Commit 8e02e09

geroplona-agent

and

authored

[CLC-2041] Block signups for Classic PAYG sunset (#21114)

Block new user signups when Classic PAYG sunset is enabled: - Add isUserSignupBlockedBySunset() function in featureflags.ts - Checks if sunset is enabled for the installation - Exempts dedicated installations - Blocks all signups (new users don't have orgs/roles yet) - Add signup blocking in generic-auth-provider.ts callback - Check before createNewUser() is called - Redirect blocked signups to https://app.ona.com/login - Log blocked signup attempts This complements the existing login and workspace operation blocks from CLC-2032, closing the signup path that was previously unblocked. Co-authored-by: Ona <no-reply@ona.com>

1 parent 7421edc commit 8e02e09Copy full SHA for 8e02e09

File tree

2 files changed

+24

-0

lines changed

components/server/src
- auth
  - generic-auth-provider.ts
- util
  - featureflags.ts

2 files changed

+24

-0

lines changed

`‎components/server/src/auth/generic-auth-provider.ts‎`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ import { SignInJWT } from "./jwt";`
`37`	`37`	`import { UserService } from "../user/user-service";`
`38`	`38`	`import { reportLoginCompleted } from "../prometheus-metrics";`
`39`	`39`	`import { TrustedValue } from "@gitpod/gitpod-protocol/lib/util/scrubbing";`
	`40`	`+import { isUserSignupBlockedBySunset } from "../util/featureflags";`
`40`	`41`
`41`	`42`	`/**`
`42`	`43`	`* This is a generic implementation of OAuth2-based AuthProvider.`
`@@ -431,6 +432,13 @@ export abstract class GenericAuthProvider implements AuthProvider {`
`431`	`432`	`};`
`432`	`433`
`433`	`434`	`if (VerifyResult.WithIdentity.is(flowContext)) {`
	`435`	`+ // Check if signup is blocked by Classic PAYG sunset`
	`436`	`+ if (await isUserSignupBlockedBySunset("anonymous", this.config.isDedicatedInstallation)) {`
	`437`	+ log.info(context, `(${strategyName}) Signup blocked by Classic PAYG sunset`, logPayload);
	`438`	`+ response.redirect(302, "https://app.ona.com/login");`
	`439`	`+ return;`
	`440`	`+ }`
	`441`	`+`
`434`	`442`	log.info(context, `(${strategyName}) Creating new user and completing login.`, logPayload);
`435`	`443`	`// There is no current session, we need to create a new user because this`
`436`	`444`	`// identity does not yet exist.`

`‎components/server/src/util/featureflags.ts‎`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -85,3 +85,19 @@ export async function isUserLoginBlockedBySunset(user: User, isDedicatedInstalla`
`85`	`85`	`// Installation-owned users (no organizationId) are blocked`
`86`	`86`	`return true;`
`87`	`87`	`}`
	`88`	`+`
	`89`	`+export async function isUserSignupBlockedBySunset(userId: string, isDedicatedInstallation: boolean): Promise<boolean> {`
	`90`	`+ // Dedicated installations are never blocked`
	`91`	`+ if (isDedicatedInstallation) {`
	`92`	`+ return false;`
	`93`	`+ }`
	`94`	`+`
	`95`	`+ const config = await getClassicPaygSunsetConfig(userId);`
	`96`	`+`
	`97`	`+ if (!config.enabled) {`
	`98`	`+ return false;`
	`99`	`+ }`
	`100`	`+`
	`101`	`+ // New users don't have roles/permissions or organizations yet, so we block all signups`
	`102`	`+ return true;`
	`103`	`+}`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 8e02e09

File tree

2 files changed

2 files changed

`‎components/server/src/auth/generic-auth-provider.ts‎`

`‎components/server/src/util/featureflags.ts‎`

0 commit comments