feat: add granular signin disable flags and OIDC auto-redirect (#2857 )

fix: french translation for confirmation message (#3050 )
fix: add additional team group permission checks (#3052 )
2026-07-01 00:30:53 +10:00 · 2026-06-30 16:08:09 +10:00 · 2026-06-30 15:52:59 +10:00 · 2026-06-30 15:45:48 +10:00
56 changed files with 740 additions and 634 deletions
@@ -180,6 +180,20 @@ NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP=
 NEXT_PUBLIC_DISABLE_OIDC_SIGNUP=
 # OPTIONAL: Comma-separated list of email domains allowed to sign up (e.g., example.com,acme.org).
 NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS=
+# OPTIONAL: Set to "true" to disable all signin methods (email, Google, Microsoft, OIDC).
+NEXT_PUBLIC_DISABLE_SIGNIN=
+# OPTIONAL: Set to "true" to disable email/password signin only. Also closes /forgot-password and /reset-password.
+NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN=
+# OPTIONAL: Set to "true" to hide the Google signin button.
+NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN=
+# OPTIONAL: Set to "true" to hide the Microsoft signin button.
+NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN=
+# OPTIONAL: Set to "true" to hide the OIDC signin button.
+NEXT_PUBLIC_DISABLE_OIDC_SIGNIN=
+# OPTIONAL: When OIDC is the only enabled signin transport, /signin auto-redirects
+# to the OIDC provider (rendering only a spinner). Set to "true" to disable this
+# and keep showing the signin page.
+NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT=
 # OPTIONAL: Set to true to use internal webapp url in browserless requests.
 NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS=false

@@ -272,6 +272,12 @@ For detailed certificate setup, see [Signing Certificate](/docs/self-hosting/con
 | `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP`       | Block new accounts via Microsoft. Existing linked users can still sign in           | `false` |
 | `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP`            | Block new accounts via OIDC, including the organisation portal                      | `false` |
 | `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS`        | Comma-separated list of email domains allowed to sign up (e.g., `example.com,acme.org`) |         |
+| `NEXT_PUBLIC_DISABLE_SIGNIN`                 | Master switch. Disable all signin methods application-wide                          | `false` |
+| `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN`  | Disable email/password signin. Also closes `/forgot-password` and `/reset-password` | `false` |
+| `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`          | Hide the Google signin button                                                       | `false` |
+| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`       | Hide the Microsoft signin button                                                    | `false` |
+| `NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`            | Hide the OIDC signin button                                                         | `false` |
+| `NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT`     | Disable the automatic `/signin` redirect when OIDC is the only enabled transport    | `false` |
 | `NEXT_PUBLIC_POSTHOG_KEY`             | PostHog API key for analytics and feature flags                                     |         |
 | `NEXT_PUBLIC_FEATURE_BILLING_ENABLED` | Enable billing features                                                             | `false` |

@@ -303,6 +309,44 @@ NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP="true"
 NEXT_PUBLIC_DISABLE_SIGNUP="true"
 ```

+### Sign-in Restrictions
+
+You can control which methods are available for users to sign in with the following environment variables:
+
+- **`NEXT_PUBLIC_DISABLE_SIGNIN`** (master switch): Set to `true` to block all signin methods (email/password, Google, Microsoft, OIDC). Hides every signin entry point on `/signin` and rejects email/password signin server-side with a `SIGNIN_DISABLED` error.
+- **`NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN`**: Set to `true` to disable email/password signin only. The email/password form is hidden, the `/forgot-password` and `/reset-password` pages redirect to `/signin`, and the corresponding server endpoints reject requests. SSO signin is unaffected.
+- **`NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`**, **`NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`**, **`NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`**: Set to `true` to hide the matching SSO button on the signin page. Useful when an SSO provider is kept configured for account linking but not advertised as a signin entry point.
+
+These flags are opt-in: when none are set, signin behaviour is unchanged from a stock Documenso instance.
+
+```bash
+# Allow only OIDC signin (e.g. enterprise SSO-only)
+NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN="true"
+NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN="true"
+NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN="true"
+
+# Or disable signin entirely
+NEXT_PUBLIC_DISABLE_SIGNIN="true"
+```
+
+### OIDC Auto-redirect
+
+When OIDC is the only enabled signin transport on your instance, `/signin` automatically redirects users straight to the OIDC provider instead of showing the signin form. The page renders a spinner while the redirect happens. No extra configuration is required — disabling every other signin method is enough to trigger it.
+
+- **`NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT`**: Set to `true` to opt out of the automatic redirect and keep rendering the signin page even when OIDC is the only enabled transport.
+
+The redirect only triggers when OIDC is configured and email/password, Google, and Microsoft signin are all disabled. If any other transport remains enabled, the signin form is shown as normal.
+
+```bash
+# OIDC-only signin: disabling all other methods auto-redirects to the provider
+NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN="true"
+NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN="true"
+NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN="true"
+
+# Opt out of the auto-redirect while still OIDC-only
+# NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT="true"
+```
+
 ---

 ## AI Features
@@ -446,6 +490,16 @@ NEXT_PRIVATE_SIGNING_PASSPHRASE="your-certificate-password"
 # NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP="true"
 # NEXT_PUBLIC_DISABLE_OIDC_SIGNUP="true"
 # NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS="example.com,acme.org"
+
+# Sign-in restrictions (optional)
+# NEXT_PUBLIC_DISABLE_SIGNIN="true"
+# NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN="true"
+# NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN="true"
+# NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN="true"
+# NEXT_PUBLIC_DISABLE_OIDC_SIGNIN="true"
+
+# Opt out of the automatic OIDC redirect when OIDC is the only enabled transport (optional)
+# NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT="true"
 ```

 ---
@@ -163,6 +163,19 @@ NEXT_PUBLIC_DISABLE_SIGNUP=false
 # NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP=true
 # NEXT_PUBLIC_DISABLE_OIDC_SIGNUP=true
 # NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS=example.com,acme.org
+
+# Signin restrictions (optional)
+# Master switch — disables every signin method
+# NEXT_PUBLIC_DISABLE_SIGNIN=true
+# Per-method switches (optional). Each disables that signin path.
+# NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN=true
+# NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN=true
+# NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN=true
+# NEXT_PUBLIC_DISABLE_OIDC_SIGNIN=true
+
+# When OIDC is the only enabled transport, /signin auto-redirects to the provider.
+# Set this to opt out and keep showing the signin page (optional).
+# NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT=true
 ```

 <Callout type="info">Generate secure secrets using: `openssl rand -base64 32`</Callout>
@@ -112,6 +112,12 @@ See [Email Configuration](/docs/self-hosting/configuration/email) for other tran
 | `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP`      | Block new accounts via Microsoft OAuth                         | `false`                   |
 | `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP`           | Block new accounts via OIDC (incl. organisation portal)        | `false`                   |
 | `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS`       | Comma-separated list of allowed signup email domains           |                           |
+| `NEXT_PUBLIC_DISABLE_SIGNIN`                | Master switch — disable all signin methods                     | `false`                   |
+| `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN` | Disable email/password signin only                             | `false`                   |
+| `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`         | Hide the Google signin button                                  | `false`                   |
+| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`      | Hide the Microsoft signin button                               | `false`                   |
+| `NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`           | Hide the OIDC signin button                                    | `false`                   |
+| `NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT`    | Disable auto-redirect to OIDC when it is the only transport     | `false`                   |

 For the complete list, see [Environment Variables](/docs/self-hosting/configuration/environment).

