From 1527611239edf56dcfca35d6dffb478eacb0fbee Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 15:08:36 +0100
Subject: [PATCH] Default production SSO provider source to YAML to avoid
 boot-time schema errors (#1278)

* Initial plan

* Default production SSO provider source to YAML

Co-authored-by: jjmata <187772+jjmata@users.noreply.github.com>
Agent-Logs-Url: https://github.com/we-promise/sure/sessions/d3a36ca8-e936-4687-a466-9b4c93c19150

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jjmata <187772+jjmata@users.noreply.github.com>
---
 docs/hosting/oidc.md           |  1 +
 lib/feature_flags.rb           | 11 ++++++++---
 test/lib/feature_flags_test.rb | 26 ++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 test/lib/feature_flags_test.rb

diff --git a/docs/hosting/oidc.md b/docs/hosting/oidc.md
index 9100bb5f9..91318c907 100644
--- a/docs/hosting/oidc.md
+++ b/docs/hosting/oidc.md
@@ -346,6 +346,7 @@ When enabled:
 When disabled (default):
 - Providers are loaded from `config/auth.yml`
 - Changes require a server restart
+- In production, YAML is the default unless `AUTH_PROVIDERS_SOURCE=db` is explicitly set
 
 ### 6.2 Admin UI for SSO providers
 
diff --git a/lib/feature_flags.rb b/lib/feature_flags.rb
index e20472e81..bd9c648eb 100644
--- a/lib/feature_flags.rb
+++ b/lib/feature_flags.rb
@@ -3,9 +3,14 @@
 module FeatureFlags
   class << self
     def db_sso_providers?
-      auth_source = ENV.fetch("AUTH_PROVIDERS_SOURCE") do
-        Rails.configuration.app_mode.self_hosted? ? "db" : "yaml"
-      end
+      auth_source = ENV["AUTH_PROVIDERS_SOURCE"]
+      return auth_source.to_s.downcase == "db" if auth_source.present?
+
+      # In production, prefer YAML by default so boot-time tasks (e.g. db:prepare)
+      # do not attempt to query SSO provider tables before migrations run.
+      return false if Rails.env.production?
+
+      auth_source = Rails.configuration.app_mode.self_hosted? ? "db" : "yaml"
 
       auth_source.to_s.downcase == "db"
     end
diff --git a/test/lib/feature_flags_test.rb b/test/lib/feature_flags_test.rb
new file mode 100644
index 000000000..85d0a5f90
--- /dev/null
+++ b/test/lib/feature_flags_test.rb
@@ -0,0 +1,26 @@
+require "test_helper"
+
+class FeatureFlagsTest < ActiveSupport::TestCase
+  test "db_sso_providers? is true when AUTH_PROVIDERS_SOURCE is db in production" do
+    with_env_overrides("AUTH_PROVIDERS_SOURCE" => "db") do
+      Rails.stubs(:env).returns(ActiveSupport::StringInquirer.new("production"))
+      assert FeatureFlags.db_sso_providers?
+    end
+  end
+
+  test "db_sso_providers? defaults to yaml in production when AUTH_PROVIDERS_SOURCE is unset" do
+    with_env_overrides("AUTH_PROVIDERS_SOURCE" => nil) do
+      Rails.stubs(:env).returns(ActiveSupport::StringInquirer.new("production"))
+      assert_not FeatureFlags.db_sso_providers?
+    end
+  end
+
+  test "db_sso_providers? defaults to db for self hosted mode outside production" do
+    with_env_overrides("AUTH_PROVIDERS_SOURCE" => nil) do
+      Rails.stubs(:env).returns(ActiveSupport::StringInquirer.new("development"))
+      with_self_hosting do
+        assert FeatureFlags.db_sso_providers?
+      end
+    end
+  end
+end