chore(web): Improved security settings

.env.development

@@ -13,7 +13,6 @@ CTAGS_COMMAND=ctags
 # @see: https://authjs.dev/getting-started/deployment#auth_secret
 AUTH_SECRET="00000000000000000000000000000000000000000000"
 AUTH_URL="http://localhost:3000"
-# AUTH_CREDENTIALS_LOGIN_ENABLED=true
 
 DATA_CACHE_DIR=${PWD}/.sourcebot  # Path to the sourcebot cache dir (ex. ~/sourcebot/.sourcebot)
 SOURCEBOT_PUBLIC_KEY_PATH=${PWD}/public.pem

CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+- Changed the workspace "Access" page to a "Security" page. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
+
+### Added
+- Added the ability to configure email code and credentials login from the security settings. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
+- Added a list of configured SSO providers from the security settings. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
+
 ## [5.0.2] - 2026-06-11
 
 ### Changed

docs/docs/configuration/auth/access-settings.mdx

@@ -11,9 +11,11 @@ By default, Sourcebot requires new members to be approved by an owner of the dep
 to configure this behavior.
 
 ### Configuration
-Member approval can be configured by an owner of the deployment by navigating to **Settings -> Access**, or by setting the `REQUIRE_APPROVAL_NEW_MEMBERS` environment variable. When the environment variable is set, the UI toggle is disabled and the setting is controlled by the environment variable.
+Member approval can be configured by an owner of the deployment by navigating to **Settings -> Security**.
 
-![Member Approval Toggle](/images/member_approval_toggle.png)
+<Frame>
+  <img src="/images/member_approval_toggle.png" alt="Require approval for new members toggle in Settings → Access" />
+</Frame>
 
 ### Managing Requests
 
@@ -27,7 +29,9 @@ Owners can see and manage all pending join requests by navigating to **Settings
 If member approval is required, an owner of the deployment can enable an invite link. When enabled, users
 can use this invite link to register and be automatically added to the organization without approval:
 
-![Invite Link Toggle](/images/invite_link_toggle.png)
+<Frame>
+  <img src="/images/invite_link_toggle.png" alt="Enable invite links toggle in Settings → Access" />
+</Frame>
 
 
 # Anonymous access
@@ -36,6 +40,10 @@ can use this invite link to register and be automatically added to the organizat
 
 By default, your Sourcebot deployment is gated with a login page. If you'd like users to access the deployment anonymously, you can enable anonymous access. 
 
-This can be enabled by navigating to **Settings -> Access** or by setting the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable.
+This can be enabled by navigating to **Settings -> Access**.
+
+<Frame>
+  <img src="/images/anonymous_access_toggle.png" alt="Enable anonymous access toggle in Settings → Access" />
+</Frame>
 
 When accessing Sourcebot anonymously, a user's permissions are limited to that of the  [Guest](/docs/configuration/auth/roles-and-permissions) role.

docs/docs/configuration/auth/providers.mdx

@@ -10,19 +10,18 @@ If there's an authentication provider you'd like us to support, please [reach ou
 # Core Authentication Providers
 
 ### Email / Password
----
-Email / password authentication is enabled by default. It can be **disabled** by setting `AUTH_CREDENTIALS_LOGIN_ENABLED` to `false`.
+Email / password authentication is enabled by default. You can toggle it from **Settings → Security** using the **Email login** setting.
 
-### Email codes
----
-Email codes are 6 digit codes sent to a provided email. Email codes are enabled when transactional emails are configured using the following environment variables:
-
-- `AUTH_EMAIL_CODE_LOGIN_ENABLED`
-- `SMTP_CONNECTION_URL`
-- `EMAIL_FROM_ADDRESS`
+<Frame>
+  <img src="/images/email_password_login_setting.png" alt="Email & password login setting toggle in Settings → Security" />
+</Frame>
 
+### Email codes
+Email codes are 6 digit codes sent to a provided email. Email codes are enabled when [transactional emails](/docs/configuration/transactional-emails) and the **Email code** setting is toggled from **Settings → Security**:
 
-See [transactional emails](/docs/configuration/transactional-emails) for more details.
+<Frame>
+  <img src="/images/email_code_login_setting.png" alt="Email code login setting toggle in Settings → Security" />
+</Frame>
 
