remove anonymous-access entitlement

Author: brendan-kellam

packages/shared/src/entitlements.ts

@@ -23,7 +23,6 @@ type LicenseKeyPayload = z.infer<typeof eeLicenseKeyPayloadSchema>;
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
 const ALL_ENTITLEMENTS = [
     "search-contexts",
-    "anonymous-access",
     "sso",
     "code-nav",
     "audit",
@@ -84,6 +83,16 @@ export const hasEntitlement = (entitlement: Entitlement, license: License | null
     return entitlements.includes(entitlement);
 }
 
+export const isAnonymousAccessAvailable = (license: License | null): boolean => {
+    if (getOfflineLicenseKey()) {
+        return false;
+    }
+    if (license && isLicenseActive(license)) {
+        return false;
+    }
+    return true;
+}
+
 export const getEntitlements = (license: License | null): Entitlement[] => {
     const licenseKey = getOfflineLicenseKey();
     if (licenseKey) {

packages/shared/src/index.server.ts

@@ -2,6 +2,7 @@ export {
     hasEntitlement,
     getOfflineLicenseKey,
     getEntitlements,
+    isAnonymousAccessAvailable as isAnonymousAccessEnabled,
 } from "./entitlements.js";
 export type {
     Entitlement,

packages/web/src/actions.ts

@@ -14,7 +14,7 @@ import { createLogger } from "@sourcebot/shared";
 import { GiteaConnectionConfig } from "@sourcebot/schemas/v3/gitea.type";
 import { GithubConnectionConfig } from "@sourcebot/schemas/v3/github.type";
 import { GitlabConnectionConfig } from "@sourcebot/schemas/v3/gitlab.type";
-import { hasEntitlement } from "@/lib/entitlements";
+import { isAnonymousAccessAvailable } from "@/lib/entitlements";
 import { StatusCodes } from "http-status-codes";
 import { cookies } from "next/headers";
 import { createTransport } from "nodemailer";
@@ -1158,40 +1158,11 @@ export const getRepoImage = async (repoId: number): Promise<ArrayBuffer | Servic
     })
 });
 
-export const getAnonymousAccessStatus = async (): Promise<boolean | ServiceError> => sew(async () => {
-    const org = await __unsafePrisma.org.findUnique({
-        where: { id: SINGLE_TENANT_ORG_ID },
-    });
-    if (!org) {
-        return {
-            statusCode: StatusCodes.NOT_FOUND,
-            errorCode: ErrorCode.NOT_FOUND,
-            message: "Organization not found",
-        } satisfies ServiceError;
-    }
-
-    // If no metadata is set we don't try to parse it since it'll result in a parse error
-    if (org.metadata === null) {
-        return false;
-    }
-
-    const orgMetadata = getOrgMetadata(org);
-    if (!orgMetadata) {
-        return {
-            statusCode: StatusCodes.INTERNAL_SERVER_ERROR,
-            errorCode: ErrorCode.INVALID_ORG_METADATA,
-            message: "Invalid organization metadata",
-        } satisfies ServiceError;
-    }
-
-    return !!orgMetadata.anonymousAccessEnabled;
-});
-
 export const setAnonymousAccessStatus = async (enabled: boolean): Promise<ServiceError | boolean> => sew(async () => {
     return await withAuth(async ({ org, role, prisma }) => {
         return await withMinimumOrgRole(role, OrgRole.OWNER, async () => {
-            const hasAnonymousAccessEntitlement = await hasEntitlement("anonymous-access");
-            if (!hasAnonymousAccessEntitlement) {
+            const anonymousAccessAvailable = await isAnonymousAccessAvailable();
+            if (!anonymousAccessAvailable) {
                 console.error(`Anonymous access isn't supported in your current plan. For support, contact ${SOURCEBOT_SUPPORT_EMAIL}.`);
                 return {
                     statusCode: StatusCodes.FORBIDDEN,

