Add metered open signups, per-IP limits, and auth security hardening
Enables public beta signup metering: DAILY_OPEN_SIGNUPS env var controls how many users can register without an invite code per day (0=disabled, -1=unlimited, N=daily cap). Invite codes always bypass the limit. Also adds per-IP signup throttling (DAILY_SIGNUPS_PER_IP, default 3/day) and fail-closed rate limiting on auth endpoints when Redis is down. Client dynamically fetches /api/auth/signup-info to show invite field as optional with remaining slots when open signups are enabled. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
adlee-was-taken
@@ -75,6 +75,15 @@ SECRET_KEY=
|
||||
# Enable invite-only mode (requires invitation to register)
|
||||
INVITE_ONLY=true
|
||||
|
||||
# Metered open signups (public beta)
|
||||
# 0 = disabled (invite-only enforced), -1 = unlimited, N = max open signups per day
|
||||
# When set > 0, users can register without an invite code up to the daily limit.
|
||||
# Invite codes always work regardless of this limit.
|
||||
DAILY_OPEN_SIGNUPS=0
|
||||
|
||||
# Max signups per IP address per day (0 = unlimited)
|
||||
DAILY_SIGNUPS_PER_IP=3
|
||||
|
||||
# Bootstrap admin account (for first-time setup with INVITE_ONLY=true)
|
||||
# Remove these after first login!
|
||||
# BOOTSTRAP_ADMIN_USERNAME=admin
|
||||
|
||||
Reference in New Issue
Block a user