migrate anonymous access logic out of ee

Author: msukkari

demo-site-config.json

@@ -238,7 +238,6 @@
         }
     },
     "settings": {
-        "reindexIntervalMs": 86400000, // 24 hours
-        "enablePublicAccess": true
+        "reindexIntervalMs": 86400000 // 24 hours
     }
 }

docs/snippets/schemas/v3/index.schema.mdx

@@ -63,11 +63,6 @@
           "type": "number",
           "description": "The timeout (in milliseconds) for a repo indexing to timeout. Defaults to 2 hours.",
           "minimum": 1
-        },
-        "enablePublicAccess": {
-          "type": "boolean",
-          "description": "[Sourcebot EE] When enabled, allows unauthenticated users to access Sourcebot. Requires an enterprise license with an unlimited number of seats.",
-          "default": false
         }
       },
       "additionalProperties": false
@@ -177,11 +172,6 @@
           "type": "number",
           "description": "The timeout (in milliseconds) for a repo indexing to timeout. Defaults to 2 hours.",
           "minimum": 1
-        },
-        "enablePublicAccess": {
-          "type": "boolean",
-          "description": "[Sourcebot EE] When enabled, allows unauthenticated users to access Sourcebot. Requires an enterprise license with an unlimited number of seats.",
-          "default": false
         }
       },
       "additionalProperties": false

packages/backend/src/constants.ts

@@ -15,5 +15,4 @@ export const DEFAULT_SETTINGS: Settings = {
     maxRepoGarbageCollectionJobConcurrency: 8,
     repoGarbageCollectionGracePeriodMs: 10 * 1000, // 10 seconds
     repoIndexTimeoutMs: 1000 * 60 * 60 * 2, // 2 hours
-    enablePublicAccess: false,
 }

packages/schemas/src/v2/index.schema.ts

@@ -2258,4 +2258,4 @@ const schema = {
   },
   "additionalProperties": false
 } as const;
-export { schema as indexSchema };
+export { schema as indexSchema };

packages/schemas/src/v3/index.schema.ts

@@ -62,11 +62,6 @@ const schema = {
           "type": "number",
           "description": "The timeout (in milliseconds) for a repo indexing to timeout. Defaults to 2 hours.",
           "minimum": 1
-        },
-        "enablePublicAccess": {
-          "type": "boolean",
-          "description": "[Sourcebot EE] When enabled, allows unauthenticated users to access Sourcebot. Requires an enterprise license with an unlimited number of seats.",
-          "default": false
         }
       },
       "additionalProperties": false
@@ -176,11 +171,6 @@ const schema = {
           "type": "number",
           "description": "The timeout (in milliseconds) for a repo indexing to timeout. Defaults to 2 hours.",
           "minimum": 1
-        },
-        "enablePublicAccess": {
-          "type": "boolean",
-          "description": "[Sourcebot EE] When enabled, allows unauthenticated users to access Sourcebot. Requires an enterprise license with an unlimited number of seats.",
-          "default": false
         }
       },
       "additionalProperties": false

packages/schemas/src/v3/index.type.ts

@@ -79,10 +79,6 @@ export interface Settings {
    * The timeout (in milliseconds) for a repo indexing to timeout. Defaults to 2 hours.
    */
   repoIndexTimeoutMs?: number;
-  /**
-   * [Sourcebot EE] When enabled, allows unauthenticated users to access Sourcebot. Requires an enterprise license with an unlimited number of seats.
-   */
-  enablePublicAccess?: boolean;
 }
 /**
  * Search context

packages/shared/src/entitlements.ts

@@ -33,7 +33,7 @@ export type Plan = keyof typeof planLabels;
 const entitlements = [
     "search-contexts",
     "billing",
-    "public-access",
+    "anonymous-access",
     "multi-tenancy",
     "sso",
     "code-nav",
@@ -43,12 +43,12 @@ const entitlements = [
 export type Entitlement = (typeof entitlements)[number];
 