packages/web/src/app/(app)/layout.tsx

@@ -19,9 +19,9 @@ import { notFound, redirect } from "next/navigation";
 import { PendingApprovalCard } from "./components/pendingApproval";
 import { SubmitJoinRequest } from "./components/submitJoinRequest";
 import { env } from "@sourcebot/shared";
-import { hasEntitlement } from "@/lib/entitlements";
+import { hasEntitlement, isAnonymousAccessEnabled } from "@/lib/entitlements";
 import { GcpIapAuth } from "./components/gcpIapAuth";
-import { getAnonymousAccessStatus, getMemberApprovalRequired } from "@/actions";
+import { getMemberApprovalRequired } from "@/actions";
 import { JoinOrganizationCard } from "@/app/components/joinOrganizationCard";
 import { LogoutEscapeHatch } from "@/app/components/logoutEscapeHatch";
 import { GitHubStarToast } from "./components/githubStarToast";
@@ -53,18 +53,7 @@ export default async function Layout(props: LayoutProps) {
     }
 
     const session = await auth();
-    const anonymousAccessEnabled = await (async () => {
-        if (!await hasEntitlement("anonymous-access")) {
-            return false;
-        }
-
-        const status = await getAnonymousAccessStatus();
-        if (isServiceError(status)) {
-            return false;
-        }
-
-        return status;
-    })();
+    const anonymousAccessEnabled = await isAnonymousAccessEnabled();
 
     // If the user is authenticated, we must check if they're a member of the org
     if (session) {

packages/web/src/app/components/anonymousAccessToggle.tsx

@@ -7,13 +7,13 @@ import { isServiceError } from "@/lib/utils"
 import { useToast } from "@/components/hooks/use-toast"
 
 interface AnonymousAccessToggleProps {
-    hasAnonymousAccessEntitlement: boolean;
+    anonymousAccessAvailable: boolean;
     anonymousAccessEnabled: boolean
     forceEnableAnonymousAccess: boolean
     onToggleChange?: (checked: boolean) => void
 }
 
-export function AnonymousAccessToggle({ hasAnonymousAccessEntitlement, anonymousAccessEnabled, forceEnableAnonymousAccess, onToggleChange }: AnonymousAccessToggleProps) {
+export function AnonymousAccessToggle({ anonymousAccessAvailable, anonymousAccessEnabled, forceEnableAnonymousAccess, onToggleChange }: AnonymousAccessToggleProps) {
     const [enabled, setEnabled] = useState(anonymousAccessEnabled)
     const [isLoading, setIsLoading] = useState(false)
     const { toast } = useToast()
@@ -45,12 +45,12 @@ export function AnonymousAccessToggle({ hasAnonymousAccessEntitlement, anonymous
             setIsLoading(false)
         }
     }
-    const isDisabled = isLoading || !hasAnonymousAccessEntitlement || forceEnableAnonymousAccess;
-    const showPlanMessage = !hasAnonymousAccessEntitlement;
+    const isDisabled = isLoading || !anonymousAccessAvailable || forceEnableAnonymousAccess;
+    const showPlanMessage = !anonymousAccessAvailable;
     const showForceEnableMessage = !showPlanMessage && forceEnableAnonymousAccess;
 
     return (
-        <div className={`p-4 rounded-lg border border-[var(--border)] bg-[var(--card)] ${(!hasAnonymousAccessEntitlement || forceEnableAnonymousAccess) ? 'opacity-60' : ''}`}>
+        <div className={`p-4 rounded-lg border border-[var(--border)] bg-[var(--card)] ${(!anonymousAccessAvailable || forceEnableAnonymousAccess) ? 'opacity-60' : ''}`}>
             <div className="flex items-start justify-between gap-4">
                 <div className="flex-1 min-w-0">
                     <h3 className="font-medium text-[var(--foreground)] mb-2">
@@ -108,7 +108,7 @@ export function AnonymousAccessToggle({ hasAnonymousAccessEntitlement, anonymous
                                         />
                                     </svg>
                                     <span>
-                                        The <code className="bg-[var(--secondary)] px-1 py-0.5 rounded text-xs font-mono">forceEnableAnonymousAccess</code> is set, so this cannot be changed from the UI.
+                                        <code className="bg-[var(--secondary)] px-1 py-0.5 rounded text-xs font-mono">FORCE_ENABLE_ANONYMOUS_ACCESS</code> is set, so this cannot be changed from the UI.
                                     </span>
                                 </p>
                             </div>

