The Challenge
We've observed a significant hurdle in preventing unauthorized sign-ups on self-hosted Langfuse instances.
Scenario 1
Imagine a scenario where you want only invited users to sign up, not random individuals. Unfortunately, the current setup doesn't support this effectively. Enabling NEXT_PUBLIC_SIGN_UP_DISABLED restricts all new users, invited or not, from logging in.
Scenario 2
In another situation, you might wish to limit sign-ups to users within your organization who can access and view data. Currently, you can disable username-password authentication using the AUTH_DISABLE_USERNAME_PASSWORD environment variable. You can then configure Google OAuth and set your OAuth application with user_type as Internal, as illustrated below. However, this method requires Google Workspace for managing organization email accounts.
Note: An inherent limitation in this workaround is that it allows anyone within your organization to sign up, which might not be desirable.
Proposed Solutions
To address these challenges and create a more user-friendly experience, I suggest the following solutions:
Invitation-based Sign-Up:
Implement a system where users receive invitations when added to a project.
Invited users can then sign up using the exclusive invite link received in their email.
This allows for sign-ups even when NEXT_PUBLIC_SIGN_UP_DISABLED is enabled, providing a secure and controlled onboarding process.
Domain-Specific Validation:
Introduce an additional VALID_EMAIL_DOMAINS environment variable.
This variable will validate the domains allowed for self-signup across all supported authentication mechanisms.
Offers flexibility in defining specific domains, ensuring that only users from approved email domains can sign up.
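The domain allowlist proposed above, as an added TypeScript example that is not Langfuse code: it parses the suggested VALID_EMAIL_DOMAINS value and decides whether a sign-up e-mail is permitted. The comma-separated format, the helper names, the "unset means open sign-up" behaviour and the example domains are assumptions; the check is written so that only an exact domain match passes, since a suffix or substring match would let a look-alike domain through.

```typescript
// Added example, not Langfuse code. Parses the proposed VALID_EMAIL_DOMAINS
// variable (assumed comma-separated) into a normalised set of domains.
// Call with process.env.VALID_EMAIL_DOMAINS in a real deployment.
function parseAllowedDomains(raw: string | undefined): Set<string> {
  return new Set(
    (raw ?? "")
      .split(",")
      .map((d) => d.trim().toLowerCase().replace(/^@/, ""))
      .filter((d) => d.length > 0),
  );
}

// Extracts the domain of an e-mail address, or null if the address is not
// well-formed enough to judge. Exactly one "@" is required so that a value
// such as "user@attacker.test@corp.example" cannot pass a naive suffix check.
function emailDomain(email: string): string | null {
  const parts = email.trim().split("@");
  if (parts.length !== 2) return null;
  const [local, domain] = parts;
  if (!local || !domain) return null;
  // A trailing dot is the same domain; compare case-insensitively.
  const norm = domain.toLowerCase().replace(/\.$/, "");
  // Only hostname characters, no empty labels.
  if (!/^[a-z0-9.-]+$/.test(norm) || norm.includes("..")) return null;
  return norm;
}

// Decision used by every sign-up path (password, OAuth, ...). Assumption:
// an empty allowlist means the variable is unset and sign-up stays open.
function isSignupAllowed(email: string, allowed: Set<string>): boolean {
  if (allowed.size === 0) return true;
  const domain = emailDomain(email);
  if (domain === null) return false;
  // Exact match only: "corp.example" does not authorise
  // "corp.example.attacker.test" or "sub.corp.example".
  return allowed.has(domain);
}

// Constructed sample configuration and addresses.
const allowlist = parseAllowedDomains(" corp.example, @Partner.Example ,, ");
console.log(isSignupAllowed("alice@corp.example", allowlist)); // true
console.log(isSignupAllowed("mallory@corp.example.attacker.test", allowlist)); // false
```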