feat(auth): add execute-on-submit Turnstile, conditional harmony, and feature flag

- Switch Turnstile to execution: 'execute' mode so challenge runs on
  form submit (fresh token every time, no expiry issues)
- Make emailHarmony conditional via SIGNUP_EMAIL_VALIDATION_ENABLED
  feature flag so self-hosted users can opt out
- Add isSignupEmailValidationEnabled to feature-flags.ts following
  existing pattern
- Add better-auth-harmony to Next.js transpilePackages (required for
  validator.js ESM compatibility)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/(auth)/login/login-form.tsx

@@ -89,6 +89,8 @@ export default function LoginPage({
   const [showValidationError, setShowValidationError] = useState(false)
   const [captchaToken, setCaptchaToken] = useState<string | null>(null)
   const turnstileRef = useRef<TurnstileInstance>(null)
+  const captchaResolveRef = useRef<((token: string) => void) | null>(null)
+  const captchaRejectRef = useRef<((reason: unknown) => void) | null>(null)
   const turnstileSiteKey = useMemo(() => getEnv('NEXT_PUBLIC_TURNSTILE_SITE_KEY'), [])
   const buttonClass = useBrandedButtonClass()
 
@@ -182,6 +184,24 @@ export default function LoginPage({
       const safeCallbackUrl = callbackUrl
       let errorHandled = false
 
+      // Execute Turnstile challenge on submit and get a fresh token
+      let token = captchaToken
+      if (turnstileSiteKey && turnstileRef.current) {
+        try {
+          turnstileRef.current.reset()
+          token = await new Promise<string>((resolve, reject) => {
+            captchaResolveRef.current = resolve
+            captchaRejectRef.current = reject
+            turnstileRef.current?.execute()
+          })
+        } catch {
+          setPasswordErrors(['Captcha verification failed. Please try again.'])
+          setShowValidationError(true)
+          setIsLoading(false)
+          return
+        }
+      }
+
       const result = await client.signIn.email(
         {
           email,
@@ -191,7 +211,7 @@ export default function LoginPage({
         {
           fetchOptions: {
             headers: {
-              ...(captchaToken ? { 'x-captcha-response': captchaToken } : {}),
+              ...(token ? { 'x-captcha-response': token } : {}),
             },
           },
           onError: (ctx) => {
@@ -475,10 +495,20 @@ export default function LoginPage({
             <Turnstile
               ref={turnstileRef}
               siteKey={turnstileSiteKey}
-              onSuccess={setCaptchaToken}
-              onError={() => setCaptchaToken(null)}
+              onSuccess={(token) => {
+                setCaptchaToken(token)
+                captchaResolveRef.current?.(token)
+                captchaResolveRef.current = null
+                captchaRejectRef.current = null
+              }}
+              onError={() => {
+                setCaptchaToken(null)
+                captchaRejectRef.current?.(new Error('Captcha failed'))
+                captchaResolveRef.current = null
+                captchaRejectRef.current = null
+              }}
               onExpire={() => setCaptchaToken(null)}
-              options={{ size: 'invisible' }}
+              options={{ size: 'invisible', execution: 'execute' }}
             />
           )}
 

apps/sim/app/(auth)/signup/signup-form.tsx

@@ -93,6 +93,8 @@ function SignupFormContent({
   const [showEmailValidationError, setShowEmailValidationError] = useState(false)
   const [captchaToken, setCaptchaToken] = useState<string | null>(null)
   const turnstileRef = useRef<TurnstileInstance>(null)
+  const captchaResolveRef = useRef<((token: string) => void) | null>(null)
+  const captchaRejectRef = useRef<((reason: unknown) => void) | null>(null)
   const turnstileSiteKey = useMemo(() => getEnv('NEXT_PUBLIC_TURNSTILE_SITE_KEY'), [])
   const buttonClass = useBrandedButtonClass()
 
