Optional email confirmation for signups in self-hosted mode #421

Open
gdassori opened this issue Mar 10, 2023 · 16 comments
Labels
🚀 feature request New feature or request

Comments

@gdassori

gdassori commented Mar 10, 2023

Feature description

Optional email confirmation in self-hosted mode

Why would it be useful?

To unbind email usage from secrets management in self-hosted mode, as any example.com domain can be used to set up an account, without passing SMTP credentials at all.

Additional context

A mail server MUST be involved at some point, during secrets management, with the current implementation.

@maidul98
Collaborator

This is a great idea and will make self-hosting much less of a hassle.

@maidul98 maidul98 added the 🚀 feature request New feature or request label Mar 10, 2023
@maidul98 maidul98 self-assigned this Mar 10, 2023
@yoobato
Contributor

yoobato commented Mar 15, 2023

We also need this feature! Some small teams like us don't have an SMTP server.
(We're trying to use Infisical in a private network with no connection to the Internet.)

@maidul98
Collaborator

@yoobato I'm almost done! Just need some UI changes to finish it up. Without SMTP, what do you think is the best way to invite team members? In the current implementation, without SMTP we don't allow team invites.

@yoobato
Contributor

yoobato commented Mar 15, 2023

@maidul98 Great! Right now, I can think of the options below:

- Restrict sign-up to a specific email domain only (e.g. only users who have an @example.com address can sign up).
- Add a pending step.
  - If a user signs up, the account status is changed to "pending approval".
  - A team administrator has to change the user status from pending to approved manually.
- However, the FIRST USER has to be created without approval.
  - Generate a single super admin user when running Infisical self-hosted for the first time (similar to root).
  - The first super admin user may be deleted after another user is created.

@maidul98
Collaborator

@yoobato I have decided to go with this approach as I think it requires the least amount of work to achieve the desired behavior. It will soon be deployed.
[Screenshot 2023-03-17 at 9:49:13 AM]

@yoobato
Contributor

yoobato commented Mar 22, 2023

> @yoobato I have decided to go with this approach as I think it requires the least amount of work to achieve the desired behavior. It will soon be deployed. [Screenshot 2023-03-17 at 9:49:13 AM]

Great! Glad to hear that!

Okay, so members can be invited manually using a link with a token.
Then, what about the initial user? (maybe the team admin.)

For the initial user, the MySQL approach can be considered.
Enter a root ID/PW in the Infisical docker environment (or just create a root user and output a random root password once, like the MYSQL_RANDOM_ROOT_PASSWORD env in MySQL).

@maidul98
Collaborator

The initial user can be created without having to do anything else. If INVITE_ONLY_SIGNUP=true, then after the first user is created, all users need to be invited. These changes have been released! Feel free to deploy and let us know what you think: https://infisical.com/docs/self-hosting/overview
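To make the two signup policies discussed in this thread concrete (the first-user bootstrap with `INVITE_ONLY_SIGNUP=true`, plus the domain-restriction idea from the options list above), here is a small added Python model of such a gate. It is illustration code written for this page, not Infisical's implementation; the class, method and parameter names (`SignupGate`, `from_env`, `create_invite`, `signup`, `allowed_domain`) are assumptions, and the only real identifier it reads is the `INVITE_ONLY_SIGNUP` environment variable named in the thread.

```python
"""Model of an invite-only signup gate (added example, not Infisical's code)."""
import os
import secrets
import time


class SignupGate:
    """Policy described in the thread: the first account may self-register
    (it becomes the admin); afterwards, when invite-only mode is on, every
    signup must present a valid, unexpired, single-use invite bound to the
    invitee's email. An optional domain allow-list models the
    "@example.com only" suggestion. All names here are assumptions."""

    def __init__(self, invite_only, allowed_domain=None,
                 invite_ttl_seconds=24 * 3600, now=time.time):
        self.invite_only = invite_only
        self.allowed_domain = allowed_domain.lower() if allowed_domain else None
        self.invite_ttl = invite_ttl_seconds
        self.now = now                 # injectable clock, for testing expiry
        self.users = {}                # email -> {"admin": bool}
        self.invites = {}              # token -> {"email", "expires", "used"}

    @classmethod
    def from_env(cls, env=None, **kwargs):
        """Read INVITE_ONLY_SIGNUP the way a container would (env mapping
        is a hypothetical injection point so the example runs offline)."""
        env = os.environ if env is None else env
        flag = env.get("INVITE_ONLY_SIGNUP", "false").strip().lower()
        return cls(invite_only=flag in ("1", "true", "yes"), **kwargs)

    def create_invite(self, inviter_email, invitee_email):
        """Only an existing admin may mint invites; the token is random,
        bound to one email address, and expires after invite_ttl."""
        inviter = self.users.get(inviter_email.lower())
        if inviter is None or not inviter["admin"]:
            raise PermissionError("only an existing admin may invite")
        token = secrets.token_urlsafe(32)
        self.invites[token] = {
            "email": invitee_email.lower(),
            "expires": self.now() + self.invite_ttl,
            "used": False,
        }
        return token

    def signup(self, email, invite_token=None):
        """Returns how the account was admitted, or raises PermissionError."""
        email = email.lower()
        if email in self.users:
            raise ValueError("account already exists")
        if self.allowed_domain and not email.endswith("@" + self.allowed_domain):
            raise PermissionError("email domain not allowed to sign up")
        if not self.users:
            # Bootstrap: the very first account is admitted without an invite.
            self.users[email] = {"admin": True}
            return "first-user"
        if not self.invite_only:
            self.users[email] = {"admin": False}
            return "open-signup"
        inv = self.invites.get(invite_token or "")
        if (inv is None or inv["used"] or inv["email"] != email
                or self.now() > inv["expires"]):
            raise PermissionError("signup is invite-only: valid invite required")
        inv["used"] = True               # single use
        self.users[email] = {"admin": False}
        return "invited"


if __name__ == "__main__":
    # Constructed walk-through with a fake env, not a real deployment.
    gate = SignupGate.from_env({"INVITE_ONLY_SIGNUP": "true"})
    print(gate.signup("admin@example.com"))                     # first-user
    tok = gate.create_invite("admin@example.com", "bob@example.com")
    print(gate.signup("bob@example.com", tok))                  # invited
```

The point worth noticing for a self-hosted deployment is that the first signup is the privileged one: whoever reaches the instance before the operator does becomes admin, so the bootstrap window should be short and the instance should not be reachable from untrusted networks until that account exists.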

@yoobato
Contributor

yoobato commented Mar 24, 2023

@maidul98 I'm going through it with the INVITE_ONLY_SIGNUP=true environment variable set. I can definitely say this is an AMAZING project. However, there are still some limitations to using Infisical in a private network which has no internet connection (e.g. Infisical-CLI installation, self-hosted GitLab integrations, ...)

What do you think about using Infisical in private network configurations?

@maidul98
Collaborator

Hey @yoobato, are you referring to running Infisical within a private VPN? If so, we don't have documentation for this yet. However, it should be possible to enclose Infisical within a VPN network so that only those within the network can access Infisical. This isn't specific to Infisical; you can do this with any application. Let me know if you were referring to something else.

@M4TY

M4TY commented May 26, 2023

Hi, sorry for bumping this, but what is the initial password and email with INVITE_ONLY_SIGNUP=true?

@maidul98
Collaborator

There is no initial user and password. With INVITE_ONLY_SIGNUP, it allows you to create one user and the rest will get blocked unless invited.

@M4TY

M4TY commented May 27, 2023

@maidul98 I guess the issue could be somewhere else? On a local compose project the configuration works just fine, when I use it in my Docker Swarm cluster, it wants me to input the verification code.

@M4TY

M4TY commented May 27, 2023

Seems like the problem might be in something else:
[image]

I hope my routing is all correct and the .env is the same.

@M4TY

M4TY commented May 27, 2023

```yaml
version: "3"
services:
  nginx:
    image: nginx
    volumes:
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
    depends_on:
      - frontend
      - backend
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik-public"
        - "traefik.http.routers.infisical.entrypoints=websecure"
        - "traefik.http.routers.infisical.rule=Host('')"
        - "traefik.http.services.infiscal.loadbalancer.server.port=80"
    networks:
      - infisical
      - traefik-public

  backend:
    depends_on:
      - mongo
    image: infisical/backend
    env_file: .env
    environment:
      - NODE_ENV=production
    networks:
      - infisical
    deploy:
      placement:
        constraints:
          - node.role == manager

  frontend:
    depends_on:
      - backend
    image: infisical/frontend
    env_file: .env
    environment:
      # - NEXT_PUBLIC_POSTHOG_API_KEY=${POSTHOG_PROJECT_API_KEY}
      - INFISICAL_TELEMETRY_ENABLED=${TELEMETRY_ENABLED}
      - NEXT_PUBLIC_STRIPE_PRODUCT_PRO=${STRIPE_PRODUCT_PRO}
      - NEXT_PUBLIC_STRIPE_PRODUCT_TEAM=${STRIPE_PRODUCT_TEAM}
      - NEXT_PUBLIC_STRIPE_PRODUCT_STARTER=${STRIPE_PRODUCT_STARTER}
    networks:
      - infisical
    deploy:
      placement:
        constraints:
          - node.role == manager

  mongo:
    image: mongo
    env_file: .env
    environment:
      - MONGO_INITDB_ROOT_USERNAME=${MONGO_USERNAME}
      - MONGO_INITDB_ROOT_PASSWORD=${MONGO_PASSWORD}
    volumes:
      - infisical-data:/data/db
    networks:
      - infisical
    deploy:
      placement:
        constraints:
          - node.role == manager

volumes:
  infisical-data:

networks:
  infisical:
  traefik-public:
    external: true
```

This is my config, and the .env file is default except for the invite-only setting.

@maidul98
Collaborator

@M4TY I'm not too familiar with Docker Swarm, but this is likely due to how the networking is set up in Docker Swarm between services. We have detailed documentation for Kubernetes if you are looking for an alternative way to orchestrate your containers: https://infisical.com/docs/self-hosting/deployment-options/kubernetes-helm. We also have a Kubernetes 1-click in DigitalOcean if you do not want to set up a cluster yourself: https://marketplace.digitalocean.com/apps/infisical

@jessebot
Contributor

> Hi, sorry for bumping this, but what is the initial password and email with INVITE_ONLY_SIGNUP=true?

An initial user would really unblock a lot of automation in self-hosted mode. More details in #234.