@@ -159,6 +159,12 @@ NEXT_PRIVATE_SMTP_FROM_ADDRESS=noreply@yourdomain.com
 | `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP`| Block new accounts via Microsoft OAuth                 | `false` |
 | `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP`     | Block new accounts via OIDC (incl. organisation portal)| `false` |
 | `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS` | Comma-separated list of allowed signup email domains   |         |
+| `NEXT_PUBLIC_DISABLE_SIGNIN`          | Master switch — disable all signin methods             | `false` |
+| `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN` | Disable email/password signin only                     | `false` |
+| `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`   | Hide the Google signin button                          | `false` |
+| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`| Hide the Microsoft signin button                       | `false` |
+| `NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`     | Hide the OIDC signin button                            | `false` |
+| `NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT` | Disable auto-redirect to OIDC when it is the only transport | `false` |
 | `NEXT_PRIVATE_SIGNING_PASSPHRASE`     | Passphrase for signing certificate                     | -       |
 | `DOCUMENSO_DISABLE_TELEMETRY`     | Disable anonymous telemetry        | `false` |

@@ -1,10 +1,5 @@
 import { useCurrentOrganisation } from '@documenso/lib/client-only/providers/organisation';
 import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
-import {
-  BRANDING_LOGO_ALLOWED_TYPES,
-  BRANDING_LOGO_MAX_SIZE_BYTES,
-  BRANDING_LOGO_MAX_SIZE_MB,
-} from '@documenso/lib/constants/branding';
 import { DEFAULT_BRAND_COLORS, DEFAULT_BRAND_RADIUS } from '@documenso/lib/constants/theme';
 import { ZCssVarsSchema } from '@documenso/lib/types/css-vars';
 import { cn } from '@documenso/ui/lib/utils';
@@ -26,15 +21,15 @@ import { z } from 'zod';
 import { useOptionalCurrentTeam } from '~/providers/team';
 import { useCspNonce } from '~/utils/nonce';

+const MAX_FILE_SIZE = 5 * 1024 * 1024; // 5MB
+const ACCEPTED_FILE_TYPES = ['image/jpeg', 'image/png', 'image/webp'];
+
 const ZBrandingPreferencesFormSchema = z.object({
  brandingEnabled: z.boolean().nullable(),
  brandingLogo: z
    .instanceof(File)
-    .refine(
-      (file) => file.size <= BRANDING_LOGO_MAX_SIZE_BYTES,
-      `File size must be less than ${BRANDING_LOGO_MAX_SIZE_MB}MB`,
-    )
-    .refine((file) => BRANDING_LOGO_ALLOWED_TYPES.includes(file.type), 'Only .jpg, .png, and .webp files are accepted')
+    .refine((file) => file.size <= MAX_FILE_SIZE, 'File size must be less than 5MB')
+    .refine((file) => ACCEPTED_FILE_TYPES.includes(file.type), 'Only .jpg, .png, and .webp files are accepted')
    .nullish(),
  brandingUrl: z.string().url().optional().or(z.literal('')),
  brandingCompanyDetails: z.string().max(500).optional(),
@@ -204,7 +199,7 @@ export function BrandingPreferencesForm({
                      <FormControl className="relative">
                        <Input
                          type="file"
-                          accept={BRANDING_LOGO_ALLOWED_TYPES.join(',')}
+                          accept={ACCEPTED_FILE_TYPES.join(',')}
                          disabled={!isBrandingEnabled}
                          onChange={(e) => {
                            const file = e.target.files?.[0];
@@ -58,6 +58,7 @@ export type TSignInFormSchema = z.infer<typeof ZSignInFormSchema>;
 export type SignInFormProps = {
  className?: string;
  initialEmail?: string;
+  isEmailPasswordSigninEnabled?: boolean;
  isGoogleSSOEnabled?: boolean;
  isMicrosoftSSOEnabled?: boolean;
  isOIDCSSOEnabled?: boolean;
@@ -68,6 +69,7 @@ export type SignInFormProps = {
 export const SignInForm = ({
  className,
  initialEmail,
+  isEmailPasswordSigninEnabled = true,
  isGoogleSSOEnabled,
  isMicrosoftSSOEnabled,
  isOIDCSSOEnabled,
@@ -324,66 +326,78 @@ export const SignInForm = ({
    <Form {...form}>
      <form className={cn('flex w-full flex-col gap-y-4', className)} onSubmit={form.handleSubmit(onFormSubmit)}>
        <fieldset className="flex w-full flex-col gap-y-4" disabled={isSubmitting || isPasskeyLoading}>
-          <FormField
-            control={form.control}
-            name="email"
-            render={({ field }) => (
-              <FormItem>
-                <FormLabel>
-                  <Trans>Email</Trans>
-                </FormLabel>
+          {isEmailPasswordSigninEnabled && (
+            <>
+              <FormField
+                control={form.control}
+                name="email"
+                render={({ field }) => (
+                  <FormItem>
+                    <FormLabel>
+                      <Trans>Email</Trans>
+                    </FormLabel>

-                <FormControl>
-                  <Input type="email" {...field} />
-                </FormControl>
+                    <FormControl>
+                      <Input type="email" {...field} />
+                    </FormControl>

-                <FormMessage />
-              </FormItem>
-            )}
-          />
+                    <FormMessage />
+                  </FormItem>
+                )}
+              />

-          <FormField
-            control={form.control}
-            name="password"
-            render={({ field }) => (
-              <FormItem>
-                <FormLabel>
-                  <Trans>Password</Trans>
-                </FormLabel>
+              <FormField
+                control={form.control}
+                name="password"
+                render={({ field }) => (
+                  <FormItem>
+                    <FormLabel>
+                      <Trans>Password</Trans>
+                    </FormLabel>

-                <FormControl>
-                  <PasswordInput {...field} />
-                </FormControl>
+                    <FormControl>
+                      <PasswordInput {...field} />
+                    </FormControl>

-                <FormMessage />
+                    <FormMessage />

-                <p className="mt-2 text-right">
-                  <Link to="/forgot-password" className="text-muted-foreground text-sm duration-200 hover:opacity-70">
-                    <Trans>Forgot your password?</Trans>
-                  </Link>
-                </p>
-              </FormItem>
-            )}
-          />
+                    <p className="mt-2 text-right">
+                      <Link
+                        to="/forgot-password"
+                        className="text-muted-foreground text-sm duration-200 hover:opacity-70"
+                      >
+                        <Trans>Forgot your password?</Trans>
+                      </Link>
+                    </p>
+                  </FormItem>
+                )}
+              />

-          {turnstileSiteKey && !isTwoFactorAuthenticationDialogOpen && (
-            <Turnstile
-              ref={turnstileRef}
-              siteKey={turnstileSiteKey}
-              options={{
-                size: 'flexible',
-                appearance: 'always',
-              }}
-            />
+              {turnstileSiteKey && !isTwoFactorAuthenticationDialogOpen && (
+                <Turnstile
+                  ref={turnstileRef}
+                  siteKey={turnstileSiteKey}
+                  options={{
+                    size: 'flexible',
+                    appearance: 'always',
+                  }}
+                />
+              )}
+
+              <Button
+                type="submit"
+                size="lg"
+                loading={isSubmitting}
+                className="dark:bg-documenso dark:hover:opacity-90"
+              >
+                {isSubmitting ? <Trans>Signing in...</Trans> : <Trans>Sign In</Trans>}
+              </Button>
+            </>
          )}

-          <Button type="submit" size="lg" loading={isSubmitting} className="dark:bg-documenso dark:hover:opacity-90">
-            {isSubmitting ? <Trans>Signing in...</Trans> : <Trans>Sign In</Trans>}
-          </Button>
-
          {!isEmbeddedRedirect && (
            <>
-              {hasSocialAuthEnabled && (
+              {isEmailPasswordSigninEnabled && hasSocialAuthEnabled && (
                <div className="relative flex items-center justify-center gap-x-4 py-2 text-xs uppercase">
                  <div className="h-px flex-1 bg-border" />
                  <span className="bg-transparent text-muted-foreground">
@@ -1,6 +1,7 @@
 import { useCurrentOrganisation } from '@documenso/lib/client-only/providers/organisation';
 import { useSession } from '@documenso/lib/client-only/providers/session';
 import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import { putFile } from '@documenso/lib/universal/upload/put-file';
 import { canExecuteOrganisationAction, isPersonalLayout } from '@documenso/lib/utils/organisations';
 import type { SanitizeBrandingCssWarning } from '@documenso/lib/utils/sanitize-branding-css';
 import { trpc } from '@documenso/trpc/react';
@@ -48,29 +49,26 @@ export default function OrganisationSettingsBrandingPage() {

  const { mutateAsync: updateOrganisationSettings } = trpc.organisation.settings.update.useMutation();

-  const { mutateAsync: updateOrganisationBrandingLogo } = trpc.organisation.settings.updateBrandingLogo.useMutation();
-
  const onBrandingPreferencesFormSubmit = async (data: TBrandingPreferencesFormSchema) => {
    try {
      const { brandingEnabled, brandingLogo, brandingUrl, brandingCompanyDetails, brandingColors, brandingCss } = data;

-      // Upload (or clear) the logo through the dedicated, server-validated route.
-      if (brandingLogo instanceof File || brandingLogo === null) {
-        const formData = new FormData();
+      let uploadedBrandingLogo: string | undefined;

-        formData.append('payload', JSON.stringify({ organisationId: organisation.id }));
+      if (brandingLogo) {
+        uploadedBrandingLogo = JSON.stringify(await putFile(brandingLogo));
+      }

-        if (brandingLogo instanceof File) {
-          formData.append('brandingLogo', brandingLogo);
-        }
-
-        await updateOrganisationBrandingLogo(formData);
+      // Empty the branding logo if the user unsets it.
+      if (brandingLogo === null) {
+        uploadedBrandingLogo = '';
      }

      const result = await updateOrganisationSettings({
        organisationId: organisation.id,
        data: {
          brandingEnabled: brandingEnabled ?? undefined,
+          brandingLogo: uploadedBrandingLogo,
          brandingUrl,
          brandingCompanyDetails,
          brandingColors,
@@ -1,5 +1,6 @@
 import { useCurrentOrganisation } from '@documenso/lib/client-only/providers/organisation';
 import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import { putFile } from '@documenso/lib/universal/upload/put-file';
 import { canExecuteOrganisationAction } from '@documenso/lib/utils/organisations';
 import type { SanitizeBrandingCssWarning } from '@documenso/lib/utils/sanitize-branding-css';
 import { trpc } from '@documenso/trpc/react';
@@ -37,7 +38,6 @@ export default function TeamsSettingsPage() {
  });

  const { mutateAsync: updateTeamSettings } = trpc.team.settings.update.useMutation();
-  const { mutateAsync: updateTeamBrandingLogo } = trpc.team.settings.updateBrandingLogo.useMutation();

  const canConfigureBranding = organisation.organisationClaim.flags.allowCustomBranding || !IS_BILLING_ENABLED();

@@ -48,23 +48,22 @@ export default function TeamsSettingsPage() {
    try {
      const { brandingEnabled, brandingLogo, brandingUrl, brandingCompanyDetails, brandingColors, brandingCss } = data;

-      // Upload (or clear) the logo through the dedicated, server-validated route.
-      if (brandingLogo instanceof File || brandingLogo === null) {
-        const formData = new FormData();
+      let uploadedBrandingLogo: string | undefined;

-        formData.append('payload', JSON.stringify({ teamId: team.id }));
+      if (brandingLogo) {
+        uploadedBrandingLogo = JSON.stringify(await putFile(brandingLogo));
+      }

-        if (brandingLogo instanceof File) {
-          formData.append('brandingLogo', brandingLogo);
-        }
-
-        await updateTeamBrandingLogo(formData);
+      // Empty the branding logo if the user unsets it.