 # Enterprise Authentication Providers
 

docs/docs/configuration/config-file.mdx

@@ -49,7 +49,6 @@ The following are settings that can be provided in your config file to modify So
 | `maxRepoGarbageCollectionJobConcurrency`        | number  | 8          | 1       | Concurrent repo‑garbage‑collection jobs.                                               |
 | `repoGarbageCollectionGracePeriodMs`            | number  | 10 seconds | 1       | Grace period to avoid deleting shards while loading.                                   |
 | `repoIndexTimeoutMs`                            | number  | 2 hours    | 1       | Timeout for a single repo‑indexing run.                                                |
-| `enablePublicAccess` **(deprecated)**           | boolean | false      | —       | Use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead.                  |
 | `repoDrivenPermissionSyncIntervalMs`            | number  | 24 hours   | 1       | Interval at which the repo permission syncer should run.                               |
 | `userDrivenPermissionSyncIntervalMs`            | number  | 24 hours   | 1       | Interval at which the user permission syncer should run.                               |
 | `experiment_repoDrivenPermissionSyncIntervalMs` **(deprecated)** | number  | 24 hours   | 1       | Use `repoDrivenPermissionSyncIntervalMs` instead.             |

docs/docs/configuration/environment-variables.mdx

@@ -10,8 +10,6 @@ The following environment variables allow you to configure your Sourcebot deploy
 
 | Variable | Default | Description |
 | :------- | :------ | :---------- |
-| `AUTH_CREDENTIALS_LOGIN_ENABLED` | `true` | <p>Enables/disables authentication with basic credentials. Username and passwords are stored encrypted at rest within the postgres database. Checkout the [auth docs](/docs/configuration/auth/authentication) for more info</p> |
-| `AUTH_EMAIL_CODE_LOGIN_ENABLED` | `false` | <p>Enables/disables authentication with a login code that's sent to a users email. `SMTP_CONNECTION_URL` and `EMAIL_FROM_ADDRESS` must also be set. Checkout the [auth docs](/docs/configuration/auth/authentication) for more info </p> |
 | `AUTH_SECRET` **(required)** | - | <p>Used to validate login session cookies. Genearte one with `openssl rand -base64 33`.</p> |
 | `AUTH_SESSION_MAX_AGE_SECONDS` | `2592000` (30 days) | <p>Relative time from now in seconds when to expire the session.</p> |
 | `AUTH_SESSION_UPDATE_AGE_SECONDS` | `86400` (1 day) | <p>How often the session should be updated in seconds. If set to `0`, session is updated every time.</p> |
@@ -24,8 +22,6 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `DATA_DIR` | `/data` | <p>The directory within the container to store all persistent data. Typically, this directory will be volume mapped such that data is persisted across container restarts (e.g., `docker run -v $(pwd):/data`)</p> |
 | `DATABASE_URL` **(required)** | - | <p>Connection string of your Postgres database, e.g. `postgresql://user:password@host:5432/sourcebot`.</p><p>If you'd like to use a non-default schema, you can provide it as a parameter in the database url.</p><p>You can also use `DATABASE_HOST`, `DATABASE_USERNAME`, `DATABASE_PASSWORD`, `DATABASE_NAME`, and `DATABASE_ARGS` to construct the database url.</p> |
 | `EMAIL_FROM_ADDRESS` | `-` | <p>The email address that transactional emails will be sent from. See [this doc](/docs/configuration/transactional-emails) for more info.</p> | 
-| `FORCE_ENABLE_ANONYMOUS_ACCESS` | `false` | <p>When enabled, [anonymous access](/docs/configuration/auth/access-settings#anonymous-access) to the organization will always be enabled</p>
-| `REQUIRE_APPROVAL_NEW_MEMBERS` | - | <p>When set, controls whether new users require approval before accessing your deployment. If not set, the setting can be configured via the UI. See [member approval](/docs/configuration/auth/access-settings#member-approval) for more info.</p>
 | `REDIS_URL` **(required)** | - | <p>Connection string of your Redis instance, e.g. `redis://host:6379`.</p><p>To enable TLS, see [this doc](/docs/deployment/infrastructure/redis#tls).</p> |
 | `REDIS_REMOVE_ON_COMPLETE` | `0` | <p>Controls how many completed jobs are allowed to remain in Redis queues</p> |
 | `REDIS_REMOVE_ON_FAIL` | `100` | <p>Controls how many failed jobs are allowed to remain in Redis queues</p> |
@@ -54,10 +50,8 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
 | `PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
 | `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `PERMISSION_SYNC_ENABLED` is `true`.</p> |
-| `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` **(deprecated)** | `false` | <p>Deprecated. Use `PERMISSION_SYNC_ENABLED` instead.</p> |
 | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
 | `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create API keys. Non-owner members will receive a `403` error if they attempt to create one.</p> |
-| `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` **(deprecated)** | `false` | <p>Deprecated. Use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |
 | `DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create or use API keys. Non-owner members will receive a `403` error if they attempt to create or authenticate with an API key. If you only want to restrict creation (not usage), use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |
 
