
[TRI-1857] Improve email whitelisting for self-hosters

Open matt-aitken opened this issue 2 years ago • 1 comments

How to do it

You can restrict access to self-hosted instances of Trigger.dev by using the WHITELISTED_EMAILS environment variable.

Like this:

WHITELISTED_EMAILS="authorized@yahoo\.com|authorized@gmail\.com"

It's a regex pattern so you can allow specific addresses or patterns of addresses, like your company's email accounts.

Problem

The barrier only exists when a user tries to log in using a magic link that they've been emailed. Security-wise this should be fine, but it's not a great user experience.

  • If you want to allow GitHub login then you can't restrict access.
  • Magic link emails just shouldn't be sent in the first place to emails that don't pass the test.

Solution

Keep the existing check but also:

  • Check the whitelist before sending magic link emails.
  • Check the whitelist after a user has gone through the GitHub OAuth flow and reject them if there is a whitelist and they don't match.

TRI-1857

matt-aitken avatar Jan 11 '24 09:01 matt-aitken
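
The two checks proposed in the issue above, sketched as an added TypeScript example (not part of the issue and not Trigger.dev's own code): one decision function built from the WHITELISTED_EMAILS pattern, called before a magic link is sent and again after the GitHub OAuth flow. The function names, the `send` callback, whole-address anchoring and the case-insensitive flag are assumptions of this example.

```typescript
// Added example; helper names are hypothetical, not Trigger.dev's code.
type Gate = { allowed: boolean; reason: string };

// Compile WHITELISTED_EMAILS once at startup. Unset or empty means no restriction.
// An invalid pattern throws here, so a typo fails at boot rather than at login.
function compileWhitelist(pattern: string | undefined): RegExp | null {
  if (pattern === undefined || pattern.trim() === "") return null;
  // Group and anchor the operator's pattern so "a@x\.com|b@y\.com" has to match
  // the whole address; unanchored, any address containing a listed one passes.
  // The "i" flag is this example's choice, not something the page specifies.
  return new RegExp("^(?:" + pattern + ")$", "i");
}

// The single decision function both login paths call.
function checkEmail(whitelist: RegExp | null, email: string | null): Gate {
  if (whitelist === null) return { allowed: true, reason: "no whitelist configured" };
  if (email === null || email.trim() === "") {
    return { allowed: false, reason: "no email to check" };
  }
  return whitelist.test(email.trim())
    ? { allowed: true, reason: "email matches whitelist" }
    : { allowed: false, reason: "email not whitelisted" };
}

// Check 1: before a magic link email is sent. `send` stands in for the mailer.
function requestMagicLink(whitelist: RegExp | null, email: string, send: (to: string) => void): Gate {
  const gate = checkEmail(whitelist, email);
  if (gate.allowed) send(email.trim());
  return gate;
}

// Check 2: after the GitHub OAuth flow returns, before a session is created.
// `profileEmail` is the address the account would be stored under (null if none).
function completeGitHubLogin(whitelist: RegExp | null, profileEmail: string | null): Gate {
  return checkEmail(whitelist, profileEmail);
}
```

With a whitelist set, a GitHub profile that supplies no email is rejected rather than let through, so the OAuth path cannot bypass the restriction.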

This is a must-have feature.

gevera avatar Mar 16 '25 17:03 gevera

Did you manage to log in with magic link?

fstodulski avatar May 18 '25 16:05 fstodulski