feat(auth): add ALLOW_SIGNUPS env var to gate self-service sign-ups

.env.dev.example

@@ -1,42 +1,50 @@
-# Securely manage and sync environment variables with Phase.
+# phase.dev - Keep secrets.
+#
+#              /$$
+#             | $$
+#     /$$$$$$ | $$$$$$$   /$$$$$$   /$$$$$$$  /$$$$$$
+#    /$$__  $$| $$__  $$ |____  $$ /$$_____/ /$$__  $$
+#   | $$  \ $$| $$  \ $$  /$$$$$$$|  $$$$$$ | $$$$$$$$
+#   | $$  | $$| $$  | $$ /$$__  $$ \____  $$| $$_____/
+#   | $$$$$$$/| $$  | $$|  $$$$$$$ /$$$$$$$/|  $$$$$$$
+#   | $$____/ |__/  |__/ \_______/|_______/  \_______/
+#   | $$
+#   |__/
+#
+# For the complete list of secrets and deployment configuration options, see:
+# https://docs.phase.dev/self-hosting/configuration/envars
+# Warning: For production deployments, use a more secure method than a .env file to store secrets.
 
-# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⠔⠋⣳⣖⠚⣲⢖⠙⠳⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⠀⠀⡴⠉⢀⡼⠃⢘⣞⠁⠙⡆⠀⠘⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⢀⡜⠁⢠⠞⠀⢠⠞⠸⡆⠀⠹⡄⠀⠹⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⢀⠞⠀⢠⠏⠀⣠⠏⠀⠀⢳⠀⠀⢳⠀⠀⢧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⢠⠎⠀⣠⠏⠀⣰⠃⠀⠀⠀⠈⣇⠀⠘⡇⠀⠘⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⢠⠏⠀⣰⠇⠀⣰⠃⠀⠀⠀⠀⠀⢺⡀⠀⢹⠀⠀⢽⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⢠⠏⠀⣰⠃⠀⣰⠃⠀⠀⠀⠀⠀⠀⠀⣇⠀⠈⣇⠀⠘⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⢠⠏⠀⢰⠃⠀⣰⠃⠀⠀⠀⠀⠀⠀⠀⠀⢸⡀⠀⢹⡀⠀⢹⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⢠⠏⠀⢰⠃⠀⣰⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣇⠀⠈⣇⠀⠈⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠛⠒⠚⠛⠒⠓⠚⠒⠒⠓⠒⠓⠚⠒⠓⠚⠒⠓⢻⡒⠒⢻⡒⠒⢻⡒⠒⠒⠒⠒⠒⠒⠒⠒⠒⣲⠒⠒⣲⠒⠒⡲⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢧⠀⠀⢧⠀⠈⣇⠀⠀⠀⠀⠀⠀⠀⠀⢠⠇⠀⣰⠃⠀⣰⠃⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⡆⠀⠘⡆⠀⠸⡄⠀⠀⠀⠀⠀⠀⣠⠇⠀⣰⠃⠀⣴⠃⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠹⡄⠀⠹⡄⠀⠹⡄⠀⠀⠀⠀⡴⠃⢀⡼⠁⢀⡼⠁⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⣆⠀⠙⣆⠀⠹⣄⠀⣠⠎⠁⣠⠞⠀⡤⠏⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠳⢤⣈⣳⣤⣼⣹⢥⣰⣋⡥⡴⠊⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀
-
-# Replace with your domain or host
+# Replace with your domain or host.
+# Use the domain or IP address where users will access Phase.
 HOST=localhost
 HTTP_PROTOCOL=https://
 
-# Whitelist email domains that users are allowed to sign-in with, as a comma separated list. 
-# Leave commented to allow all email domains
+# Whitelist email domains that users are allowed to sign in with, as a comma-separated list.
+# Leave commented to allow all email domains.
 #USER_EMAIL_DOMAIN_WHITELIST=mydomain.com,subdomain.mydomain.com
 
 # Frontend dev
 NEXTAUTH_URL=https://localhost
 OAUTH_REDIRECT_URI=https://localhost
 BACKEND_API_BASE=http://backend:8000
 NEXT_PUBLIC_BACKEND_API_BASE=https://localhost/service
-SSO_PROVIDERS=google,github,gitlab
 
-# WARNING: Replace these with a cryptographically strong random values. You can use `openssl rand -hex 32` to generate these.
+# OAuth providers to enable on the sign-in page (optional).
+# Leave empty for password-only local development.
+# Example: SSO_PROVIDERS=google,github,gitlab
+SSO_PROVIDERS=
+
+# Allow new users to sign themselves up (default: true). Set to "false"
+# to require an invite for any new account.
+#ALLOW_SIGNUPS=true
+
+# WARNING: Replace these with cryptographically strong random values. You can use `openssl rand -hex 32` to generate them.
 NEXTAUTH_SECRET=82031b3760ac58352bb2d48fd9f32e9f72a0614343b669038139f18652ed1447
 SECRET_KEY=92d44efc4f9a4c0556cc67d2d033d3217829c263d5ab7d1954cf4b5bfd533e58
 SERVER_SECRET=9e760539415af07b22249b5878593bd4deb9b8961c7dd0570117549f2c4f32a2
 