+      if (brandingLogo === null) {
+        uploadedBrandingLogo = '';
      }

      const result = await updateTeamSettings({
        teamId: team.id,
        data: {
          brandingEnabled,
+          brandingLogo: uploadedBrandingLogo,
          brandingUrl: brandingUrl || null,
          brandingCompanyDetails: brandingCompanyDetails || null,
          brandingColors,
@@ -1,6 +1,7 @@
+import { isSigninEnabledForProvider } from '@documenso/lib/constants/auth';
 import { msg } from '@lingui/core/macro';
 import { Trans } from '@lingui/react/macro';
-import { Link } from 'react-router';
+import { Link, redirect } from 'react-router';

 import { ForgotPasswordForm } from '~/components/forms/forgot-password';
 import { appMetaTags } from '~/utils/meta';
@@ -9,6 +10,14 @@ export function meta() {
  return appMetaTags(msg`Forgot Password`);
 }

+export async function loader() {
+  if (!isSigninEnabledForProvider('email')) {
+    throw redirect('/signin');
+  }
+
+  return null;
+}
+
 export default function ForgotPasswordPage() {
  return (
    <div className="w-screen max-w-lg px-4">
@@ -1,3 +1,4 @@
+import { isSigninEnabledForProvider } from '@documenso/lib/constants/auth';
 import { getResetTokenValidity } from '@documenso/lib/server-only/user/get-reset-token-validity';
 import { msg } from '@lingui/core/macro';
 import { Trans } from '@lingui/react/macro';
@@ -13,6 +14,10 @@ export function meta() {
 }

 export async function loader({ params }: Route.LoaderArgs) {
+  if (!isSigninEnabledForProvider('email')) {
+    throw redirect('/signin');
+  }
+
  const { token } = params;

  const isValid = await getResetTokenValidity({ token });
@@ -1,7 +1,8 @@
+import { isSigninEnabledForProvider } from '@documenso/lib/constants/auth';
 import { Button } from '@documenso/ui/primitives/button';
 import { msg } from '@lingui/core/macro';
 import { Trans } from '@lingui/react/macro';
-import { Link } from 'react-router';
+import { Link, redirect } from 'react-router';

 import { appMetaTags } from '~/utils/meta';

@@ -9,6 +10,14 @@ export function meta() {
  return appMetaTags(msg`Reset Password`);
 }

+export async function loader() {
+  if (!isSigninEnabledForProvider('email')) {
+    throw redirect('/signin');
+  }
+
+  return null;
+}
+
 export default function ResetPasswordPage() {
  return (
    <div className="w-screen max-w-lg px-4">
@@ -1,8 +1,11 @@
+import { authClient } from '@documenso/auth/client';
 import { getOptionalSession } from '@documenso/auth/server/lib/utils/get-session';
 import {
  IS_GOOGLE_SSO_ENABLED,
  IS_MICROSOFT_SSO_ENABLED,
+  IS_OIDC_AUTO_REDIRECT_DISABLED,
  IS_OIDC_SSO_ENABLED,
+  isSigninEnabledForProvider,
  isSignupEnabledForProvider,
  OIDC_PROVIDER_LABEL,
 } from '@documenso/lib/constants/auth';
@@ -11,6 +14,7 @@ import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
 import { msg } from '@lingui/core/macro';
 import { useLingui } from '@lingui/react';
 import { Trans } from '@lingui/react/macro';
+import { Loader2Icon } from 'lucide-react';
 import { useEffect, useState } from 'react';
 import { Link, redirect, useSearchParams } from 'react-router';

@@ -28,10 +32,20 @@ export async function loader({ request }: Route.LoaderArgs) {
  const { isAuthenticated } = await getOptionalSession(request);

  // SSR env variables.
-  const isGoogleSSOEnabled = IS_GOOGLE_SSO_ENABLED;
-  const isMicrosoftSSOEnabled = IS_MICROSOFT_SSO_ENABLED;
-  const isOIDCSSOEnabled = IS_OIDC_SSO_ENABLED;
+  const isEmailPasswordSigninEnabled = isSigninEnabledForProvider('email');
+  const isGoogleSSOEnabled = IS_GOOGLE_SSO_ENABLED && isSigninEnabledForProvider('google');
+  const isMicrosoftSSOEnabled = IS_MICROSOFT_SSO_ENABLED && isSigninEnabledForProvider('microsoft');
+  const isOIDCSSOEnabled = IS_OIDC_SSO_ENABLED && isSigninEnabledForProvider('oidc');
+
+  // Automatically redirect to OIDC when it is the only enabled signin transport,
+  // unless the redirect has been explicitly disabled via env.
+  const isOIDCOnlyTransport =
+    isOIDCSSOEnabled && !isEmailPasswordSigninEnabled && !isGoogleSSOEnabled && !isMicrosoftSSOEnabled;
+
+  const shouldAutoRedirectToOIDC = isOIDCOnlyTransport && !IS_OIDC_AUTO_REDIRECT_DISABLED;
+
  const oidcProviderLabel = OIDC_PROVIDER_LABEL;
+
  const isSignupEnabled =
    isSignupEnabledForProvider('email') ||
    (IS_GOOGLE_SSO_ENABLED && isSignupEnabledForProvider('google')) ||
@@ -47,18 +61,28 @@ export async function loader({ request }: Route.LoaderArgs) {
  }

  return {
+    isEmailPasswordSigninEnabled,
    isGoogleSSOEnabled,
    isMicrosoftSSOEnabled,
    isOIDCSSOEnabled,
    isSignupEnabled,
    oidcProviderLabel,
    returnTo,
+    shouldAutoRedirectToOIDC,
  };
 }

 export default function SignIn({ loaderData }: Route.ComponentProps) {
-  const { isGoogleSSOEnabled, isMicrosoftSSOEnabled, isOIDCSSOEnabled, isSignupEnabled, oidcProviderLabel, returnTo } =
-    loaderData;
+  const {
+    isEmailPasswordSigninEnabled,
+    isGoogleSSOEnabled,
+    isMicrosoftSSOEnabled,
+    isOIDCSSOEnabled,
+    isSignupEnabled,
+    oidcProviderLabel,
+    returnTo,
+    shouldAutoRedirectToOIDC,
+  } = loaderData;

  const { _ } = useLingui();

@@ -76,6 +100,27 @@ export default function SignIn({ loaderData }: Route.ComponentProps) {
    setIsEmbeddedRedirect(params.get('embedded') === 'true');
  }, []);

+  useEffect(() => {
+    if (!shouldAutoRedirectToOIDC) {
+      return;
+    }
+
+    void authClient.oidc.signIn({ redirectPath: returnTo ?? '/' });
+  }, [shouldAutoRedirectToOIDC, returnTo]);
+
+  if (shouldAutoRedirectToOIDC) {
+    return (
+      <div className="w-screen max-w-lg px-4">
+        <div className="flex flex-col items-center justify-center gap-y-4 py-12">
+          <Loader2Icon className="h-8 w-8 animate-spin text-muted-foreground" />
+          <p className="text-muted-foreground text-sm">
+            <Trans>Redirecting to {oidcProviderLabel || 'OIDC'}...</Trans>
+          </p>
+        </div>
+      </div>
+    );
+  }
+
  return (
    <div className="w-screen max-w-lg px-4">
      <div className="z-10 rounded-xl border border-border bg-neutral-100 p-6 dark:bg-background">
@@ -95,6 +140,7 @@ export default function SignIn({ loaderData }: Route.ComponentProps) {
        <hr className="-mx-6 my-4" />

        <SignInForm
+          isEmailPasswordSigninEnabled={isEmailPasswordSigninEnabled}
          isGoogleSSOEnabled={isGoogleSSOEnabled}
          isMicrosoftSSOEnabled={isMicrosoftSSOEnabled}
          isOIDCSSOEnabled={isOIDCSSOEnabled}
@@ -1,8 +1,9 @@
 import { getOptionalSession } from '@documenso/auth/server/lib/utils/get-session';
 import { APP_DOCUMENT_UPLOAD_SIZE_LIMIT } from '@documenso/lib/constants/app';
-import { AppError } from '@documenso/lib/errors/app-error';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { verifyEmbeddingPresignToken } from '@documenso/lib/server-only/embedding-presign/verify-embedding-presign-token';
 import { putNormalizedPdfFileServerSide } from '@documenso/lib/universal/upload/put-file.server';
+import { getPresignPostUrl } from '@documenso/lib/universal/upload/server-actions';
 import { prisma } from '@documenso/prisma';
 import { sValidator } from '@hono/standard-validator';
 import type { Prisma } from '@prisma/client';
@@ -11,11 +12,14 @@ import { Hono } from 'hono';
 import type { HonoEnv } from '../../router';
 import { checkEnvelopeFileAccess, handleEnvelopeItemFileRequest, resolveFileUploadUserId } from './files.helpers';
 import {
+  isAllowedUploadContentType,
+  type TGetPresignedPostUrlResponse,
  ZGetEnvelopeItemFileDownloadRequestParamsSchema,
  ZGetEnvelopeItemFileRequestParamsSchema,
  ZGetEnvelopeItemFileRequestQuerySchema,
  ZGetEnvelopeItemFileTokenDownloadRequestParamsSchema,
  ZGetEnvelopeItemFileTokenRequestParamsSchema,
+  ZGetPresignedPostUrlRequestSchema,
  ZUploadPdfRequestSchema,
 } from './files.types';
 import getEnvelopeItemPdfRoute from './routes/get-envelope-item-pdf';
@@ -57,6 +61,29 @@ export const filesRoute = new Hono<HonoEnv>()
      return c.json({ error: 'Upload failed' }, 500);
    }
  })
+  .post('/presigned-post-url', sValidator('json', ZGetPresignedPostUrlRequestSchema), async (c) => {
+    const userId = await resolveFileUploadUserId(c);
+
+    if (!userId) {
+      return c.json({ error: 'Unauthorized' }, 401);
+    }
+
+    const { fileName, contentType } = c.req.valid('json');
+
+    if (!isAllowedUploadContentType(contentType)) {
+      return c.json({ error: 'Unsupported content type' }, 400);
+    }
+
+    try {
+      const { key, url } = await getPresignPostUrl(fileName, contentType, userId);
+
+      return c.json({ key, url } satisfies TGetPresignedPostUrlResponse);
+    } catch (err) {
+      console.error(err);
+
+      throw new AppError(AppErrorCode.UNKNOWN_ERROR);
+    }
+  })
  .get(
    '/envelope/:envelopeId/envelopeItem/:envelopeItemId',
    sValidator('param', ZGetEnvelopeItemFileRequestParamsSchema),
@@ -13,6 +13,27 @@ export const ZUploadPdfResponseSchema = DocumentDataSchema.pick({
 export type TUploadPdfRequest = z.infer<typeof ZUploadPdfRequestSchema>;
 export type TUploadPdfResponse = z.infer<typeof ZUploadPdfResponseSchema>;

+export const ALLOWED_UPLOAD_CONTENT_TYPES = ['application/pdf', 'image/jpeg', 'image/png', 'image/webp'] as const;
+
+export const isAllowedUploadContentType = (contentType: string): boolean => {
+  const normalizedContentType = contentType.split(';').at(0)?.trim().toLowerCase();
+
+  return ALLOWED_UPLOAD_CONTENT_TYPES.some((allowed) => allowed === normalizedContentType);
+};
+
+export const ZGetPresignedPostUrlRequestSchema = z.object({
+  fileName: z.string().min(1),
+  contentType: z.string().min(1),
+});
+
+export const ZGetPresignedPostUrlResponseSchema = z.object({
+  key: z.string().min(1),
+  url: z.string().min(1),
+});
+
+export type TGetPresignedPostUrlRequest = z.infer<typeof ZGetPresignedPostUrlRequestSchema>;
+export type TGetPresignedPostUrlResponse = z.infer<typeof ZGetPresignedPostUrlResponseSchema>;
+
 export const ZGetEnvelopeItemFileRequestParamsSchema = z.object({
  envelopeId: z.string().min(1),
  envelopeItemId: z.string().min(1),
@@ -105,6 +105,7 @@ app.route('/api/auth', auth);

 // Files route.
