
fix(auth): Redirect to login if user session doesn't exist#4497

Merged
TheodoreSpeaks merged 2 commits into staging from feat/indefinite-impersonate-timeout on May 7, 2026

Conversation

TheodoreSpeaks (Collaborator) commented May 7, 2026

Summary

  • When impersonation (or any other session) expired while a user was on /workspace/[workspaceId]/..., the page rendered blank — the layout fetched the session but never handled the null case, so client hooks below it ran with no auth and produced empty UI.
  • Instead, just switch to the login page if the user session is not found

Type of Change

  • Bug fix

Testing

Tested manually. bun run lint and bun run check:api-validation:strict pass.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

vercel Bot commented May 7, 2026

The latest updates on your projects.

1 Skipped Deployment

Project: docs; Deployment: Skipped; Actions: Skipped; Updated (UTC): May 7, 2026 8:29pm

cursor Bot commented May 7, 2026

PR Summary

Medium Risk
Adds a server-side auth gate in the workspace layout; risk is moderate because it changes routing behavior for unauthenticated/expired sessions and could expose redirect/blank-screen edge cases if session shape differs.

Overview
Adds a server-side authentication check in apps/sim/app/workspace/[workspaceId]/layout.tsx that redirects to /login when getSession() returns no user, preventing workspace rendering with an invalid/expired session.

After enforcing the session presence, it simplifies org ID extraction by removing optional chaining on session.session before loading whitelabel org settings.

Reviewed by Cursor Bugbot for commit f81eba9. Bugbot is set up for automated code reviews on this repo.
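As an added example (not the project's code), the gate the summary above describes, modelled as a pure decision function so the three failure states it must cover (no session, no user, expired session) are visible without a framework. The `Session`/`SessionRecord` types and the field names `expiresAt`, `impersonatedBy` and `organizationId` are assumptions for illustration, not the project's real session shape; the redirect target `/login` and the `getSession()` null case are from the PR.

```typescript
// Assumed session shape (illustrative; not the project's real types).
interface SessionUser { id: string; email: string }
interface SessionRecord {
  expiresAt: Date;
  impersonatedBy?: string;     // assumed: set while an admin impersonates this user
  organizationId?: string | null;
}
interface Session { user: SessionUser; session: SessionRecord }

type GateResult =
  | { kind: "redirect"; to: string; reason: "no-session" | "session-expired" | "impersonation-expired" }
  | { kind: "render"; userId: string; orgId: string | null };

// What the workspace layout should do with the result of a session lookup.
// The pre-fix layout rendered children regardless and let client hooks run
// unauthenticated (blank UI); here every non-live state becomes a redirect.
function gateWorkspace(session: Session | null, now: Date = new Date()): GateResult {
  if (session === null || !session.user) {
    return { kind: "redirect", to: "/login", reason: "no-session" };
  }
  if (session.session.expiresAt.getTime() <= now.getTime()) {
    // An expired impersonation session is the case from the PR description.
    const reason = session.session.impersonatedBy ? "impersonation-expired" : "session-expired";
    return { kind: "redirect", to: "/login", reason };
  }
  // Presence is enforced above, so session.session is read without optional chaining.
  return { kind: "render", userId: session.user.id, orgId: session.session.organizationId ?? null };
}

// Constructed sample: an admin impersonation session that lapsed before the request.
const expiredImpersonation: Session = {
  user: { id: "user_123", email: "alice@example.com" },
  session: {
    expiresAt: new Date("2026-05-07T19:00:00Z"),
    impersonatedBy: "admin_1",
    organizationId: "org_9",
  },
};

// Same session, still within its lifetime.
const liveImpersonation: Session = {
  ...expiredImpersonation,
  session: { ...expiredImpersonation.session, expiresAt: new Date("2026-05-08T00:00:00Z") },
};

const requestTime = new Date("2026-05-07T20:00:00Z");
console.log(gateWorkspace(null, requestTime));                 // redirect, no-session
console.log(gateWorkspace(expiredImpersonation, requestTime)); // redirect, impersonation-expired
console.log(gateWorkspace(liveImpersonation, requestTime));    // render, orgId org_9
```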

greptile-apps Bot (Contributor) commented May 7, 2026

Greptile Summary

This PR fixes a blank-screen bug that occurs when an admin impersonates a user, forgets to log out, and later revisits the app with an expired session cookie — by extending the impersonation session lifetime from the default to 100 years.

  • admin({ impersonationSessionDuration: 60 * 60 * 24 * 365 * 100 }) sets the impersonation session to ~3.15 billion seconds, making it effectively non-expiring.
  • The root UX bug (blank screen on expired impersonation session) is not addressed at the source; proper handling of the expired-session state (e.g. redirect to login) would fix the issue without removing the expiry boundary.

Confidence Score: 3/5

The change trades a real UX regression for a permanent impersonation session that has no natural expiry — the blank-screen bug is not fixed at its source.

The only changed line makes impersonation sessions last 100 years. Any impersonation token that is leaked — via XSS, server logs, network capture, or a compromised device — will remain valid indefinitely. The original blank-screen problem stems from the app not handling an expired session gracefully; removing the expiry boundary is a workaround that avoids the symptom without fixing the underlying redirect/error-handling logic.

apps/sim/lib/auth/auth.ts — the impersonation session duration and the session-expiry handling path that triggers the blank screen.

Security Review

  • Indefinite impersonation token lifetime: impersonationSessionDuration is set to ~100 years in apps/sim/lib/auth/auth.ts. A leaked impersonation session cookie (XSS, log/network exposure) would grant an attacker permanent access to the impersonated user's account with no natural expiry window to limit damage.

Important Files Changed

apps/sim/lib/auth/auth.ts: Impersonation session duration increased from default to 100 years (3,153,600,000 s), making impersonation tokens effectively non-expiring and widening the blast radius of any token leak.

Reviews (1): Last reviewed commit: "feat(admin): Increase impersonation time..."

Comment thread on apps/sim/lib/auth/auth.ts (Outdated)

cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 9d4bf16.
TheodoreSpeaks changed the title from "fix(admin): Increase impersonation timeout to 100 years" to "fix(workspace): redirect to login on missing session" on May 7, 2026
TheodoreSpeaks changed the title from "fix(workspace): redirect to login on missing session" to "fix(admin): Redirect to login if user session doesn't exist" on May 7, 2026
TheodoreSpeaks changed the title from "fix(admin): Redirect to login if user session doesn't exist" to "fix(auth): Redirect to login if user session doesn't exist" on May 7, 2026
TheodoreSpeaks merged commit 401ebcc into staging on May 7, 2026
14 checks passed
TheodoreSpeaks deleted the feat/indefinite-impersonate-timeout branch on May 7, 2026 21:29