mirror of
https://github.com/documenso/documenso.git
synced 2026-07-11 13:35:20 +10:00
feat: add granular signin disable flags and OIDC auto-redirect (#2857)
This commit is contained in:
@@ -180,6 +180,20 @@ NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP=
|
||||
NEXT_PUBLIC_DISABLE_OIDC_SIGNUP=
|
||||
# OPTIONAL: Comma-separated list of email domains allowed to sign up (e.g., example.com,acme.org).
|
||||
NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS=
|
||||
# OPTIONAL: Set to "true" to disable all signin methods (email, Google, Microsoft, OIDC).
|
||||
NEXT_PUBLIC_DISABLE_SIGNIN=
|
||||
# OPTIONAL: Set to "true" to disable email/password signin only. Also closes /forgot-password and /reset-password.
|
||||
NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN=
|
||||
# OPTIONAL: Set to "true" to hide the Google signin button.
|
||||
NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN=
|
||||
# OPTIONAL: Set to "true" to hide the Microsoft signin button.
|
||||
NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN=
|
||||
# OPTIONAL: Set to "true" to hide the OIDC signin button.
|
||||
NEXT_PUBLIC_DISABLE_OIDC_SIGNIN=
|
||||
# OPTIONAL: When OIDC is the only enabled signin transport, /signin auto-redirects
|
||||
# to the OIDC provider (rendering only a spinner). Set to "true" to disable this
|
||||
# and keep showing the signin page.
|
||||
NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT=
|
||||
# OPTIONAL: Set to true to use internal webapp url in browserless requests.
|
||||
NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS=false
|
||||
|
||||
|
||||
@@ -272,6 +272,12 @@ For detailed certificate setup, see [Signing Certificate](/docs/self-hosting/con
|
||||
| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP` | Block new accounts via Microsoft. Existing linked users can still sign in | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP` | Block new accounts via OIDC, including the organisation portal | `false` |
|
||||
| `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS` | Comma-separated list of email domains allowed to sign up (e.g., `example.com,acme.org`) | |
|
||||
| `NEXT_PUBLIC_DISABLE_SIGNIN` | Master switch. Disable all signin methods application-wide | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN` | Disable email/password signin. Also closes `/forgot-password` and `/reset-password` | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN` | Hide the Google signin button | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN` | Hide the Microsoft signin button | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_OIDC_SIGNIN` | Hide the OIDC signin button | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT` | Disable the automatic `/signin` redirect when OIDC is the only enabled transport | `false` |
|
||||
| `NEXT_PUBLIC_POSTHOG_KEY` | PostHog API key for analytics and feature flags | |
|
||||
| `NEXT_PUBLIC_FEATURE_BILLING_ENABLED` | Enable billing features | `false` |
|
||||
|
||||
@@ -303,6 +309,44 @@ NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP="true"
|
||||
NEXT_PUBLIC_DISABLE_SIGNUP="true"
|
||||
```
|
||||
|
||||
### Sign-in Restrictions
|
||||
|
||||
You can control which methods are available for users to sign in with the following environment variables:
|
||||
|
||||
- **`NEXT_PUBLIC_DISABLE_SIGNIN`** (master switch): Set to `true` to block all signin methods (email/password, Google, Microsoft, OIDC). Hides every signin entry point on `/signin` and rejects email/password signin server-side with a `SIGNIN_DISABLED` error.
|
||||
- **`NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN`**: Set to `true` to disable email/password signin only. The email/password form is hidden, the `/forgot-password` and `/reset-password` pages redirect to `/signin`, and the corresponding server endpoints reject requests. SSO signin is unaffected.
|
||||
- **`NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`**, **`NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`**, **`NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`**: Set to `true` to hide the matching SSO button on the signin page. Useful when an SSO provider is kept configured for account linking but not advertised as a signin entry point.
|
||||
|
||||
These flags are opt-in: when none are set, signin behaviour is unchanged from a stock Documenso instance.
|
||||
|
||||
```bash
|
||||
# Allow only OIDC signin (e.g. enterprise SSO-only)
|
||||
NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN="true"
|
||||
NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN="true"
|
||||
NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN="true"
|
||||
|
||||
# Or disable signin entirely
|
||||
NEXT_PUBLIC_DISABLE_SIGNIN="true"
|
||||
```
|
||||
|
||||
### OIDC Auto-redirect
|
||||
|
||||
When OIDC is the only enabled signin transport on your instance, `/signin` automatically redirects users straight to the OIDC provider instead of showing the signin form. The page renders a spinner while the redirect happens. No extra configuration is required — disabling every other signin method is enough to trigger it.
|
||||
|
||||
- **`NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT`**: Set to `true` to opt out of the automatic redirect and keep rendering the signin page even when OIDC is the only enabled transport.
|
||||
|
||||
The redirect only triggers when OIDC is configured and email/password, Google, and Microsoft signin are all disabled. If any other transport remains enabled, the signin form is shown as normal.