 app.use('/api/files/upload-pdf', fileRateLimitMiddleware);
+app.use('/api/files/presigned-post-url', fileRateLimitMiddleware);
 app.route('/api/files', filesRoute);

 // AI route.
@@ -64,6 +64,12 @@ services:
      - NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP=${NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP}
      - NEXT_PUBLIC_DISABLE_OIDC_SIGNUP=${NEXT_PUBLIC_DISABLE_OIDC_SIGNUP}
      - NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS=${NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS}
+      - NEXT_PUBLIC_DISABLE_SIGNIN=${NEXT_PUBLIC_DISABLE_SIGNIN}
+      - NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN=${NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN}
+      - NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN=${NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN}
+      - NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN=${NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN}
+      - NEXT_PUBLIC_DISABLE_OIDC_SIGNIN=${NEXT_PUBLIC_DISABLE_OIDC_SIGNIN}
+      - NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT=${NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT}
      - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=${NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH:-/opt/documenso/cert.p12}
      - NEXT_PRIVATE_SIGNING_PASSPHRASE=${NEXT_PRIVATE_SIGNING_PASSPHRASE}
      - NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS=${NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS}
@@ -44,6 +44,46 @@ test.describe('File upload endpoint authorization', () => {
    expect(res.status()).toBe(401);
  });

+  test('rejects an unauthenticated presigned-post-url request', async ({ request }) => {
+    const res = await request.post(`${WEBAPP_BASE_URL}/api/files/presigned-post-url`, {
+      headers: { 'Content-Type': 'application/json' },
+      data: { fileName: 'test.pdf', contentType: 'application/pdf' },
+    });
+
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(401);
+  });
+
+  test('rejects a presigned-post-url request with an invalid presign token', async ({ request }) => {
+    const res = await request.post(`${WEBAPP_BASE_URL}/api/files/presigned-post-url`, {
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: 'Bearer not-a-real-token',
+      },
+      data: { fileName: 'test.pdf', contentType: 'application/pdf' },
+    });
+
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(401);
+  });
+
+  test('rejects a presigned-post-url request with a disallowed content type', async ({ request }) => {
+    const { user, team } = await seedUser();
+    const presignToken = await createPresignTokenForUser(user.id, team.id);
+
+    const res = await request.post(`${WEBAPP_BASE_URL}/api/files/presigned-post-url`, {
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: `Bearer ${presignToken}`,
+      },
+      data: { fileName: 'malware.exe', contentType: 'application/x-msdownload' },
+    });
+
+    // Authenticated, but the content type is not on the allow-list.
+    expect(res.ok()).toBeFalsy();
+    expect(res.status()).toBe(400);
+  });
+
  test('allows an upload-pdf request authorized by a valid presign token', async ({ request }) => {
    const { user, team } = await seedUser();
    const presignToken = await createPresignTokenForUser(user.id, team.id);
@@ -1,37 +0,0 @@
-import { optimiseBrandingLogo } from '@documenso/lib/utils/images/logo';
-import { expect, test } from '@playwright/test';
-import sharp from 'sharp';
-
-const makePng = async (width = 1200, height = 1200) =>
-  sharp({
-    create: { width, height, channels: 3, background: { r: 10, g: 20, b: 30 } },
-  })
-    .png()
-    .toBuffer();
-
-test.describe('optimiseBrandingLogo', () => {
-  test('re-encodes a valid image to a PNG buffer', async () => {
-    const input = await makePng();
-
-    const output = await optimiseBrandingLogo(input);
-
-    const metadata = await sharp(output).metadata();
-
-    expect(metadata.format).toBe('png');
-  });
-
-  test('bounds the image to a maximum of 512px on its largest side', async () => {
-    const input = await makePng(2000, 1000);
-
-    const output = await optimiseBrandingLogo(input);
-
-    const metadata = await sharp(output).metadata();
-
-    expect(metadata.width).toBeLessThanOrEqual(512);
-    expect(metadata.height).toBeLessThanOrEqual(512);
-  });
-
-  test('rejects input that is not a valid image', async () => {
-    await expect(optimiseBrandingLogo(Buffer.from('this is not an image'))).rejects.toThrow();
-  });
-});
@@ -1,225 +0,0 @@
-import fs from 'node:fs';
-import path from 'node:path';
-
-import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
-import { prisma } from '@documenso/prisma';
-import { seedUser } from '@documenso/prisma/seed/users';
-import { expect, type Page, test } from '@playwright/test';
-
-import { apiSignin } from './fixtures/authentication';
-
-test.describe.configure({ mode: 'parallel' });
-
-const LOGO_PATH = path.join(__dirname, '../../assets/logo.png');
-
-type MultipartFile = { name: string; mimeType: string; buffer: Buffer };
-
-const enableBrandingAndUpload = async (page: Page) => {
-  // Enable custom branding so the file input is no longer disabled.
-  await page.getByTestId('enable-branding').click();
-  await page.getByRole('option', { name: 'Yes' }).click();
-
-  // Upload the logo file through the real multipart route.
-  await page.locator('input[type="file"]').setInputFiles(LOGO_PATH);
-
-  await page.getByRole('button', { name: 'Update' }).first().click();
-  await expect(page.getByText('Your branding preferences have been updated').first()).toBeVisible();
-};
-
-/**
- * POST a logo straight to the dedicated multipart tRPC route using the
- * authenticated browser cookies. This bypasses the client-side form validation,
- * which is the only way to exercise the server-side image validation /
- * sanitisation (`zfdBrandingImageFile` + `optimiseBrandingLogo`) and the entitlement gate.
- */
-const postOrganisationBrandingLogo = async (page: Page, organisationId: string, file: MultipartFile | null) => {
-  const multipart: Record<string, string | MultipartFile> = {
-    payload: JSON.stringify({ organisationId }),
-  };
-
-  if (file) {
-    multipart.brandingLogo = file;
-  }
-
-  return await page
-    .context()
-    .request.post(`${NEXT_PUBLIC_WEBAPP_URL()}/api/trpc/organisation.settings.updateBrandingLogo`, { multipart });
-};
-
-/**
- * Grant the organisation the custom-branding entitlement. The positive branding
- * flows require it whenever billing is enabled; with billing disabled the gate is
- * bypassed, so this keeps these tests valid in both modes.
- */
-const grantCustomBranding = async (organisationClaimId: string) => {
-  await prisma.organisationClaim.update({
-    where: { id: organisationClaimId },
-    data: { flags: { allowLegacyEnvelopes: true, allowCustomBranding: true } },
-  });
-};
-
-test('[BRANDING_LOGO]: uploads an organisation branding logo via the dedicated route', async ({ page }) => {
-  const { user, organisation } = await seedUser({ isPersonalOrganisation: false });
-
-  await grantCustomBranding(organisation.organisationClaim.id);
-
-  await apiSignin({
-    page,
-    email: user.email,
-    redirectPath: `/o/${organisation.url}/settings/branding`,
-  });
-
-  await enableBrandingAndUpload(page);
-
-  const settings = await prisma.organisationGlobalSettings.findUniqueOrThrow({
-    where: { id: organisation.organisationGlobalSettingsId },
-  });
-
-  expect(settings.brandingLogo).toBeTruthy();
-
-  const parsed = JSON.parse(settings.brandingLogo);
-  expect(parsed).toHaveProperty('type');
-  expect(parsed).toHaveProperty('data');
-});
-
-test('[BRANDING_LOGO]: uploads a team branding logo via the dedicated route', async ({ page }) => {
-  const { user, team, organisation } = await seedUser({ isPersonalOrganisation: false });
-
-  await grantCustomBranding(organisation.organisationClaim.id);
-
-  await apiSignin({
-    page,
-    email: user.email,
-    redirectPath: `/t/${team.url}/settings/branding`,
-  });
-
-  await enableBrandingAndUpload(page);
-
-  // TeamGlobalSettings has no `teamId` column (the FK lives on Team), so read it
-  // through the team relation.