packages/web/src/app/components/organizationAccessSettings.tsx

@@ -1,33 +1,30 @@
 import { createInviteLink } from "@/lib/utils"
 import { AnonymousAccessToggle } from "./anonymousAccessToggle"
 import { OrganizationAccessSettingsWrapper } from "./organizationAccessSettingsWrapper"
-import { getOrgMetadata } from "@/lib/utils"
 import { SINGLE_TENANT_ORG_ID } from "@/lib/constants"
 import { __unsafePrisma } from "@/prisma"
 import { env } from "@sourcebot/shared"
-import { hasEntitlement } from "@/lib/entitlements"
+import { isAnonymousAccessAvailable, isAnonymousAccessEnabled } from "@/lib/entitlements"
 
 export async function OrganizationAccessSettings() {
     const org = await __unsafePrisma.org.findUnique({ where: { id: SINGLE_TENANT_ORG_ID } });
     if (!org) {
         return <div>Error loading organization</div>
     }
 
-    const metadata = getOrgMetadata(org);
-    const anonymousAccessEnabled = metadata?.anonymousAccessEnabled ?? false;
-
     const baseUrl = env.AUTH_URL;
     const inviteLink = createInviteLink(baseUrl, org.inviteLinkId)
 
-    const hasAnonymousAccessEntitlement = await hasEntitlement("anonymous-access");
+    const anonymousAccessEnabled = await isAnonymousAccessEnabled();
+    const anonymousAccessAvailable = await isAnonymousAccessAvailable();
 
     const forceEnableAnonymousAccess = env.FORCE_ENABLE_ANONYMOUS_ACCESS === 'true';
     const memberApprovalEnvVarSet = env.REQUIRE_APPROVAL_NEW_MEMBERS !== undefined;
 
     return (
         <div className="space-y-6">
             <AnonymousAccessToggle
-                hasAnonymousAccessEntitlement={hasAnonymousAccessEntitlement}
+                anonymousAccessAvailable={anonymousAccessAvailable}
                 anonymousAccessEnabled={anonymousAccessEnabled}
                 forceEnableAnonymousAccess={forceEnableAnonymousAccess}
             />

packages/web/src/app/login/page.tsx

@@ -5,9 +5,8 @@ import { Footer } from "@/app/components/footer";
 import { getIdentityProviderMetadata } from "@/lib/identityProviders";
 import { SINGLE_TENANT_ORG_ID } from "@/lib/constants";
 import { __unsafePrisma } from "@/prisma";
-import { getAnonymousAccessStatus } from "@/actions";
-import { isServiceError } from "@/lib/utils";
 import { env } from "@sourcebot/shared";
+import { isAnonymousAccessEnabled } from "@/lib/entitlements";
 
 interface LoginProps {
     searchParams: Promise<{
@@ -29,8 +28,7 @@ export default async function Login(props: LoginProps) {
     }
 
     const providers = await getIdentityProviderMetadata();
-    const anonymousAccessStatus = await getAnonymousAccessStatus();
-    const isAnonymousAccessEnabled = !isServiceError(anonymousAccessStatus) && anonymousAccessStatus;
+    const anonymousAccessEnabled = await isAnonymousAccessEnabled();
 
     return (
         <div className="flex flex-col min-h-screen bg-backgroundSecondary">
@@ -40,7 +38,7 @@ export default async function Login(props: LoginProps) {
                     error={searchParams.error}
                     providers={providers}
                     context="login"
-                    isAnonymousAccessEnabled={isAnonymousAccessEnabled}
+                    isAnonymousAccessEnabled={anonymousAccessEnabled}
                     hideSecurityNotice={env.EXPERIMENT_ASK_GH_ENABLED === 'true'}
                 />
             </div>

packages/web/src/app/signup/page.tsx

@@ -6,8 +6,7 @@ import { getIdentityProviderMetadata } from "@/lib/identityProviders";
 import { createLogger, env } from "@sourcebot/shared";
 import { SINGLE_TENANT_ORG_ID } from "@/lib/constants";
 import { __unsafePrisma } from "@/prisma";
-import { getAnonymousAccessStatus } from "@/actions";
-import { isServiceError } from "@/lib/utils";
+import { isAnonymousAccessEnabled } from "@/lib/entitlements";
 
 const logger = createLogger('signup-page');
 
