1 change: 0 additions & 1 deletion .env.development
@@ -13,7 +13,6 @@ CTAGS_COMMAND=ctags
# @see: https://authjs.dev/getting-started/deployment#auth_secret
AUTH_SECRET="00000000000000000000000000000000000000000000"
AUTH_URL="http://localhost:3000"
# AUTH_CREDENTIALS_LOGIN_ENABLED=true

DATA_CACHE_DIR=${PWD}/.sourcebot # Path to the sourcebot cache dir (ex. ~/sourcebot/.sourcebot)
SOURCEBOT_PUBLIC_KEY_PATH=${PWD}/public.pem
6 changes: 5 additions & 1 deletion docs/docs/configuration/auth/providers.mdx
@@ -11,7 +11,11 @@ If there's an authentication provider you'd like us to support, please [reach ou

### Email / Password
---
Email / password authentication is enabled by default. It can be **disabled** by setting `AUTH_CREDENTIALS_LOGIN_ENABLED` to `false`.
Email / password authentication is enabled by default. You can toggle it from **Settings → Access** using the **Email login** setting.

The `AUTH_CREDENTIALS_LOGIN_ENABLED` environment variable is deprecated. It still works, but when it is set it overrides the UI setting and locks the toggle. Leave it unset to manage email login from the UI.

Email login can't be disabled when no other login method is configured (no SSO identity provider and no email-code login), since that would leave no way to sign in.

### Email codes
---
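Review bot: the location given here, Settings → Access, disagrees with the env.server.ts doc comments in this PR, which send operators to Settings → Security, and the toggle is called "Email login" here but "Email & password login" there; pick one name and one location. The last paragraph also promises that email login can't be disabled when it is the only method, but nothing in this PR shows that guard, and the new `isCredentialsLoginEnabled` helper returns `env.AUTH_CREDENTIALS_LOGIN_ENABLED === 'true'` unconditionally, so setting the deprecated variable to `false` on a deployment with no SSO and no email-code login still locks everyone out. Either state that the env override bypasses the guard, or enforce the check in the resolver as well as in the UI.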
1 change: 0 additions & 1 deletion docs/docs/configuration/config-file.mdx
@@ -49,7 +49,6 @@ The following are settings that can be provided in your config file to modify So
| `maxRepoGarbageCollectionJobConcurrency` | number | 8 | 1 | Concurrent repo‑garbage‑collection jobs. |
| `repoGarbageCollectionGracePeriodMs` | number | 10 seconds | 1 | Grace period to avoid deleting shards while loading. |
| `repoIndexTimeoutMs` | number | 2 hours | 1 | Timeout for a single repo‑indexing run. |
| `enablePublicAccess` **(deprecated)** | boolean | false | — | Use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead. |
| `repoDrivenPermissionSyncIntervalMs` | number | 24 hours | 1 | Interval at which the repo permission syncer should run. |
| `userDrivenPermissionSyncIntervalMs` | number | 24 hours | 1 | Interval at which the user permission syncer should run. |
| `experiment_repoDrivenPermissionSyncIntervalMs` **(deprecated)** | number | 24 hours | 1 | Use `repoDrivenPermissionSyncIntervalMs` instead. |
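Review bot: deleting the `enablePublicAccess` row removes the only migration hint for operators who still have that key in their config, and the row pointed at `FORCE_ENABLE_ANONYMOUS_ACCESS`, which this same PR deprecates. If the key is still parsed, keep the row marked **(deprecated)** like its neighbours and point it at the Settings anonymous-access toggle; if it is now rejected, say so here so a config that worked before the upgrade doesn't fail silently.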
4 changes: 0 additions & 4 deletions docs/docs/configuration/environment-variables.mdx
@@ -10,7 +10,6 @@ The following environment variables allow you to configure your Sourcebot deploy

| Variable | Default | Description |
| :------- | :------ | :---------- |
| `AUTH_CREDENTIALS_LOGIN_ENABLED` | `true` | <p>Enables/disables authentication with basic credentials. Username and passwords are stored encrypted at rest within the postgres database. Checkout the [auth docs](/docs/configuration/auth/authentication) for more info</p> |
| `AUTH_EMAIL_CODE_LOGIN_ENABLED` | `false` | <p>Enables/disables authentication with a login code that's sent to a users email. `SMTP_CONNECTION_URL` and `EMAIL_FROM_ADDRESS` must also be set. Checkout the [auth docs](/docs/configuration/auth/authentication) for more info </p> |
| `AUTH_SECRET` **(required)** | - | <p>Used to validate login session cookies. Genearte one with `openssl rand -base64 33`.</p> |
| `AUTH_SESSION_MAX_AGE_SECONDS` | `2592000` (30 days) | <p>Relative time from now in seconds when to expire the session.</p> |
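Review bot: the `AUTH_CREDENTIALS_LOGIN_ENABLED` row is dropped outright even though env.server.ts in this PR keeps parsing it and, when set, has it override and lock the UI toggle; an operator who finds the toggle greyed out has nowhere in these docs to learn why. Keep a row marked **(deprecated)**, as the existing `EXPERIMENT_*` rows do, stating the override-and-lock behaviour. The `AUTH_EMAIL_CODE_LOGIN_ENABLED` row is also now wrong: its schema becomes `.optional()`, so the Default column should read `-` and the description should say the value comes from the Settings toggle unless the variable is set. Nit: `Genearte` in the `AUTH_SECRET` row.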
@@ -24,7 +23,6 @@ The following environment variables allow you to configure your Sourcebot deploy
| `DATA_DIR` | `/data` | <p>The directory within the container to store all persistent data. Typically, this directory will be volume mapped such that data is persisted across container restarts (e.g., `docker run -v $(pwd):/data`)</p> |
| `DATABASE_URL` **(required)** | - | <p>Connection string of your Postgres database, e.g. `postgresql://user:password@host:5432/sourcebot`.</p><p>If you'd like to use a non-default schema, you can provide it as a parameter in the database url.</p><p>You can also use `DATABASE_HOST`, `DATABASE_USERNAME`, `DATABASE_PASSWORD`, `DATABASE_NAME`, and `DATABASE_ARGS` to construct the database url.</p> |
| `EMAIL_FROM_ADDRESS` | `-` | <p>The email address that transactional emails will be sent from. See [this doc](/docs/configuration/transactional-emails) for more info.</p> |
| `FORCE_ENABLE_ANONYMOUS_ACCESS` | `false` | <p>When enabled, [anonymous access](/docs/configuration/auth/access-settings#anonymous-access) to the organization will always be enabled</p>
| `REQUIRE_APPROVAL_NEW_MEMBERS` | - | <p>When set, controls whether new users require approval before accessing your deployment. If not set, the setting can be configured via the UI. See [member approval](/docs/configuration/auth/access-settings#member-approval) for more info.</p>
| `REDIS_URL` **(required)** | - | <p>Connection string of your Redis instance, e.g. `redis://host:6379`.</p><p>To enable TLS, see [this doc](/docs/deployment/infrastructure/redis#tls).</p> |
| `REDIS_REMOVE_ON_COMPLETE` | `0` | <p>Controls how many completed jobs are allowed to remain in Redis queues</p> |
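Review bot: `FORCE_ENABLE_ANONYMOUS_ACCESS` is removed here while `REQUIRE_APPROVAL_NEW_MEMBERS`, which gets the same deprecated/override treatment in env.server.ts, keeps its row; treat the four deprecated auth variables the same way. The removed row also described the old behaviour ("will always be enabled"), whereas the new doc comment says the variable "overrides the UI setting", so a deprecated row should spell out whether `false` now force-disables anonymous access or whether only `true` is honoured.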
@@ -54,10 +52,8 @@ The following environment variables allow you to configure your Sourcebot deploy
| `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> |
| `PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
| `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `PERMISSION_SYNC_ENABLED` is `true`.</p> |
| `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` **(deprecated)** | `false` | <p>Deprecated. Use `PERMISSION_SYNC_ENABLED` instead.</p> |
| `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
| `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create API keys. Non-owner members will receive a `403` error if they attempt to create one.</p> |
| `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` **(deprecated)** | `false` | <p>Deprecated. Use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |
| `DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create or use API keys. Non-owner members will receive a `403` error if they attempt to create or authenticate with an API key. If you only want to restrict creation (not usage), use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |


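Review bot: the two `EXPERIMENT_*` rows are removed from the docs, but the env.server.ts diff in this PR doesn't touch those variables. If they are still parsed, the docs now omit live settings; if they were removed from the schema in an earlier change, this is unrelated cleanup that belongs in its own commit so this PR stays about the auth toggles.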
@@ -0,0 +1,11 @@
-- AlterTable
ALTER TABLE "Org" ADD COLUMN "isAnonymousAccessEnabled" BOOLEAN NOT NULL DEFAULT false,
ADD COLUMN "isCredentialsLoginEnabled" BOOLEAN NOT NULL DEFAULT true,
ADD COLUMN "isEmailCodeLoginEnabled" BOOLEAN NOT NULL DEFAULT false;

-- Backfill the new dedicated column from the legacy `metadata.anonymousAccessEnabled`
-- value (see orgMetadataSchema in packages/web/src/types.ts) so existing deployments
-- that had anonymous access enabled keep it after upgrading.
UPDATE "Org"
SET "isAnonymousAccessEnabled" = true
WHERE "metadata"->>'anonymousAccessEnabled' = 'true';
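Review bot: the backfill covers only `isAnonymousAccessEnabled`. `isCredentialsLoginEnabled` and `isEmailCodeLoginEnabled` get their column defaults (`true` / `false`) for every existing org, which is only correct while the old env vars remain set; the providers doc in this PR tells operators to unset `AUTH_CREDENTIALS_LOGIN_ENABLED`, and the moment they do, a deployment that had password login disabled silently re-enables it. Either document that the env value must be copied into the toggle before unsetting, or seed these columns from the env once at startup (SQL can't see the env). Also consider clearing `metadata.anonymousAccessEnabled`, or removing it from `orgMetadataSchema`, so there is a single source of truth after the upgrade. The `->>'anonymousAccessEnabled' = 'true'` test is fine for a JSON boolean and for a NULL `metadata`.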
24 changes: 23 additions & 1 deletion packages/db/prisma/schema.prisma
@@ -274,10 +274,32 @@ model Org {
apiKeys ApiKey[]
isOnboarded Boolean @default(false)
imageUrl String?
metadata Json? // For schema see orgMetadataSchema in packages/web/src/types.ts
metadata Json?

/// @deprecated This property can be controlled by the environment
/// variable `REQUIRE_APPROVAL_NEW_MEMBERS`. To ensure that we use
/// the correct setting, use the helper function `isMemberApprovalRequired`
/// in shared/src/utils.ts
memberApprovalRequired Boolean @default(true)

/// @deprecated This property can be controlled by the environment
/// variable `AUTH_CREDENTIALS_LOGIN_ENABLED`. To ensure that we use
/// the correct setting, use the helper function `isCredentialsLoginEnabled`
/// in shared/src/utils.ts
isCredentialsLoginEnabled Boolean @default(true)

/// @deprecated This property can be controlled by the environment
/// variable `AUTH_EMAIL_CODE_LOGIN_ENABLED`. To ensure that we use
/// the correct setting, use the helper function `isEmailCodeLoginEnabled`
/// in shared/src/utils.ts
isEmailCodeLoginEnabled Boolean @default(false)

/// @deprecated This property can be overriden by the environment
/// variable `FORCE_ENABLE_ANONYMOUS_ACCESS`, as well as the org's
/// available entitlements. Use the helper function `isAnonymousAccessEnabled`
/// in web/src/lib/entitlements.ts
isAnonymousAccessEnabled Boolean @default(false)

/// List of pending invites to this organization
invites Invite[]

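Review bot: the three new columns are introduced already tagged `@deprecated`, and each comment says the property "can be controlled by the environment variable", which inverts the intent of the PR: the env var is the deprecated path and the column is the replacement. Drop `@deprecated` from the new fields and reword along the lines of "/// Overridden by the deprecated `AUTH_CREDENTIALS_LOGIN_ENABLED` env var when it is set; read via `isCredentialsLoginEnabled` in shared/src/utils.ts". The `metadata Json?` line also loses its pointer to `orgMetadataSchema` while the new migration still references that schema; keep the comment until the legacy key is gone. Nit: `overriden`.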
37 changes: 33 additions & 4 deletions packages/shared/src/env.server.ts
@@ -173,12 +173,8 @@ const options = {
ZOEKT_WEBSERVER_URL: z.string().url().default("http://localhost:6070"),

// Auth
FORCE_ENABLE_ANONYMOUS_ACCESS: booleanSchema.default('false'),
REQUIRE_APPROVAL_NEW_MEMBERS: booleanSchema.optional(),
AUTH_SECRET: z.string(),
AUTH_URL: z.string().url(),
AUTH_CREDENTIALS_LOGIN_ENABLED: booleanSchema.default('true'),
AUTH_EMAIL_CODE_LOGIN_ENABLED: booleanSchema.default('false'),

/**
* Relative time from now in seconds when to expire the session.
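Review bot: `AUTH_CREDENTIALS_LOGIN_ENABLED` goes from `.default('true')` to `.optional()` (further down in this file), so any remaining code that reads `env.AUTH_CREDENTIALS_LOGIN_ENABLED` directly rather than through the new `isCredentialsLoginEnabled(org)` helper now sees `undefined` instead of `'true'`, and a check such as `=== 'true'` will treat password login as disabled. Worth a grep for direct reads of the four moved variables before merging.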
@@ -425,6 +421,39 @@ const options = {
* ignored.
*/
SOURCEBOT_TELEMETRY_PII_COLLECTION_ENABLED: booleanSchema.default('false'),

//////////// Deprecated ////////////
/**
* @deprecated Configure this setting via the "Require approval
* for new members" toggle in Settings → Security intsead.
*/
REQUIRE_APPROVAL_NEW_MEMBERS: booleanSchema.optional(),

/**
* @deprecated Configure email + password login via the "Email & password login"
* toggle in Settings → Security instead. When set, this env var overrides the UI
* setting and locks the toggle; when unset, the DB-backed
* `Org.isCredentialsLoginEnabled` setting is used.
*/
AUTH_CREDENTIALS_LOGIN_ENABLED: booleanSchema.optional(),

/**
* @deprecated Configure email code login via the UI in Settings → Security
* instead. When set, this env var overrides the UI setting and locks the toggle;
* when unset, the DB-backed `Org.isEmailCodeLoginEnabled` setting is used. Left
* optional (rather than defaulting to 'false') so we can detect whether it was
* explicitly set.
*/
AUTH_EMAIL_CODE_LOGIN_ENABLED: booleanSchema.optional(),

/**
* @deprecated Configure anonymous access via the UI in Settings → Security
* instead. When set, this env var overrides the UI setting and locks the toggle;
* when unset, the DB-backed `Org.isAnonymousAccessEnabled` setting is used. Left
* optional (rather than defaulting to 'false') so we can detect whether it was
* explicitly set.
*/
FORCE_ENABLE_ANONYMOUS_ACCESS: booleanSchema.optional(),
},
runtimeEnv,
emptyStringAsUndefined: true,
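Review bot: the `FORCE_ENABLE_ANONYMOUS_ACCESS` comment now says the variable "overrides the UI setting", which, read together with its name, is ambiguous: does `false` force anonymous access off, or is only `true` honoured as it was when the default was `'false'`? The schema.prisma comment in this PR says the column is overridden by the env var "as well as the org's available entitlements", so the resolver in web/src/lib/entitlements.ts decides; document the chosen semantics here and, if `false` is now a hard override, call it out as a behaviour change. The `REQUIRE_APPROVAL_NEW_MEMBERS` comment should mention the same override-and-lock behaviour, since `isMemberApprovalRequired` implements it identically. Nits: `intsead`; "Settings → Security" and "Email & password login" don't match the providers doc ("Settings → Access", "Email login").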
3 changes: 3 additions & 0 deletions packages/shared/src/index.server.ts
@@ -31,6 +31,9 @@ export {
getConfigSettings,
getRepoPath,
getRepoIdFromPath,
isCredentialsLoginEnabled,
isEmailCodeLoginEnabled,
isMemberApprovalRequired,
} from "./utils.js";
export * from "./constants.js";
export {
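Review bot: three of the four toggle resolvers are exported from the shared package here, while the fourth, `isAnonymousAccessEnabled`, lives in web/src/lib/entitlements.ts according to the schema comment. Callers now need two import paths for one feature; consider co-locating all four resolvers, or at least exporting them from one module, so the precedence rule is implemented once.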
27 changes: 26 additions & 1 deletion packages/shared/src/utils.ts
@@ -3,9 +3,10 @@ import stripJsonComments from 'strip-json-comments';
import { z } from "zod";
import { DEFAULT_CONFIG_SETTINGS } from "./constants.js";
import { ConfigSettings } from "./types.js";
import { Repo } from "@sourcebot/db";
import { Org, Repo } from "@sourcebot/db";
import path from "path";
import { env, isRemotePath, loadConfig } from "./env.server.js";
import { isAnonymousAccessAvailable } from './entitlements.js';

// From https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
export const base64Decode = (base64: string): string => {
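Review bot: `isAnonymousAccessAvailable` is imported from './entitlements.js' but none of the code added to this file uses it; drop the import (it will also trip an unused-import lint) or add the anonymous-access resolver it was presumably meant for.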
@@ -118,4 +119,28 @@ export const getRepoPath = (repo: Repo): { path: string, isReadOnly: boolean } =
path: path.join(reposPath, repo.id.toString()),
isReadOnly: false,
}
}

export const isCredentialsLoginEnabled = (org: Org): boolean => {
if (env.AUTH_CREDENTIALS_LOGIN_ENABLED !== undefined) {
return env.AUTH_CREDENTIALS_LOGIN_ENABLED === 'true';
}

return org.isCredentialsLoginEnabled;
}

export const isEmailCodeLoginEnabled = (org: Org): boolean => {
if (env.AUTH_EMAIL_CODE_LOGIN_ENABLED !== undefined) {
return env.AUTH_EMAIL_CODE_LOGIN_ENABLED === 'true';
}

return org.isEmailCodeLoginEnabled;
}

export const isMemberApprovalRequired = (org: Org): boolean => {
if (env.REQUIRE_APPROVAL_NEW_MEMBERS !== undefined) {
return env.REQUIRE_APPROVAL_NEW_MEMBERS === 'true';
}

return org.memberApprovalRequired;
}
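Review bot: the no-lockout rule from the providers doc (email login can't be disabled when there is no SSO and no email-code login) is not enforced anywhere in this diff; `isCredentialsLoginEnabled` returns `false` for an org with both `isCredentialsLoginEnabled` and `isEmailCodeLoginEnabled` false, and the env branch returns whatever the variable says. The write path that flips the column should reject that combination, and this resolver is the place for a defensive fallback if the env override produces it. Separately, the three helpers are one function with different field names; a single `resolveEnvOverride(envValue, dbValue)` would state the precedence rule once and give the UI one place to ask whether a toggle is locked by env, which is exactly the `!== undefined` test repeated here.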
3 changes: 3 additions & 0 deletions packages/web/src/__mocks__/prisma.ts
@@ -19,6 +19,9 @@ export const MOCK_ORG: Org = {
imageUrl: null,
metadata: null,
memberApprovalRequired: false,
isCredentialsLoginEnabled: true,
isEmailCodeLoginEnabled: false,
isAnonymousAccessEnabled: false,
inviteLinkEnabled: false,
inviteLinkId: null,
}