-  const teamWithSettings = await prisma.team.findUniqueOrThrow({
-    where: { id: team.id },
-    include: { teamGlobalSettings: true },
-  });
-
-  expect(teamWithSettings.teamGlobalSettings?.brandingLogo).toBeTruthy();
-
-  const parsed = JSON.parse(teamWithSettings.teamGlobalSettings?.brandingLogo ?? '');
-  expect(parsed).toHaveProperty('type');
-  expect(parsed).toHaveProperty('data');
-});
-
-test('[BRANDING_LOGO]: clears the organisation branding logo when the user removes it', async ({ page }) => {
-  const { user, organisation } = await seedUser({ isPersonalOrganisation: false });
-
-  await grantCustomBranding(organisation.organisationClaim.id);
-
-  await apiSignin({
-    page,
-    email: user.email,
-    redirectPath: `/o/${organisation.url}/settings/branding`,
-  });
-
-  await enableBrandingAndUpload(page);
-
-  // Confirm the logo was stored before we clear it.
-  const settings = await prisma.organisationGlobalSettings.findUniqueOrThrow({
-    where: { id: organisation.organisationGlobalSettingsId },
-  });
-
-  expect(settings.brandingLogo).toBeTruthy();
-
-  // Remove the logo and save again.
-  await page.getByRole('button', { name: 'Remove' }).click();
-  await page.getByRole('button', { name: 'Update' }).first().click();
-
-  // Clearing the logo persists an empty string via the dedicated route.
-  await expect
-    .poll(async () => {
-      const updated = await prisma.organisationGlobalSettings.findUniqueOrThrow({
-        where: { id: organisation.organisationGlobalSettingsId },
-      });
-
-      return updated.brandingLogo;
-    })
-    .toBe('');
-});
-
-test('[BRANDING_LOGO]: validates and sanitises the logo on the server', async ({ page }) => {
-  const { user, organisation } = await seedUser({ isPersonalOrganisation: false });
-
-  await grantCustomBranding(organisation.organisationClaim.id);
-
-  await apiSignin({
-    page,
-    email: user.email,
-    redirectPath: `/o/${organisation.url}/settings/branding`,
-  });
-
-  // Positive control: a genuine PNG is accepted and stored. This also proves the
-  // direct multipart request shape matches what the route expects.
-  const validResponse = await postOrganisationBrandingLogo(page, organisation.id, {
-    name: 'logo.png',
-    mimeType: 'image/png',
-    buffer: fs.readFileSync(LOGO_PATH),
-  });
-
-  expect(validResponse.ok()).toBeTruthy();
-
-  const afterValid = await prisma.organisationGlobalSettings.findUniqueOrThrow({
-    where: { id: organisation.organisationGlobalSettingsId },
-  });
-
-  expect(afterValid.brandingLogo).toBeTruthy();
-
-  // Bytes that pass the MIME/size allowlist but are not a real image must be
-  // rejected by the server (the `sharp` re-encode) without changing stored state.
-  const invalidResponse = await postOrganisationBrandingLogo(page, organisation.id, {
-    name: 'fake.png',
-    mimeType: 'image/png',
-    buffer: Buffer.from('this is definitely not a valid png'),
-  });
-
-  expect(invalidResponse.ok()).toBeFalsy();
-  expect(invalidResponse.status()).toBeGreaterThanOrEqual(400);
-  expect(invalidResponse.status()).toBeLessThan(500);
-
-  const afterInvalid = await prisma.organisationGlobalSettings.findUniqueOrThrow({
-    where: { id: organisation.organisationGlobalSettingsId },
-  });
-
-  // The previously stored, valid logo is left untouched by the rejected upload.
-  expect(afterInvalid.brandingLogo).toBe(afterValid.brandingLogo);
-});
-
-test('[BRANDING_LOGO]: rejects setting a logo without the custom-branding entitlement', async ({ page }) => {
-  // The entitlement is only enforced when billing is enabled; with billing off
-  // the check is intentionally skipped server-side, so this can't be exercised.
-  test.skip(
-    process.env.NEXT_PUBLIC_FEATURE_BILLING_ENABLED !== 'true',
-    'Entitlement is only enforced when billing is enabled.',
-  );
-
-  // Seeded organisations have no `allowCustomBranding` claim flag.
-  const { user, organisation } = await seedUser({ isPersonalOrganisation: false });
-
-  await apiSignin({
-    page,
-    email: user.email,
-    redirectPath: `/o/${organisation.url}/settings/branding`,
-  });
-
-  const response = await postOrganisationBrandingLogo(page, organisation.id, {
-    name: 'logo.png',
-    mimeType: 'image/png',
-    buffer: fs.readFileSync(LOGO_PATH),
-  });
-
-  expect(response.ok()).toBeFalsy();
-
-  const settings = await prisma.organisationGlobalSettings.findUniqueOrThrow({
-    where: { id: organisation.organisationGlobalSettingsId },
-  });
-
-  expect(settings.brandingLogo).toBeFalsy();
-});
@@ -142,38 +142,3 @@ test('[SIGNING_BRANDING]: embedded signing does not render custom logo Brand Web
  await expect(page.locator(`a[href="${BRANDING_URL}"]`)).toHaveCount(0);
  await expect(page.getByRole('link', { name: `${team.name}'s Logo` })).toHaveCount(0);
 });
-
-test('[SIGNING_BRANDING]: custom logo renders when branding is enabled and is hidden when disabled', async ({
-  page,
-}) => {
-  const { user, team, organisation } = await seedUser();
-
-  await enableOrganisationBranding({
-    organisationGlobalSettingsId: organisation.organisationGlobalSettingsId,
-  });
-
-  const { recipients } = await seedPendingDocumentWithFullFields({
-    owner: user,
-    teamId: team.id,
-    recipients: ['enabled-disabled-branding-signer@test.documenso.com'],
-    fields: [FieldType.SIGNATURE],
-    updateDocumentOptions: { internalVersion: 2 },
-  });
-
-  // Branding enabled → the custom logo is rendered on the signing page.
-  await page.goto(`/sign/${recipients[0].token}`);
-  await expectPlainBrandingLogo(page, `${team.name}'s Logo`);
-
-  // Disable branding while keeping the stored logo (the team inherits this).
-  await prisma.organisationGlobalSettings.update({
-    where: { id: organisation.organisationGlobalSettingsId },
-    data: { brandingEnabled: false },
-  });
-
-  // Branding disabled → the custom logo is gone and the Documenso fallback
-  // (an internal link to "/") is shown instead.
-  await page.goto(`/sign/${recipients[0].token}`);
-
-  await expect(page.getByRole('img', { name: `${team.name}'s Logo` })).toHaveCount(0);
-  await expect(page.locator('a[href="/"]').first()).toBeVisible();
-});
@@ -0,0 +1,163 @@
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { generateDatabaseId } from '@documenso/lib/universal/id';
+import { prisma } from '@documenso/prisma';
+import { seedTeamMember } from '@documenso/prisma/seed/teams';
+import { seedUser } from '@documenso/prisma/seed/users';
+import { expect, type Page, test } from '@playwright/test';
+import { OrganisationGroupType, OrganisationMemberRole, TeamMemberRole } from '@prisma/client';
+
+import { apiSignin } from '../fixtures/authentication';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+
+test.describe.configure({ mode: 'parallel' });
+
+/**
+ * Calls a team-group tRPC mutation directly, bypassing the UI.
+ *
+ * The UI only ever surfaces CUSTOM / INTERNAL_ORGANISATION groups, so these
+ * authorisation rules must be enforced on the server - a crafted request can
+ * target any `teamGroupId`, including the system-managed INTERNAL_TEAM groups.
+ */
+const callTeamGroupMutation = (
+  page: Page,
+  procedure: 'team.group.delete' | 'team.group.update',
+  teamId: number,
+  input: Record<string, unknown>,
+) =>
+  page.context().request.post(`${WEBAPP_BASE_URL}/api/trpc/${procedure}`, {
+    headers: { 'content-type': 'application/json', 'x-team-id': teamId.toString() },
+    data: JSON.stringify({ json: input }),
+  });
+
+/**
+ * Every team is created with three system-managed INTERNAL_TEAM groups
+ * (admin/manager/member). They are the backbone of team-specific access and,
+ * like organisation internal groups, must not be deletable - deleting them
+ * silently strips team members of access while leaving the team row in place.
+ */
+test('[TEAMS]: internal team groups cannot be deleted via the API', async ({ page }) => {
+  // Member inheritance OFF: membership is granted exclusively through the team's
+  // INTERNAL_TEAM groups, so removing them is what causes the access loss.
+  const { user: owner, team } = await seedUser({ inheritMembers: false });
+
+  // A direct team member whose access depends on the INTERNAL_TEAM member group.
+  const directMember = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
+
+  await apiSignin({ page, email: owner.email });
+
+  const internalTeamGroups = await prisma.teamGroup.findMany({
+    where: {
+      teamId: team.id,
+      organisationGroup: { type: OrganisationGroupType.INTERNAL_TEAM },
+    },
+  });
+
+  // admin + manager + member.
+  expect(internalTeamGroups).toHaveLength(3);
+
+  for (const group of internalTeamGroups) {
+    const response = await callTeamGroupMutation(page, 'team.group.delete', team.id, {
+      teamId: team.id,
+      teamGroupId: group.id,
+    });
+
+    expect(response.status(), `INTERNAL_TEAM ${group.teamRole} group must not be deletable`).not.toBe(200);
+  }
+
+  // None of the internal groups were removed.
+  const remaining = await prisma.teamGroup.count({
+    where: {
+      teamId: team.id,
+      organisationGroup: { type: OrganisationGroupType.INTERNAL_TEAM },
+    },
+  });
+
+  expect(remaining).toBe(3);
+
+  // The direct member therefore keeps their team access.