-# OAuth provider credentials. Add your own credentials here for each provider you wish to use 
+# OAuth provider credentials. Add credentials for each provider you enable in SSO_PROVIDERS.
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 
@@ -48,6 +56,7 @@ GITLAB_CLIENT_SECRET=
 
 
 # Integrations
+# GitHub secret sync integration OAuth credentials.
 GITHUB_INTEGRATION_CLIENT_ID=
 NEXT_PUBLIC_GITHUB_INTEGRATION_CLIENT_ID=
 GITHUB_INTEGRATION_CLIENT_SECRET=
@@ -57,7 +66,7 @@ ALLOWED_HOSTS=localhost,backend
 ALLOWED_ORIGINS=https://localhost
 SESSION_COOKIE_DOMAIN=localhost
 
-# Database credentials. Change all these values if required, but you may need to update the healthcheck in dev-docker-compose.yml services.postgres as well
+# Database credentials. Change these values as needed, but update the postgres healthcheck in dev-docker-compose.yml as well.
 DATABASE_HOST=postgres
 DATABASE_PORT=5432
 DATABASE_NAME=postgres-db-name
@@ -67,6 +76,3 @@ DATABASE_PASSWORD=postgres-password
 REDIS_HOST=redis
 REDIS_PORT=6379
 REDIS_PASSWORD=
-
-# Disable NextJs telemtry
-NEXT_TELEMETRY_DISABLED=1

.env.example

@@ -1,40 +1,46 @@
-# Securely manage and sync environment variables with Phase.
+# phase.dev - Keep secrets.
+#
+#              /$$
+#             | $$
+#     /$$$$$$ | $$$$$$$   /$$$$$$   /$$$$$$$  /$$$$$$
+#    /$$__  $$| $$__  $$ |____  $$ /$$_____/ /$$__  $$
+#   | $$  \ $$| $$  \ $$  /$$$$$$$|  $$$$$$ | $$$$$$$$
+#   | $$  | $$| $$  | $$ /$$__  $$ \____  $$| $$_____/
+#   | $$$$$$$/| $$  | $$|  $$$$$$$ /$$$$$$$/|  $$$$$$$
+#   | $$____/ |__/  |__/ \_______/|_______/  \_______/
+#   | $$
+#   |__/
+#
+# For the complete list of secrets and deployment configuration options, see:
+# https://docs.phase.dev/self-hosting/configuration/envars
+# Warning: For production deployments, use a more secure method than a .env file to store secrets.
 
-# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⠔⠋⣳⣖⠚⣲⢖⠙⠳⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⠀⠀⡴⠉⢀⡼⠃⢘⣞⠁⠙⡆⠀⠘⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⢀⡜⠁⢠⠞⠀⢠⠞⠸⡆⠀⠹⡄⠀⠹⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⢀⠞⠀⢠⠏⠀⣠⠏⠀⠀⢳⠀⠀⢳⠀⠀⢧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⢠⠎⠀⣠⠏⠀⣰⠃⠀⠀⠀⠈⣇⠀⠘⡇⠀⠘⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⢠⠏⠀⣰⠇⠀⣰⠃⠀⠀⠀⠀⠀⢺⡀⠀⢹⠀⠀⢽⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⢠⠏⠀⣰⠃⠀⣰⠃⠀⠀⠀⠀⠀⠀⠀⣇⠀⠈⣇⠀⠘⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⢠⠏⠀⢰⠃⠀⣰⠃⠀⠀⠀⠀⠀⠀⠀⠀⢸⡀⠀⢹⡀⠀⢹⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⢠⠏⠀⢰⠃⠀⣰⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣇⠀⠈⣇⠀⠈⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠛⠒⠚⠛⠒⠓⠚⠒⠒⠓⠒⠓⠚⠒⠓⠚⠒⠓⢻⡒⠒⢻⡒⠒⢻⡒⠒⠒⠒⠒⠒⠒⠒⠒⠒⣲⠒⠒⣲⠒⠒⡲⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢧⠀⠀⢧⠀⠈⣇⠀⠀⠀⠀⠀⠀⠀⠀⢠⠇⠀⣰⠃⠀⣰⠃⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⡆⠀⠘⡆⠀⠸⡄⠀⠀⠀⠀⠀⠀⣠⠇⠀⣰⠃⠀⣴⠃⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠹⡄⠀⠹⡄⠀⠹⡄⠀⠀⠀⠀⡴⠃⢀⡼⠁⢀⡼⠁⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⣆⠀⠙⣆⠀⠹⣄⠀⣠⠎⠁⣠⠞⠀⡤⠏⠀⠀⠀⠀⠀⠀⠀⠀
-# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠳⢤⣈⣳⣤⣼⣹⢥⣰⣋⡥⡴⠊⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀
-
-
-# Replace with your domain or host
+# Replace with your domain or host.
+# Use the domain or IP address where users will access Phase.
 HOST=localhost
 HTTP_PROTOCOL=https://
 