|
||||
|
||||
```bash
|
||||
# OIDC-only signin: disabling all other methods auto-redirects to the provider
|
||||
NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN="true"
|
||||
NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN="true"
|
||||
NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN="true"
|
||||
|
||||
# Opt out of the auto-redirect while still OIDC-only
|
||||
# NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT="true"
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## AI Features
|
||||
@@ -446,6 +490,16 @@ NEXT_PRIVATE_SIGNING_PASSPHRASE="your-certificate-password"
|
||||
# NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP="true"
|
||||
# NEXT_PUBLIC_DISABLE_OIDC_SIGNUP="true"
|
||||
# NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS="example.com,acme.org"
|
||||
|
||||
# Sign-in restrictions (optional)
|
||||
# NEXT_PUBLIC_DISABLE_SIGNIN="true"
|
||||
# NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN="true"
|
||||
# NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN="true"
|
||||
# NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN="true"
|
||||
# NEXT_PUBLIC_DISABLE_OIDC_SIGNIN="true"
|
||||
|
||||
# Opt out of the automatic OIDC redirect when OIDC is the only enabled transport (optional)
|
||||
# NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT="true"
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
@@ -163,6 +163,19 @@ NEXT_PUBLIC_DISABLE_SIGNUP=false
|
||||
# NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP=true
|
||||
# NEXT_PUBLIC_DISABLE_OIDC_SIGNUP=true
|
||||
# NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS=example.com,acme.org
|
||||
|
||||
# Signin restrictions (optional)
|
||||
# Master switch — disables every signin method
|
||||
# NEXT_PUBLIC_DISABLE_SIGNIN=true
|
||||
# Per-method switches (optional). Each disables that signin path.
|
||||
# NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN=true
|
||||
# NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN=true
|
||||
# NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN=true
|
||||
# NEXT_PUBLIC_DISABLE_OIDC_SIGNIN=true
|
||||
|
||||
# When OIDC is the only enabled transport, /signin auto-redirects to the provider.
|
||||
# Set this to opt out and keep showing the signin page (optional).
|
||||
# NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT=true
|
||||
```
|
||||
|
||||
<Callout type="info">Generate secure secrets using: `openssl rand -base64 32`</Callout>
|
||||
|
||||
@@ -112,6 +112,12 @@ See [Email Configuration](/docs/self-hosting/configuration/email) for other tran
|
||||
| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP` | Block new accounts via Microsoft OAuth | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP` | Block new accounts via OIDC (incl. organisation portal) | `false` |
|
||||
| `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS` | Comma-separated list of allowed signup email domains | |
|
||||
| `NEXT_PUBLIC_DISABLE_SIGNIN` | Master switch — disable all signin methods | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN` | Disable email/password signin only | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN` | Hide the Google signin button | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN` | Hide the Microsoft signin button | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_OIDC_SIGNIN` | Hide the OIDC signin button | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT` | Disable auto-redirect to OIDC when it is the only transport | `false` |
|
||||
|
||||
For the complete list, see [Environment Variables](/docs/self-hosting/configuration/environment).
|
||||
|
||||
|
||||
@@ -159,6 +159,12 @@ NEXT_PRIVATE_SMTP_FROM_ADDRESS=noreply@yourdomain.com
|
||||
| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP`| Block new accounts via Microsoft OAuth | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP` | Block new accounts via OIDC (incl. organisation portal)| `false` |
|
||||
| `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS` | Comma-separated list of allowed signup email domains | |
|
||||
| `NEXT_PUBLIC_DISABLE_SIGNIN` | Master switch — disable all signin methods | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN` | Disable email/password signin only | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN` | Hide the Google signin button | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`| Hide the Microsoft signin button | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_OIDC_SIGNIN` | Hide the OIDC signin button | `false` |