+  const memberStillHasAccess = await prisma.teamGroup.findFirst({
+    where: {
+      teamId: team.id,
+      organisationGroup: {
+        type: OrganisationGroupType.INTERNAL_TEAM,
+        organisationGroupMembers: {
+          some: { organisationMember: { userId: directMember.id } },
+        },
+      },
+    },
+  });
+
+  expect(memberStillHasAccess).not.toBeNull();
+});
+
+/**
+ * Guards against over-blocking: user-created (CUSTOM) team groups are not
+ * internal and must remain removable by team managers/admins.
+ */
+test('[TEAMS]: custom team groups can still be deleted', async ({ page }) => {
+  const { user: owner, organisation, team } = await seedUser({ inheritMembers: false });
+
+  const customGroup = await prisma.organisationGroup.create({
+    data: {
+      id: generateDatabaseId('org_group'),
+      name: `custom-${team.url}`,
+      type: OrganisationGroupType.CUSTOM,
+      organisationRole: OrganisationMemberRole.MEMBER,
+      organisationId: organisation.id,
+      teamGroups: {
+        create: {
+          id: generateDatabaseId('team_group'),
+          teamId: team.id,
+          teamRole: TeamMemberRole.MEMBER,
+        },
+      },
+    },
+    include: { teamGroups: true },
+  });
+
+  const customTeamGroup = customGroup.teamGroups[0];
+
+  await apiSignin({ page, email: owner.email });
+
+  const response = await callTeamGroupMutation(page, 'team.group.delete', team.id, {
+    teamId: team.id,
+    teamGroupId: customTeamGroup.id,
+  });
+
+  expect(response.status()).toBe(200);
+
+  const deleted = await prisma.teamGroup.findUnique({ where: { id: customTeamGroup.id } });
+
+  expect(deleted).toBeNull();
+});
+
+/**
+ * The same root cause affects updates: an INTERNAL_TEAM group's role must not be
+ * editable either, otherwise a team admin could rewrite the backbone roles
+ * (e.g. promote the member group to admin).
+ */
+test('[TEAMS]: internal team groups cannot be updated via the API', async ({ page }) => {
+  const { user: owner, team } = await seedUser({ inheritMembers: false });
+
+  await apiSignin({ page, email: owner.email });
+
+  const internalMemberGroup = await prisma.teamGroup.findFirstOrThrow({
+    where: {
+      teamId: team.id,
+      teamRole: TeamMemberRole.MEMBER,
+      organisationGroup: { type: OrganisationGroupType.INTERNAL_TEAM },
+    },
+  });
+
+  const response = await callTeamGroupMutation(page, 'team.group.update', team.id, {
+    id: internalMemberGroup.id,
+    data: { teamRole: TeamMemberRole.ADMIN },
+  });
+
+  expect(response.status()).not.toBe(200);
+
+  const reloaded = await prisma.teamGroup.findUniqueOrThrow({ where: { id: internalMemberGroup.id } });
+
+  expect(reloaded.teamRole).toBe(TeamMemberRole.MEMBER);
+});
@@ -17,6 +17,7 @@ export const AuthenticationErrorCode = {
  // TwoFactorMissingSecret: 'TWO_FACTOR_MISSING_SECRET',
  // TwoFactorMissingCredentials: 'TWO_FACTOR_MISSING_CREDENTIALS',
  InvalidTwoFactorCode: 'INVALID_TWO_FACTOR_CODE',
+  SigninDisabled: 'SIGNIN_DISABLED',
  SignupDisabled: 'SIGNUP_DISABLED',
  SignupDisposableEmail: 'SIGNUP_DISPOSABLE_EMAIL',
  // IncorrectTwoFactorBackupCode: 'INCORRECT_TWO_FACTOR_BACKUP_CODE',
@@ -1,6 +1,7 @@
 import {
  isDisposableEmail,
  isEmailDomainAllowedForSignup,
+  isSigninEnabledForProvider,
  isSignupEnabledForProvider,
 } from '@documenso/lib/constants/auth';
 import { EMAIL_VERIFICATION_STATE } from '@documenso/lib/constants/email';
@@ -64,6 +65,12 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
  .post('/authorize', sValidator('json', ZSignInSchema), async (c) => {
    const requestMetadata = c.get('requestMetadata');

+    if (!isSigninEnabledForProvider('email')) {
+      throw new AppError(AuthenticationErrorCode.SigninDisabled, {
+        statusCode: 400,
+      });
+    }
+
    const { email, password, totpCode, backupCode, csrfToken, captchaToken } = c.req.valid('json');

    const loginLimitResult = await loginRateLimit.check({
@@ -244,6 +251,12 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
    const { password, currentPassword } = c.req.valid('json');
    const requestMetadata = c.get('requestMetadata');

+    if (!isSigninEnabledForProvider('email')) {
+      throw new AppError(AuthenticationErrorCode.SigninDisabled, {
+        statusCode: 400,
+      });
+    }
+
    const { session, user } = await getSession(c);

    await updatePassword({
@@ -346,6 +359,12 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
  .post('/forgot-password', sValidator('json', ZForgotPasswordSchema), async (c) => {
    const requestMetadata = c.get('requestMetadata');

+    if (!isSigninEnabledForProvider('email')) {
+      throw new AppError(AuthenticationErrorCode.SigninDisabled, {
+        statusCode: 400,
+      });
+    }
+
    const { email } = c.req.valid('json');

    const forgotLimitResult = await forgotPasswordRateLimit.check({
@@ -377,6 +396,12 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
  .post('/reset-password', sValidator('json', ZResetPasswordSchema), async (c) => {
    const requestMetadata = c.get('requestMetadata');

+    if (!isSigninEnabledForProvider('email')) {
+      throw new AppError(AuthenticationErrorCode.SigninDisabled, {
+        statusCode: 400,
+      });
+    }
+
    const { token, password } = c.req.valid('json');

    const resetLimitResult = await resetPasswordRateLimit.check({
@@ -41,6 +41,14 @@ export const IS_OIDC_SSO_ENABLED = Boolean(

 export const OIDC_PROVIDER_LABEL = env('NEXT_PRIVATE_OIDC_PROVIDER_LABEL');

+/**
+ * Opt-out flag for the automatic OIDC redirect.
+ *
+ * When OIDC is the only enabled signin transport we redirect to the provider
+ * automatically. Set this to "true" to keep rendering the signin page instead.
+ */
+export const IS_OIDC_AUTO_REDIRECT_DISABLED = env('NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT') === 'true';
+
 export const USER_SECURITY_AUDIT_LOG_MAP: Record<string, string> = {
  ACCOUNT_SSO_LINK: 'Linked account to SSO',
  ACCOUNT_SSO_UNLINK: 'Unlinked account from SSO',
@@ -188,3 +196,22 @@ export const isSignupEnabledForProvider = (provider: 'email' | 'google' | 'micro

  return env(flagMap[provider]) !== 'true';
 };
+
+/**
+ * Check if signin is enabled for the given provider.
+ * The master switch takes precedence over the per-provider flags.
+ */
+export const isSigninEnabledForProvider = (provider: 'email' | 'google' | 'microsoft' | 'oidc'): boolean => {
+  if (env('NEXT_PUBLIC_DISABLE_SIGNIN') === 'true') {
+    return false;
+  }
+
+  const flagMap = {
+    email: 'NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN',
+    google: 'NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN',
+    microsoft: 'NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN',
+    oidc: 'NEXT_PUBLIC_DISABLE_OIDC_SIGNIN',
+  } as const;
+
+  return env(flagMap[provider]) !== 'true';
+};
@@ -9,13 +9,3 @@
 * cap so a malicious or runaway payload can't exhaust PostCSS/server memory.
 */
 export const BRANDING_CSS_MAX_LENGTH = 256 * 1024;
-
-/**
- * Branding logo upload constraints. Enforced server-side at the TRPC request
- * boundary (`zfdBrandingImageFile`) and reused by the client form for matching UX.
- */
-export const BRANDING_LOGO_MAX_SIZE_MB = 5;
-
-export const BRANDING_LOGO_MAX_SIZE_BYTES = BRANDING_LOGO_MAX_SIZE_MB * 1024 * 1024;
-
-export const BRANDING_LOGO_ALLOWED_TYPES: string[] = ['image/jpeg', 'image/png', 'image/webp'];
@@ -1,26 +0,0 @@
-import { AppError, AppErrorCode } from '../../errors/app-error';
-import { putFileServerSide } from '../../universal/upload/put-file.server';
-import { optimiseBrandingLogo } from '../../utils/images/logo';
-
-/**
- * Validate, sanitise and store an uploaded branding logo. Returns the
- * `JSON.stringify({ type, data })` reference persisted in the `brandingLogo`
- * column (the same format the serving endpoints already expect).
- */
-export const buildBrandingLogoData = async (file: File): Promise<string> => {
-  const buffer = Buffer.from(await file.arrayBuffer());
-
-  const optimised = await optimiseBrandingLogo(buffer).catch(() => {
-    throw new AppError(AppErrorCode.INVALID_BODY, {
-      message: 'The branding logo must be a valid image file.',
-    });
-  });
-
-  const documentData = await putFileServerSide({
-    name: 'branding-logo.png',
-    type: 'image/png',
-    arrayBuffer: async () => Promise.resolve(optimised),
-  });
-
-  return JSON.stringify(documentData);
-};
@@ -8917,6 +8917,11 @@ msgstr "Weiterleitungs-URL"
 msgid "Redirecting"
 msgstr "Weiterleitung"

+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -8908,6 +8908,11 @@ msgstr "Redirect URL"
 msgid "Redirecting"
 msgstr "Redirecting"

+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr "Redirecting to {0}..."
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -8917,6 +8917,11 @@ msgstr "URL de redirección"
 msgid "Redirecting"
 msgstr "Redireccionando"

+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -8424,7 +8424,7 @@ msgstr "Veuillez réessayer ou contacter notre support."
