Disable account creation after initial setup #27

Open
h7sj opened this issue Jun 10, 2024 · 3 comments

h7sj commented Jun 10, 2024

Is there an easy way to block account creation after the initial setup?

I vaguely remember reading about a solution for sync-server to limit the number of users but I can't find anything for the auth-server.

Edit - looks like this is going to be rough. There are a lot of clues to suggest it's not possible.


h7sj commented Jun 10, 2024

Hacky solution:

Add a trigger to the database to prevent INSERT on accounts table.

In docker-compose.tmpl.yml, merge this diff to get access to the mysql server from the outside:

@@ -25,6 +25,8 @@
       - MYSQL_ROOT_HOST=%
     expose:
       - "3306"
+    ports:
+      - "3307:3306"
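
Review bot: the added mapping "3307:3306" under `ports:` has no host address, so Docker publishes MySQL on every host interface, and the context line `MYSQL_ROOT_HOST=%` allows root logins from any address. The client in this procedure connects to 127.0.0.1, so a loopback-only mapping, "127.0.0.1:3307:3306", is enough; consider removing the mapping again once the trigger has been created.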

Run init.sh and docker-compose up -d again. Your mysql should now be exposed on 3307.

Connect with mysql -u root -h 127.0.0.1 -P 3307;

use fxa;

DELIMITER //

CREATE TRIGGER block_new_users
BEFORE INSERT ON accounts
FOR EACH ROW
BEGIN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'No new users';
END;
//

DELIMITER ;

Keep mysql open, and go try to add a user. It will go through to the password step, but if you try to progress beyond that you should expect to see "Unexpected error" in scary red.

Verify only expected users are in your table.

select email from accounts;

I don't think there is a way to disable this temporarily. You just have to drop the trigger and add it again when creating new users.
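
A variation on the trigger in the comment above, added here as an example and not code from the poster or the project: it consults an allowlist table, so an administrator can admit one address without dropping the trigger. It assumes the `fxa` database and the `accounts.email` column shown in the post; the table name `signup_allowlist` and the sample address are hypothetical.

```sql
USE fxa;

-- Hypothetical allowlist table. A fixed charset and binary collation keep the
-- comparison in the trigger independent of how accounts.email is declared.
CREATE TABLE IF NOT EXISTS signup_allowlist (
    email VARCHAR(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin
          NOT NULL PRIMARY KEY
);

-- Replace the unconditional trigger from the post.
DROP TRIGGER IF EXISTS block_new_users;

DELIMITER //

CREATE TRIGGER block_new_users
BEFORE INSERT ON accounts
FOR EACH ROW
BEGIN
    -- Reject the insert unless the new address was allowlisted beforehand.
    -- The explicit CONVERT/COLLATE avoids "Illegal mix of collations" errors.
    IF NOT EXISTS (
        SELECT 1
        FROM signup_allowlist
        WHERE email = CONVERT(LOWER(NEW.email) USING utf8mb4)
                      COLLATE utf8mb4_bin
    ) THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'No new users';
    END IF;
END;
//

DELIMITER ;

-- Admit one user: store the address in lowercase (constructed sample value),
-- let that person complete the normal sign-up flow, then remove the entry.
INSERT INTO signup_allowlist (email) VALUES ('alice@example.com');
-- ... account is created through the web sign-up ...
DELETE FROM signup_allowlist WHERE email = 'alice@example.com';

-- Confirm that only expected users exist, as in the post.
SELECT email FROM accounts;
```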

@jackyzy823
Owner

Some solutions (not tested):

1) mozilla/fxa#3652 (comment)

Since Mozilla uses fxa as a public service, I don't think they designed a principal to forbid some email addresses to register.

So the only way I found is to configure your email sender to only send mails to allowed domains, so that the user cannot proceed with the verification step and cannot use the sync service.

2) Block the register endpoint on the nginx proxy side (fxa-auth-server and fxa-graphql-api).


h7sj commented Jun 10, 2024

Thanks for the reply, jackyzy823. And thank you for this awesome work, you made this process easy!

I actually think I prefer my hack to (1). The benefit of adding the database trigger is that it protects the database from filling up with unverified accounts.

I don't really understand (2). Will try to figure that one out after some sleep.