 

packages/db/prisma/migrations/20260611195453_add_org_access_settings/migration.sql

@@ -0,0 +1,11 @@
+-- AlterTable
+ALTER TABLE "Org" ADD COLUMN     "isAnonymousAccessEnabled" BOOLEAN NOT NULL DEFAULT false,
+ADD COLUMN     "isCredentialsLoginEnabled" BOOLEAN NOT NULL DEFAULT true,
+ADD COLUMN     "isEmailCodeLoginEnabled" BOOLEAN NOT NULL DEFAULT false;
+
+-- Backfill the new dedicated column from the legacy `metadata.anonymousAccessEnabled`
+-- value (see orgMetadataSchema in packages/web/src/types.ts) so existing deployments
+-- that had anonymous access enabled keep it after upgrading.
+UPDATE "Org"
+SET "isAnonymousAccessEnabled" = true
+WHERE "metadata"->>'anonymousAccessEnabled' = 'true';

packages/db/prisma/migrations/20260612182049_remove_org_metadata_field/migration.sql

@@ -0,0 +1,8 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `metadata` on the `Org` table. All the data in the column will be lost.
+
+*/
+-- AlterTable
+ALTER TABLE "Org" DROP COLUMN "metadata";

packages/db/prisma/schema.prisma

@@ -274,10 +274,31 @@ model Org {
   apiKeys     ApiKey[]
   isOnboarded Boolean      @default(false)
   imageUrl    String?
-  metadata    Json? // For schema see orgMetadataSchema in packages/web/src/types.ts
 
+  /// @deprecated This property can be controlled by the environment
+  /// variable `REQUIRE_APPROVAL_NEW_MEMBERS`. To ensure that we use
+  /// the correct setting, use the helper function `isMemberApprovalRequired`
+  /// in shared/src/utils.ts
   memberApprovalRequired Boolean @default(true)
 
+  /// @deprecated This property can be controlled by the environment
+  /// variable `AUTH_CREDENTIALS_LOGIN_ENABLED`. To ensure that we use
+  /// the correct setting, use the helper function `isCredentialsLoginEnabled`
+  /// in shared/src/utils.ts
+  isCredentialsLoginEnabled Boolean @default(true)
+
+  /// @deprecated This property can be controlled by the environment
+  /// variable `AUTH_EMAIL_CODE_LOGIN_ENABLED`. To ensure that we use
+  /// the correct setting, use the helper function `isEmailCodeLoginEnabled`
+  /// in shared/src/utils.ts
+  isEmailCodeLoginEnabled Boolean @default(false)
+
+  /// @deprecated This property can be overriden by the environment
+  /// variable `FORCE_ENABLE_ANONYMOUS_ACCESS`, as well as the org's
+  /// available entitlements. Use the helper function `isAnonymousAccessEnabled`
+  /// in web/src/lib/entitlements.ts
+  isAnonymousAccessEnabled Boolean @default(false)
+
   /// List of pending invites to this organization
   invites Invite[]
 

packages/shared/src/constants.ts

@@ -1,7 +1,7 @@
 import { CodeHostType } from "@sourcebot/db";
 import { ConfigSettings, IdentityProviderType } from "./types.js";
 
-export const SOURCEBOT_SUPPORT_EMAIL = 'team@sourcebot.dev';
+export const SOURCEBOT_SUPPORT_EMAIL = 'support@sourcebot.dev';
 
 /**
  * @deprecated Use API_KEY_PREFIX instead.

packages/shared/src/env.server.ts

@@ -173,12 +173,8 @@ const options = {
         ZOEKT_WEBSERVER_URL: z.string().url().default("http://localhost:6070"),
 
         // Auth
-        FORCE_ENABLE_ANONYMOUS_ACCESS: booleanSchema.default('false'),
-        REQUIRE_APPROVAL_NEW_MEMBERS: booleanSchema.optional(),
         AUTH_SECRET: z.string(),
         AUTH_URL: z.string().url(),
-        AUTH_CREDENTIALS_LOGIN_ENABLED: booleanSchema.default('true'),
-        AUTH_EMAIL_CODE_LOGIN_ENABLED: booleanSchema.default('false'),
 
         /**
          * Relative time from now in seconds when to expire the session.
@@ -308,20 +304,11 @@ const options = {
         GOOGLE_VERTEX_REGION: z.string().default('us-central1'),
         GOOGLE_APPLICATION_CREDENTIALS: z.string().optional(),
 
-        /**
-         * @deprecated Use `thinkingBudget` in the language model config instead.
-         */
-        GOOGLE_VERTEX_THINKING_BUDGET_TOKENS: numberSchema.optional(),
-
         AWS_ACCESS_KEY_ID: z.string().optional(),
         AWS_SECRET_ACCESS_KEY: z.string().optional(),
         AWS_SESSION_TOKEN: z.string().optional(),
         AWS_REGION: z.string().optional(),
 
-        /**
-         * @deprecated Use per-model `temperature` in the language model config instead.
-         */
-        SOURCEBOT_CHAT_MODEL_TEMPERATURE: numberSchema.optional(),
         SOURCEBOT_CHAT_MAX_STEP_COUNT: numberSchema.default(100),
         SOURCEBOT_CHAT_PROMPT_CACHING_ENABLED: booleanSchema.default('true'),
         SOURCEBOT_MCP_TOOL_CALL_TIMEOUT_MS: numberSchema.int().positive().max(maxTimerDelayMs).default(60000),
@@ -342,12 +329,6 @@ const options = {
                 return value ?? ((process.env.EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS as 'true' | 'false') ?? 'false');
             }),
 
-        /**
-         * @deprecated Use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.
-         */
-        EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS: booleanSchema.default('false'),
-
-
         // Experimental Environment Variables
         // @note: These environment variables are subject to change at any time and are not garunteed to be backwards compatible.
         EXPERIMENT_SELF_SERVE_REPO_INDEXING_ENABLED: booleanSchema.default('false'),
@@ -407,11 +388,6 @@ const options = {
                 return value ?? ((process.env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED as 'true' | 'false') ?? 'false');
             }),
 
-        /**
-         * @deprecated Use `PERMISSION_SYNC_ENABLED` instead.
-         */
-        EXPERIMENT_EE_PERMISSION_SYNC_ENABLED: booleanSchema.default('false'),
-
         /**
          * Configure whether to send telemetry events.
          * By default, all events are anonymized and do not contain PII data,
@@ -425,6 +401,59 @@ const options = {
          * ignored.
          */
         SOURCEBOT_TELEMETRY_PII_COLLECTION_ENABLED: booleanSchema.default('false'),
+
+        //////////// Deprecated ////////////
+        /**
+         * @deprecated Configure this setting via the "Require approval
+         * for new members" toggle in Settings → Security intsead.
+         */
+        REQUIRE_APPROVAL_NEW_MEMBERS: booleanSchema.optional(),
+
+        /**
+         * @deprecated Configure email + password login via the "Email & password login"
+         * toggle in Settings → Security instead. When set, this env var overrides the UI
+         * setting and locks the toggle; when unset, the DB-backed
+         * `Org.isCredentialsLoginEnabled` setting is used.
+         */
+        AUTH_CREDENTIALS_LOGIN_ENABLED: booleanSchema.optional(),
+
+        /**
+         * @deprecated Configure email code login via the UI in Settings → Security
+         * instead. When set, this env var overrides the UI setting and locks the toggle;
+         * when unset, the DB-backed `Org.isEmailCodeLoginEnabled` setting is used. Left
+         * optional (rather than defaulting to 'false') so we can detect whether it was
+         * explicitly set.
+         */
+        AUTH_EMAIL_CODE_LOGIN_ENABLED: booleanSchema.optional(),
+
+        /**
+         * @deprecated Configure anonymous access via the UI in Settings → Security
+         * instead. When set, this env var overrides the UI setting and locks the toggle;
+         * when unset, the DB-backed `Org.isAnonymousAccessEnabled` setting is used. Left
+         * optional (rather than defaulting to 'false') so we can detect whether it was
+         * explicitly set.
+         */
+        FORCE_ENABLE_ANONYMOUS_ACCESS: booleanSchema.optional(),
+
+        /**
+         * @deprecated Use `PERMISSION_SYNC_ENABLED` instead.
+         */
+        EXPERIMENT_EE_PERMISSION_SYNC_ENABLED: booleanSchema.default('false'),
+
+        /**
+         * @deprecated Use `thinkingBudget` in the language model config instead.
+         */
+        GOOGLE_VERTEX_THINKING_BUDGET_TOKENS: numberSchema.optional(),
+
+        /**
+         * @deprecated Use per-model `temperature` in the language model config instead.
+         */
+        SOURCEBOT_CHAT_MODEL_TEMPERATURE: numberSchema.optional(),
+
+        /**
+         * @deprecated Use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.
+         */
+        EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS: booleanSchema.default('false'),
     },
     runtimeEnv,
     emptyStringAsUndefined: true,

packages/shared/src/index.server.ts

@@ -31,6 +31,9 @@ export {
     getConfigSettings,
     getRepoPath,
     getRepoIdFromPath,
+    isCredentialsLoginEnabled,
+    isEmailCodeLoginEnabled,
+    isMemberApprovalRequired,
 } from "./utils.js";
 export * from "./constants.js";
 export {

packages/shared/src/utils.ts

@@ -3,9 +3,10 @@ import stripJsonComments from 'strip-json-comments';
 import { z } from "zod";
 import { DEFAULT_CONFIG_SETTINGS } from "./constants.js";
 import { ConfigSettings } from "./types.js";
-import { Repo } from "@sourcebot/db";
+import { Org, Repo } from "@sourcebot/db";
 import path from "path";
 import { env, isRemotePath, loadConfig } from "./env.server.js";
+import { isAnonymousAccessAvailable } from './entitlements.js';
 
 // From https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
 export const base64Decode = (base64: string): string => {
@@ -118,4 +119,28 @@ export const getRepoPath = (repo: Repo): { path: string, isReadOnly: boolean } =
         path: path.join(reposPath, repo.id.toString()),
         isReadOnly: false,
     }
+}
+
+export const isCredentialsLoginEnabled = (org: Org): boolean => {
+    if (env.AUTH_CREDENTIALS_LOGIN_ENABLED !== undefined) {
+        return env.AUTH_CREDENTIALS_LOGIN_ENABLED === 'true';
+    }
+
+    return org.isCredentialsLoginEnabled;
+}
+
+export const isEmailCodeLoginEnabled = (org: Org): boolean => {
+    if (env.AUTH_EMAIL_CODE_LOGIN_ENABLED !== undefined) {
+        return env.AUTH_EMAIL_CODE_LOGIN_ENABLED === 'true';
+    }
+
+    return org.isEmailCodeLoginEnabled;
+}
+
+export const isMemberApprovalRequired = (org: Org): boolean => {
+    if (env.REQUIRE_APPROVAL_NEW_MEMBERS !== undefined) {
+        return env.REQUIRE_APPROVAL_NEW_MEMBERS === 'true';
+    }
+
+    return org.memberApprovalRequired;
 }

packages/web/src/__mocks__/prisma.ts

@@ -19,6 +19,9 @@ export const MOCK_ORG: Org = {
     imageUrl: null,
     metadata: null,
     memberApprovalRequired: false,
+    isCredentialsLoginEnabled: true,
+    isEmailCodeLoginEnabled: false,
+    isAnonymousAccessEnabled: false,
     inviteLinkEnabled: false,
     inviteLinkId: null,
 }