 #. placeholder {0}: `'${t(deleteMessage)}'`
 #: apps/remix/app/components/dialogs/envelope-delete-dialog.tsx
 msgid "Please type {0} to confirm"
-msgstr "Veuiillez taper {0} pour confirmer"
+msgstr "Veuillez taper {0} pour confirmer"

 #. placeholder {0}: user.email
 #: apps/remix/app/components/dialogs/account-delete-dialog.tsx
@@ -8917,6 +8917,11 @@ msgstr "URL de redirection"
 msgid "Redirecting"
 msgstr "Redirection"

+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -8917,6 +8917,11 @@ msgstr "URL di reindirizzamento"
 msgid "Redirecting"
 msgstr "Reindirizzamento"

+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -8917,6 +8917,11 @@ msgstr "リダイレクト URL"
 msgid "Redirecting"
 msgstr "リダイレクト中"

+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -8917,6 +8917,11 @@ msgstr "리디렉션 URL"
 msgid "Redirecting"
 msgstr "리디렉션 중"

+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -8917,6 +8917,11 @@ msgstr "Redirect-URL"
 msgid "Redirecting"
 msgstr "Doorsturen"

+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -8918,6 +8918,11 @@ msgstr "Adres URL przekierowania"
 msgid "Redirecting"
 msgstr "Przekierowywanie"

+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -8908,6 +8908,11 @@ msgstr "URL de Redirecionamento"
 msgid "Redirecting"
 msgstr "Redirecionando"

+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -8917,6 +8917,11 @@ msgstr "重定向 URL"
 msgid "Redirecting"
 msgstr "正在重定向"

+#. placeholder {0}: oidcProviderLabel || 'OIDC'
+#: apps/remix/app/routes/_unauthenticated+/signin.tsx
+msgid "Redirecting to {0}..."
+msgstr ""
+
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"
@@ -1,5 +1,10 @@
-import type { TUploadPdfResponse } from '@documenso/remix/server/api/files/files.types';
+import { env } from '@documenso/lib/utils/env';
+import type { TGetPresignedPostUrlResponse, TUploadPdfResponse } from '@documenso/remix/server/api/files/files.types';
+import { DocumentDataType } from '@prisma/client';
+import { base64 } from '@scure/base';
+import { match } from 'ts-pattern';

+import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
 import { AppError } from '../../errors/app-error';

 type File = {
@@ -53,3 +58,68 @@ export const putPdfFile = async (file: File, options?: PutFileOptions) => {

  return result;
 };
+
+/**
+ * Uploads a file to the appropriate storage location.
+ */
+export const putFile = async (file: File, options?: PutFileOptions) => {
+  const NEXT_PUBLIC_UPLOAD_TRANSPORT = env('NEXT_PUBLIC_UPLOAD_TRANSPORT');
+
+  return await match(NEXT_PUBLIC_UPLOAD_TRANSPORT)
+    .with('s3', async () => putFileInObjectStorage(file, {}, options))
+    .with('azure-blob', async () => putFileInObjectStorage(file, { 'x-ms-blob-type': 'BlockBlob' }, options))
+    .otherwise(async () => putFileInDatabase(file));
+};
+
+const putFileInDatabase = async (file: File) => {
+  const contents = await file.arrayBuffer();
+
+  const binaryData = new Uint8Array(contents);
+
+  const asciiData = base64.encode(binaryData);
+
+  return {
+    type: DocumentDataType.BYTES_64,
+    data: asciiData,
+  };
+};
+
+const putFileInObjectStorage = async (file: File, extraHeaders: Record<string, string>, options?: PutFileOptions) => {
+  const getPresignedUrlResponse = await fetch(`${NEXT_PUBLIC_WEBAPP_URL()}/api/files/presigned-post-url`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      ...buildUploadAuthHeaders(options),
+    },
+    body: JSON.stringify({
+      fileName: file.name,
+      contentType: file.type,
+    }),
+  });
+
+  if (!getPresignedUrlResponse.ok) {
+    throw new Error(`Failed to get presigned post url, failed with status code ${getPresignedUrlResponse.status}`);
+  }
+
+  const { url, key }: TGetPresignedPostUrlResponse = await getPresignedUrlResponse.json();
+
+  const body = await file.arrayBuffer();
+
+  const response = await fetch(url, {
+    method: 'PUT',
+    headers: {
+      'Content-Type': 'application/octet-stream',
+      ...extraHeaders,
+    },
+    body,
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to upload file "${file.name}", failed with status code ${response.status}`);
+  }
+
+  return {
+    type: DocumentDataType.S3_PATH,
+    data: key,
+  };
+};
@@ -8,15 +8,3 @@ export const loadLogo = async (file: Uint8Array) => {
    content,
  };
 };
-
-/**
- * Validate and sanitise an uploaded branding logo. Re-encoding through `sharp`
- * proves the bytes are a real raster image and strips any embedded payloads.
- * Throws if the input cannot be parsed as an image.
- */
-export const optimiseBrandingLogo = async (input: Buffer | Uint8Array): Promise<Buffer> => {
-  return await sharp(input)
-    .resize(512, 512, { fit: 'inside', withoutEnlargement: true })
-    .png({ quality: 80 })
-    .toBuffer();
-};
@@ -20,7 +20,6 @@ import { getOrganisationsRoute } from './get-organisations';
 import { leaveOrganisationRoute } from './leave-organisation';
 import { resendOrganisationMemberInviteRoute } from './resend-organisation-member-invite';
 import { updateOrganisationRoute } from './update-organisation';
-import { updateOrganisationBrandingLogoRoute } from './update-organisation-branding-logo';
 import { updateOrganisationGroupRoute } from './update-organisation-group';
 import { updateOrganisationMemberRoute } from './update-organisation-members';
 import { updateOrganisationSettingsRoute } from './update-organisation-settings';
@@ -56,7 +55,6 @@ export const organisationRouter = router({
  },
  settings: {
    update: updateOrganisationSettingsRoute,
-    updateBrandingLogo: updateOrganisationBrandingLogoRoute,
  },
  internal: {
    getOrganisationSession: getOrganisationSessionRoute,
@@ -1,69 +0,0 @@
-import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
-import { ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/organisations';
-import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
-import { buildBrandingLogoData } from '@documenso/lib/server-only/branding/store-branding-logo';
-import { getOrganisationClaim } from '@documenso/lib/server-only/organisation/get-organisation-claims';
-import { buildOrganisationWhereQuery } from '@documenso/lib/utils/organisations';
-import { prisma } from '@documenso/prisma';
-
-import { authenticatedProcedure } from '../trpc';
-import {
-  ZUpdateOrganisationBrandingLogoRequestSchema,
-  ZUpdateOrganisationBrandingLogoResponseSchema,
-} from './update-organisation-branding-logo.types';
-
-export const updateOrganisationBrandingLogoRoute = authenticatedProcedure
-  .input(ZUpdateOrganisationBrandingLogoRequestSchema)
-  .output(ZUpdateOrganisationBrandingLogoResponseSchema)
-  .mutation(async ({ ctx, input }) => {
-    const { user } = ctx;
-    const { payload, brandingLogo } = input;
-    const { organisationId } = payload;
-
-    ctx.logger.info({
-      input: {
-        organisationId,
-      },
-    });
-
-    const organisation = await prisma.organisation.findFirst({
-      where: buildOrganisationWhereQuery({
-        organisationId,
-        userId: user.id,
-        roles: ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_ORGANISATION'],
-      }),
-    });
-
-    if (!organisation) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You do not have permission to update this organisation.',
-      });
-    }
-
-    // Setting a logo requires the custom-branding entitlement; clearing it is
-    // always allowed so a downgraded organisation can still remove its logo.
-    if (brandingLogo && IS_BILLING_ENABLED()) {
-      const claim = await getOrganisationClaim({ organisationId });
-
-      if (claim.flags?.allowCustomBranding !== true) {
-        throw new AppError(AppErrorCode.UNAUTHORIZED, {
-          message: 'Your plan does not allow custom branding.',
-        });
-      }
-    }
-
-    const brandingLogoValue = brandingLogo ? await buildBrandingLogoData(brandingLogo) : '';
-
-    await prisma.organisation.update({
-      where: {
-        id: organisation.id,
-      },
-      data: {
-        organisationGlobalSettings: {
-          update: {
-            brandingLogo: brandingLogoValue,
-          },
-        },
-      },
-    });
-  });
@@ -1,17 +0,0 @@
-import { z } from 'zod';
-import { zfd } from 'zod-form-data';
-
-import { zfdBrandingImageFile, zodFormData } from '../../utils/zod-form-data';
-
-export const ZUpdateOrganisationBrandingLogoRequestSchema = zodFormData({
-  payload: zfd.json(
-    z.object({
-      organisationId: z.string(),
-    }),
-  ),
-  brandingLogo: zfdBrandingImageFile().optional(),
-});
-
-export const ZUpdateOrganisationBrandingLogoResponseSchema = z.void();
-
-export type TUpdateOrganisationBrandingLogoRequest = z.infer<typeof ZUpdateOrganisationBrandingLogoRequestSchema>;
@@ -44,6 +44,7 @@ export const updateOrganisationSettingsRoute = authenticatedProcedure

      // Branding related settings.
      brandingEnabled,
+      brandingLogo,
      brandingUrl,
      brandingCompanyDetails,
      brandingColors,
@@ -173,6 +174,7 @@ export const updateOrganisationSettingsRoute = authenticatedProcedure

            // Branding related settings.
            brandingEnabled,
+            brandingLogo,
            brandingUrl,
            brandingCompanyDetails,
            brandingColors: normalizedBrandingColors === null ? Prisma.DbNull : normalizedBrandingColors,
@@ -32,6 +32,7 @@ export const ZUpdateOrganisationSettingsRequestSchema = z.object({

    // Branding related settings.
    brandingEnabled: z.boolean().optional(),
+    brandingLogo: z.string().optional(),
    brandingUrl: z.string().optional(),
    brandingCompanyDetails: z.string().optional(),
    brandingColors: ZCssVarsSchema.nullish(),
@@ -53,6 +53,15 @@ export const deleteTeamGroupRoute = authenticatedProcedure
      });
    }

+    // You cannot delete internal team groups. These are the system-managed
+    // admin/manager/member groups that back the team's role-based access, and
+    // deleting them would silently strip team members of their access.
