Skip to content

[Bug]: LOWCODER_EMAIL_SIGNUP_ENABLED=false does not disable email self-registration #2164

Description

@andreimr

Summary

Setting LOWCODER_EMAIL_SIGNUP_ENABLED=false (which application.yaml maps to auth.email.enable-register) does not disable email self-registration. /api/configs still reports the EMAIL provider with "enableRegister": true, and POST /api/auth/form/login with "register": true still creates a user and returns HTTP 200. Reproducible on a clean first-boot instance. This contradicts the docs, which state the Sign Up should return an error when the flag is false.

Environment

  • Image lowcoderorg/lowcoder-ce:latest (all-in-one), api-service v2.7.6
  • LOWCODER_WORKSPACE_MODE=ENTERPRISE
  • Fresh instance (empty Mongo), flag set from the first boot

Steps to reproduce

  1. Start the all-in-one with LOWCODER_EMAIL_SIGNUP_ENABLED=false from first boot. Confirm on the container: docker inspect <ctr> --format '{{range .Config.Env}}{{println .}}{{end}}' | grep EMAIL_SIGNUPLOWCODER_EMAIL_SIGNUP_ENABLED=false.
  2. GET /api/configs → EMAIL/FORM authConfig shows "enableRegister": true (expected false).
  3. POST /api/auth/form/login body {"register":true,"loginId":"outsider@example.com","password":"...","source":"EMAIL"} → HTTP 200, {"success":true}, user created (visible in db.user).

Expected

Registration rejected when LOWCODER_EMAIL_SIGNUP_ENABLED=false.

Also tried (no effect)

  • POST /api/auth/config {"authType":"FORM","source":"EMAIL","id":"EMAIL","enableRegister":false}success:true but /api/configs still shows enableRegister:true and registration still succeeds.
  • Same with "enable":false on the FORM config via the API → no effect (the built-in EMAIL config is unchanged).

Workaround

LOWCODER_EMAIL_AUTH_ENABLED=false (maps to auth.email.enable). Then /api/configs shows EMAIL enable:false, and POST /api/auth/form/login {register:true} → HTTP 403 {"code":5622,"message":"Email provider is disabled."}. Note this disables the email provider broadly (regular email login off), though super-admin form login still succeeds.

Security impact

Operators who set the documented LOWCODER_EMAIL_SIGNUP_ENABLED=false reasonably believe self-registration is closed. It is not; the register API stays open. In ENTERPRISE/single-workspace mode a self-registered account auto-joins the single workspace as a member, so any internet-reachable instance can be joined by anyone unless another layer (reverse-proxy auth, or disabling the email provider entirely) is added.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions