@waleedlatif1

Summary

add email & domain-based whitelisting for signups
if it is not configured, then it is ignored

Type of Change

  • New feature

Testing

Tested manually by setting up a whitelist and testing with allowed & disallowed domains & emails

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Aug 8, 2025

The latest updates on your projects.

Name | Status | Updated (UTC)
sim | ✅ Ready | Aug 8, 2025 6:38am

1 Skipped Deployment

Name | Status | Updated (UTC)
docs | ⬜️ Skipped | Aug 8, 2025 6:38am

@waleedlatif1 waleedlatif1 merged commit 9a7c58c into staging Aug 8, 2025
4 checks passed
@waleedlatif1 waleedlatif1 deleted the feat/whitelist branch August 8, 2025 06:38

@greptile-apps greptile-apps bot left a comment

Greptile Summary

This PR introduces email and domain-based whitelisting functionality for user authentication. The implementation adds two new optional environment variables (ALLOWED_LOGIN_EMAILS and ALLOWED_LOGIN_DOMAINS) to control which emails or domains can sign up or sign in to the application.

The feature is implemented through a middleware hook in the authentication system that intercepts sign-in and sign-up requests. When configured, it validates the incoming email against comma-separated lists of allowed emails and domains. The validation includes proper normalization (lowercase conversion and trimming) and supports both specific email address whitelisting and entire domain whitelisting.

The implementation is designed to be completely backward-compatible - if the environment variables are not set, the system ignores the whitelist checks entirely. This allows existing deployments to continue functioning unchanged while giving new deployments the option to implement access control.

The whitelist logic first checks specific email addresses, then falls back to domain checking if the specific email isn't found. This hierarchical approach allows for granular control where organizations can whitelist entire domains while still having the ability to explicitly allow or deny specific addresses within those domains.

Confidence score: 4/5

  • This PR is safe to merge with low risk as it implements optional access control that doesn't affect existing functionality
  • Score reflects well-structured implementation with proper error handling and backward compatibility, though lacks automated tests
  • Pay close attention to the authentication middleware logic in auth.ts to ensure the whitelist validation works as expected

2 files reviewed, 2 comments
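
The check described in the summary above, written out as an added TypeScript example; it is not the PR's code. AllowlistConfig, parseList, extractDomain and isLoginAllowed are hypothetical names, and the inputs are constructed. Treating empty values as "not configured" and rejecting any address that does not contain exactly one '@' are assumptions of this sketch.

```typescript
// Added example, not the project's code. AllowlistConfig, parseList,
// extractDomain and isLoginAllowed are hypothetical names; the two fields
// stand in for ALLOWED_LOGIN_EMAILS and ALLOWED_LOGIN_DOMAINS.
interface AllowlistConfig {
  allowedEmails?: string // raw comma-separated value; undefined when unset
  allowedDomains?: string
}

// Split a comma-separated setting into trimmed, lowercased, non-empty entries.
function parseList(raw: string | undefined): string[] {
  if (!raw) return []
  return raw
    .split(',')
    .map((entry) => entry.trim().toLowerCase())
    .filter((entry) => entry.length > 0)
}

// Domain of an address with exactly one '@' and non-empty local and domain
// parts; any other shape yields null and can never match a list entry.
function extractDomain(email: string): string | null {
  const at = email.indexOf('@')
  if (at <= 0 || at !== email.lastIndexOf('@') || at === email.length - 1) {
    return null
  }
  return email.slice(at + 1)
}

function isLoginAllowed(requestEmail: string, config: AllowlistConfig): boolean {
  const emails = parseList(config.allowedEmails)
  const domains = parseList(config.allowedDomains)

  // Assumption: unset, empty or separator-only values count as "not
  // configured", in which case the check is skipped entirely.
  if (emails.length === 0 && domains.length === 0) return true

  const email = requestEmail.trim().toLowerCase()
  const domain = extractDomain(email)
  if (domain === null) return false // malformed input fails closed

  // Exact address first, then fall back to the domain list.
  return emails.indexOf(email) !== -1 || domains.indexOf(domain) !== -1
}

// Constructed sample configuration and inputs.
const sampleConfig: AllowlistConfig = {
  allowedEmails: ' Contractor@Partner.example ,',
  allowedDomains: 'corp.example, Lab.Example',
}
const sampleInputs = [
  'alice@corp.example',
  'Bob@LAB.example',
  'contractor@partner.example',
  'other@partner.example',
  'alice@corp.example@other.example',
  'no-at-sign',
]
for (const input of sampleInputs) {
  console.log(input, isLoginAllowed(input, sampleConfig))
}
```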


Comment on lines +23 to +24
ALLOWED_LOGIN_EMAILS: z.string().optional(), // Comma-separated list of allowed email addresses for login
ALLOWED_LOGIN_DOMAINS: z.string().optional(), // Comma-separated list of allowed email domains for login
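
Review bot: Lines +23 and +24 accept any string, so a blank or whitespace-only value is still a defined setting, and the comments do not say whether that means "no restriction" or "nobody allowed"; state the intended behaviour in the comment and enforce it in the schema. The comments also say "for login" while the PR title describes whitelisting for signups, so name the flows these variables gate.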

style: Consider using z.string().min(1) instead of just z.string() to ensure non-empty values when these variables are provided

Comment on lines +207 to +208
const emailDomain = requestEmail.split('@')[1]
isAllowed = emailDomain && allowedDomains.includes(emailDomain)
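
Review bot: On line +207, split('@')[1] returns the second segment rather than the part after the last '@', so for an input containing more than one '@' the value compared against allowedDomains is not the address's final domain. Take the substring after lastIndexOf('@'), or reject any input that does not contain exactly one '@'. Neither visible line trims or lowercases emailDomain, so confirm that requestEmail and allowedDomains are normalized the same way before this point.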

logic: Should validate email format before domain extraction. requestEmail.split('@')[1] could fail on malformed emails.

Suggested change
const emailDomain = requestEmail.split('@')[1]
isAllowed = emailDomain && allowedDomains.includes(emailDomain)
const emailDomain = requestEmail.includes('@') ? requestEmail.split('@')[1] : null
isAllowed = emailDomain && allowedDomains.includes(emailDomain)
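
Review bot: The includes('@') guard in the suggested first line does not change the outcome: without an '@', split('@')[1] is already undefined, and undefined and null both leave isAllowed falsy. The suggestion also keeps isAllowed holding the emailDomain value itself (null, undefined or an empty string) when the left operand is falsy; wrap the expression in Boolean(...) or compare explicitly so the variable is always a boolean.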

waleedlatif1 added a commit that referenced this pull request Aug 9, 2025
…ypes (#919)

* feat(execution-filesystem): system to pass files between blocks  (#866)

* feat(files): pass files between blocks

* presigned URL for downloads

* Remove latest migration before merge

* starter block file upload wasn't getting logged

* checkpoint in human readable form

* checkpoint files / file type outputs

* file downloads working for block outputs

* checkpoint file download

* fix type issues

* remove filereference interface with simpler user file interface

* show files in the tag dropdown for start block

* more migration to simple url object, reduce presigned time to 5 min

* Remove migration 0065_parallel_nightmare and related files

- Deleted apps/sim/db/migrations/0065_parallel_nightmare.sql
- Deleted apps/sim/db/migrations/meta/0065_snapshot.json
- Removed 0065 entry from apps/sim/db/migrations/meta/_journal.json

Preparing for merge with origin/staging and migration regeneration

* add migration files

* fix tests

* Update apps/sim/lib/uploads/setup.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update apps/sim/lib/workflows/execution-file-storage.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update apps/sim/lib/workflows/execution-file-storage.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* cleanup types

* fix lint

* fix logs typing for file refs

* open download in new tab

* fixed

* Update apps/sim/tools/index.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* fix file block

* cleanup unused code

* fix bugs

* remove hacky file id logic

* fix drag and drop

* fix tests

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* feat(trigger-mode): added trigger-mode to workflow_blocks table (#902)

* fix(schedules-perms): use regular perm system to view/edit schedule info (#901)

* fix(schedules-perms): use regular perm system to view schedule info

* fix perms

* improve logging

* feat(webhooks): deprecate singular webhook block + add trigger mode to blocks (#903)

* feat(triggers): added new trigger mode for blocks, added socket event, ran migrations

* Rename old trigger/ directory to background/

* cleaned up, ensured that we display active webhook at the block-level

* fix submenu in tag dropdown

* keyboard nav on tag dropdown submenu

* feat(triggers): add outlook to new triggers system

* cleanup

* add types to tag dropdown, type all outputs for tools and use that over block outputs

* update doc generator to truly reflect outputs

* fix docs

* add trigger handler

* fix active webhook tag

* tag dropdown fix for triggers

* remove trigger mode schema change

* feat(execution-filesystem): system to pass files between blocks  (#866)

* feat(files): pass files between blocks

* presigned URL for downloads

* Remove latest migration before merge

* starter block file upload wasn't getting logged

* checkpoint in human readable form

* checkpoint files / file type outputs

* file downloads working for block outputs

* checkpoint file download

* fix type issues

* remove filereference interface with simpler user file interface

* show files in the tag dropdown for start block

* more migration to simple url object, reduce presigned time to 5 min

* Remove migration 0065_parallel_nightmare and related files

- Deleted apps/sim/db/migrations/0065_parallel_nightmare.sql
- Deleted apps/sim/db/migrations/meta/0065_snapshot.json
- Removed 0065 entry from apps/sim/db/migrations/meta/_journal.json

Preparing for merge with origin/staging and migration regeneration

* add migration files

* fix tests

* Update apps/sim/lib/uploads/setup.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update apps/sim/lib/workflows/execution-file-storage.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update apps/sim/lib/workflows/execution-file-storage.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* cleanup types

* fix lint

* fix logs typing for file refs

* open download in new tab

* fixed

* Update apps/sim/tools/index.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* fix file block

* cleanup unused code

* fix bugs

* remove hacky file id logic

* fix drag and drop

* fix tests

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* feat(trigger-mode): added trigger-mode to workflow_blocks table (#902)

* fix(schedules-perms): use regular perm system to view/edit schedule info (#901)

* fix(schedules-perms): use regular perm system to view schedule info

* fix perms

* improve logging

* cleanup

* prevent tooltip showing up on modal open

* updated trigger config

* fix type issues

---------

Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>

* fix(helm): fix helm charts migrations using wrong image (#907)

* fix(helm): fix helm charts migrations using wrong image

* fixed migrations

* feat(whitelist): add email & domain-based whitelisting for signups (#908)

* improvement(helm): fix duplicate SOCKET_SERVER_URL and add additional envvars to template (#909)

* improvement(helm): fix duplicate SOCKET_SERVER_URL and add additional envvars to template

* rm serper & freestyle

* improvement(tag-dropdown): typed tag dropdown values (#910)

* fix(min-chunk): remove minsize for chunk (#911)

* fix(min-chunk): remove minsize for chunk

* fix tests

* improvement(chunk-config): migrate unused default for consistency (#913)

* fix(mailer): update mailer to use the EMAIL_DOMAIN (#914)

* fix(mailer): update mailer to use the EMAIL_DOMAIn

* add more

* Improvement(cc): added cc to gmail and outlook (#900)

* changed just gmail

* bun run lint

* fixed bcc

* updated docs

---------

Co-authored-by: Adam Gough <adamgough@Mac.attlocal.net>
Co-authored-by: waleedlatif1 <walif6@gmail.com>

* fix(email-validation): add email validation to prevent bouncing, fixed OTP validation (#916)

* feat(email-validation): add email validation to prevent bouncing

* removed suspicious patterns

* fix(verification): fixed OTP verification

* fix failing tests, cleanup

* fix(otp): fix email not sending (#917)

* fix(email): manual OTP instead of better-auth (#921)

* fix(email): manual OTP instead of better-auth

* lint

---------

Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>
Co-authored-by: Adam Gough <77861281+aadamgough@users.noreply.github.com>
Co-authored-by: Adam Gough <adamgough@Mac.attlocal.net>
arenadeveloper02 pushed a commit to arenadeveloper02/p2-sim that referenced this pull request Sep 19, 2025