jackyzy823 / fxa-selfhosting

Selfhosting your own Firefox Accounts (FxA)!
Mozilla Public License 2.0

Disable account creation after initial setup #27

Open h7sj opened 5 months ago

h7sj commented 5 months ago

Is there an easy way to block account creation after the initial setup?

I vaguely remember reading about a solution for sync-server to limit the number of users but I can't find anything for the auth-server.

Edit - looks like this is going to be rough. There's a lot of clues to suggest it's not possible.

h7sj commented 5 months ago

Hacky solution:

Add a trigger to the database to prevent INSERT on accounts table.

In docker-compose.tmpl.yml, merge this diff to get access to the mysql server from the outside:

@@ -25,6 +25,8 @@
       - MYSQL_ROOT_HOST=%
     expose:
       - "3306"
+    ports:
+      - "3307:3306"
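Review bot: the added `ports` entry `"3307:3306"` publishes MySQL on every host interface rather than only on loopback, and the context line `MYSQL_ROOT_HOST=%` lets root log in from any source address. The client command in this comment connects to 127.0.0.1, so a loopback-only mapping is enough: `- "127.0.0.1:3307:3306"`. Consider removing the mapping again once the trigger is installed.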

Run init.sh and docker-compose up -d again. Your mysql should now be exposed on 3307.

Connect with mysql -u root -h 127.0.0.1 -P 3307;


use fxa;

DELIMITER //

CREATE TRIGGER block_new_users
BEFORE INSERT ON accounts
FOR EACH ROW
BEGIN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'No new users';
END;
//

DELIMITER ;

Keep mysql open, and go try to add a user. It will go through to the password step, but if you try to progress beyond that you should expect to see "Unexpected error" in scary red.

Verify only expected users are in your table.

select email from accounts;

I don't think there is a way to disable this temporarily. You just have to drop the trigger and add again when creating new users.
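A variant of the trigger in the comment above that reads a one-row switch table, so registration can be opened briefly for a new user without dropping the trigger. This is an added example, not part of the original thread or the project's code; the table `signup_gate` and its column `is_open` are hypothetical names, while `fxa`, `accounts` and `block_new_users` come from the comment above.

```sql
USE fxa;

-- Hypothetical one-row switch table (not part of the FxA schema).
CREATE TABLE IF NOT EXISTS signup_gate (
    id      TINYINT NOT NULL PRIMARY KEY,
    is_open BOOLEAN NOT NULL DEFAULT FALSE
);

-- Start with registration closed.
INSERT IGNORE INTO signup_gate (id, is_open) VALUES (1, FALSE);

-- Replace the unconditional trigger, if it is already installed.
DROP TRIGGER IF EXISTS block_new_users;

DELIMITER //

CREATE TRIGGER block_new_users
BEFORE INSERT ON accounts
FOR EACH ROW
BEGIN
    DECLARE gate_open BOOLEAN DEFAULT FALSE;

    -- MAX() always yields exactly one row, so a missing switch row
    -- becomes NULL -> FALSE and the trigger fails closed.
    SELECT COALESCE(MAX(is_open), FALSE) INTO gate_open
      FROM signup_gate
     WHERE id = 1;

    IF NOT gate_open THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'No new users';
    END IF;
END//

DELIMITER ;

-- To admit a new user, open the gate, let them register, then close it:
--   UPDATE signup_gate SET is_open = TRUE  WHERE id = 1;
--   UPDATE signup_gate SET is_open = FALSE WHERE id = 1;
-- Afterwards, check the result the same way as before:
--   SELECT email FROM accounts;
```

While the gate is open anyone who can reach the sign-up page can register, so keep that window short and review the `accounts` table after closing it.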

jackyzy823 commented 5 months ago

Some solutions (not tested):

1) https://github.com/mozilla/fxa/issues/3652#issuecomment-602542246

Since Mozilla uses FxA as a public service, I don't think they designed a principle to forbid some email addresses from registering.

So the only way I found is to configure your email sender to only send mails to allowed domains, which means that the user cannot proceed past the verification step and cannot use the sync service.

2) Block the register endpoint on the nginx proxy side (fxa-auth-server and fxa-graphql-api).

h7sj commented 5 months ago

Thanks for the reply, jackyzy823. And thank you for this awesome work, you made this process easy!

I actually think I prefer my hack to (1). The benefit of adding the database trigger is that it protects the database from filling up with unverified accounts.

I don't really understand (2). Will try to figure that one out after some sleep.