mirror of
https://github.com/dograh-hq/dograh.git
synced 2026-07-13 11:22:14 +02:00
feat(auth): gate OSS signup behind ENABLE_SIGNUP flag (#514)
* feat(auth): gate OSS signup behind ENABLE_SIGNUP flag
## Problem
The `POST /api/v1/auth/signup` endpoint is unconditionally exposed on
every OSS install. Operators running an invite-only deployment (private
customer instances, staging environments, internal-only tenants) have
no way to disable public account creation without patching the codebase.
The UI also shows the "Sign up" link on `/auth/login` regardless of
whether signup is available, so a locked-down deployment leaves broken
navigation on the login page.
## Fix
Introduce a single `ENABLE_SIGNUP` env var (default `true` — no behavior
change for existing installs) that controls signup end-to-end:
- **Backend** — `api/constants.ENABLE_SIGNUP` is read at module load.
The signup handler returns 403 when it's false. Also exposed on
`GET /api/v1/health` as `signup_enabled: bool` so the UI can mirror
the operator's choice at runtime instead of at bundle-build time.
- **UI** — `getSignupEnabled()` in `lib/auth/config.ts` proxies the
health field, `/api/config/auth` surfaces it to the browser, the
login page conditionally renders the "Sign up" link via a one-shot
`fetch("/api/config/auth")` in `useEffect`, and the middleware
redirects `/auth/signup` → `/auth/login` when disabled (fires before
Next.js can serve the statically-prerendered signup page).
- **Helm** — `config.enableSignup` (default `true`) is rendered into
the ConfigMap as `ENABLE_SIGNUP` so operators can flip it via
`--set config.enableSignup=false` at install/upgrade time.
Fallbacks default to `signupEnabled: true` in every layer so a fresh
install "just works" and matches the backend default.
* address review: rollout on ConfigMap change, cache TTL, no signup-link flash
Four review points on #514:
**P1 — ConfigMap Change Skips Rollout** (`configmap.yaml`). `helm upgrade
--set config.enableSignup=false` updated the ConfigMap but did NOT roll
the api pods, so running processes kept the ENABLE_SIGNUP env from
startup and continued serving the old signup behavior — including
divergence between replicas mid-upgrade.
Fix: add the standard `checksum/config` pod-template annotation on the
four backend Deployments that `envFrom` the ConfigMap (`web`,
`arq-worker`, `ari-manager`, `campaign-orchestrator`). Verified with
`helm template`: all four Deployments share the same checksum on any
given render, and flipping `config.enableSignup` changes the checksum
uniformly so kubectl sees a pod-template diff and rolls all four.
**P1 — Signup Flag Stays Cached (server)** (`ui/src/lib/auth/config.ts`).
Module-scoped cache had no TTL. `revalidate: 300` was passed on the
underlying `fetch()` but the in-memory short-circuit above ran first, so
the value never refreshed until the UI pod restarted.
Fix: add `AUTH_CONFIG_TTL_MS = 5 * 60 * 1000` (matching the fetch
revalidate hint) so the module cache and the Next fetch cache stay in
sync. Backend flag flips propagate within 5 minutes without a pod
restart.
**P1 — Middleware Redirect Uses Stale State** (`ui/src/middleware.ts`).
Same shape as above — a separate module cache with no expiry could keep
redirecting `/auth/signup → /auth/login` after signup was re-enabled, or
keep serving the statically-prerendered signup page after lockdown.
Fix: same `SERVER_CONFIG_TTL_MS = 5 * 60 * 1000` TTL on the middleware
cache.
**P2 — Signup link flash on login page** (`ui/src/app/auth/login/page.tsx`).
Initial `signupEnabled` state was `null`, so `{signupEnabled && ...}`
hid the link on first paint and it popped in after the fetch resolved
— a CLS on every login-page load on stock installs where signup is
enabled.
Fix: initialise the state to `true` (matches the backend default). The
fetch still overrides to `false` when the operator has actually
disabled signup, so the lockdown UI behavior is unchanged; only the
happy-path flash is gone.
