From 55ae792054ee8c5837faaf6ae686bfb1df56a4e0 Mon Sep 17 00:00:00 2001 From: EpochBoy Date: Tue, 18 Nov 2025 15:20:29 +0100 Subject: [PATCH 1/2] fix(auth): decouple provider enabled from signup control Fixes email/phone authentication providers being incorrectly disabled when `enable_signup=false` is set in config.toml, which broke invite-only authentication setups. The CLI was incorrectly mapping `[auth.email].enable_signup` and `[auth.sms].enable_signup` to `GOTRUE_EXTERNAL_EMAIL_ENABLED` and `GOTRUE_EXTERNAL_PHONE_ENABLED`, conflating provider enablement with signup control. This caused the providers to be completely disabled, returning "email_provider_disabled" errors even for invite-only flows. Now email and phone providers are always enabled when `[auth].enabled=true`, aligning with the Docker Compose fix in supabase/supabase#XXXX. Signup control is handled separately via `GOTRUE_DISABLE_SIGNUP` which is already correctly mapped from `[auth].enable_signup`. This matches the OAuth provider pattern where providers are always enabled when configured, with separate control for signup permissions. --- internal/start/start.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/start/start.go b/internal/start/start.go index 2fadf7e0a..21b92fb39 100644 --- a/internal/start/start.go +++ b/internal/start/start.go @@ -484,7 +484,7 @@ EOF "GOTRUE_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value, "GOTRUE_JWT_ISSUER=" + utils.Config.Auth.JwtIssuer, - fmt.Sprintf("GOTRUE_EXTERNAL_EMAIL_ENABLED=%v", utils.Config.Auth.Email.EnableSignup), + "GOTRUE_EXTERNAL_EMAIL_ENABLED=true", fmt.Sprintf("GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED=%v", utils.Config.Auth.Email.DoubleConfirmChanges), fmt.Sprintf("GOTRUE_MAILER_AUTOCONFIRM=%v", !utils.Config.Auth.Email.EnableConfirmations), fmt.Sprintf("GOTRUE_MAILER_OTP_LENGTH=%v", utils.Config.Auth.Email.OtpLength), @@ -500,7 +500,7 @@ EOF fmt.Sprintf("GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE=%s/verify", utils.Config.Auth.JwtIssuer), "GOTRUE_RATE_LIMIT_EMAIL_SENT=360000", - fmt.Sprintf("GOTRUE_EXTERNAL_PHONE_ENABLED=%v", utils.Config.Auth.Sms.EnableSignup), + "GOTRUE_EXTERNAL_PHONE_ENABLED=true", fmt.Sprintf("GOTRUE_SMS_AUTOCONFIRM=%v", !utils.Config.Auth.Sms.EnableConfirmations), fmt.Sprintf("GOTRUE_SMS_MAX_FREQUENCY=%v", utils.Config.Auth.Sms.MaxFrequency), "GOTRUE_SMS_OTP_EXP=6000", From d660d4c42bb8637ba92db88d38fc2f238229a3ec Mon Sep 17 00:00:00 2001 From: EpochBoy Date: Wed, 19 Nov 2025 12:49:39 +0100 Subject: [PATCH 2/2] docs(auth): clarify provider enable_signup controls provider, not just signup Updated config template comments for [auth.email] and [auth.sms] enable_signup to explain these control the entire provider, not just signup. Added invite-only configuration examples. --- internal/start/start.go | 4 ++-- pkg/config/templates/config.toml | 20 ++++++++++++++++++-- pkg/config/testdata/config.toml | 20 ++++++++++++++++++-- 3 files changed, 38 insertions(+), 6 deletions(-) diff --git a/internal/start/start.go b/internal/start/start.go index 21b92fb39..2fadf7e0a 100644 --- a/internal/start/start.go +++ b/internal/start/start.go @@ -484,7 +484,7 @@ EOF "GOTRUE_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value, "GOTRUE_JWT_ISSUER=" + utils.Config.Auth.JwtIssuer, - "GOTRUE_EXTERNAL_EMAIL_ENABLED=true", + fmt.Sprintf("GOTRUE_EXTERNAL_EMAIL_ENABLED=%v", utils.Config.Auth.Email.EnableSignup), fmt.Sprintf("GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED=%v", utils.Config.Auth.Email.DoubleConfirmChanges), fmt.Sprintf("GOTRUE_MAILER_AUTOCONFIRM=%v", !utils.Config.Auth.Email.EnableConfirmations), fmt.Sprintf("GOTRUE_MAILER_OTP_LENGTH=%v", utils.Config.Auth.Email.OtpLength), @@ -500,7 +500,7 @@ EOF fmt.Sprintf("GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE=%s/verify", utils.Config.Auth.JwtIssuer), "GOTRUE_RATE_LIMIT_EMAIL_SENT=360000", - "GOTRUE_EXTERNAL_PHONE_ENABLED=true", + fmt.Sprintf("GOTRUE_EXTERNAL_PHONE_ENABLED=%v", utils.Config.Auth.Sms.EnableSignup), fmt.Sprintf("GOTRUE_SMS_AUTOCONFIRM=%v", !utils.Config.Auth.Sms.EnableConfirmations), fmt.Sprintf("GOTRUE_SMS_MAX_FREQUENCY=%v", utils.Config.Auth.Sms.MaxFrequency), "GOTRUE_SMS_OTP_EXP=6000", diff --git a/pkg/config/templates/config.toml b/pkg/config/templates/config.toml index 134be6085..cc99d24e0 100644 --- a/pkg/config/templates/config.toml +++ b/pkg/config/templates/config.toml @@ -169,7 +169,15 @@ web3 = 30 # secret = "" [auth.email] -# Allow/disallow new user signups via email to your project. +# Controls whether the email authentication provider is enabled (GOTRUE_EXTERNAL_EMAIL_ENABLED). +# +# false = Email provider completely disabled (no login, invites, OTP, or signup) +# true = Email provider enabled (login, invites, OTP work; signup requires [auth].enable_signup=true) +# +# Common configurations: +# Invite-only: [auth].enable_signup=false, [auth.email].enable_signup=true +# Open signups: [auth].enable_signup=true, [auth.email].enable_signup=true +# No email auth: [auth.email].enable_signup=false (regardless of [auth].enable_signup) enable_signup = true # If enabled, a user will be required to confirm any email change on both the old, and new email # addresses. If disabled, only the new email is required to confirm. @@ -207,7 +215,15 @@ otp_expiry = 3600 # content_path = "./templates/password_changed_notification.html" [auth.sms] -# Allow/disallow new user signups via SMS to your project. +# Controls whether the phone authentication provider is enabled (GOTRUE_EXTERNAL_PHONE_ENABLED). +# +# false = Phone provider completely disabled (no login, invites, OTP, or signup) +# true = Phone provider enabled (login, invites, OTP work; signup requires [auth].enable_signup=true) +# +# Common configurations: +# Invite-only: [auth].enable_signup=false, [auth.sms].enable_signup=true +# Open signups: [auth].enable_signup=true, [auth.sms].enable_signup=true +# No phone auth: [auth.sms].enable_signup=false (regardless of [auth].enable_signup) enable_signup = false # If enabled, users need to confirm their phone number before signing in. enable_confirmations = false diff --git a/pkg/config/testdata/config.toml b/pkg/config/testdata/config.toml index 1b68b6d73..5e99f2169 100644 --- a/pkg/config/testdata/config.toml +++ b/pkg/config/testdata/config.toml @@ -176,7 +176,15 @@ provider = "hcaptcha" secret = "env(HCAPTCHA_SECRET)" [auth.email] -# Allow/disallow new user signups via email to your project. +# Controls whether the email authentication provider is enabled (GOTRUE_EXTERNAL_EMAIL_ENABLED). +# +# false = Email provider completely disabled (no login, invites, OTP, or signup) +# true = Email provider enabled (login, invites, OTP work; signup requires [auth].enable_signup=true) +# +# Common configurations: +# Invite-only: [auth].enable_signup=false, [auth.email].enable_signup=true +# Open signups: [auth].enable_signup=true, [auth.email].enable_signup=true +# No email auth: [auth.email].enable_signup=false (regardless of [auth].enable_signup) enable_signup = true # If enabled, a user will be required to confirm any email change on both the old, and new email # addresses. If disabled, only the new email is required to confirm. @@ -214,7 +222,15 @@ subject = "Your password has been changed" content_path = "./templates/password_changed_notification.html" [auth.sms] -# Allow/disallow new user signups via SMS to your project. +# Controls whether the phone authentication provider is enabled (GOTRUE_EXTERNAL_PHONE_ENABLED). +# +# false = Phone provider completely disabled (no login, invites, OTP, or signup) +# true = Phone provider enabled (login, invites, OTP work; signup requires [auth].enable_signup=true) +# +# Common configurations: +# Invite-only: [auth].enable_signup=false, [auth.sms].enable_signup=true +# Open signups: [auth].enable_signup=true, [auth.sms].enable_signup=true +# No phone auth: [auth.sms].enable_signup=false (regardless of [auth].enable_signup) enable_signup = true # If enabled, users need to confirm their phone number before signing in. enable_confirmations = false