|
||||
| `NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT` | Disable auto-redirect to OIDC when it is the only transport | `false` |
|
||||
| `NEXT_PRIVATE_SIGNING_PASSPHRASE` | Passphrase for signing certificate | - |
|
||||
| `DOCUMENSO_DISABLE_TELEMETRY` | Disable anonymous telemetry | `false` |
|
||||
|
||||
|
||||
@@ -58,6 +58,7 @@ export type TSignInFormSchema = z.infer<typeof ZSignInFormSchema>;
|
||||
export type SignInFormProps = {
|
||||
className?: string;
|
||||
initialEmail?: string;
|
||||
isEmailPasswordSigninEnabled?: boolean;
|
||||
isGoogleSSOEnabled?: boolean;
|
||||
isMicrosoftSSOEnabled?: boolean;
|
||||
isOIDCSSOEnabled?: boolean;
|
||||
@@ -68,6 +69,7 @@ export type SignInFormProps = {
|
||||
export const SignInForm = ({
|
||||
className,
|
||||
initialEmail,
|
||||
isEmailPasswordSigninEnabled = true,
|
||||
isGoogleSSOEnabled,
|
||||
isMicrosoftSSOEnabled,
|
||||
isOIDCSSOEnabled,
|
||||
@@ -324,66 +326,78 @@ export const SignInForm = ({
|
||||
<Form {...form}>
|
||||
<form className={cn('flex w-full flex-col gap-y-4', className)} onSubmit={form.handleSubmit(onFormSubmit)}>
|
||||
<fieldset className="flex w-full flex-col gap-y-4" disabled={isSubmitting || isPasskeyLoading}>
|
||||
<FormField
|
||||
control={form.control}
|
||||
name="email"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
<Trans>Email</Trans>
|
||||
</FormLabel>
|
||||
{isEmailPasswordSigninEnabled && (
|
||||
<>
|
||||
<FormField
|
||||
control={form.control}
|
||||
name="email"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
<Trans>Email</Trans>
|
||||
</FormLabel>
|
||||
|
||||
<FormControl>
|
||||
<Input type="email" {...field} />
|
||||
</FormControl>
|
||||
<FormControl>
|
||||
<Input type="email" {...field} />
|
||||
</FormControl>
|
||||
|
||||
<FormMessage />
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
<FormMessage />
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
|
||||
<FormField
|
||||
control={form.control}
|
||||
name="password"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
<Trans>Password</Trans>
|
||||
</FormLabel>
|
||||
<FormField
|
||||
control={form.control}
|
||||
name="password"
|
||||
render={({ field }) => (
|
||||
<FormItem>
|
||||
<FormLabel>
|
||||
<Trans>Password</Trans>
|
||||
</FormLabel>
|
||||
|
||||
<FormControl>
|
||||
<PasswordInput {...field} />
|
||||
</FormControl>
|
||||
<FormControl>
|
||||
<PasswordInput {...field} />
|
||||
</FormControl>
|
||||
|
||||
<FormMessage />
|
||||
<FormMessage />
|
||||
|
||||
<p className="mt-2 text-right">
|
||||
<Link to="/forgot-password" className="text-muted-foreground text-sm duration-200 hover:opacity-70">
|
||||
<Trans>Forgot your password?</Trans>
|
||||
</Link>
|
||||
</p>
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
<p className="mt-2 text-right">
|
||||
<Link
|
||||
to="/forgot-password"
|
||||
className="text-muted-foreground text-sm duration-200 hover:opacity-70"
|
||||
>
|
||||
<Trans>Forgot your password?</Trans>
|
||||
</Link>
|
||||
</p>
|
||||
</FormItem>
|
||||
)}
|
||||
/>
|
||||
|
||||
{turnstileSiteKey && !isTwoFactorAuthenticationDialogOpen && (
|
||||
<Turnstile
|
||||
ref={turnstileRef}
|
||||
siteKey={turnstileSiteKey}
|
||||
options={{
|
||||
size: 'flexible',
|
||||
appearance: 'always',
|
||||
}}
|
||||
/>
|
||||
{turnstileSiteKey && !isTwoFactorAuthenticationDialogOpen && (
|
||||
<Turnstile
|
||||
ref={turnstileRef}
|
||||
siteKey={turnstileSiteKey}
|
||||
options={{
|
||||
size: 'flexible',
|
||||
appearance: 'always',
|
||||
}}
|
||||
/>
|
||||
)}
|
||||
|
||||
<Button
|
||||
type="submit"
|
||||
size="lg"
|
||||
loading={isSubmitting}
|
||||
className="dark:bg-documenso dark:hover:opacity-90"
|
||||
>
|
||||
{isSubmitting ? <Trans>Signing in...</Trans> : <Trans>Sign In</Trans>}
|
||||
</Button>
|
||||
</>
|
||||
)}
|
||||
|
||||
<Button type="submit" size="lg" loading={isSubmitting} className="dark:bg-documenso dark:hover:opacity-90">
|
||||
{isSubmitting ? <Trans>Signing in...</Trans> : <Trans>Sign In</Trans>}
|
||||
</Button>
|
||||
|
||||
{!isEmbeddedRedirect && (
|
||||
<>
|
||||
{hasSocialAuthEnabled && (
|
||||
{isEmailPasswordSigninEnabled && hasSocialAuthEnabled && (
|
||||