-# Whitelist email domains that users are allowed to sign-in with, as a comma separated list. 
-# Leave commented to allow all email domains
+# Whitelist email domains that users are allowed to sign in with, as a comma-separated list.
+# Leave commented to allow all email domains.
 #USER_EMAIL_DOMAIN_WHITELIST=mydomain.com,subdomain.mydomain.com
 
-# WARNING: Replace these with a cryptographically strong random values. You can use `openssl rand -hex 32` to generate these.
+# WARNING: Replace these with cryptographically strong random values. You can use `openssl rand -hex 32` to generate them.
 NEXTAUTH_SECRET=82031b3760ac58352bb2d48fd9f32e9f72a0614343b669038139f18652ed1447
 SECRET_KEY=92d44efc4f9a4c0556cc67d2d033d3217829c263d5ab7d1954cf4b5bfd533e58
 SERVER_SECRET=9e760539415af07b22249b5878593bd4deb9b8961c7dd0570117549f2c4f32a2
 
-# OAuth providers to enable on sign-in page (remove any that aren't required)
+# OAuth providers to enable on the sign-in page (optional).
+# Leave empty for password-only signup and login.
 # Example: SSO_PROVIDERS=google,github,gitlab
-SSO_PROVIDERS=google,github,gitlab
+SSO_PROVIDERS=
+
+# Allow new users to sign themselves up (default: true). Set to "false" to
+# require an invite for any new account — existing users keep signing in
+# normally, and invited emails always pass through. Useful once your team
+# is fully onboarded and you want to close the door on strangers.
+#ALLOW_SIGNUPS=true
 
-# OAuth provider credentials. Add your own credentials here for each provider you wish to use 
+# OAuth provider credentials. Add credentials for each provider you enable in SSO_PROVIDERS.
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 
@@ -45,11 +51,13 @@ GITLAB_CLIENT_ID=
 GITLAB_CLIENT_SECRET=
 
 # Integrations
+# GitHub secret sync integration OAuth credentials.
 GITHUB_INTEGRATION_CLIENT_ID=
 GITHUB_INTEGRATION_CLIENT_SECRET=
 
-# Database credentials. Change all these values as required, except DATABASE_HOST
-DATABASE_HOST=postgres # don't change this
+# Database credentials. Change these values as needed, except DATABASE_HOST.
+# Do not change DATABASE_HOST for the default Docker Compose setup.
+DATABASE_HOST=postgres
 DATABASE_PORT=5432
 DATABASE_NAME=postgres-db-name
 DATABASE_USER=postgres-user
@@ -58,7 +66,3 @@ DATABASE_PASSWORD=a765b221799be364c53c8a32acccf5dd90d5fc832607bdd14fccaaaa0062ad
 REDIS_HOST=redis
 REDIS_PORT=6379
 REDIS_PASSWORD=
-
-
-# Disable NextJs telemtry
-NEXT_TELEMETRY_DISABLED=1

.gitignore

@@ -158,6 +158,7 @@ yarn-error.log*
 # local env files
 .env*.local
 .env.dev
+
 # vercel
 .vercel
 

backend/api/apps.py

@@ -4,3 +4,7 @@
 class ApiConfig(AppConfig):
     default_auto_field = 'django.db.models.BigAutoField'
     name = 'api'
+
+    def ready(self):
+        from api.utils.access.org_resolution import register_invalidation_signals
+        register_invalidation_signals()

backend/api/authentication/adapters/generic/views.py

@@ -3,7 +3,11 @@
 import logging
 from allauth.socialaccount.providers.oauth2.views import OAuth2Adapter, OAuth2Error
 from allauth.socialaccount.models import SocialAccount
+from django.conf import settings
 from django.contrib.auth import get_user_model
+from django.core.exceptions import ValidationError
+
+from api.utils.network import validate_url_is_safe
 
 
 logger = logging.getLogger(__name__)
@@ -28,27 +32,58 @@ def _fetch_oidc_config(self):
             if not self.oidc_config_url:
                 raise ValueError("OIDC configuration URL not set")
 