@@ -249,6 +251,24 @@ function SignupFormContent({
 
       const sanitizedName = trimmedName
 
+      // Execute Turnstile challenge on submit and get a fresh token
+      let token = captchaToken
+      if (turnstileSiteKey && turnstileRef.current) {
+        try {
+          turnstileRef.current.reset()
+          token = await new Promise<string>((resolve, reject) => {
+            captchaResolveRef.current = resolve
+            captchaRejectRef.current = reject
+            turnstileRef.current?.execute()
+          })
+        } catch {
+          setPasswordErrors(['Captcha verification failed. Please try again.'])
+          setShowValidationError(true)
+          setIsLoading(false)
+          return
+        }
+      }
+
       const response = await client.signUp.email(
         {
           email: emailValue,
@@ -258,7 +278,7 @@ function SignupFormContent({
         {
           fetchOptions: {
             headers: {
-              ...(captchaToken ? { 'x-captcha-response': captchaToken } : {}),
+              ...(token ? { 'x-captcha-response': token } : {}),
             },
           },
           onError: (ctx) => {
@@ -468,10 +488,20 @@ function SignupFormContent({
             <Turnstile
               ref={turnstileRef}
               siteKey={turnstileSiteKey}
-              onSuccess={setCaptchaToken}
-              onError={() => setCaptchaToken(null)}
+              onSuccess={(token) => {
+                setCaptchaToken(token)
+                captchaResolveRef.current?.(token)
+                captchaResolveRef.current = null
+                captchaRejectRef.current = null
+              }}
+              onError={() => {
+                setCaptchaToken(null)
+                captchaRejectRef.current?.(new Error('Captcha failed'))
+                captchaResolveRef.current = null
+                captchaRejectRef.current = null
+              }}
               onExpire={() => setCaptchaToken(null)}
-              options={{ size: 'invisible' }}
+              options={{ size: 'invisible', execution: 'execute' }}
             />
           )}
 

apps/sim/lib/auth/auth.ts

@@ -65,6 +65,7 @@ import {
   isHosted,
   isOrganizationsEnabled,
   isRegistrationDisabled,
+  isSignupEmailValidationEnabled,
 } from '@/lib/core/config/feature-flags'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { getBaseUrl } from '@/lib/core/utils/urls'
@@ -664,7 +665,7 @@ export const auth = betterAuth({
   },
   plugins: [
     nextCookies(),
-    emailHarmony(),
+    ...(isSignupEmailValidationEnabled ? [emailHarmony()] : []),
     ...(env.TURNSTILE_SECRET_KEY
       ? [
           captcha({

apps/sim/lib/core/config/env.ts

@@ -26,6 +26,7 @@ export const env = createEnv({
     ALLOWED_LOGIN_DOMAINS:                 z.string().optional(),                  // Comma-separated list of allowed email domains for login
     BLOCKED_SIGNUP_DOMAINS:                z.string().optional(),                  // Comma-separated list of email domains blocked from signing up (e.g., "gmail.com,yahoo.com")
     TURNSTILE_SECRET_KEY:                  z.string().min(1).optional(),           // Cloudflare Turnstile secret key for captcha verification
+    SIGNUP_EMAIL_VALIDATION_ENABLED:       z.boolean().optional(),                 // Enable disposable email blocking via better-auth-harmony (55K+ domains)
     ENCRYPTION_KEY:                        z.string().min(32),                     // Key for encrypting sensitive data
     API_ENCRYPTION_KEY:                    z.string().min(32).optional(),          // Dedicated key for encrypting API keys (optional for OSS)
     INTERNAL_API_SECRET:                   z.string().min(32),                     // Secret for internal API authentication

apps/sim/lib/core/config/feature-flags.ts

@@ -70,6 +70,11 @@ export const isRegistrationDisabled = isTruthy(env.DISABLE_REGISTRATION)
  */
 export const isEmailPasswordEnabled = !isFalsy(env.EMAIL_PASSWORD_SIGNUP_ENABLED)
 
+/**
+ * Is signup email validation enabled (disposable email blocking via better-auth-harmony)
+ */
+export const isSignupEmailValidationEnabled = isTruthy(env.SIGNUP_EMAIL_VALIDATION_ENABLED)
+
 /**
  * Is Trigger.dev enabled for async job processing
  */

apps/sim/next.config.ts

@@ -120,6 +120,7 @@ const nextConfig: NextConfig = {
     '@t3-oss/env-nextjs',
     '@t3-oss/env-core',
     '@sim/db',
+    'better-auth-harmony',
   ],
   async headers() {
     return [