<div className="relative flex items-center justify-center gap-x-4 py-2 text-xs uppercase">
|
||||
<div className="h-px flex-1 bg-border" />
|
||||
<span className="bg-transparent text-muted-foreground">
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import { isSigninEnabledForProvider } from '@documenso/lib/constants/auth';
|
||||
import { msg } from '@lingui/core/macro';
|
||||
import { Trans } from '@lingui/react/macro';
|
||||
import { Link } from 'react-router';
|
||||
import { Link, redirect } from 'react-router';
|
||||
|
||||
import { ForgotPasswordForm } from '~/components/forms/forgot-password';
|
||||
import { appMetaTags } from '~/utils/meta';
|
||||
@@ -9,6 +10,14 @@ export function meta() {
|
||||
return appMetaTags(msg`Forgot Password`);
|
||||
}
|
||||
|
||||
export async function loader() {
|
||||
if (!isSigninEnabledForProvider('email')) {
|
||||
throw redirect('/signin');
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
export default function ForgotPasswordPage() {
|
||||
return (
|
||||
<div className="w-screen max-w-lg px-4">
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
import { isSigninEnabledForProvider } from '@documenso/lib/constants/auth';
|
||||
import { getResetTokenValidity } from '@documenso/lib/server-only/user/get-reset-token-validity';
|
||||
import { msg } from '@lingui/core/macro';
|
||||
import { Trans } from '@lingui/react/macro';
|
||||
@@ -13,6 +14,10 @@ export function meta() {
|
||||
}
|
||||
|
||||
export async function loader({ params }: Route.LoaderArgs) {
|
||||
if (!isSigninEnabledForProvider('email')) {
|
||||
throw redirect('/signin');
|
||||
}
|
||||
|
||||
const { token } = params;
|
||||
|
||||
const isValid = await getResetTokenValidity({ token });
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
import { isSigninEnabledForProvider } from '@documenso/lib/constants/auth';
|
||||
import { Button } from '@documenso/ui/primitives/button';
|
||||
import { msg } from '@lingui/core/macro';
|
||||
import { Trans } from '@lingui/react/macro';
|
||||
import { Link } from 'react-router';
|
||||
import { Link, redirect } from 'react-router';
|
||||
|
||||
import { appMetaTags } from '~/utils/meta';
|
||||
|
||||
@@ -9,6 +10,14 @@ export function meta() {
|
||||
return appMetaTags(msg`Reset Password`);
|
||||
}
|
||||
|
||||
export async function loader() {
|
||||
if (!isSigninEnabledForProvider('email')) {
|
||||
throw redirect('/signin');
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
export default function ResetPasswordPage() {
|
||||
return (
|
||||
<div className="w-screen max-w-lg px-4">
|
||||
|
||||
@@ -1,8 +1,11 @@
|
||||
import { authClient } from '@documenso/auth/client';
|
||||
import { getOptionalSession } from '@documenso/auth/server/lib/utils/get-session';
|
||||
import {
|
||||
IS_GOOGLE_SSO_ENABLED,
|
||||
IS_MICROSOFT_SSO_ENABLED,
|
||||
IS_OIDC_AUTO_REDIRECT_DISABLED,
|
||||
IS_OIDC_SSO_ENABLED,
|
||||
isSigninEnabledForProvider,
|
||||
isSignupEnabledForProvider,
|
||||
OIDC_PROVIDER_LABEL,
|
||||
} from '@documenso/lib/constants/auth';
|
||||
@@ -11,6 +14,7 @@ import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
|
||||
import { msg } from '@lingui/core/macro';
|
||||
import { useLingui } from '@lingui/react';
|
||||
import { Trans } from '@lingui/react/macro';
|
||||
import { Loader2Icon } from 'lucide-react';
|
||||
import { useEffect, useState } from 'react';
|
||||
import { Link, redirect, useSearchParams } from 'react-router';
|
||||
|
||||
@@ -28,10 +32,20 @@ export async function loader({ request }: Route.LoaderArgs) {
|
||||
const { isAuthenticated } = await getOptionalSession(request);
|
||||
|
||||
// SSR env variables.
|
||||
const isGoogleSSOEnabled = IS_GOOGLE_SSO_ENABLED;
|
||||
const isMicrosoftSSOEnabled = IS_MICROSOFT_SSO_ENABLED;
|
||||
const isOIDCSSOEnabled = IS_OIDC_SSO_ENABLED;
|
||||
const isEmailPasswordSigninEnabled = isSigninEnabledForProvider('email');
|
||||
const isGoogleSSOEnabled = IS_GOOGLE_SSO_ENABLED && isSigninEnabledForProvider('google');
|
||||
const isMicrosoftSSOEnabled = IS_MICROSOFT_SSO_ENABLED && isSigninEnabledForProvider('microsoft');
|
||||
const isOIDCSSOEnabled = IS_OIDC_SSO_ENABLED && isSigninEnabledForProvider('oidc');
|
||||
|
||||
// Automatically redirect to OIDC when it is the only enabled signin transport,
|
||||
// unless the redirect has been explicitly disabled via env.
|
||||
const isOIDCOnlyTransport =
|
||||
isOIDCSSOEnabled && !isEmailPasswordSigninEnabled && !isGoogleSSOEnabled && !isMicrosoftSSOEnabled;
|
||||
|
||||
const shouldAutoRedirectToOIDC = isOIDCOnlyTransport && !IS_OIDC_AUTO_REDIRECT_DISABLED;
|
||||
|
||||
const oidcProviderLabel = OIDC_PROVIDER_LABEL;
|
||||
|
||||
const isSignupEnabled =
|
||||
isSignupEnabledForProvider('email') ||
|
||||
(IS_GOOGLE_SSO_ENABLED && isSignupEnabledForProvider('google')) ||
|
||||
@@ -47,18 +61,28 @@ export async function loader({ request }: Route.LoaderArgs) {
|
||||
}
|
||||
|
||||
return {
|
||||
isEmailPasswordSigninEnabled,
|
||||
isGoogleSSOEnabled,
|
||||
isMicrosoftSSOEnabled,
|
||||
isOIDCSSOEnabled,
|
||||
isSignupEnabled,
|
||||
oidcProviderLabel,
|
||||
returnTo,
|
||||
shouldAutoRedirectToOIDC,
|
||||
};
|
||||
}
|
||||
|
||||
export default function SignIn({ loaderData }: Route.ComponentProps) {
|
||||
const { isGoogleSSOEnabled, isMicrosoftSSOEnabled, isOIDCSSOEnabled, isSignupEnabled, oidcProviderLabel, returnTo } =
|
||||
loaderData;
|
||||
const {
|
||||
isEmailPasswordSigninEnabled,
|
||||
isGoogleSSOEnabled,
|
||||
isMicrosoftSSOEnabled,
|
||||
isOIDCSSOEnabled,
|
||||
isSignupEnabled,
|
||||
oidcProviderLabel,
|
||||
returnTo,
|
||||
shouldAutoRedirectToOIDC,
|
||||
} = loaderData;
|
||||
|
||||
const { _ } = useLingui();
|
||||
|
||||
@@ -76,6 +100,27 @@ export default function SignIn({ loaderData }: Route.ComponentProps) {
|
||||
setIsEmbeddedRedirect(params.get('embedded') === 'true');
|
||||
}, []);
|
||||
|
||||
useEffect(() => {
|
||||
if (!shouldAutoRedirectToOIDC) {
|
||||
return;
|
||||
}
|
||||
|
||||
void authClient.oidc.signIn({ redirectPath: returnTo ?? '/' });
|
||||
}, [shouldAutoRedirectToOIDC, returnTo]);
|
||||
|
||||
if (shouldAutoRedirectToOIDC) {
|
||||
return (
|
||||
<div className="w-screen max-w-lg px-4">
|
||||
<div className="flex flex-col items-center justify-center gap-y-4 py-12">
|
||||
<Loader2Icon className="h-8 w-8 animate-spin text-muted-foreground" />
|
||||
<p className="text-muted-foreground text-sm">
|
||||
<Trans>Redirecting to {oidcProviderLabel || 'OIDC'}...</Trans>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
);
|
||||
}
|
||||
|
||||
return (
|
||||
<div className="w-screen max-w-lg px-4">
|
||||
<div className="z-10 rounded-xl border border-border bg-neutral-100 p-6 dark:bg-background">
|
||||
@@ -95,6 +140,7 @@ export default function SignIn({ loaderData }: Route.ComponentProps) {
|
||||
<hr className="-mx-6 my-4" />
|
||||
|
||||
<SignInForm
|
||||
isEmailPasswordSigninEnabled={isEmailPasswordSigninEnabled}
|
||||
isGoogleSSOEnabled={isGoogleSSOEnabled}
|
||||
isMicrosoftSSOEnabled={isMicrosoftSSOEnabled}
|
||||
isOIDCSSOEnabled={isOIDCSSOEnabled}
|
||||
|
||||
@@ -64,6 +64,12 @@ services:
|
||||
- NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP=${NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP}
|
||||
- NEXT_PUBLIC_DISABLE_OIDC_SIGNUP=${NEXT_PUBLIC_DISABLE_OIDC_SIGNUP}
|
||||
- NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS=${NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS}
|
||||
- NEXT_PUBLIC_DISABLE_SIGNIN=${NEXT_PUBLIC_DISABLE_SIGNIN}
|
||||
- NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN=${NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN}
|
||||
- NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN=${NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN}
|
||||
- NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN=${NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN}
|
||||
- NEXT_PUBLIC_DISABLE_OIDC_SIGNIN=${NEXT_PUBLIC_DISABLE_OIDC_SIGNIN}
|
||||
- NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT=${NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT}
|
||||
- NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=${NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH:-/opt/documenso/cert.p12}
|
||||
- NEXT_PRIVATE_SIGNING_PASSPHRASE=${NEXT_PRIVATE_SIGNING_PASSPHRASE}
|
||||
- NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS=${NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS}
|
||||
|
||||
@@ -17,6 +17,7 @@ export const AuthenticationErrorCode = {
|
||||
// TwoFactorMissingSecret: 'TWO_FACTOR_MISSING_SECRET',
|
||||
// TwoFactorMissingCredentials: 'TWO_FACTOR_MISSING_CREDENTIALS',
|
||||
InvalidTwoFactorCode: 'INVALID_TWO_FACTOR_CODE',
|
||||
SigninDisabled: 'SIGNIN_DISABLED',
|
||||
SignupDisabled: 'SIGNUP_DISABLED',
|
||||
SignupDisposableEmail: 'SIGNUP_DISPOSABLE_EMAIL',
|
||||
// IncorrectTwoFactorBackupCode: 'INCORRECT_TWO_FACTOR_BACKUP_CODE',
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import {
|
||||
isDisposableEmail,
|
||||
isEmailDomainAllowedForSignup,
|
||||
isSigninEnabledForProvider,
|
||||
isSignupEnabledForProvider,
|
||||
} from '@documenso/lib/constants/auth';
|
||||
import { EMAIL_VERIFICATION_STATE } from '@documenso/lib/constants/email';
|
||||
@@ -64,6 +65,12 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
|
||||
.post('/authorize', sValidator('json', ZSignInSchema), async (c) => {
|
||||
const requestMetadata = c.get('requestMetadata');
|
||||
|
||||
if (!isSigninEnabledForProvider('email')) {
|
||||
throw new AppError(AuthenticationErrorCode.SigninDisabled, {
|
||||
statusCode: 400,
|
||||
});
|
||||
}
|
||||
|
||||
const { email, password, totpCode, backupCode, csrfToken, captchaToken } = c.req.valid('json');
|
||||
|
||||
const loginLimitResult = await loginRateLimit.check({
|
||||
@@ -244,6 +251,12 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
|
||||
const { password, currentPassword } = c.req.valid('json');
|
||||
const requestMetadata = c.get('requestMetadata');
|
||||
|
||||
if (!isSigninEnabledForProvider('email')) {
|
||||
throw new AppError(AuthenticationErrorCode.SigninDisabled, {
|
||||
statusCode: 400,
|
||||
});
|
||||
}
|
||||
|
||||
const { session, user } = await getSession(c);
|
||||
|
||||
await updatePassword({
|
||||
@@ -346,6 +359,12 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
|
||||
.post('/forgot-password', sValidator('json', ZForgotPasswordSchema), async (c) => {
|
||||
const requestMetadata = c.get('requestMetadata');
|
||||
|
||||
if (!isSigninEnabledForProvider('email')) {
|
||||
throw new AppError(AuthenticationErrorCode.SigninDisabled, {
|
||||
statusCode: 400,
|
||||
});
|
||||
}
|
||||
|
||||
const { email } = c.req.valid('json');
|
||||
|
||||
const forgotLimitResult = await forgotPasswordRateLimit.check({
|
||||
@@ -377,6 +396,12 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
|
||||
.post('/reset-password', sValidator('json', ZResetPasswordSchema), async (c) => {
|
||||
const requestMetadata = c.get('requestMetadata');
|
||||
|
||||
if (!isSigninEnabledForProvider('email')) {
|
||||
throw new AppError(AuthenticationErrorCode.SigninDisabled, {
|
||||
statusCode: 400,
|
||||
});
|
||||
}
|
||||
|
||||
const { token, password } = c.req.valid('json');
|
||||
|
||||
const resetLimitResult = await resetPasswordRateLimit.check({
|
||||
|
||||
@@ -41,6 +41,14 @@ export const IS_OIDC_SSO_ENABLED = Boolean(
|
||||
|
||||
export const OIDC_PROVIDER_LABEL = env('NEXT_PRIVATE_OIDC_PROVIDER_LABEL');
|
||||
|
||||
/**
|
||||
* Opt-out flag for the automatic OIDC redirect.
|
||||
*
|
||||
* When OIDC is the only enabled signin transport we redirect to the provider
|
||||
* automatically. Set this to "true" to keep rendering the signin page instead.
|
||||
*/
|
||||
export const IS_OIDC_AUTO_REDIRECT_DISABLED = env('NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT') === 'true';
|
||||
|
||||
export const USER_SECURITY_AUDIT_LOG_MAP: Record<string, string> = {
|
||||
ACCOUNT_SSO_LINK: 'Linked account to SSO',
|
||||
ACCOUNT_SSO_UNLINK: 'Unlinked account from SSO',
|
||||
@@ -188,3 +196,22 @@ export const isSignupEnabledForProvider = (provider: 'email' | 'google' | 'micro
|
||||
|
||||
return env(flagMap[provider]) !== 'true';
|
||||
};
|
||||
|
||||
/**
|
||||
* Check if signin is enabled for the given provider.
|
||||
* The master switch takes precedence over the per-provider flags.
