Summary
Setting LOWCODER_EMAIL_SIGNUP_ENABLED=false (which application.yaml maps to auth.email.enable-register) does not disable email self-registration. /api/configs still reports the EMAIL provider with "enableRegister": true, and POST /api/auth/form/login with "register": true still creates a user and returns HTTP 200. Reproducible on a clean first-boot instance. This contradicts the docs, which state the Sign Up should return an error when the flag is false.
Environment
- Image
lowcoderorg/lowcoder-ce:latest (all-in-one), api-service v2.7.6
LOWCODER_WORKSPACE_MODE=ENTERPRISE
- Fresh instance (empty Mongo), flag set from the first boot
Steps to reproduce
- Start the all-in-one with
LOWCODER_EMAIL_SIGNUP_ENABLED=false from first boot. Confirm on the container: docker inspect <ctr> --format '{{range .Config.Env}}{{println .}}{{end}}' | grep EMAIL_SIGNUP → LOWCODER_EMAIL_SIGNUP_ENABLED=false.
GET /api/configs → EMAIL/FORM authConfig shows "enableRegister": true (expected false).
POST /api/auth/form/login body {"register":true,"loginId":"outsider@example.com","password":"...","source":"EMAIL"} → HTTP 200, {"success":true}, user created (visible in db.user).
Expected
Registration rejected when LOWCODER_EMAIL_SIGNUP_ENABLED=false.
Also tried (no effect)
POST /api/auth/config {"authType":"FORM","source":"EMAIL","id":"EMAIL","enableRegister":false} → success:true but /api/configs still shows enableRegister:true and registration still succeeds.
- Same with
"enable":false on the FORM config via the API → no effect (the built-in EMAIL config is unchanged).
Workaround
LOWCODER_EMAIL_AUTH_ENABLED=false (maps to auth.email.enable). Then /api/configs shows EMAIL enable:false, and POST /api/auth/form/login {register:true} → HTTP 403 {"code":5622,"message":"Email provider is disabled."}. Note this disables the email provider broadly (regular email login off), though super-admin form login still succeeds.
Security impact
Operators who set the documented LOWCODER_EMAIL_SIGNUP_ENABLED=false reasonably believe self-registration is closed. It is not; the register API stays open. In ENTERPRISE/single-workspace mode a self-registered account auto-joins the single workspace as a member, so any internet-reachable instance can be joined by anyone unless another layer (reverse-proxy auth, or disabling the email provider entirely) is added.
Summary
Setting
LOWCODER_EMAIL_SIGNUP_ENABLED=false(whichapplication.yamlmaps toauth.email.enable-register) does not disable email self-registration./api/configsstill reports the EMAIL provider with"enableRegister": true, andPOST /api/auth/form/loginwith"register": truestill creates a user and returns HTTP 200. Reproducible on a clean first-boot instance. This contradicts the docs, which state the Sign Up should return an error when the flag is false.Environment
lowcoderorg/lowcoder-ce:latest(all-in-one), api-service v2.7.6LOWCODER_WORKSPACE_MODE=ENTERPRISESteps to reproduce
LOWCODER_EMAIL_SIGNUP_ENABLED=falsefrom first boot. Confirm on the container:docker inspect <ctr> --format '{{range .Config.Env}}{{println .}}{{end}}' | grep EMAIL_SIGNUP→LOWCODER_EMAIL_SIGNUP_ENABLED=false.GET /api/configs→ EMAIL/FORM authConfig shows"enableRegister": true(expected false).POST /api/auth/form/loginbody{"register":true,"loginId":"outsider@example.com","password":"...","source":"EMAIL"}→ HTTP 200,{"success":true}, user created (visible indb.user).Expected
Registration rejected when
LOWCODER_EMAIL_SIGNUP_ENABLED=false.Also tried (no effect)
POST /api/auth/config{"authType":"FORM","source":"EMAIL","id":"EMAIL","enableRegister":false}→success:truebut/api/configsstill showsenableRegister:trueand registration still succeeds."enable":falseon the FORM config via the API → no effect (the built-in EMAIL config is unchanged).Workaround
LOWCODER_EMAIL_AUTH_ENABLED=false(maps toauth.email.enable). Then/api/configsshows EMAILenable:false, andPOST /api/auth/form/login {register:true}→ HTTP 403{"code":5622,"message":"Email provider is disabled."}. Note this disables the email provider broadly (regular email login off), though super-admin form login still succeeds.Security impact
Operators who set the documented
LOWCODER_EMAIL_SIGNUP_ENABLED=falsereasonably believe self-registration is closed. It is not; the register API stays open. In ENTERPRISE/single-workspace mode a self-registered account auto-joins the single workspace as a member, so any internet-reachable instance can be joined by anyone unless another layer (reverse-proxy auth, or disabling the email provider entirely) is added.