.example flags to false
• Clarify build-time vs runtime in release notes
• All validation complete

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Bug]: issue on production when trying to register / login with an external account (Better Auth SSO)</issue_title>
<issue_description>## Summary
[Bug]: issue on production when trying to register / login with an external account (Better Auth SSO)

Steps to reproduce

1. go to corpsim.altitude-interactive.com
2. Try to register with any SSO method
3. "Google sign in failed, provider not found" which also gives this in browser console (see logs below)

Expected behavior

Should login / register normally

Environment

• App version or commit: v0.9.0
• Browser (if applicable): brave (no shields)
• Next.js version (if applicable): Next.js 15.5.12

Screenshots or logs

corpsim-api.altitude-interactive.com/api/auth/sign-in/social:1  Failed to load resource: the server responded with a status of 404 ()
5680-931553094170b2d3.js:1  POST https://corpsim-api.altitude-interactive.com/api/auth/sign-in/social 404 (Not Found)
H @ 5680-931553094170b2d3.js:1
await in H
(anonymous) @ 5680-931553094170b2d3.js:1
apply @ 5680-931553094170b2d3.js:1
$ @ page-e8cb971ae8482f64.js:1
onClick @ page-e8cb971ae8482f64.js:1
i8 @ 2b318b70-b5618ac25a246165.js:1
(anonymous) @ 2b318b70-b5618ac25a246165.js:1
nz @ 2b318b70-b5618ac25a246165.js:1
sn @ 2b318b70-b5618ac25a246165.js:1
cc @ 2b318b70-b5618ac25a246165.js:1
ci @ 2b318b70-b5618ac25a246165.js:1

Additional context

This issue happened to me in localhost when no values had been configured for specified SSO. One good start to search would be if these values are taken when building the image, and not actually the env file on Dokploy like it should.</issue_description>

<agent_instructions>Read AGENTS.md</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [Bug]: issue on production when trying to register / login with an external account (Better Auth SSO) #55

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[greptile-apps]

Greptile Summary

This PR fixes a production bug where SSO login buttons were visible even when the backend lacked OAuth credentials, causing "provider not found" 404 errors. The fix correctly flips the default from true to false in auth-flags.ts and threads the necessary build args through the Dockerfile and docker-compose.preview.yml.

Key changes and issues found:

• Core logic fix (auth-flags.ts): Correct and clean — changing the nullish-coalescing fallback to false for all four SSO flags is the right fix.
• Dockerfile (docker/app.Dockerfile): Correctly adds ARG/ENV declarations for the four new flags so they are available during next build.
• docker-compose.preview.yml backend env vars: Correctly wires GOOGLE_CLIENT_ID/SECRET, GITHUB_CLIENT_ID/SECRET, MICROSOFT_CLIENT_ID/SECRET, and DISCORD_CLIENT_ID/SECRET to the backend service so Better Auth can initialize the providers.
• .env.example contradiction: The example file sets all four SSO flags to true, directly contradicting the safe-default intent of this PR. Operators seeding from this file will re-enable all providers and recreate the original bug if credentials are absent.
• Misleading runtime env vars for Next.js (docker-compose.preview.yml frontend): The NEXT_PUBLIC_AUTH_*_ENABLED flags added to the frontend service's environment: block have no runtime effect for Next.js (which bakes NEXT_PUBLIC_* at build time). This could mislead operators into thinking a container restart is sufficient when an image rebuild is required.

Confidence Score: 3/5

• The PR partially fixes the bug but contains a direct contradiction in .env.example that can recreate the original issue for users following the example file.
• The core logic change in auth-flags.ts and the Dockerfile wiring are correct. However, setting all four SSO flags to true in .env.example directly contradicts the fix's safe-default principle and will mislead operators. The runtime env var additions for NEXT_PUBLIC_* in the frontend service are harmless but confusing. The .env.example issue is a meaningful defect that should be corrected before merge.
• .env.example requires correction — the SSO flags should be set to false to match the new default behavior.

_{Last reviewed commit: 2822702}

[greptile-apps]

_{5 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[Copilot]

Pull request overview

This PR addresses production “provider not found” 404s by ensuring SSO login options are hidden unless explicitly enabled, and by wiring OAuth credential environment variables into the preview Docker Compose setup.

Changes:

• Default SSO provider visibility flags to disabled (false) unless NEXT_PUBLIC_AUTH_*_ENABLED=true is set.
• Pass NEXT_PUBLIC_AUTH_*_ENABLED into the Next.js build via Docker build args / Dockerfile env.
• Add OAuth credential env vars to the backend service in docker-compose.preview.yml, plus add an ops release note and update .env.example.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
docker/app.Dockerfile	Adds NEXT_PUBLIC_AUTH_*_ENABLED build args and env exports for Next.js build-time injection.
docker-compose.preview.yml	Passes SSO build args to the image build and provides OAuth credential env vars to the backend service.
apps/web/src/lib/auth-flags.ts	Switches provider visibility defaults from enabled to disabled unless explicitly set.
.releases/unreleased/fix-sso-production-env-vars.md	Adds a patch release note describing the operational change.
.env.example	Updates example env documentation/values for SSO visibility flags.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[BENZOOgataga]

.env.example SSO flags contradict the fix's safe-default intent

The core change in this PR sets the fallback in auth-flags.ts to false, meaning SSO buttons are hidden unless explicitly enabled. However, .env.example sets all four flags to true, which means any developer or operator who seeds their environment from this file will immediately re-enable all SSO providers — recreating the "provider not found" 404 error if credentials are not configured.

The example file values should be false to match the new safe-default behavior and the explanatory comments added directly above them on lines 103–105.
@copilot

[Copilot]

.env.example SSO flags contradict the fix's safe-default intent

The core change in this PR sets the fallback in auth-flags.ts to false, meaning SSO buttons are hidden unless explicitly en...

Fixed in 9ab723b - changed all SSO flags in .env.example from true to false to align with the safe-default behavior in auth-flags.ts.

[BENZOOgataga]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

All changes from the review thread have already been applied in commit 9ab723b:

• .env.example SSO flags set to false (lines 106-109)
• Release note summary updated to clarify build-time vs runtime distinction (line 4)