 const entitlementsByPlan: Record<Plan, Entitlement[]> = {
-    oss: [],
+    oss: ["anonymous-access"],
     "cloud:team": ["billing", "multi-tenancy", "sso", "code-nav"],
     "self-hosted:enterprise": ["search-contexts", "sso", "code-nav", "audit", "analytics"],
-    "self-hosted:enterprise-unlimited": ["search-contexts", "public-access", "sso", "code-nav", "audit", "analytics"],
+    "self-hosted:enterprise-unlimited": ["search-contexts", "anonymous-access", "sso", "code-nav", "audit", "analytics"],
     // Special entitlement for https://demo.sourcebot.dev
-    "cloud:demo": ["public-access", "code-nav", "search-contexts"],
+    "cloud:demo": ["anonymous-access", "code-nav", "search-contexts"],
 } as const;
 
 

packages/web/src/actions.ts

@@ -32,12 +32,13 @@ import { decrementOrgSeatCount, getSubscriptionForOrg } from "./ee/features/bill
 import { bitbucketSchema } from "@sourcebot/schemas/v3/bitbucket.schema";
 import { genericGitHostSchema } from "@sourcebot/schemas/v3/genericGitHost.schema";
 import { getPlan, hasEntitlement } from "@sourcebot/shared";
-import { getPublicAccessStatus } from "./ee/features/publicAccess/publicAccess";
 import JoinRequestSubmittedEmail from "./emails/joinRequestSubmittedEmail";
 import JoinRequestApprovedEmail from "./emails/joinRequestApprovedEmail";
 import { createLogger } from "@sourcebot/logger";
 import { getAuditService } from "@/ee/features/audit/factory";
 import { addUserToOrganization, orgHasAvailability } from "@/lib/authUtils";
+import { orgMetadataSchema } from "@/types";
+import { getOrgFromDomain } from "./data/org";
 
 const ajv = new Ajv({
     validateFormats: false,
@@ -62,13 +63,13 @@ export const sew = async <T>(fn: () => Promise<T>): Promise<T | ServiceError> =>
     }
 }
 
-export const withAuth = async <T>(fn: (userId: string, apiKeyHash: string | undefined) => Promise<T>, allowSingleTenantUnauthedAccess: boolean = false, apiKey: ApiKeyPayload | undefined = undefined) => {
+export const withAuth = async <T>(fn: (userId: string, apiKeyHash: string | undefined) => Promise<T>, allowAnonymousAccess: boolean = false, apiKey: ApiKeyPayload | undefined = undefined) => {
     const session = await auth();
 
     if (!session) {
         // First we check if public access is enabled and supported. If not, then we check if an api key was provided. If not,
         // then this is an invalid unauthed request and we return a 401.
-        const publicAccessEnabled = await getPublicAccessStatus(SINGLE_TENANT_ORG_DOMAIN);
+        const anonymousAccessEnabled = await getAnonymousAccessStatus(SINGLE_TENANT_ORG_DOMAIN);
         if (apiKey) {
             const apiKeyOrError = await verifyApiKey(apiKey);
             if (isServiceError(apiKeyOrError)) {
@@ -98,18 +99,17 @@ export const withAuth = async <T>(fn: (userId: string, apiKeyHash: string | unde
 
             return fn(user.id, apiKeyOrError.apiKey.hash);
         } else if (
-            env.SOURCEBOT_TENANCY_MODE === 'single' &&
-            allowSingleTenantUnauthedAccess &&
-            !isServiceError(publicAccessEnabled) &&
-            publicAccessEnabled
+            allowAnonymousAccess &&
+            !isServiceError(anonymousAccessEnabled) &&
+            anonymousAccessEnabled
         ) {
-            if (!hasEntitlement("public-access")) {
+            if (!hasEntitlement("anonymous-access")) {
                 const plan = getPlan();
-                logger.error(`Public access isn't supported in your current plan: ${plan}. If you have a valid enterprise license key, pass it via SOURCEBOT_EE_LICENSE_KEY. For support, contact ${SOURCEBOT_SUPPORT_EMAIL}.`);
+                logger.error(`Anonymous access isn't supported in your current plan: ${plan}. For support, contact ${SOURCEBOT_SUPPORT_EMAIL}.`);
                 return notAuthenticated();
             }
 
