chore(web): Improved security settings

.env.development

@@ -13,7 +13,6 @@ CTAGS_COMMAND=ctags
 # @see: https://authjs.dev/getting-started/deployment#auth_secret
 AUTH_SECRET="00000000000000000000000000000000000000000000"
 AUTH_URL="http://localhost:3000"
-# AUTH_CREDENTIALS_LOGIN_ENABLED=true
 
 DATA_CACHE_DIR=${PWD}/.sourcebot  # Path to the sourcebot cache dir (ex. ~/sourcebot/.sourcebot)
 SOURCEBOT_PUBLIC_KEY_PATH=${PWD}/public.pem

docs/docs/configuration/auth/providers.mdx

@@ -11,7 +11,11 @@ If there's an authentication provider you'd like us to support, please [reach ou
 
 ### Email / Password
 ---
-Email / password authentication is enabled by default. It can be **disabled** by setting `AUTH_CREDENTIALS_LOGIN_ENABLED` to `false`.
+Email / password authentication is enabled by default. You can toggle it from **Settings → Access** using the **Email login** setting.
+
+The `AUTH_CREDENTIALS_LOGIN_ENABLED` environment variable is deprecated. It still works, but when it is set it overrides the UI setting and locks the toggle. Leave it unset to manage email login from the UI.
+
+Email login can't be disabled when no other login method is configured (no SSO identity provider and no email-code login), since that would leave no way to sign in.
 
 ### Email codes
 ---

docs/docs/configuration/config-file.mdx

@@ -49,7 +49,6 @@ The following are settings that can be provided in your config file to modify So
 | `maxRepoGarbageCollectionJobConcurrency`        | number  | 8          | 1       | Concurrent repo‑garbage‑collection jobs.                                               |
 | `repoGarbageCollectionGracePeriodMs`            | number  | 10 seconds | 1       | Grace period to avoid deleting shards while loading.                                   |
 | `repoIndexTimeoutMs`                            | number  | 2 hours    | 1       | Timeout for a single repo‑indexing run.                                                |
-| `enablePublicAccess` **(deprecated)**           | boolean | false      | —       | Use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead.                  |
 | `repoDrivenPermissionSyncIntervalMs`            | number  | 24 hours   | 1       | Interval at which the repo permission syncer should run.                               |
 | `userDrivenPermissionSyncIntervalMs`            | number  | 24 hours   | 1       | Interval at which the user permission syncer should run.                               |
 | `experiment_repoDrivenPermissionSyncIntervalMs` **(deprecated)** | number  | 24 hours   | 1       | Use `repoDrivenPermissionSyncIntervalMs` instead.             |

docs/docs/configuration/environment-variables.mdx

@@ -10,7 +10,6 @@ The following environment variables allow you to configure your Sourcebot deploy
 
 | Variable | Default | Description |
 | :------- | :------ | :---------- |
-| `AUTH_CREDENTIALS_LOGIN_ENABLED` | `true` | <p>Enables/disables authentication with basic credentials. Username and passwords are stored encrypted at rest within the postgres database. Checkout the [auth docs](/docs/configuration/auth/authentication) for more info</p> |
 | `AUTH_EMAIL_CODE_LOGIN_ENABLED` | `false` | <p>Enables/disables authentication with a login code that's sent to a users email. `SMTP_CONNECTION_URL` and `EMAIL_FROM_ADDRESS` must also be set. Checkout the [auth docs](/docs/configuration/auth/authentication) for more info </p> |
 | `AUTH_SECRET` **(required)** | - | <p>Used to validate login session cookies. Genearte one with `openssl rand -base64 33`.</p> |
 | `AUTH_SESSION_MAX_AGE_SECONDS` | `2592000` (30 days) | <p>Relative time from now in seconds when to expire the session.</p> |
@@ -24,7 +23,6 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `DATA_DIR` | `/data` | <p>The directory within the container to store all persistent data. Typically, this directory will be volume mapped such that data is persisted across container restarts (e.g., `docker run -v $(pwd):/data`)</p> |
 | `DATABASE_URL` **(required)** | - | <p>Connection string of your Postgres database, e.g. `postgresql://user:password@host:5432/sourcebot`.</p><p>If you'd like to use a non-default schema, you can provide it as a parameter in the database url.</p><p>You can also use `DATABASE_HOST`, `DATABASE_USERNAME`, `DATABASE_PASSWORD`, `DATABASE_NAME`, and `DATABASE_ARGS` to construct the database url.</p> |
 | `EMAIL_FROM_ADDRESS` | `-` | <p>The email address that transactional emails will be sent from. See [this doc](/docs/configuration/transactional-emails) for more info.</p> | 
-| `FORCE_ENABLE_ANONYMOUS_ACCESS` | `false` | <p>When enabled, [anonymous access](/docs/configuration/auth/access-settings#anonymous-access) to the organization will always be enabled</p>
 | `REQUIRE_APPROVAL_NEW_MEMBERS` | - | <p>When set, controls whether new users require approval before accessing your deployment. If not set, the setting can be configured via the UI. See [member approval](/docs/configuration/auth/access-settings#member-approval) for more info.</p>
 | `REDIS_URL` **(required)** | - | <p>Connection string of your Redis instance, e.g. `redis://host:6379`.</p><p>To enable TLS, see [this doc](/docs/deployment/infrastructure/redis#tls).</p> |
 | `REDIS_REMOVE_ON_COMPLETE` | `0` | <p>Controls how many completed jobs are allowed to remain in Redis queues</p> |
@@ -54,10 +52,8 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
 | `PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
 | `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `PERMISSION_SYNC_ENABLED` is `true`.</p> |
-| `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` **(deprecated)** | `false` | <p>Deprecated. Use `PERMISSION_SYNC_ENABLED` instead.</p> |
 | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
 | `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create API keys. Non-owner members will receive a `403` error if they attempt to create one.</p> |
-| `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` **(deprecated)** | `false` | <p>Deprecated. Use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |
 | `DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create or use API keys. Non-owner members will receive a `403` error if they attempt to create or authenticate with an API key. If you only want to restrict creation (not usage), use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |
 
 

packages/db/prisma/migrations/20260611195453_add_org_access_settings/migration.sql

@@ -0,0 +1,11 @@
+-- AlterTable
+ALTER TABLE "Org" ADD COLUMN     "isAnonymousAccessEnabled" BOOLEAN NOT NULL DEFAULT false,
+ADD COLUMN     "isCredentialsLoginEnabled" BOOLEAN NOT NULL DEFAULT true,
+ADD COLUMN     "isEmailCodeLoginEnabled" BOOLEAN NOT NULL DEFAULT false;
+
+-- Backfill the new dedicated column from the legacy `metadata.anonymousAccessEnabled`
+-- value (see orgMetadataSchema in packages/web/src/types.ts) so existing deployments
+-- that had anonymous access enabled keep it after upgrading.
+UPDATE "Org"
+SET "isAnonymousAccessEnabled" = true
+WHERE "metadata"->>'anonymousAccessEnabled' = 'true';

packages/db/prisma/schema.prisma

@@ -274,10 +274,32 @@ model Org {
   apiKeys     ApiKey[]
   isOnboarded Boolean      @default(false)
   imageUrl    String?
-  metadata    Json? // For schema see orgMetadataSchema in packages/web/src/types.ts
+  metadata    Json?
 
+  /// @deprecated This property can be controlled by the environment
+  /// variable `REQUIRE_APPROVAL_NEW_MEMBERS`. To ensure that we use
+  /// the correct setting, use the helper function `isMemberApprovalRequired`
+  /// in shared/src/utils.ts
   memberApprovalRequired Boolean @default(true)
 
+  /// @deprecated This property can be controlled by the environment
+  /// variable `AUTH_CREDENTIALS_LOGIN_ENABLED`. To ensure that we use
+  /// the correct setting, use the helper function `isCredentialsLoginEnabled`
+  /// in shared/src/utils.ts
+  isCredentialsLoginEnabled Boolean @default(true)
+
+  /// @deprecated This property can be controlled by the environment
+  /// variable `AUTH_EMAIL_CODE_LOGIN_ENABLED`. To ensure that we use
+  /// the correct setting, use the helper function `isEmailCodeLoginEnabled`
+  /// in shared/src/utils.ts
+  isEmailCodeLoginEnabled Boolean @default(false)
+
+  /// @deprecated This property can be overriden by the environment
+  /// variable `FORCE_ENABLE_ANONYMOUS_ACCESS`, as well as the org's
+  /// available entitlements. Use the helper function `isAnonymousAccessEnabled`
+  /// in web/src/lib/entitlements.ts
+  isAnonymousAccessEnabled Boolean @default(false)
+
   /// List of pending invites to this organization
   invites Invite[]
 

packages/shared/src/env.server.ts

@@ -173,12 +173,8 @@ const options = {
         ZOEKT_WEBSERVER_URL: z.string().url().default("http://localhost:6070"),
 
         // Auth
-        FORCE_ENABLE_ANONYMOUS_ACCESS: booleanSchema.default('false'),
-        REQUIRE_APPROVAL_NEW_MEMBERS: booleanSchema.optional(),
         AUTH_SECRET: z.string(),
         AUTH_URL: z.string().url(),
-        AUTH_CREDENTIALS_LOGIN_ENABLED: booleanSchema.default('true'),
-        AUTH_EMAIL_CODE_LOGIN_ENABLED: booleanSchema.default('false'),
 
         /**
          * Relative time from now in seconds when to expire the session.
@@ -425,6 +421,39 @@ const options = {
          * ignored.
          */
         SOURCEBOT_TELEMETRY_PII_COLLECTION_ENABLED: booleanSchema.default('false'),
+
+        //////////// Deprecated ////////////
+        /**
+         * @deprecated Configure this setting via the "Require approval
+         * for new members" toggle in Settings → Security intsead.
+         */
+        REQUIRE_APPROVAL_NEW_MEMBERS: booleanSchema.optional(),
+
+        /**
+         * @deprecated Configure email + password login via the "Email & password login"
+         * toggle in Settings → Security instead. When set, this env var overrides the UI
+         * setting and locks the toggle; when unset, the DB-backed
+         * `Org.isCredentialsLoginEnabled` setting is used.
+         */
+        AUTH_CREDENTIALS_LOGIN_ENABLED: booleanSchema.optional(),
+
+        /**
+         * @deprecated Configure email code login via the UI in Settings → Security
+         * instead. When set, this env var overrides the UI setting and locks the toggle;
+         * when unset, the DB-backed `Org.isEmailCodeLoginEnabled` setting is used. Left
+         * optional (rather than defaulting to 'false') so we can detect whether it was
+         * explicitly set.
+         */
+        AUTH_EMAIL_CODE_LOGIN_ENABLED: booleanSchema.optional(),
+
+        /**
+         * @deprecated Configure anonymous access via the UI in Settings → Security
+         * instead. When set, this env var overrides the UI setting and locks the toggle;
+         * when unset, the DB-backed `Org.isAnonymousAccessEnabled` setting is used. Left
+         * optional (rather than defaulting to 'false') so we can detect whether it was
+         * explicitly set.
+         */
+        FORCE_ENABLE_ANONYMOUS_ACCESS: booleanSchema.optional(),
     },
     runtimeEnv,
     emptyStringAsUndefined: true,

packages/shared/src/index.server.ts

@@ -31,6 +31,9 @@ export {
     getConfigSettings,
     getRepoPath,
     getRepoIdFromPath,
+    isCredentialsLoginEnabled,
+    isEmailCodeLoginEnabled,
+    isMemberApprovalRequired,
 } from "./utils.js";
 export * from "./constants.js";
 export {

packages/shared/src/utils.ts

@@ -3,9 +3,10 @@ import stripJsonComments from 'strip-json-comments';
 import { z } from "zod";
 import { DEFAULT_CONFIG_SETTINGS } from "./constants.js";
 import { ConfigSettings } from "./types.js";
-import { Repo } from "@sourcebot/db";
+import { Org, Repo } from "@sourcebot/db";
 import path from "path";
 import { env, isRemotePath, loadConfig } from "./env.server.js";
+import { isAnonymousAccessAvailable } from './entitlements.js';
 
 // From https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
 export const base64Decode = (base64: string): string => {
@@ -118,4 +119,28 @@ export const getRepoPath = (repo: Repo): { path: string, isReadOnly: boolean } =
         path: path.join(reposPath, repo.id.toString()),
         isReadOnly: false,
     }
+}
+
+export const isCredentialsLoginEnabled = (org: Org): boolean => {
+    if (env.AUTH_CREDENTIALS_LOGIN_ENABLED !== undefined) {
+        return env.AUTH_CREDENTIALS_LOGIN_ENABLED === 'true';
+    }
+
+    return org.isCredentialsLoginEnabled;
+}
+
+export const isEmailCodeLoginEnabled = (org: Org): boolean => {
+    if (env.AUTH_EMAIL_CODE_LOGIN_ENABLED !== undefined) {
+        return env.AUTH_EMAIL_CODE_LOGIN_ENABLED === 'true';
+    }
+
+    return org.isEmailCodeLoginEnabled;
+}
+
+export const isMemberApprovalRequired = (org: Org): boolean => {
+    if (env.REQUIRE_APPROVAL_NEW_MEMBERS !== undefined) {
+        return env.REQUIRE_APPROVAL_NEW_MEMBERS === 'true';
+    }
+
+    return org.memberApprovalRequired;
 }

packages/web/src/__mocks__/prisma.ts

@@ -19,6 +19,9 @@ export const MOCK_ORG: Org = {
     imageUrl: null,
     metadata: null,
     memberApprovalRequired: false,
+    isCredentialsLoginEnabled: true,
+    isEmailCodeLoginEnabled: false,
+    isAnonymousAccessEnabled: false,
     inviteLinkEnabled: false,
     inviteLinkId: null,
 }