[member approval] configurable via environment

drew-u410 · drew-u410 · commit baf2caadb7df · 2025-09-26T08:22:47.000-04:00
diff --git a/.env.development b/.env.development
@@ -23,6 +23,8 @@ AUTH_URL="http://localhost:3000"
 # AUTH_EE_GOOGLE_CLIENT_ID=""
 # AUTH_EE_GOOGLE_CLIENT_SECRET=""
 
+# MEMBER_APPROVAL_REQUIRED="true"
+
 DATA_CACHE_DIR=${PWD}/.sourcebot  # Path to the sourcebot cache dir (ex. ~/sourcebot/.sourcebot)
 SOURCEBOT_PUBLIC_KEY_PATH=${PWD}/public.pem
 # CONFIG_PATH=${PWD}/config.json # Path to the sourcebot config file (if one exists)
diff --git a/docs/docs/configuration/environment-variables.mdx b/docs/docs/configuration/environment-variables.mdx
@@ -22,6 +22,7 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `DATABASE_URL` | `postgresql://postgres@ localhost:5432/sourcebot` | <p>Connection string of your Postgres database. By default, a Postgres database is automatically provisioned at startup within the container.</p><p>If you'd like to use a non-default schema, you can provide it as a parameter in the database url </p> |
 | `EMAIL_FROM_ADDRESS` | `-` | <p>The email address that transactional emails will be sent from. See [this doc](/docs/configuration/transactional-emails) for more info.</p> | 
 | `FORCE_ENABLE_ANONYMOUS_ACCESS` | `false` | <p>When enabled, [anonymous access](/docs/configuration/auth/access-settings#anonymous-access) to the organization will always be enabled</p>
+| `MEMBER_APPROVAL_REQUIRED` | `true` | <p>When enabled, new users will need approval from an organization owner before they can access your deployment. See [access settings docs](/docs/configuration/auth/access-settings) for more info</p>
 | `REDIS_DATA_DIR` | `$DATA_CACHE_DIR/redis` | <p>The data directory for the default Redis instance.</p> |
 | `REDIS_URL` | `redis://localhost:6379` | <p>Connection string of your Redis instance. By default, a Redis database is automatically provisioned at startup within the container.</p> |
 | `REDIS_REMOVE_ON_COMPLETE` | `0` | <p>Controls how many completed jobs are allowed to remain in Redis queues</p> |
diff --git a/packages/web/src/env.mjs b/packages/web/src/env.mjs
@@ -21,6 +21,7 @@ export const env = createEnv({
         
         // Auth
         FORCE_ENABLE_ANONYMOUS_ACCESS: booleanSchema.default('false'),
+        MEMBER_APPROVAL_REQUIRED: booleanSchema.default('true'),
         
         AUTH_SECRET: z.string(),
         AUTH_URL: z.string().url(),
diff --git a/packages/web/src/initialize.ts b/packages/web/src/initialize.ts
@@ -180,6 +180,7 @@ const initSingleTenancy = async () => {
                     name: SINGLE_TENANT_ORG_NAME,
                     domain: SINGLE_TENANT_ORG_DOMAIN,
                     inviteLinkId: crypto.randomUUID(),
+                    memberApprovalRequired: env.MEMBER_APPROVAL_REQUIRED === 'true',
                 }
             });
         } else if (!org.inviteLinkId) {
@@ -220,6 +221,17 @@ const initSingleTenancy = async () => {
         }
     }
 
+    // Apply MEMBER_APPROVAL_REQUIRED environment variable setting
+    const memberApprovalRequired = env.MEMBER_APPROVAL_REQUIRED === 'true';
+    const org = await getOrgFromDomain(SINGLE_TENANT_ORG_DOMAIN);
+    if (org) {
+        await prisma.org.update({
+            where: { id: org.id },
+            data: { memberApprovalRequired },
+        });
+        logger.info(`Member approval required set to ${memberApprovalRequired} via MEMBER_APPROVAL_REQUIRED environment variable`);
+    }
+
     // Load any connections defined declaratively in the config file.
     const configPath = env.CONFIG_PATH;
     if (configPath) {