-            // To support unauthed access a guest user is created in initialize.ts, which we return here
+            // To support anonymous access a guest user is created in initialize.ts, which we return here
             return fn(SOURCEBOT_GUEST_USER_ID, undefined);
         }
         return notAuthenticated();
@@ -672,7 +672,7 @@ export const getRepos = async (domain: string, filter: { status?: RepoIndexingSt
                 indexedAt: repo.indexedAt ?? undefined,
                 repoIndexingStatus: repo.repoIndexingStatus,
             }));
-        }, /* minRequiredRole = */ OrgRole.GUEST), /* allowSingleTenantUnauthedAccess = */ true
+        }, /* minRequiredRole = */ OrgRole.GUEST), /* allowAnonymousAccess = */ true
     ));
 
 export const getRepoInfoByName = async (repoName: string, domain: string) => sew(() =>
@@ -734,7 +734,7 @@ export const getRepoInfoByName = async (repoName: string, domain: string) => sew
                 indexedAt: repo.indexedAt ?? undefined,
                 repoIndexingStatus: repo.repoIndexingStatus,
             }
-        }, /* minRequiredRole = */ OrgRole.GUEST), /* allowSingleTenantUnauthedAccess = */ true
+        }, /* minRequiredRole = */ OrgRole.GUEST), /* allowAnonymousAccess = */ true
     ));
 
 export const createConnection = async (name: string, type: CodeHostType, connectionConfig: string, domain: string): Promise<{ id: number } | ServiceError> => sew(() =>
@@ -933,7 +933,7 @@ export const getCurrentUserRole = async (domain: string): Promise<OrgRole | Serv
     withAuth((userId) =>
         withOrgMembership(userId, domain, async ({ userRole }) => {
             return userRole;
-        }, /* minRequiredRole = */ OrgRole.GUEST), /* allowSingleTenantUnauthedAccess = */ true
+        }, /* minRequiredRole = */ OrgRole.GUEST), /* allowAnonymousAccess = */ true
     ));
 
 export const createInvites = async (emails: string[], domain: string): Promise<{ success: boolean } | ServiceError> => sew(() =>
@@ -1863,7 +1863,7 @@ export const getSearchContexts = async (domain: string) => sew(() =>
                 name: context.name,
                 description: context.description ?? undefined,
             }));
-        }, /* minRequiredRole = */ OrgRole.GUEST), /* allowSingleTenantUnauthedAccess = */ true
+        }, /* minRequiredRole = */ OrgRole.GUEST), /* allowAnonymousAccess = */ true
     ));
 
 export const getRepoImage = async (repoId: number, domain: string): Promise<ArrayBuffer | ServiceError> => sew(async () => {
@@ -1934,7 +1934,68 @@ export const getRepoImage = async (repoId: number, domain: string): Promise<Arra
                 return notFound();
             }
         }, /* minRequiredRole = */ OrgRole.GUEST);
-    }, /* allowSingleTenantUnauthedAccess = */ true);
+    }, /* allowAnonymousAccess = */ true);
+});
+
+export const getAnonymousAccessStatus = async (domain: string): Promise<boolean | ServiceError> => sew(async () => {
+    const org = await getOrgFromDomain(domain);
+    if (!org) {
+        return {
+            statusCode: StatusCodes.NOT_FOUND,
+            errorCode: ErrorCode.NOT_FOUND,
+            message: "Organization not found",
+        } satisfies ServiceError;
+    }
+
+    // If no metadata is set we don't try to parse it since it'll result in a parse error
+    if (org.metadata === null) {
+        return false;
+    }
+
+    const orgMetadata = orgMetadataSchema.safeParse(org.metadata);
+    if (!orgMetadata.success) {
+        return {
+            statusCode: StatusCodes.INTERNAL_SERVER_ERROR,
+            errorCode: ErrorCode.INVALID_ORG_METADATA,
+            message: "Invalid organization metadata",
+        } satisfies ServiceError;
+    }
+
+    return !!orgMetadata.data.anonymousAccessEnabled;
+});
+
+export const setAnonymousAccessStatus = async (domain: string, enabled: boolean): Promise<ServiceError | boolean> => sew(async () => {
+    return await withAuth(async (userId) => {
+        return await withOrgMembership(userId, domain, async ({ org }) => {
+            const hasAnonymousAccessEntitlement = hasEntitlement("anonymous-access");
+            if (!hasAnonymousAccessEntitlement) {
+                const plan = getPlan();
+                console.error(`Anonymous access isn't supported in your current plan: ${plan}. For support, contact ${SOURCEBOT_SUPPORT_EMAIL}.`);
+                return {
+                    statusCode: StatusCodes.FORBIDDEN,
+                    errorCode: ErrorCode.INSUFFICIENT_PERMISSIONS,
+                    message: "Anonymous access is not supported in your current plan",
+                } satisfies ServiceError;
+            }
+
+            const currentMetadata = orgMetadataSchema.safeParse(org.metadata);
+            const mergedMetadata = {
+                ...(currentMetadata.success ? currentMetadata.data : {}),
+                anonymousAccessEnabled: enabled,
+            };
+
+            await prisma.org.update({
+                where: {
+                    id: org.id,
+                },
+                data: {
+                    metadata: mergedMetadata,
+                },
+            });
+
+            return true;
+        }, /* minRequiredRole = */ OrgRole.OWNER);
+    });
 });
 
 ////// Helpers ///////

packages/web/src/app/[domain]/layout.tsx

@@ -16,10 +16,9 @@ import { getSubscriptionInfo } from "@/ee/features/billing/actions";
 import { PendingApprovalCard } from "./components/pendingApproval";
 import { SubmitJoinRequest } from "./components/submitJoinRequest";
 import { hasEntitlement } from "@sourcebot/shared";
-import { getPublicAccessStatus } from "@/ee/features/publicAccess/publicAccess";
 import { env } from "@/env.mjs";
 import { GcpIapAuth } from "./components/gcpIapAuth";
-import { getMemberApprovalRequired } from "@/actions";
+import { getAnonymousAccessStatus, getMemberApprovalRequired } from "@/actions";
 import { JoinOrganizationCard } from "@/app/components/joinOrganizationCard";
 import { LogoutEscapeHatch } from "@/app/components/logoutEscapeHatch";
 
@@ -39,7 +38,7 @@ export default async function Layout({
     }
 
     const session = await auth();
-    const publicAccessEnabled = hasEntitlement("public-access") && await getPublicAccessStatus(domain);
+    const anonymousAccessEnabled = hasEntitlement("anonymous-access") && await getAnonymousAccessStatus(domain);
 
     // If the user is authenticated, we must check if they're a member of the org
     if (session) {
@@ -84,8 +83,8 @@ export default async function Layout({
             }
         }
     } else {
-        // If the user isn't authenticated and public access isn't enabled, we need to redirect them to the login page.
-        if (!publicAccessEnabled) {
+        // If the user isn't authenticated and anonymous access isn't enabled, we need to redirect them to the login page.
+        if (!anonymousAccessEnabled) {
             const ssoEntitlement = await hasEntitlement("sso");
             if (ssoEntitlement && env.AUTH_EE_GCP_IAP_ENABLED && env.AUTH_EE_GCP_IAP_AUDIENCE) {
                 return <GcpIapAuth callbackUrl={`/${domain}`} />;

packages/web/src/ee/features/analytics/actions.ts

@@ -99,5 +99,5 @@ export const getAnalytics = async (domain: string, apiKey: string | undefined =
 
 
       return rows;
-    }, /* minRequiredRole = */ OrgRole.MEMBER), /* allowSingleTenantUnauthedAccess = */ true, apiKey ? { apiKey, domain } : undefined)
+    }, /* minRequiredRole = */ OrgRole.MEMBER), /* allowAnonymousAccess = */ true, apiKey ? { apiKey, domain } : undefined)
 );