* simplify signup flag: drop TTL caches and middleware redirect
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
* resolve signup flag server-side to avoid signup link flicker
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---------
Co-authored-by: prabhat pankaj <prabhatiitbhu@gmail.com>
Co-authored-by: Abhishek Kumar <abhishek@a6k.me>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
2c803bbea9
commit
e7494e9c21
18 changed files with 184 additions and 101 deletions
|
|
@ -25,10 +25,13 @@ spec:
|
|||
labels:
|
||||
{{- include "dograh.selectorLabels" . | nindent 8 }}
|
||||
app.kubernetes.io/component: ari-manager
|
||||
{{- with .Values.ariManager.podAnnotations }}
|
||||
annotations:
|
||||
# Roll pods when the ConfigMap changes. See web-deployment.yaml for
|
||||
# the full rationale.
|
||||
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
|
||||
{{- with .Values.ariManager.podAnnotations }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ include "dograh.serviceAccountName" . }}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
|
|
|
|||
|
|
@ -22,10 +22,13 @@ spec:
|
|||
labels:
|
||||
{{- include "dograh.selectorLabels" . | nindent 8 }}
|
||||
app.kubernetes.io/component: arq-worker
|
||||
{{- with .Values.workers.podAnnotations }}
|
||||
annotations:
|
||||
# Roll pods when the ConfigMap changes. See web-deployment.yaml for
|
||||
# the full rationale.
|
||||
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
|
||||
{{- with .Values.workers.podAnnotations }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ include "dograh.serviceAccountName" . }}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
|
|
|
|||
|
|
@ -25,10 +25,13 @@ spec:
|
|||
labels:
|
||||
{{- include "dograh.selectorLabels" . | nindent 8 }}
|
||||
app.kubernetes.io/component: campaign-orchestrator
|
||||
{{- with .Values.campaignOrchestrator.podAnnotations }}
|
||||
annotations:
|
||||
# Roll pods when the ConfigMap changes. See web-deployment.yaml for
|
||||
# the full rationale.
|
||||
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
|
||||
{{- with .Values.campaignOrchestrator.podAnnotations }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ include "dograh.serviceAccountName" . }}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ data:
|
|||
FORCE_TURN_RELAY: {{ .Values.config.forceTurnRelay | quote }}
|
||||
TURN_HOST: {{ .Values.config.turnHost | quote }}
|
||||
FASTAPI_WORKERS: {{ .Values.config.fastapiWorkers | quote }}
|
||||
ENABLE_SIGNUP: {{ .Values.config.enableSignup | quote }}
|
||||
{{- /* MinIO endpoints derived from storage mode. */ -}}
|
||||
{{- if eq .Values.storage.mode "internalMinio" }}
|
||||
MINIO_ENDPOINT: {{ printf "%s:9000" (include "dograh.minioHost" .) | quote }}
|
||||
|
|
|
|||
|
|
@ -24,10 +24,15 @@ spec:
|
|||
labels:
|
||||
{{- include "dograh.selectorLabels" . | nindent 8 }}
|
||||
app.kubernetes.io/component: web
|
||||
{{- with .Values.web.podAnnotations }}
|
||||
annotations:
|
||||
# Roll pods when the ConfigMap changes (e.g. `helm upgrade --set
|
||||
# config.enableSignup=false`). envFrom values are otherwise only read
|
||||
# at pod startup, so a ConfigMap-only upgrade would leave running pods
|
||||
# on the stale value until an unrelated restart.
|
||||
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
|
||||
{{- with .Values.web.podAnnotations }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ include "dograh.serviceAccountName" . }}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
|
|
|
|||
|
|
@ -117,6 +117,7 @@ config:
|
|||
forceTurnRelay: false
|
||||
turnHost: "" # public hostname/IP of coturn (the LoadBalancer address)
|
||||
fastapiWorkers: 1 # informational only; web tier scales by pod, not in-pod workers
|
||||
enableSignup: true # set false to 403 the /api/v1/auth/signup endpoint (invite-only lockdown)
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Secrets — rendered into a Kubernetes Secret unless secrets.existingSecret is
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue