diff --git a/.env b/.env
index 581af6d97..eb1c594ed 100644
--- a/.env
+++ b/.env
@@ -1,5 +1,8 @@
 _APP_ENV=production
 _APP_ENV=development
+_APP_CONSOLE_WHITELIST_GOD=enabled
+_APP_CONSOLE_WHITELIST_EMAILS=
+_APP_CONSOLE_WHITELIST_IPS=
 _APP_SYSTEM_EMAIL_NAME=Appwrite
 _APP_SYSTEM_EMAIL_ADDRESS=team@appwrite.io
 _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io
diff --git a/Dockerfile b/Dockerfile
index c7316bd1d..52dbeaff7 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -72,6 +72,13 @@ ENV _APP_SERVER=swoole \
 _APP_DOMAIN_TARGET=localhost \
 _APP_HOME=https://appwrite.io \
 _APP_EDITION=community \
+ _APP_CONSOLE_WHITELIST_GOD=enabled \
+ _APP_CONSOLE_WHITELIST_EMAILS= \
+ _APP_CONSOLE_WHITELIST_IPS= \
+ _APP_SYSTEM_EMAIL_NAME= \
+ _APP_SYSTEM_EMAIL_ADDRESS= \
+ _APP_SYSTEM_RESPONSE_FORMAT= \
+ _APP_SYSTEM_SECURITY_EMAIL_ADDRESS= \
 _APP_OPTIONS_ABUSE=enabled \
 _APP_OPTIONS_FORCE_HTTPS=disabled \
 _APP_OPENSSL_KEY_V1=your-secret-key \
diff --git a/app/config/collections.php b/app/config/collections.php
index 9170b0757..ec735a278 100644
--- a/app/config/collections.php
+++ b/app/config/collections.php
@@ -43,6 +43,7 @@ $collections = [
 'legalCity' => '',
 'legalAddress' => '',
 'legalTaxId' => '',
+ 'authWhitelistGod' => App::getEnv('_APP_CONSOLE_WHITELIST_GOD', 'enabled'),
 'authWhitelistEmails' => (!empty(App::getEnv('_APP_CONSOLE_WHITELIST_EMAILS', null))) ? \explode(',', App::getEnv('_APP_CONSOLE_WHITELIST_EMAILS', null)) : [],
 'authWhitelistIPs' => (!empty(App::getEnv('_APP_CONSOLE_WHITELIST_IPS', null))) ? \explode(',', App::getEnv('_APP_CONSOLE_WHITELIST_IPS', null)) : [],
 'authWhitelistDomains' => (!empty(App::getEnv('_APP_CONSOLE_WHITELIST_DOMAINS', null))) ? \explode(',', App::getEnv('_APP_CONSOLE_WHITELIST_DOMAINS', null)) : [],
diff --git a/app/config/variables.php b/app/config/variables.php
index 722796c6f..c8f571e1f 100644
--- a/app/config/variables.php
+++ b/app/config/variables.php
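Review bot: The Dockerfile hunk sets `_APP_SYSTEM_EMAIL_NAME=`, `_APP_SYSTEM_EMAIL_ADDRESS=`, `_APP_SYSTEM_RESPONSE_FORMAT=` and `_APP_SYSTEM_SECURITY_EMAIL_ADDRESS=` to empty strings in the image, while the `.env` hunk in the same commit keeps `Appwrite`, `team@appwrite.io` and `security@appwrite.io` for the first, second and last of those. If `App::getEnv()` follows `getenv()` semantics, an existing-but-empty variable is returned as `''` rather than falling through to the code-level default, so the container would end up with blank sender and security addresses; that is an inference from the names and worth confirming against `App::getEnv`. If the intent is only to declare the variables, leaving them out of `ENV` or giving them the same values as `.env` would keep the two files in agreement.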
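Review bot: The new `'authWhitelistGod'` entry copies the raw `_APP_CONSOLE_WHITELIST_GOD` string into what appears to be the default console project document, and every consumer added in this commit tests it with `!== 'disabled'`, so any other value (`false`, `0`, a typo) behaves as enabled. Failing closed is the right default for a registration gate, but the accepted vocabulary is never stated; normalising at this boundary makes that explicit, e.g. `'authWhitelistGod' => (App::getEnv('_APP_CONSOLE_WHITELIST_GOD', 'enabled') === 'disabled') ? 'disabled' : 'enabled',`. The enclosing `$collections` array begins and ends outside the hunk.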
@@ -55,9 +55,17 @@ return [
 'required' => true,
 'question' => 'Enter a DNS A record hostname to serve as a CNAME for your custom domains.\nYou can use the same value as used for the Appwrite hostname.',
 ],
+ [
+ 'name' => '_APP_CONSOLE_WHITELIST_GOD',
+ 'description' => 'This option allows you to disable the creation of new users on the Appwrite console. When enabled only 1 user will be able to use the registartion form. New users can be added by invting them to your project. By default this option is enabled.',
+ 'introduction' => '',
+ 'default' => 'enabled',
+ 'required' => false,
+ 'question' => '',
+ ],
 [
 'name' => '_APP_CONSOLE_WHITELIST_EMAILS',
- 'description' => 'This option allows you to limit creation of users to Appwrite console. This option is very useful for small teams or sole developers. To enable it, pass a list of allowed email addresses separated by a comma.',
+ 'description' => 'This option allows you to limit creation of new users on the Appwrite console. This option is very useful for small teams or sole developers. To enable it, pass a list of allowed email addresses separated by a comma.',
 'introduction' => '',
 'default' => '',
 'required' => false,
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index e8ae76312..9c6516f91 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
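Review bot: The new `_APP_CONSOLE_WHITELIST_GOD` description contains two typos, `registartion` and `invting`, and this string is presumably what the docs and setup prompts print to operators. I would change it to `'description' => 'This option allows you to disable the creation of new users on the Appwrite console. When enabled only 1 user will be able to use the registration form. New users can be added by inviting them to your project. By default this option is enabled.',`. It would also help to state the accepted values (`enabled` / `disabled`), because the consumers added in this commit treat every value other than `disabled` as enabled.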
@@ -58,10 +58,24 @@ App::post('/v1/account')
 /** @var Appwrite\Event\Event $audits */
 if ('console' === $project->getId()) {
+ $whitlistGod = $project->getAttribute('authWhitelistGod');
 $whitlistEmails = $project->getAttribute('authWhitelistEmails');
 $whitlistIPs = $project->getAttribute('authWhitelistIPs');
 $whitlistDomains = $project->getAttribute('authWhitelistDomains');
+ if($whitlistGod !== 'disabled') {
+ $sum = $projectDB->getCount([ // Count users
+ 'limit' => 1,
+ 'filters' => [
+ '$collection='.Database::SYSTEM_COLLECTION_USERS,
+ ],
+ ]);
+
+ if($sum !== 0) {
+ throw new Exception('Console registration is restricted. Contact your administrator for more information.', 401);
+ }
+ }
+
 if (!empty($whitlistEmails) && !\in_array($email, $whitlistEmails)) {
 throw new Exception('Console registration is restricted to specific emails. Contact your administrator for more information.', 401);
 }
diff --git a/app/controllers/web/home.php b/app/controllers/web/home.php
index f302f0af3..18231e4a0 100644
--- a/app/controllers/web/home.php
+++ b/app/controllers/web/home.php
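Review bot: The first-user gate is a read-then-act check: `$projectDB->getCount(...)` and the user creation that follows later in the action are not executed atomically, so two concurrent registration requests that both observe `$sum === 0` will both pass and more than one console account can be created while the gate is enabled. If the database layer offers no lock or uniqueness guarantee that can close this window, the limitation should at least be recorded at the check, e.g. `// Not atomic: concurrent first registrations can race past this count; only acceptable for the initial-setup window.` The check also fails closed when `authWhitelistGod` is missing from the project document (`null !== 'disabled'`), which is the right behaviour for console projects created before the attribute existed but deserves a one-line comment so nobody "fixes" it. The `App::post('/v1/account')` action continues outside the hunk.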
@@ -1,5 +1,6 @@
label('permission', 'public')
 ->label('scope', 'home')
 ->inject('response')
- ->action(function ($response) {
+ ->inject('project')
+ ->inject('projectDB')
+ ->action(function ($response, $projectDB, $project) {
 /** @var Appwrite\Utopia\Response $response */
+ /** @var Appwrite\Database\Database $projectDB */
+ /** @var Appwrite\Database\Document $project */
- $response->redirect('/auth/signin');
+ $response
+ ->addHeader('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0')
+ ->addHeader('Expires', 0)
+ ->addHeader('Pragma', 'no-cache')
+ ;
+
+ if ('console' === $project->getId()) {
+ $whitlistGod = $project->getAttribute('authWhitelistGod');
+
+ if($whitlistGod !== 'disabled') {
+ $sum = $projectDB->getCount([ // Count users
+ 'limit' => 1,
+ 'filters' => [
+ '$collection='.Database::SYSTEM_COLLECTION_USERS,
+ ],
+ ]);
+
+ if($sum !== 0) {
+ return $response->redirect('/auth/signin');
+ }
+ }
+ }
+
+ $response->redirect('/auth/signup');
 });
 App::get('/auth/signin')
@@ -58,6 +86,10 @@ App::get('/auth/signin')
 $page = new View(__DIR__.'/../../views/home/auth/signin.phtml');
+ $page
+ ->setParam('god', App::getEnv('_APP_CONSOLE_WHITELIST_GOD', 'enabled'))
+ ;
+
 $layout
 ->setParam('title', 'Sign In - '.APP_NAME)
 ->setParam('body', $page);
@@ -72,6 +104,10 @@ App::get('/auth/signup')
 /** @var Utopia\View $layout */
 $page = new View(__DIR__.'/../../views/home/auth/signup.phtml');
+ $page
+ ->setParam('god', App::getEnv('_APP_CONSOLE_WHITELIST_GOD', 'enabled'))
+ ;
+
 $layout
 ->setParam('title', 'Sign In - '.APP_NAME)
 ->setParam('body', $page);
diff --git a/app/tasks/doctor.php b/app/tasks/doctor.php
index 2918d4f1e..a6231daca 100644
--- a/app/tasks/doctor.php
+++ b/app/tasks/doctor.php
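Review bot: In the `@@ -58,6 +86,10 @@` and `@@ -72,6 +104,10 @@` hunks the `god` view parameter is taken from the environment, `App::getEnv('_APP_CONSOLE_WHITELIST_GOD', 'enabled')`, whereas the `/` route in this same file and `POST /v1/account` decide from the project document, `$project->getAttribute('authWhitelistGod')`; one switch with two sources of truth is harder to audit and can disagree if the document and the environment ever diverge. Because the view flag only changes what is rendered and the API check stays the enforcement point, I would inject `project` into both routes and use `->setParam('god', $project->getAttribute('authWhitelistGod'))` so the UI mirrors the value that is actually enforced. Separately, the `/` route passes an integer to `->addHeader('Expires', 0)` while the neighbouring headers pass strings; `'0'` would be consistent with them. The first hunk of this file is not legible in this copy of the diff, so the import it adds could not be reviewed.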
@@ -61,11 +61,13 @@ $cli
 Console::log('🟢 Abuse protection is enabled');
 }
+ $authWhitelistGod = App::getEnv('_APP_CONSOLE_WHITELIST_GOD', null);
 $authWhitelistEmails = App::getEnv('_APP_CONSOLE_WHITELIST_EMAILS', null);
 $authWhitelistIPs = App::getEnv('_APP_CONSOLE_WHITELIST_IPS', null);
 $authWhitelistDomains = App::getEnv('_APP_CONSOLE_WHITELIST_DOMAINS', null);
- if(empty($authWhitelistEmails)
+ if(empty($authWhitelistGod)
+ && empty($authWhitelistEmails)
 && empty($authWhitelistDomains)
 && empty($authWhitelistIPs)
 ) {
diff --git a/app/views/home/auth/signin.phtml b/app/views/home/auth/signin.phtml
index 405256a60..d89f7e41d 100644
--- a/app/views/home/auth/signin.phtml
+++ b/app/views/home/auth/signin.phtml
@@ -1,3 +1,6 @@
+getParam('god') !== 'disabled');
+?>
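Review bot: `empty($authWhitelistGod)` does not match how the setting is enforced elsewhere in this commit: with the variable unset, `collections.php` defaults it to `enabled` and `account.php` applies the gate, yet doctor treats it as absent protection, while the explicit value `disabled` is non-empty and so is counted as protection. The check should mirror the enforcement, `$authWhitelistGod = App::getEnv('_APP_CONSOLE_WHITELIST_GOD', 'enabled');` and `if($authWhitelistGod === 'disabled'` as the first clause, so the report (presumably a warning that console registration is open) is only raised when registration really is unrestricted. The remaining clauses and the body of the condition lie outside the hunk.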
- Forgot password? or don't have an account? Sign up now + Forgot password? or don't have an account? Sign up now
diff --git a/app/views/home/auth/signup.phtml b/app/views/home/auth/signup.phtml index b5aac0143..03613746e 100644 --- a/app/views/home/auth/signup.phtml +++ b/app/views/home/auth/signup.phtml @@ -1,3 +1,6 @@ +getParam('god') !== 'disabled'); +?>

Sign Up @@ -44,6 +47,8 @@

+
Already have an account? -
\ No newline at end of file + + \ No newline at end of file