dograh/ui
prabhatlepton e7494e9c21
feat(auth): gate OSS signup behind ENABLE_SIGNUP flag (#514)
* feat(auth): gate OSS signup behind ENABLE_SIGNUP flag

## Problem

The `POST /api/v1/auth/signup` endpoint is unconditionally exposed on
every OSS install. Operators running an invite-only deployment (private
customer instances, staging environments, internal-only tenants) have
no way to disable public account creation without patching the codebase.
The UI also shows the "Sign up" link on `/auth/login` regardless of
whether signup is available, so a locked-down deployment leaves broken
navigation on the login page.

## Fix

Introduce a single `ENABLE_SIGNUP` env var (default `true` — no behavior
change for existing installs) that controls signup end-to-end:

- **Backend** — `api/constants.ENABLE_SIGNUP` is read at module load.
  The signup handler returns 403 when it's false. Also exposed on
  `GET /api/v1/health` as `signup_enabled: bool` so the UI can mirror
  the operator's choice at runtime instead of at bundle-build time.

- **UI** — `getSignupEnabled()` in `lib/auth/config.ts` proxies the
  health field, `/api/config/auth` surfaces it to the browser, the
  login page conditionally renders the "Sign up" link via a one-shot
  `fetch("/api/config/auth")` in `useEffect`, and the middleware
  redirects `/auth/signup` → `/auth/login` when disabled (fires before
  Next.js can serve the statically-prerendered signup page).

- **Helm** — `config.enableSignup` (default `true`) is rendered into
  the ConfigMap as `ENABLE_SIGNUP` so operators can flip it via
  `--set config.enableSignup=false` at install/upgrade time.

Fallbacks default to `signupEnabled: true` in every layer so a fresh
install "just works" and matches the backend default.

* address review: rollout on ConfigMap change, cache TTL, no signup-link flash

Four review points on #514:

**P1 — ConfigMap Change Skips Rollout** (`configmap.yaml`). `helm upgrade
--set config.enableSignup=false` updated the ConfigMap but did NOT roll
the api pods, so running processes kept the ENABLE_SIGNUP env from
startup and continued serving the old signup behavior — including
divergence between replicas mid-upgrade.

Fix: add the standard `checksum/config` pod-template annotation on the
four backend Deployments that `envFrom` the ConfigMap (`web`,
`arq-worker`, `ari-manager`, `campaign-orchestrator`). Verified with
`helm template`: all four Deployments share the same checksum on any
given render, and flipping `config.enableSignup` changes the checksum
uniformly so kubectl sees a pod-template diff and rolls all four.

**P1 — Signup Flag Stays Cached (server)** (`ui/src/lib/auth/config.ts`).
Module-scoped cache had no TTL. `revalidate: 300` was passed on the
underlying `fetch()` but the in-memory short-circuit above ran first, so
the value never refreshed until the UI pod restarted.

Fix: add `AUTH_CONFIG_TTL_MS = 5 * 60 * 1000` (matching the fetch
revalidate hint) so the module cache and the Next fetch cache stay in
sync. Backend flag flips propagate within 5 minutes without a pod
restart.

**P1 — Middleware Redirect Uses Stale State** (`ui/src/middleware.ts`).
Same shape as above — a separate module cache with no expiry could keep
redirecting `/auth/signup → /auth/login` after signup was re-enabled, or
keep serving the statically-prerendered signup page after lockdown.

Fix: same `SERVER_CONFIG_TTL_MS = 5 * 60 * 1000` TTL on the middleware
cache.

**P2 — Signup link flash on login page** (`ui/src/app/auth/login/page.tsx`).
Initial `signupEnabled` state was `null`, so `{signupEnabled && ...}`
hid the link on first paint and it popped in after the fetch resolved
— a CLS on every login-page load on stock installs where signup is
enabled.

Fix: initialise the state to `true` (matches the backend default). The
fetch still overrides to `false` when the operator has actually
disabled signup, so the lockdown UI behavior is unchanged; only the
happy-path flash is gone.

* simplify signup flag: drop TTL caches and middleware redirect

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* resolve signup flag server-side to avoid signup link flicker

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

---------

Co-authored-by: prabhat pankaj <prabhatiitbhu@gmail.com>
Co-authored-by: Abhishek Kumar <abhishek@a6k.me>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
2026-07-13 14:08:25 +05:30
..
public embed cal and chatwoot bubble missing fix (#483) 2026-06-29 23:02:55 +05:30
scripts feat: refactor node spec and add mcp tools (#244) 2026-04-21 07:56:16 +05:30
src feat(auth): gate OSS signup behind ENABLE_SIGNUP flag (#514) 2026-07-13 14:08:25 +05:30
.dockerignore Initial Commit 🚀 🚀 2025-09-09 14:37:32 +05:30
.env.example feat: UI refresh and user onboarding (#430) 2026-06-17 19:49:33 +05:30
.gitignore chore: setup worktree script 2026-06-30 15:59:18 +05:30
.pre-commit-config.yaml Initial Commit 🚀 🚀 2025-09-09 14:37:32 +05:30
AGENTS.md fix: support object and array parameters in custom HTTP tools (#373) 2026-06-02 11:35:38 +05:30
CLAUDE.md Chore/add setup and contributing docs (#90) 2025-12-27 09:25:20 +05:30
components.json Initial Commit 🚀 🚀 2025-09-09 14:37:32 +05:30
Dockerfile feat: enable stack auth config from backend 2026-06-18 14:17:28 +05:30
eslint.config.mjs feat: agent versioning and model configurations override (#227) 2026-04-08 19:20:31 +05:30
next.config.ts chore: improve upon mcp prompts (#494) 2026-07-03 18:14:03 +05:30
openapi-ts.config.ts chore: improve upon mcp prompts (#494) 2026-07-03 18:14:03 +05:30
package-lock.json fix: fix org scoped access for resources (#517) 2026-07-09 23:04:33 +05:30
package.json fix: fix org scoped access for resources (#517) 2026-07-09 23:04:33 +05:30
postcss.config.mjs Initial Commit 🚀 🚀 2025-09-09 14:37:32 +05:30
README.md Initial Commit 🚀 🚀 2025-09-09 14:37:32 +05:30
sentry.edge.config.ts chore: fix ui and add "Get Help" button (#27) 2025-10-07 17:40:01 +05:30
sentry.server.config.ts chore: fix ui and add "Get Help" button (#27) 2025-10-07 17:40:01 +05:30
tsconfig.json Initial Commit 🚀 🚀 2025-09-09 14:37:32 +05:30
vitest.config.mts fix: fix org scoped access for resources (#517) 2026-07-09 23:04:33 +05:30

This is a Next.js project bootstrapped with create-next-app.

Getting Started

First, run the development server:

npm run dev
# or
yarn dev
# or
pnpm dev
# or
bun dev

Login Flow

  1. The redirection happens server side using ui/src/stack.tsx after the user has logged in.

Sentry and PostHog

  1. Initialized in ui/src/instrumentation-client.ts