|
||||
*/
|
||||
export const isSigninEnabledForProvider = (provider: 'email' | 'google' | 'microsoft' | 'oidc'): boolean => {
|
||||
if (env('NEXT_PUBLIC_DISABLE_SIGNIN') === 'true') {
|
||||
return false;
|
||||
}
|
||||
|
||||
const flagMap = {
|
||||
email: 'NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN',
|
||||
google: 'NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN',
|
||||
microsoft: 'NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN',
|
||||
oidc: 'NEXT_PUBLIC_DISABLE_OIDC_SIGNIN',
|
||||
} as const;
|
||||
|
||||
return env(flagMap[provider]) !== 'true';
|
||||
};
|
||||
|
||||
@@ -8917,6 +8917,11 @@ msgstr "Weiterleitungs-URL"
|
||||
msgid "Redirecting"
|
||||
msgstr "Weiterleitung"
|
||||
|
||||
#. placeholder {0}: oidcProviderLabel || 'OIDC'
|
||||
#: apps/remix/app/routes/_unauthenticated+/signin.tsx
|
||||
msgid "Redirecting to {0}..."
|
||||
msgstr ""
|
||||
|
||||
#: apps/remix/app/components/forms/signup.tsx
|
||||
#: apps/remix/app/components/general/claim-account.tsx
|
||||
msgid "Registration Successful"
|
||||
|
||||
@@ -8908,6 +8908,11 @@ msgstr "Redirect URL"
|
||||
msgid "Redirecting"
|
||||
msgstr "Redirecting"
|
||||
|
||||
#. placeholder {0}: oidcProviderLabel || 'OIDC'
|
||||
#: apps/remix/app/routes/_unauthenticated+/signin.tsx
|
||||
msgid "Redirecting to {0}..."
|
||||
msgstr "Redirecting to {0}..."
|
||||
|
||||
#: apps/remix/app/components/forms/signup.tsx
|
||||
#: apps/remix/app/components/general/claim-account.tsx
|
||||
msgid "Registration Successful"
|
||||
|
||||
@@ -8917,6 +8917,11 @@ msgstr "URL de redirección"
|
||||
msgid "Redirecting"
|
||||
msgstr "Redireccionando"
|
||||
|
||||
#. placeholder {0}: oidcProviderLabel || 'OIDC'
|
||||
#: apps/remix/app/routes/_unauthenticated+/signin.tsx
|
||||
msgid "Redirecting to {0}..."
|
||||
msgstr ""
|
||||
|
||||
#: apps/remix/app/components/forms/signup.tsx
|
||||
#: apps/remix/app/components/general/claim-account.tsx
|
||||
msgid "Registration Successful"
|
||||
|
||||
@@ -8917,6 +8917,11 @@ msgstr "URL de redirection"
|
||||
msgid "Redirecting"
|
||||
msgstr "Redirection"
|
||||
|
||||
#. placeholder {0}: oidcProviderLabel || 'OIDC'
|
||||
#: apps/remix/app/routes/_unauthenticated+/signin.tsx
|
||||
msgid "Redirecting to {0}..."
|
||||
msgstr ""
|
||||
|
||||
#: apps/remix/app/components/forms/signup.tsx
|
||||
#: apps/remix/app/components/general/claim-account.tsx
|
||||
msgid "Registration Successful"
|
||||
|
||||
@@ -8917,6 +8917,11 @@ msgstr "URL di reindirizzamento"
|
||||
msgid "Redirecting"
|
||||
msgstr "Reindirizzamento"
|
||||
|
||||
#. placeholder {0}: oidcProviderLabel || 'OIDC'
|
||||
#: apps/remix/app/routes/_unauthenticated+/signin.tsx
|
||||
msgid "Redirecting to {0}..."
|
||||
msgstr ""
|
||||
|
||||
#: apps/remix/app/components/forms/signup.tsx
|
||||
#: apps/remix/app/components/general/claim-account.tsx
|
||||
msgid "Registration Successful"
|
||||
|
||||
@@ -8917,6 +8917,11 @@ msgstr "リダイレクト URL"
|
||||
msgid "Redirecting"
|
||||
msgstr "リダイレクト中"
|
||||
|
||||
#. placeholder {0}: oidcProviderLabel || 'OIDC'
|
||||
#: apps/remix/app/routes/_unauthenticated+/signin.tsx
|
||||
msgid "Redirecting to {0}..."
|
||||
msgstr ""
|
||||
|
||||
#: apps/remix/app/components/forms/signup.tsx
|
||||
#: apps/remix/app/components/general/claim-account.tsx
|
||||
msgid "Registration Successful"
|
||||
|
||||
@@ -8917,6 +8917,11 @@ msgstr "리디렉션 URL"
|
||||
msgid "Redirecting"
|
||||
msgstr "리디렉션 중"
|
||||
|
||||
#. placeholder {0}: oidcProviderLabel || 'OIDC'
|
||||
#: apps/remix/app/routes/_unauthenticated+/signin.tsx
|
||||
msgid "Redirecting to {0}..."
|
||||
msgstr ""
|
||||
|
||||
#: apps/remix/app/components/forms/signup.tsx
|
||||
#: apps/remix/app/components/general/claim-account.tsx
|
||||
msgid "Registration Successful"
|
||||
|
||||
@@ -8917,6 +8917,11 @@ msgstr "Redirect-URL"
|
||||
msgid "Redirecting"
|
||||
msgstr "Doorsturen"
|
||||
|
||||
#. placeholder {0}: oidcProviderLabel || 'OIDC'
|
||||
#: apps/remix/app/routes/_unauthenticated+/signin.tsx
|
||||
msgid "Redirecting to {0}..."
|
||||
msgstr ""
|
||||
|
||||
#: apps/remix/app/components/forms/signup.tsx
|
||||
#: apps/remix/app/components/general/claim-account.tsx
|
||||
msgid "Registration Successful"
|
||||
|
||||
@@ -8918,6 +8918,11 @@ msgstr "Adres URL przekierowania"
|
||||
msgid "Redirecting"
|
||||
msgstr "Przekierowywanie"
|
||||
|
||||
#. placeholder {0}: oidcProviderLabel || 'OIDC'
|
||||
#: apps/remix/app/routes/_unauthenticated+/signin.tsx
|
||||
msgid "Redirecting to {0}..."
|
||||
msgstr ""
|
||||
|
||||
#: apps/remix/app/components/forms/signup.tsx
|
||||
#: apps/remix/app/components/general/claim-account.tsx
|
||||
msgid "Registration Successful"
|
||||
|
||||
@@ -8908,6 +8908,11 @@ msgstr "URL de Redirecionamento"
|
||||
msgid "Redirecting"
|
||||
msgstr "Redirecionando"
|
||||
|
||||
#. placeholder {0}: oidcProviderLabel || 'OIDC'
|
||||
#: apps/remix/app/routes/_unauthenticated+/signin.tsx
|
||||
msgid "Redirecting to {0}..."
|
||||
msgstr ""
|
||||
|
||||
#: apps/remix/app/components/forms/signup.tsx
|
||||
#: apps/remix/app/components/general/claim-account.tsx
|
||||
msgid "Registration Successful"
|
||||
|
||||
@@ -8917,6 +8917,11 @@ msgstr "重定向 URL"
|
||||
msgid "Redirecting"
|
||||
msgstr "正在重定向"
|
||||
|
||||
#. placeholder {0}: oidcProviderLabel || 'OIDC'
|
||||
#: apps/remix/app/routes/_unauthenticated+/signin.tsx
|
||||
msgid "Redirecting to {0}..."
|
||||
msgstr ""
|
||||
|
||||
#: apps/remix/app/components/forms/signup.tsx
|
||||
#: apps/remix/app/components/general/claim-account.tsx
|
||||
msgid "Registration Successful"
|
||||
|
||||
Vendored
+7
@@ -93,6 +93,13 @@ declare namespace NodeJS {
|
||||
NEXT_PUBLIC_DISABLE_OIDC_SIGNUP?: string;
|
||||
NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS?: string;
|
||||
|
||||
NEXT_PUBLIC_DISABLE_SIGNIN?: string;
|
||||
NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN?: string;
|
||||
NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN?: string;
|
||||
NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN?: string;
|
||||
NEXT_PUBLIC_DISABLE_OIDC_SIGNIN?: string;
|
||||
NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT?: string;
|
||||
|
||||
NEXT_PRIVATE_BROWSERLESS_URL?: string;
|
||||
|
||||
NEXT_PRIVATE_JOBS_PROVIDER?: 'inngest' | 'local' | 'bullmq';
|
||||
|
||||
+12
@@ -163,6 +163,18 @@ services:
|
||||
sync: false
|
||||
- key: NEXT_PUBLIC_DISABLE_OIDC_SIGNUP
|
||||
sync: false
|
||||
- key: NEXT_PUBLIC_DISABLE_SIGNIN
|
||||
sync: false
|
||||
- key: NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN
|
||||
sync: false
|
||||
- key: NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN
|
||||
sync: false
|
||||
- key: NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN
|
||||
sync: false
|
||||
- key: NEXT_PUBLIC_DISABLE_OIDC_SIGNIN
|
||||
sync: false
|
||||
- key: NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT
|
||||
sync: false
|
||||
- key: NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS
|
||||
sync: false
|
||||
|
||||
|
||||
@@ -53,6 +53,12 @@
|
||||
"NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP",
|
||||
"NEXT_PUBLIC_DISABLE_OIDC_SIGNUP",
|
||||
"NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS",
|
||||
"NEXT_PUBLIC_DISABLE_SIGNIN",
|
||||
"NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN",
|
||||
"NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN",
|
||||
"NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN",
|
||||
"NEXT_PUBLIC_DISABLE_OIDC_SIGNIN",
|
||||
"NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT",
|
||||
"NEXT_PRIVATE_PLAIN_API_KEY",
|
||||
"NEXT_PUBLIC_DOCUMENT_SIZE_UPLOAD_LIMIT",
|
||||
"NEXT_PRIVATE_DOCUMENSO_LICENSE_KEY",
|
||||
|
||||
Reference in New Issue
Block a user