+    if (group.organisationGroup.type === OrganisationGroupType.INTERNAL_TEAM) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, {
+        message: 'You are not allowed to delete internal team groups',
+      });
+    }
+
    // You cannot delete internal organisation groups.
    // The only exception is deleting the "member" organisation group which is used to allow
    // all organisation members to access a team.
@@ -25,7 +25,6 @@ import {
  ZUpdateTeamEmailMutationSchema,
 } from './schema';
 import { updateTeamRoute } from './update-team';
-import { updateTeamBrandingLogoRoute } from './update-team-branding-logo';
 import { updateTeamGroupRoute } from './update-team-group';
 import { updateTeamMemberRoute } from './update-team-member';
 import { updateTeamSettingsRoute } from './update-team-settings';
@@ -51,7 +50,6 @@ export const teamRouter = router({
  },
  settings: {
    update: updateTeamSettingsRoute,
-    updateBrandingLogo: updateTeamBrandingLogoRoute,
  },

  // Old routes (to be migrated)
@@ -1,69 +0,0 @@
-import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
-import { TEAM_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/teams';
-import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
-import { buildBrandingLogoData } from '@documenso/lib/server-only/branding/store-branding-logo';
-import { getOrganisationClaimByTeamId } from '@documenso/lib/server-only/organisation/get-organisation-claims';
-import { buildTeamWhereQuery } from '@documenso/lib/utils/teams';
-import { prisma } from '@documenso/prisma';
-
-import { authenticatedProcedure } from '../trpc';
-import {
-  ZUpdateTeamBrandingLogoRequestSchema,
-  ZUpdateTeamBrandingLogoResponseSchema,
-} from './update-team-branding-logo.types';
-
-export const updateTeamBrandingLogoRoute = authenticatedProcedure
-  .input(ZUpdateTeamBrandingLogoRequestSchema)
-  .output(ZUpdateTeamBrandingLogoResponseSchema)
-  .mutation(async ({ ctx, input }) => {
-    const { user } = ctx;
-    const { payload, brandingLogo } = input;
-    const { teamId } = payload;
-
-    ctx.logger.info({
-      input: {
-        teamId,
-      },
-    });
-
-    const team = await prisma.team.findFirst({
-      where: buildTeamWhereQuery({
-        teamId,
-        userId: user.id,
-        roles: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
-      }),
-    });
-
-    if (!team) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You do not have permission to update this team.',
-      });
-    }
-
-    // Setting a logo requires the custom-branding entitlement; clearing it is
-    // always allowed so a downgraded team can still remove its logo.
-    if (brandingLogo && IS_BILLING_ENABLED()) {
-      const claim = await getOrganisationClaimByTeamId({ teamId });
-
-      if (claim.flags?.allowCustomBranding !== true) {
-        throw new AppError(AppErrorCode.UNAUTHORIZED, {
-          message: 'Your plan does not allow custom branding.',
-        });
-      }
-    }
-
-    const brandingLogoValue = brandingLogo ? await buildBrandingLogoData(brandingLogo) : '';
-
-    await prisma.team.update({
-      where: {
-        id: team.id,
-      },
-      data: {
-        teamGlobalSettings: {
-          update: {
-            brandingLogo: brandingLogoValue,
-          },
-        },
-      },
-    });
-  });
@@ -1,17 +0,0 @@
-import { z } from 'zod';
-import { zfd } from 'zod-form-data';
-
-import { zfdBrandingImageFile, zodFormData } from '../../utils/zod-form-data';
-
-export const ZUpdateTeamBrandingLogoRequestSchema = zodFormData({
-  payload: zfd.json(
-    z.object({
-      teamId: z.number(),
-    }),
-  ),
-  brandingLogo: zfdBrandingImageFile().optional(),
-});
-
-export const ZUpdateTeamBrandingLogoResponseSchema = z.void();
-
-export type TUpdateTeamBrandingLogoRequest = z.infer<typeof ZUpdateTeamBrandingLogoRequestSchema>;
@@ -45,9 +45,12 @@ export const updateTeamGroupRoute = authenticatedProcedure
      });
    }

-    if (teamGroup.organisationGroup.type === OrganisationGroupType.INTERNAL_ORGANISATION) {
+    if (
+      teamGroup.organisationGroup.type === OrganisationGroupType.INTERNAL_ORGANISATION ||
+      teamGroup.organisationGroup.type === OrganisationGroupType.INTERNAL_TEAM
+    ) {
      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You are not allowed to update internal organisation groups',
+        message: 'You are not allowed to update internal groups',
      });
    }

@@ -42,6 +42,7 @@ export const updateTeamSettingsRoute = authenticatedProcedure

      // Branding related settings.
      brandingEnabled,
+      brandingLogo,
      brandingUrl,
      brandingCompanyDetails,
      brandingColors,
@@ -175,6 +176,7 @@ export const updateTeamSettingsRoute = authenticatedProcedure

            // Branding related settings.
            brandingEnabled,
+            brandingLogo,
            brandingUrl,
            brandingCompanyDetails,
            brandingColors: normalizedBrandingColors === null ? Prisma.DbNull : normalizedBrandingColors,
@@ -35,6 +35,7 @@ export const ZUpdateTeamSettingsRequestSchema = z.object({

    // Branding related settings.
    brandingEnabled: z.boolean().nullish(),
+    brandingLogo: z.string().nullish(),
    brandingUrl: z.string().nullish(),
    brandingCompanyDetails: z.string().nullish(),
    brandingColors: ZCssVarsSchema.nullish(),
@@ -1,9 +1,4 @@
 import { APP_DOCUMENT_UPLOAD_SIZE_LIMIT } from '@documenso/lib/constants/app';
-import {
-  BRANDING_LOGO_ALLOWED_TYPES,
-  BRANDING_LOGO_MAX_SIZE_BYTES,
-  BRANDING_LOGO_MAX_SIZE_MB,
-} from '@documenso/lib/constants/branding';
 import { megabytesToBytes } from '@documenso/lib/universal/unit-convertions';
 import type { ZodRawShape } from 'zod';
 import z from 'zod';
@@ -22,21 +17,6 @@ export const zfdFile = () => {
  });
 };

-/**
- * A `zfd.file()` schema constrained to branding-logo images: size-limited and
- * restricted to a MIME allowlist. Use for server-side branding logo uploads.
- */
-export const zfdBrandingImageFile = () => {
-  return zfd
-    .file()
-    .refine((file) => file.size <= BRANDING_LOGO_MAX_SIZE_BYTES, {
-      message: `File cannot be larger than ${BRANDING_LOGO_MAX_SIZE_MB}MB`,
-    })
-    .refine((file) => BRANDING_LOGO_ALLOWED_TYPES.includes(file.type), {
-      message: 'File must be a JPG, PNG, or WebP image',
-    });
-};
-
 /**
 * This helper takes the place of the `z.object` at the root of your schema.
 * It wraps your schema in a `z.preprocess` that extracts all the data out of a `FormData`
@@ -93,6 +93,13 @@ declare namespace NodeJS {
    NEXT_PUBLIC_DISABLE_OIDC_SIGNUP?: string;
    NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS?: string;

+    NEXT_PUBLIC_DISABLE_SIGNIN?: string;
+    NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN?: string;
+    NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN?: string;
+    NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN?: string;
+    NEXT_PUBLIC_DISABLE_OIDC_SIGNIN?: string;
+    NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT?: string;
+
    NEXT_PRIVATE_BROWSERLESS_URL?: string;

    NEXT_PRIVATE_JOBS_PROVIDER?: 'inngest' | 'local' | 'bullmq';
@@ -163,6 +163,18 @@ services:
        sync: false
      - key: NEXT_PUBLIC_DISABLE_OIDC_SIGNUP
        sync: false
+      - key: NEXT_PUBLIC_DISABLE_SIGNIN
+        sync: false
+      - key: NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN
+        sync: false
+      - key: NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN
+        sync: false
+      - key: NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN
+        sync: false
+      - key: NEXT_PUBLIC_DISABLE_OIDC_SIGNIN
+        sync: false
+      - key: NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT
+        sync: false
      - key: NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS
        sync: false

@@ -53,6 +53,12 @@
    "NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP",
    "NEXT_PUBLIC_DISABLE_OIDC_SIGNUP",
    "NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS",
+    "NEXT_PUBLIC_DISABLE_SIGNIN",
+    "NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN",
+    "NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN",
+    "NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN",
+    "NEXT_PUBLIC_DISABLE_OIDC_SIGNIN",
+    "NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT",
    "NEXT_PRIVATE_PLAIN_API_KEY",
    "NEXT_PUBLIC_DOCUMENT_SIZE_UPLOAD_LIMIT",
    "NEXT_PRIVATE_DOCUMENSO_LICENSE_KEY",
Author	SHA1	Message	Date
Kendry Grullon	562d78e2d7	feat: add granular signin disable flags and OIDC auto-redirect (#2857 )	2026-06-30 16:08:09 +10:00
Grégory Chevalier	3b110cf70d	fix: french translation for confirmation message (#3050 )	2026-06-30 15:52:59 +10:00
David Nguyen	7062fadf0b	fix: add additional team group permission checks (#3052 )	2026-06-30 15:45:48 +10:00