@waleedlatif1
Collaborator

Summary

  • add feature flag option to bypass auth altogether
  • renamed environment.ts to feature-flags.ts and brought in all other server-side feature flags into it

Fixes #2361

Type of Change

  • New feature

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Dec 14, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Skipped | Skipped | Dec 14, 2025 1:34am |

@greptile-apps
Contributor

greptile-apps bot commented Dec 14, 2025

Greptile Overview

Greptile Summary

Added DISABLE_AUTH feature flag to allow self-hosted deployments behind private networks to bypass authentication entirely. Renamed environment.ts to feature-flags.ts and consolidated all server-side feature flags into a single location.

  • Implemented anonymous user system with hardcoded UUID (00000000-0000-0000-0000-000000000000) that auto-creates in database when auth is disabled
  • Auth bypass applies to all layers: web UI (redirects login/signup to workspace), REST APIs (returns anonymous user), Socket.IO (accepts anonymous token), and V1 API routes
  • UI properly hides sign-out and reset password buttons when anonymous mode detected
  • Refactored 62 files to import from renamed feature-flags.ts instead of environment.ts
  • Added environment variable documentation with clear security context in .env.example

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The implementation is clean, comprehensive, and properly handles the auth bypass at all application layers. The anonymous user approach with database seeding is solid, the feature flag naming is clear, and the refactoring is mechanical with no logic changes beyond the rename.
  • No files require special attention

Important Files Changed

File Analysis

| Filename | Score | Overview |
| --- | --- | --- |
| apps/sim/lib/core/config/feature-flags.ts | 5/5 | renamed from environment.ts, added new feature flags (isAuthDisabled, isRegistrationDisabled, isTriggerDevEnabled, isSsoEnabled, isE2bEnabled) |
| apps/sim/lib/auth/anonymous.ts | 5/5 | new file providing anonymous user session logic for DISABLE_AUTH mode with hardcoded anonymous user ID |
| apps/sim/lib/auth/auth.ts | 5/5 | updated getSession() to return anonymous session when auth disabled, imports from renamed feature-flags.ts |
| apps/sim/app/api/auth/[...all]/route.ts | 5/5 | added get-session endpoint bypass for anonymous session when DISABLE_AUTH is enabled |
| apps/sim/app/api/v1/auth.ts | 5/5 | updated V1 API auth to return anonymous user ID when DISABLE_AUTH is enabled |
| apps/sim/socket-server/middleware/auth.ts | 5/5 | added socket authentication bypass returning anonymous user when DISABLE_AUTH is enabled |
| apps/sim/app/(auth)/login/page.tsx | 5/5 | added redirect to workspace when DISABLE_AUTH is enabled to bypass login page |
| apps/sim/app/(auth)/signup/page.tsx | 5/5 | added redirects for both DISABLE_AUTH and DISABLE_REGISTRATION flags |
| apps/sim/.env.example | 5/5 | added DISABLE_AUTH environment variable documentation with security context |
| apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/general/general.tsx | 5/5 | hides sign out and reset password buttons when anonymous user detected |

Sequence Diagram

sequenceDiagram
    participant User
    participant Browser
    participant LoginPage as Login/Signup Page
    participant AuthAPI as Auth API Route
    participant AuthLib as Auth Library
    participant SocketAuth as Socket Auth Middleware
    participant V1API as V1 API Routes
    participant AnonymousModule as Anonymous Module
    participant DB as Database

    alt Normal Authentication Flow
        User->>Browser: Navigate to /login
        Browser->>LoginPage: Load login page
        LoginPage->>User: Show login form
        User->>AuthAPI: Submit credentials
        AuthAPI->>AuthLib: Authenticate
        AuthLib->>DB: Verify credentials
        DB-->>AuthLib: User data
        AuthLib-->>AuthAPI: Session created
        AuthAPI-->>Browser: Set session cookie
        Browser->>User: Redirect to workspace
    end

    alt Auth Bypass Mode (isAuthDisabled)
        User->>Browser: Navigate to /login
        Browser->>LoginPage: Load login page
        LoginPage->>LoginPage: Check isAuthDisabled flag
        LoginPage->>Browser: Redirect to /workspace
        Browser->>AuthAPI: Request session (GET /api/auth/get-session)
        AuthAPI->>AuthAPI: Check isAuthDisabled flag
        AuthAPI->>AnonymousModule: ensureAnonymousUserExists()
        AnonymousModule->>DB: Check for anonymous user
        alt Anonymous user doesn't exist
            AnonymousModule->>DB: INSERT anonymous user (id: 00000000...)
        end
        AnonymousModule-->>AuthAPI: User exists
        AuthAPI->>AnonymousModule: createAnonymousSession()
        AnonymousModule-->>AuthAPI: Anonymous session object
        AuthAPI-->>Browser: Return anonymous session
        Browser->>User: Display workspace with anonymous user
    end

    alt Socket.IO Connection (isAuthDisabled)
        Browser->>Browser: Request socket token
        Browser->>AuthAPI: POST /api/auth/socket-token
        AuthAPI->>AuthAPI: Check isAuthDisabled flag
        AuthAPI-->>Browser: Return 'anonymous-socket-token'
        Browser->>SocketAuth: Connect with token
        SocketAuth->>SocketAuth: Check isAuthDisabled flag
        SocketAuth->>SocketAuth: Set userId to ANONYMOUS_USER_ID
        SocketAuth-->>Browser: Connection established
    end

    alt V1 API Request (isAuthDisabled)
        User->>V1API: API request (no x-api-key header)
        V1API->>V1API: authenticateV1Request()
        V1API->>V1API: Check isAuthDisabled flag
        V1API-->>User: Return authenticated with ANONYMOUS_USER_ID
    end

Contributor

@greptile-apps greptile-apps bot left a comment

60 files reviewed, no comments

@waleedlatif1 waleedlatif1 merged commit 95b9ca4 into staging Dec 14, 2025
6 checks passed
@waleedlatif1 waleedlatif1 deleted the feat/ff branch December 14, 2025 01:34
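
The summary in this thread scopes DISABLE_AUTH to self-hosted deployments behind private networks, where every request acts as the anonymous user `00000000-0000-0000-0000-000000000000`. As an added example (not code from this PR or the project), the audit below flags anonymous-user requests that arrive from non-private addresses; the log format, the `/api/v1/example` path and all function names are assumptions.

```typescript
// Added example, not the project's code: log format and names are assumptions.
const ANONYMOUS_USER_ID = '00000000-0000-0000-0000-000000000000' // UUID quoted in the PR summary

// Constructed access-log lines: "<client-ip> <user-id> <method> <path>".
// /api/v1/example is a placeholder path, not a real route.
const SAMPLE_LOG: string[] = [
  '10.0.4.17 00000000-0000-0000-0000-000000000000 GET /api/auth/get-session',
  '192.168.1.20 00000000-0000-0000-0000-000000000000 POST /api/auth/socket-token',
  '203.0.113.9 00000000-0000-0000-0000-000000000000 GET /api/v1/example',
  '198.51.100.7 3f2b8c1e-5d4a-4e6f-9a7b-1c2d3e4f5a6b GET /api/v1/example',
  '172.32.0.5 00000000-0000-0000-0000-000000000000 GET /api/auth/get-session',
]

interface ExposedRequest { line: number; ip: string; method: string; path: string }

// Parse a dotted-quad IPv4 address into four octets, or null if malformed.
function parseIPv4(ip: string): number[] | null {
  const parts = ip.split('.')
  if (parts.length !== 4) return null
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : -1))
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null
}

// True for loopback and RFC 1918 ranges, the only sources expected when
// authentication is disabled behind a private network.
function isPrivateSource(ip: string): boolean {
  if (ip === '::1') return true
  const octets = parseIPv4(ip)
  if (octets === null) return false // unparseable sources are treated as untrusted
  const [a = -1, b = -1] = octets
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)
}

// Report every request attributed to the anonymous user whose client
// address is outside the private ranges (1-based line numbers).
function findExposedAnonymousRequests(log: string[]): ExposedRequest[] {
  const findings: ExposedRequest[] = []
  log.forEach((entry, i) => {
    const [ip = '', userId = '', method = '', path = ''] = entry.trim().split(/\s+/)
    if (userId === ANONYMOUS_USER_ID && !isPrivateSource(ip)) {
      findings.push({ line: i + 1, ip, method, path })
    }
  })
  return findings
}
```

The client address has to come from a source the server trusts (the socket peer, or a header set by a proxy the operator controls); a client-supplied forwarding header would make the check meaningless.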