-            oidc_config_response = requests.get(self.oidc_config_url)
+            self._assert_url_safe(self.oidc_config_url)
+            oidc_config_response = requests.get(
+                self.oidc_config_url, allow_redirects=False
+            )
             oidc_config = oidc_config_response.json()
 
-            self.access_token_url = oidc_config["token_endpoint"]
+            token_endpoint = oidc_config["token_endpoint"]
+            jwks_uri = oidc_config["jwks_uri"]
+            userinfo_endpoint = oidc_config["userinfo_endpoint"]
+            # Endpoints returned by discovery flow back out to server-side
+            # fetches (token exchange, userinfo, JWKS). Validate before
+            # trusting any of them.
+            self._assert_url_safe(token_endpoint)
+            self._assert_url_safe(jwks_uri)
+            self._assert_url_safe(userinfo_endpoint)
+
+            self.access_token_url = token_endpoint
             self.authorize_url = oidc_config["authorization_endpoint"]
-            self.profile_url = oidc_config["userinfo_endpoint"]
-            self.jwks_url = oidc_config["jwks_uri"]
+            self.profile_url = userinfo_endpoint
+            self.jwks_url = jwks_uri
             self.issuer = oidc_config["issuer"]
         except Exception as e:
             logger.error(f"Failed to fetch OIDC configuration: {e}")
             if not self.default_config:
                 raise
             self._set_default_config()
 
+    @staticmethod
+    def _assert_url_safe(url):
+        """Reject URLs that resolve to private networks on cloud.
+        Self-hosted deployments may legitimately use internal OIDC."""
+        if settings.APP_HOST != "cloud":
+            return
+        try:
+            validate_url_is_safe(url)
+        except ValidationError:
+            raise OAuth2Error(f"URL rejected by safety check: {url}")
+
     def _set_default_config(self):
         for key, value in self.default_config.items():
             setattr(self, key, value)
 
-    def _get_user_data(self, token, id_token, app):
+    def _get_user_data(self, token, id_token, app, expected_nonce=None):
         if id_token:
-            return self._process_id_token(id_token, app)
+            return self._process_id_token(id_token, app, expected_nonce=expected_nonce)
+        # Userinfo fallback can't bind to the auth request — refuse if
+        # a nonce was issued (replay would be undetectable).
+        if expected_nonce is not None:
+            raise OAuth2Error(
+                "id_token required for nonce verification; refusing to "
+                "accept userinfo claims without it."
+            )
         return self._fetch_user_info(token)
 
     def _fetch_user_info(self, token):
@@ -57,13 +92,13 @@ def _fetch_user_info(self, token):
         resp.raise_for_status()
         return resp.json()
 
-    def _process_id_token(self, id_token, app):
-        jwks_response = requests.get(self.jwks_url)
-        jwks = jwks_response.json()
+    def _process_id_token(self, id_token, app, expected_nonce=None):
         try:
-            return jwt.decode(
+            jwk_client = jwt.PyJWKClient(self.jwks_url)
+            signing_key = jwk_client.get_signing_key_from_jwt(id_token)
+            claims = jwt.decode(
                 id_token,
-                key=jwks,
+                key=signing_key.key,
                 algorithms=["RS256"],
                 audience=app.client_id,
                 issuer=self.issuer,
@@ -72,6 +107,19 @@ def _process_id_token(self, id_token, app):
             logger.error(f"ID token validation failed: {e}")
             raise OAuth2Error(f"Invalid ID token: {e}")
 
+        # OIDC nonce: anchors the ID token to the specific authorize
+        # request initiated by this session. Without it, a stolen token
+        # could be replayed. When a nonce was sent, it MUST match.
+        if expected_nonce is not None:
+            if claims.get("nonce") != expected_nonce:
+                logger.error(
+                    "ID token nonce mismatch — possible replay or "
+                    "cross-session attack"
+                )
+                raise OAuth2Error("Invalid ID token: nonce mismatch")
+
+        return claims
+
     def pre_social_login(self, request, sociallogin):
         User = get_user_model()
 
@@ -111,7 +159,14 @@ def complete_login(self, request, app, token, **kwargs):
             if not id_token and isinstance(kwargs.get("response"), dict):
                 id_token = kwargs["response"].get("id_token")
 
-            extra_data = self._get_user_data(token, id_token, app)
+            expected_nonce = (
+                request.session.get("sso_nonce")
+                if hasattr(request, "session")
+                else None
+            )
+            extra_data = self._get_user_data(
+                token, id_token, app, expected_nonce=expected_nonce
+            )
             logger.debug(
                 f"User authentication data received for email: {extra_data.get('email')}"
             )
@@ -121,6 +176,8 @@ def complete_login(self, request, app, token, **kwargs):
 
             return login
 
+        except OAuth2Error:
+            raise
         except Exception as e:
             logger.error(f"OIDC login failed: {str(e)}")
             raise OAuth2Error(str(e))