@@ -32,8 +31,7 @@ export default async function Signup(props: LoginProps) {
     }
 
     const providers = await getIdentityProviderMetadata();
-    const anonymousAccessStatus = await getAnonymousAccessStatus();
-    const isAnonymousAccessEnabled = !isServiceError(anonymousAccessStatus) && anonymousAccessStatus;
+    const anonymousAccessEnabled = await isAnonymousAccessEnabled();
 
     return (
         <div className="flex flex-col min-h-screen bg-backgroundSecondary">
@@ -43,7 +41,7 @@ export default async function Signup(props: LoginProps) {
                     error={searchParams.error}
                     providers={providers}
                     context="signup"
-                    isAnonymousAccessEnabled={isAnonymousAccessEnabled}
+                    isAnonymousAccessEnabled={anonymousAccessEnabled}
                     hideSecurityNotice={env.EXPERIMENT_ASK_GH_ENABLED === 'true'}
                 />
             </div>

packages/web/src/initialize.ts

@@ -1,30 +1,12 @@
 import { __unsafePrisma } from "@/prisma";
 import { startServicePingCronJob } from '@/ee/features/lighthouse/servicePing';
-import { createLogger, env, loadConfig } from "@sourcebot/shared";
+import { createLogger, env } from "@sourcebot/shared";
 import { hasEntitlement } from '@/lib/entitlements';
 import { SINGLE_TENANT_ORG_ID } from './lib/constants';
-import { getOrgMetadata } from './lib/utils';
 
 const logger = createLogger('web-initialize');
 
 const init = async () => {
-    const hasAnonymousAccessEntitlement = await hasEntitlement("anonymous-access");
-    if (!hasAnonymousAccessEntitlement) {
-        // If anonymous access entitlement is not enabled, set the flag to false in the org on init
-        const org = await __unsafePrisma.org.findUnique({ where: { id: SINGLE_TENANT_ORG_ID } });
-        if (org) {
-            const currentMetadata = getOrgMetadata(org);
-            const mergedMetadata = {
-                ...(currentMetadata ?? {}),
-                anonymousAccessEnabled: false,
-            };
-            await __unsafePrisma.org.update({
-                where: { id: org.id },
-                data: { metadata: mergedMetadata },
-            });
-        }
-    }
-
     // If we don't have the search context entitlement then wipe any existing
     // search contexts that may be present in the DB. This could happen if a deployment had
     // the entitlement, synced search contexts, and then no longer had the entitlement
@@ -37,33 +19,6 @@ const init = async () => {
         });
     }
 
-    // Sync anonymous access config from the config file
-    const config = await loadConfig(env.CONFIG_PATH);
-    const forceEnableAnonymousAccess = config.settings?.enablePublicAccess ?? env.FORCE_ENABLE_ANONYMOUS_ACCESS === 'true';
-
-    if (forceEnableAnonymousAccess) {
-        if (!hasAnonymousAccessEntitlement) {
-            logger.warn(`FORCE_ENABLE_ANONYMOUS_ACCESS env var is set to true but anonymous access entitlement is not available. Setting will be ignored.`);
-        } else {
-            const org = await __unsafePrisma.org.findUnique({ where: { id: SINGLE_TENANT_ORG_ID } });
-            if (org) {
-                const currentMetadata = getOrgMetadata(org);
-                const mergedMetadata = {
-                    ...(currentMetadata ?? {}),
-                    anonymousAccessEnabled: true,
-                };
-
-                await __unsafePrisma.org.update({
-                    where: { id: org.id },
-                    data: {
-                        metadata: mergedMetadata,
-                    },
-                });
-                logger.info(`Anonymous access enabled via FORCE_ENABLE_ANONYMOUS_ACCESS environment variable`);
-            }
-        }
-    }
-
     // Sync member approval setting from env var (only if explicitly set)
     if (env.REQUIRE_APPROVAL_NEW_MEMBERS !== undefined) {
         const requireApprovalNewMembers = env.REQUIRE_APPROVAL_NEW_MEMBERS === 'true';