diff --git a/.env.example b/.env.example
index 9ab43b55b7..6e0231b9ee 100644
--- a/.env.example
+++ b/.env.example
@@ -1,6 +1,3 @@
-# add a access code to lock your lobe-chat application, you can set a long password to avoid leaking. If this value contains a comma, it is a password array.
-# ACCESS_CODE=lobe66
-
# Specify your API Key selection method, currently supporting `random` and `turn`.
# API_KEY_SELECT_MODE=random
@@ -295,6 +292,10 @@ OPENAI_API_KEY=sk-xxxxxxxxx
# Leave empty to allow all emails
# AUTH_ALLOWED_EMAILS=example.com,admin@other.com
+# Disable email/password authentication (SSO-only mode)
+# Set to '1' to disable email/password sign-in and registration, only allowing SSO login
+# AUTH_DISABLE_EMAIL_PASSWORD=0
+
# Google OAuth Configuration (for Better-Auth)
# Get credentials from: https://console.cloud.google.com/apis/credentials
# Authorized redirect URIs:
diff --git a/Dockerfile b/Dockerfile
index 6e53d29117..6f794834ee 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -158,14 +158,12 @@ ENV HOSTNAME="0.0.0.0" \
PORT="3210"
# General Variables
-ENV ACCESS_CODE="" \
- APP_URL="" \
+ENV APP_URL="" \
API_KEY_SELECT_MODE="" \
DEFAULT_AGENT_CONFIG="" \
SYSTEM_AGENT="" \
FEATURE_FLAGS="" \
- PROXY_URL="" \
- ENABLE_AUTH_PROTECTION=""
+ PROXY_URL=""
# Database
ENV KEY_VAULTS_SECRET="" \
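Review bot: With `ENABLE_AUTH_PROTECTION` dropped from this ENV block, and its parsing removed from src/envs/app.ts later in this diff, a deployment that still passes `ENABLE_AUTH_PROTECTION=1` is silently ignored after upgrade. The removed docs describe that flag as requiring authentication on every non-public route; whether that is now the default is not visible in this diff. For `ACCESS_CODE`, the diff shows its removal only from templates and docs, so the same question applies if the server no longer reads it. I would leave a breadcrumb here, e.g. `# ACCESS_CODE and ENABLE_AUTH_PROTECTION were removed; access control is configured through the AUTH_* variables below`, and consider a startup warning when either removed variable is still set.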
@@ -176,6 +174,10 @@ ENV KEY_VAULTS_SECRET="" \
ENV AUTH_SECRET="" \
AUTH_SSO_PROVIDERS="" \
AUTH_ALLOWED_EMAILS="" \
+ AUTH_TRUSTED_ORIGINS="" \
+ AUTH_DISABLE_EMAIL_PASSWORD="" \
+ AUTH_EMAIL_VERIFICATION="" \
+ AUTH_ENABLE_MAGIC_LINK="" \
# Google
AUTH_GOOGLE_ID="" \
AUTH_GOOGLE_SECRET="" \
diff --git a/README.md b/README.md
index 25a737a7b3..76c5828192 100644
--- a/README.md
+++ b/README.md
@@ -581,7 +581,7 @@ LobeHub provides Self-Hosted Version with Vercel, Alibaba Cloud, and [Docker Ima
"If you want to deploy this service yourself on Vercel, Zeabur or Alibaba Cloud, you can follow these steps:
- Prepare your [OpenAI API Key](https://platform.openai.com/account/api-keys).
-- Click the button below to start deployment: Log in directly with your GitHub account, and remember to fill in the `OPENAI_API_KEY`(required) and `ACCESS_CODE` (recommended) on the environment variable section.
+- Click the button below to start deployment: Log in directly with your GitHub account, and remember to fill in the `OPENAI_API_KEY`(required) on the environment variable section.
- After deployment, you can start using it.
- Bind a custom domain (optional): The DNS of the domain assigned by Vercel is polluted in some areas; binding a custom domain can connect directly.
@@ -647,7 +647,6 @@ This project provides some additional configuration items set with environment v
| -------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| `OPENAI_API_KEY` | Yes | This is the API key you apply on the OpenAI account page | `sk-xxxxxx...xxxxxx` |
| `OPENAI_PROXY_URL` | No | If you manually configure the OpenAI interface proxy, you can use this configuration item to override the default OpenAI API request base URL | `https://api.chatanywhere.cn` or `https://aihubmix.com/v1`
The default value is
`https://api.openai.com/v1` |
-| `ACCESS_CODE` | No | Add a password to access this service; you can set a long password to avoid leaking. If this value contains a comma, it is a password array. | `awCTe)re_r74` or `rtrt_ewee3@09!` or `code1,code2,code3` |
| `OPENAI_MODEL_LIST` | No | Used to control the model list. Use `+` to add a model, `-` to hide a model, and `model_name=display_name` to customize the display name of a model, separated by commas. | `qwen-7b-chat,+glm-6b,-gpt-3.5-turbo` |
> \[!NOTE]
@@ -829,7 +828,7 @@ This project is [LobeHub Community License](./LICENSE) licensed.
[codespaces-link]: https://codespaces.new/lobehub/lobe-chat
[codespaces-shield]: https://github.com/codespaces/badge.svg
[deploy-button-image]: https://vercel.com/button
-[deploy-link]: https://vercel.com/new/clone?repository-url=https%3A%2F%2Fgithub.com%2Flobehub%2Flobe-chat&env=OPENAI_API_KEY,ACCESS_CODE&envDescription=Find%20your%20OpenAI%20API%20Key%20by%20click%20the%20right%20Learn%20More%20button.%20%7C%20Access%20Code%20can%20protect%20your%20website&envLink=https%3A%2F%2Fplatform.openai.com%2Faccount%2Fapi-keys&project-name=lobe-chat&repository-name=lobe-chat
+[deploy-link]: https://vercel.com/new/clone?repository-url=https%3A%2F%2Fgithub.com%2Flobehub%2Flobe-chat&env=OPENAI_API_KEY&envDescription=Find%20your%20OpenAI%20API%20Key%20by%20click%20the%20right%20Learn%20More%20button.&envLink=https%3A%2F%2Fplatform.openai.com%2Faccount%2Fapi-keys&project-name=lobe-chat&repository-name=lobe-chat
[deploy-on-alibaba-cloud-button-image]: https://service-info-public.oss-cn-hangzhou.aliyuncs.com/computenest-en.svg
[deploy-on-alibaba-cloud-link]: https://computenest.console.aliyun.com/service/instance/create/default?type=user&ServiceName=LobeHub%E7%A4%BE%E5%8C%BA%E7%89%88
[deploy-on-repocloud-button-image]: https://d16t0pc4846x52.cloudfront.net/deploylobe.svg
diff --git a/README.zh-CN.md b/README.zh-CN.md
index 863d3cc333..2392a7bcff 100644
--- a/README.zh-CN.md
+++ b/README.zh-CN.md
@@ -555,7 +555,7 @@ LobeHub 提供了 Vercel 的 自托管版本 和 [Docker 镜像][docker-release-
如果想在 Vercel 、 Zeabur 或 阿里云 上部署该服务,可以按照以下步骤进行操作:
- 准备好你的 [OpenAI API Key](https://platform.openai.com/account/api-keys) 。
-- 点击下方按钮开始部署: 直接使用 GitHub 账号登录即可,记得在环境变量页填入 `OPENAI_API_KEY` (必填) and `ACCESS_CODE`(推荐);
+- 点击下方按钮开始部署: 直接使用 GitHub 账号登录即可,记得在环境变量页填入 `OPENAI_API_KEY` (必填);
- 部署完毕后,即可开始使用;
- 绑定自定义域名(可选):Vercel 分配的域名 DNS 在某些区域被污染了,绑定自定义域名即可直连。目前 Zeabur 提供的域名还未被污染,大多数地区都可以直连。
@@ -621,7 +621,6 @@ docker compose up -d
| ------------------- | ---- | ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
| `OPENAI_API_KEY` | 必选 | 这是你在 OpenAI 账户页面申请的 API 密钥 | `sk-xxxxxx...xxxxxx` |
| `OPENAI_PROXY_URL` | 可选 | 如果你手动配置了 OpenAI 接口代理,可以使用此配置项来覆盖默认的 OpenAI API 请求基础 URL | `https://api.chatanywhere.cn` 或 `https://aihubmix.com/v1`
默认值:
`https://api.openai.com/v1` |
-| `ACCESS_CODE` | 可选 | 添加访问此服务的密码,你可以设置一个长密码以防被爆破,该值用逗号分隔时为密码数组 | `awCTe)re_r74` or `rtrt_ewee3@09!` or `code1,code2,code3` |
| `OPENAI_MODEL_LIST` | 可选 | 用来控制模型列表,使用 `+` 增加一个模型,使用 `-` 来隐藏一个模型,使用 `模型名=展示名` 来自定义模型的展示名,用英文逗号隔开。 | `qwen-7b-chat,+glm-6b,-gpt-3.5-turbo` |
> \[!NOTE]
@@ -843,7 +842,7 @@ This project is [LobeHub Community License](./LICENSE) licensed.
[codespaces-link]: https://codespaces.new/lobehub/lobe-chat
[codespaces-shield]: https://github.com/codespaces/badge.svg
[deploy-button-image]: https://vercel.com/button
-[deploy-link]: https://vercel.com/new/clone?repository-url=https%3A%2F%2Fgithub.com%2Flobehub%2Flobe-chat&env=OPENAI_API_KEY,ACCESS_CODE&envDescription=Find%20your%20OpenAI%20API%20Key%20by%20click%20the%20right%20Learn%20More%20button.%20%7C%20Access%20Code%20can%20protect%20your%20website&envLink=https%3A%2F%2Fplatform.openai.com%2Faccount%2Fapi-keys&project-name=lobe-chat&repository-name=lobe-chat
+[deploy-link]: https://vercel.com/new/clone?repository-url=https%3A%2F%2Fgithub.com%2Flobehub%2Flobe-chat&env=OPENAI_API_KEY&envDescription=Find%20your%20OpenAI%20API%20Key%20by%20click%20the%20right%20Learn%20More%20button.&envLink=https%3A%2F%2Fplatform.openai.com%2Faccount%2Fapi-keys&project-name=lobe-chat&repository-name=lobe-chat
[deploy-on-alibaba-cloud-button-image]: https://service-info-public.oss-cn-hangzhou.aliyuncs.com/computenest-en.svg
[deploy-on-alibaba-cloud-link]: https://computenest.console.aliyun.com/service/instance/create/default?type=user&ServiceName=LobeHub%E7%A4%BE%E5%8C%BA%E7%89%88
[deploy-on-sealos-button-image]: https://raw.githubusercontent.com/labring-actions/templates/main/Deploy-on-Sealos.svg
diff --git a/docs/self-hosting/auth.mdx b/docs/self-hosting/auth.mdx
index ee9d4fe948..122c29174b 100644
--- a/docs/self-hosting/auth.mdx
+++ b/docs/self-hosting/auth.mdx
@@ -61,6 +61,8 @@ To enable Better Auth in LobeHub, set the following environment variables:
Click on a provider below for detailed configuration guides:
+
+
@@ -149,6 +151,16 @@ The current authentication system requires email. Please configure a valid email
This applies to all authentication methods, including SSO providers like Casdoor. Always ensure users have valid email addresses configured.
+### How do I enable SSO-only mode (disable email/password login)?
+
+Set `AUTH_DISABLE_EMAIL_PASSWORD=1` to disable email/password authentication. When enabled:
+
+- The email input will be hidden on the login page, only SSO buttons are displayed
+- The signup page will redirect to the login page
+- Users can only log in via configured SSO providers
+
+Make sure you have at least one SSO provider configured via `AUTH_SSO_PROVIDERS` before enabling this option.
+
### How do I restrict registration to specific emails or domains?
Set the `AUTH_ALLOWED_EMAILS` environment variable with a comma-separated list of allowed emails or domains. For example:
diff --git a/docs/self-hosting/auth.zh-CN.mdx b/docs/self-hosting/auth.zh-CN.mdx
index ebcf5df900..e3ebf8ff6e 100644
--- a/docs/self-hosting/auth.zh-CN.mdx
+++ b/docs/self-hosting/auth.zh-CN.mdx
@@ -61,6 +61,8 @@ LobeHub 支持使用 Better Auth 配置外部身份验证服务,供企业 /
点击下方提供商查看详细配置指南:
+
+
@@ -150,6 +152,16 @@ Better Auth 支持内置提供商(Google、GitHub、Microsoft、Apple、AWS Co
这适用于所有身份验证方式,包括 Casdoor 等 SSO 提供商。请确保用户配置了有效的邮箱地址。
+### 如何启用仅 SSO 模式(禁用邮箱密码登录)?
+
+设置 `AUTH_DISABLE_EMAIL_PASSWORD=1` 可禁用邮箱密码登录。启用后:
+
+- 登录页面将隐藏邮箱输入框,仅显示 SSO 登录按钮
+- 注册页面将重定向到登录页面
+- 用户只能通过配置的 SSO 提供商登录
+
+启用此选项前,请确保已通过 `AUTH_SSO_PROVIDERS` 配置了至少一个 SSO 提供商。
+
### 如何限制只允许特定邮箱或域名注册?
设置 `AUTH_ALLOWED_EMAILS` 环境变量,支持完整邮箱地址或域名,以逗号分隔。例如:
diff --git a/docs/self-hosting/auth/providers/password.mdx b/docs/self-hosting/auth/providers/password.mdx
new file mode 100644
index 0000000000..d273912153
--- /dev/null
+++ b/docs/self-hosting/auth/providers/password.mdx
@@ -0,0 +1,112 @@
+---
+title: Configuring Email/Password Authentication for LobeHub
+description: >-
+ Learn how to configure email and password authentication for LobeHub,
+ including enabling/disabling options and SSO-only mode.
+tags:
+ - Email
+ - Password
+ - Authentication
+ - LobeHub
+---
+
+# Configuring Email/Password Authentication
+
+LobeHub supports traditional email and password authentication out of the box.
+This guide covers the available configuration options.
+
+## Default Behavior
+
+By default, email/password authentication is enabled.
+Users can register with their email address and set a password.
+
+## Configuration Options
+
+### Disable Email/Password Authentication (SSO-Only Mode)
+
+If you want to force users to authenticate via SSO providers only,
+set the following environment variable:
+
+| Environment Variable | Type | Description |
+| ----------------------------- | -------- | ------------------------------------------ |
+| `AUTH_DISABLE_EMAIL_PASSWORD` | Optional | Set to `1` to disable email/password login |
+
+When enabled:
+
+- The email input field is hidden on the login page
+- Only SSO provider buttons are displayed
+- The signup page redirects to the login page
+- Users must authenticate through configured SSO providers
+
+
+ Before enabling SSO-only mode, ensure you have configured at least one SSO
+ provider via `AUTH_SSO_PROVIDERS`. Otherwise, users will have no way to log
+ in.
+
+
+### Enable Email Verification
+
+To require users to verify their email address before signing in:
+
+| Environment Variable | Type | Description |
+| ------------------------- | -------- | ---------------------------------------- |
+| `AUTH_EMAIL_VERIFICATION` | Optional | Set to `1` to require email verification |
+
+This requires configuring an email service (SMTP).
+See [Email Service Configuration](/docs/self-hosting/auth/email) for details.
+
+### Enable Magic Link Login
+
+To allow passwordless login via email magic links:
+
+| Environment Variable | Type | Description |
+| ------------------------ | -------- | ------------------------------------- |
+| `AUTH_ENABLE_MAGIC_LINK` | Optional | Set to `1` to enable magic link login |
+
+This also requires configuring an email service (SMTP).
+
+## Change Password
+
+Users can change their password in two ways:
+
+1. **Profile Settings**: Go to Settings > Profile to change password
+2. **Forgot Password**: On the login page, enter email, proceed to the password step, then click "Forgot Password" below the password input
+
+
+ Both methods require email service (SMTP) to be configured for sending
+ password reset emails.
+
+
+## Example Configurations
+
+### SSO-Only (Disable Email/Password)
+
+```bash
+AUTH_DISABLE_EMAIL_PASSWORD=1
+AUTH_SSO_PROVIDERS=google,github
+```
+
+### Email/Password with Verification
+
+```bash
+AUTH_EMAIL_VERIFICATION=1
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USER=noreply@example.com
+SMTP_PASS=your-password
+```
+
+### Email/Password with Magic Link
+
+```bash
+AUTH_ENABLE_MAGIC_LINK=1
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USER=noreply@example.com
+SMTP_PASS=your-password
+```
+
+
+ Go to [Environment Variables](/docs/self-hosting/environment-variables/auth)
+ for detailed information on all authentication variables.
+
diff --git a/docs/self-hosting/auth/providers/password.zh-CN.mdx b/docs/self-hosting/auth/providers/password.zh-CN.mdx
new file mode 100644
index 0000000000..5273614188
--- /dev/null
+++ b/docs/self-hosting/auth/providers/password.zh-CN.mdx
@@ -0,0 +1,103 @@
+---
+title: 配置 LobeHub 邮箱密码登录
+description: 了解如何配置 LobeHub 的邮箱密码登录,包括启用/禁用选项和仅 SSO 模式。
+tags:
+ - 邮箱
+ - 密码
+ - 身份验证
+ - LobeHub
+---
+
+# 配置邮箱密码登录
+
+LobeHub 默认支持传统的邮箱密码登录方式。本指南介绍可用的配置选项。
+
+## 默认行为
+
+默认情况下,邮箱密码登录已启用。用户可以使用邮箱地址注册并设置密码。
+
+## 配置选项
+
+### 禁用邮箱密码登录(仅 SSO 模式)
+
+如果你希望强制用户只能通过 SSO 提供商登录,请设置以下环境变量:
+
+| 环境变量 | 类型 | 描述 |
+| ----------------------------- | -- | ---------------- |
+| `AUTH_DISABLE_EMAIL_PASSWORD` | 可选 | 设置为 `1` 禁用邮箱密码登录 |
+
+启用后:
+
+- 登录页面隐藏邮箱输入框
+- 仅显示 SSO 提供商登录按钮
+- 注册页面重定向到登录页面
+- 用户必须通过配置的 SSO 提供商进行身份验证
+
+
+ 启用仅 SSO 模式前,请确保已通过 `AUTH_SSO_PROVIDERS` 配置了至少一个 SSO
+ 提供商。否则用户将无法登录。
+
+
+### 启用邮箱验证
+
+要求用户在登录前验证邮箱地址:
+
+| 环境变量 | 类型 | 描述 |
+| ------------------------- | -- | -------------- |
+| `AUTH_EMAIL_VERIFICATION` | 可选 | 设置为 `1` 启用邮箱验证 |
+
+这需要配置邮件服务(SMTP)。详情请参阅[邮件服务配置](/zh/docs/self-hosting/auth/email)。
+
+### 启用魔法链接登录
+
+允许通过邮件魔法链接实现无密码登录:
+
+| 环境变量 | 类型 | 描述 |
+| ------------------------ | -- | ---------------- |
+| `AUTH_ENABLE_MAGIC_LINK` | 可选 | 设置为 `1` 启用魔法链接登录 |
+
+这也需要配置邮件服务(SMTP)。
+
+## 修改密码
+
+用户可以通过以下两种方式修改密码:
+
+1. **个人设置**:前往 设置 > 个人资料 修改密码
+2. **忘记密码**:在登录页面输入邮箱后,进入密码输入步骤,点击密码框下方的「忘记密码」
+
+
+ 以上两种方式都需要配置邮件服务(SMTP)以发送密码重置邮件。
+
+
+## 配置示例
+
+### 仅 SSO(禁用邮箱密码)
+
+```bash
+AUTH_DISABLE_EMAIL_PASSWORD=1
+AUTH_SSO_PROVIDERS=google,github
+```
+
+### 邮箱密码 + 邮箱验证
+
+```bash
+AUTH_EMAIL_VERIFICATION=1
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USER=noreply@example.com
+SMTP_PASS=your-password
+```
+
+### 邮箱密码 + 魔法链接
+
+```bash
+AUTH_ENABLE_MAGIC_LINK=1
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USER=noreply@example.com
+SMTP_PASS=your-password
+```
+
+
+ 前往[环境变量](/zh/docs/self-hosting/environment-variables/auth)查看所有身份验证相关变量的详细信息。
+
diff --git a/docs/self-hosting/environment-variables/auth.mdx b/docs/self-hosting/environment-variables/auth.mdx
index c7a5d1107f..5f2b547a99 100644
--- a/docs/self-hosting/environment-variables/auth.mdx
+++ b/docs/self-hosting/environment-variables/auth.mdx
@@ -46,6 +46,13 @@ LobeHub provides a complete authentication service capability when deployed. The
- Default: `-`
- Example: `example.com,admin@other.com`
+#### `AUTH_DISABLE_EMAIL_PASSWORD`
+
+- Type: Optional
+- Description: Set to `1` to disable email/password authentication, forcing users to use SSO login only. When enabled, the email input will be hidden on the login page and the signup page will redirect to login.
+- Default: `0`
+- Example: `1`
+
#### `JWKS_KEY`
- Type: Required
diff --git a/docs/self-hosting/environment-variables/auth.zh-CN.mdx b/docs/self-hosting/environment-variables/auth.zh-CN.mdx
index a1760fbde0..4c9b1c2452 100644
--- a/docs/self-hosting/environment-variables/auth.zh-CN.mdx
+++ b/docs/self-hosting/environment-variables/auth.zh-CN.mdx
@@ -44,6 +44,13 @@ LobeHub 在部署时提供了完善的身份验证服务能力,以下是相关
- 默认值:`-`
- 示例:`example.com,admin@other.com`
+#### `AUTH_DISABLE_EMAIL_PASSWORD`
+
+- 类型:可选
+- 描述:设置为 `1` 以禁用邮箱密码登录,强制用户使用 SSO 登录。启用后,登录页面将隐藏邮箱输入框,注册页面将重定向到登录页。
+- 默认值:`0`
+- 示例:`1`
+
#### `JWKS_KEY`
- 类型:必选
diff --git a/docs/self-hosting/environment-variables/basic.mdx b/docs/self-hosting/environment-variables/basic.mdx
index 9bf24ede9e..00234a7a5d 100644
--- a/docs/self-hosting/environment-variables/basic.mdx
+++ b/docs/self-hosting/environment-variables/basic.mdx
@@ -190,13 +190,6 @@ SSRF_ALLOW_IP_ADDRESS_LIST=192.168.1.100,10.0.0.50
- Allow access to internal API gateway: `10.0.0.50`
- Allow access to internal documentation server: `172.16.0.10`
-### `ENABLE_AUTH_PROTECTION`
-
-- Type: Optional
-- Description: Controls whether to enable route protection. When set to `1`, all routes except public routes (like `/api/auth`, `/login`, `/signup`) will require authentication. When set to `0` or not set, only specific protected routes (like `/settings`, `/files`) will require authentication.
-- Default: `0`
-- Example: `1` or `0`
-
### `NEXT_PUBLIC_ASSET_PREFIX`
- Type: Optional
diff --git a/docs/self-hosting/environment-variables/basic.zh-CN.mdx b/docs/self-hosting/environment-variables/basic.zh-CN.mdx
index 3908dfef95..0cab53ae50 100644
--- a/docs/self-hosting/environment-variables/basic.zh-CN.mdx
+++ b/docs/self-hosting/environment-variables/basic.zh-CN.mdx
@@ -185,13 +185,6 @@ SSRF_ALLOW_IP_ADDRESS_LIST=192.168.1.100,10.0.0.50
- 允许访问内网 API 网关:`10.0.0.50`
- 允许访问内网文档服务器:`172.16.0.10`
-### `ENABLE_AUTH_PROTECTION`
-
-- 类型:可选
-- 说明:控制是否启用路由保护。当设置为 `1` 时,除了公共路由(如 `/api/auth`、`/login`、`/signup`)外,所有路由都需要认证。当设置为 `0` 或未设置时,只有特定的受保护路由(如 `/settings`、`/files` 等)需要认证。
-- 默认值:`0`
-- 示例:`1` 或 `0`
-
### `NEXT_PUBLIC_ASSET_PREFIX`
- 类型:可选
diff --git a/docs/self-hosting/examples/azure-openai.mdx b/docs/self-hosting/examples/azure-openai.mdx
index 7bafa0cfd7..16f8ef3f76 100644
--- a/docs/self-hosting/examples/azure-openai.mdx
+++ b/docs/self-hosting/examples/azure-openai.mdx
@@ -40,4 +40,3 @@ If you want the deployed version to be pre-configured with Azure OpenAI for end
| `AZURE_ENDPOINT` | Required | Azure API address, can be found in the "Keys and Endpoints" section when checking resources in the Azure portal | - | `https://docs-test-001.openai.azure.com` |
| `AZURE_API_VERSION` | Required | Azure API version, following the format YYYY-MM-DD | 2023-08-01-preview | `-`, see [latest version](https://learn.microsoft.com/en-us/azure/ai-services/openai/reference#chat-completions) |
| `AZURE_MODEL_LIST` | Required | Used to control the model list, use `+` to add a model, use `-` to hide a model, use `id->deplymentName=displayName` to customize the display name of a model, separated by commas. Definition syntax rules see [Model List](/docs/self-hosting/advanced/model-list) | - | `gpt-35-turbo->my-deploy=GPT 3.5 Turbo` or `gpt-4-turbo->my-gpt4=GPT 4 Turbo<128000:vision:fc>` |
-| `ACCESS_CODE` | Optional | Add a password to access LobeHub. You can set a long password to prevent brute force attacks. When this value is separated by commas, it becomes an array of passwords | - | `awCT74` or `e3@09!` or `code1,code2,code3` |
diff --git a/docs/self-hosting/examples/azure-openai.zh-CN.mdx b/docs/self-hosting/examples/azure-openai.zh-CN.mdx
index 3993422725..306ca0a050 100644
--- a/docs/self-hosting/examples/azure-openai.zh-CN.mdx
+++ b/docs/self-hosting/examples/azure-openai.zh-CN.mdx
@@ -42,4 +42,3 @@ LobeHub 支持使用 [Azure OpenAI](https://learn.microsoft.com/zh-cn/azure/ai-s
| `AZURE_ENDPOINT` | 必选 | Azure API 地址,从 Azure 门户检查资源时,可在 “密钥和终结点” 部分中找到此值 | - | `https://docs-test-001.openai.azure.com` |
| `AZURE_API_VERSION` | 必选 | Azure 的 API 版本,遵循 YYYY-MM-DD 格式 | 2023-08-01-preview | `-`,查阅[最新版本](https://learn.microsoft.com/zh-cn/azure/ai-services/openai/reference#chat-completions) |
| `AZURE_MODEL_LIST` | 必选 | 用来控制模型列表,使用 `模型名->部署名=展示名` 来自定义模型的展示名,用英文逗号隔开。支持扩展能力,其余语法规则详见 [模型列表](/zh/docs/self-hosting/advanced/model-list) | - | `gpt-35-turbo->my-deploy=GPT 3.5 Turbo` 或 `gpt-4-turbo->my-gpt4=GPT 4 Turbo<128000:vision:fc>` |
-| `ACCESS_CODE` | 可选 | 添加访问 LobeHub 的密码,你可以设置一个长密码以防被爆破,该值用逗号分隔时为密码数组 | - | `awCT74` 或 `e3@09!` or `code1,code2,code3` |
diff --git a/locales/en-US/auth.json b/locales/en-US/auth.json
index 0b360f062e..4da2c12290 100644
--- a/locales/en-US/auth.json
+++ b/locales/en-US/auth.json
@@ -98,6 +98,7 @@
"betterAuth.signin.signupLink": "Sign up now",
"betterAuth.signin.socialError": "Social sign in failed, please try again",
"betterAuth.signin.socialOnlyHint": "This email was registered via a third-party social account. Sign in with that provider, or",
+ "betterAuth.signin.ssoOnlyNoProviders": "Email registration is disabled and no SSO providers are configured. Please contact your administrator.",
"betterAuth.signin.submit": "Sign In",
"betterAuth.signup.confirmPasswordPlaceholder": "Confirm your password",
"betterAuth.signup.emailPlaceholder": "Enter your email address",
diff --git a/locales/zh-CN/auth.json b/locales/zh-CN/auth.json
index 39399af395..f0b58fbf4a 100644
--- a/locales/zh-CN/auth.json
+++ b/locales/zh-CN/auth.json
@@ -98,6 +98,7 @@
"betterAuth.signin.signupLink": "创建账号",
"betterAuth.signin.socialError": "登录遇到了问题,请重试",
"betterAuth.signin.socialOnlyHint": "此邮箱是通过第三方社交账号注册的。请使用该服务提供商登录,或",
+ "betterAuth.signin.ssoOnlyNoProviders": "邮箱注册已禁用,且未配置 SSO 提供商。请联系管理员。",
"betterAuth.signin.submit": "登录",
"betterAuth.signup.confirmPasswordPlaceholder": "请确认密码",
"betterAuth.signup.emailPlaceholder": "请输入邮箱地址",
diff --git a/netlify.toml b/netlify.toml
index 0546e7e2c2..aedfbe4771 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -7,4 +7,3 @@ NODE_OPTIONS = "--max-old-space-size=4096"
[template.environment]
OPENAI_API_KEY = "set your OpenAI API Key"
-ACCESS_CODE = "set your password to protect your api key"
diff --git a/packages/types/src/serverConfig.ts b/packages/types/src/serverConfig.ts
index c67a04db0a..6a275f35be 100644
--- a/packages/types/src/serverConfig.ts
+++ b/packages/types/src/serverConfig.ts
@@ -49,6 +49,7 @@ export type ServerLanguageModel = Partial;
+ disableEmailPassword?: boolean;
enableBusinessFeatures?: boolean;
enableEmailVerification?: boolean;
enableKlavis?: boolean;
diff --git a/src/app/[variants]/(auth)/signin/SignInEmailStep.tsx b/src/app/[variants]/(auth)/signin/SignInEmailStep.tsx
index 1ef6569e14..2ed6e5d5a2 100644
--- a/src/app/[variants]/(auth)/signin/SignInEmailStep.tsx
+++ b/src/app/[variants]/(auth)/signin/SignInEmailStep.tsx
@@ -24,6 +24,7 @@ export const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
export const USERNAME_REGEX = /^\w+$/;
export interface SignInEmailStepProps {
+ disableEmailPassword?: boolean;
form: FormInstance<{ email: string }>;
isSocialOnly: boolean;
loading: boolean;
@@ -36,6 +37,7 @@ export interface SignInEmailStepProps {
}
export const SignInEmailStep = ({
+ disableEmailPassword,
form,
isSocialOnly,
loading,
@@ -133,58 +135,63 @@ export const SignInEmailStep = ({
{getProviderLabel(provider)}
))}
- {divider}
+ {!disableEmailPassword && divider}
)}
- {
- if (!value) return Promise.resolve();
- const trimmedValue = (value as string).trim();
- if (EMAIL_REGEX.test(trimmedValue) || USERNAME_REGEX.test(trimmedValue)) {
- return Promise.resolve();
- }
- return Promise.reject(new Error(t('betterAuth.errors.emailInvalid')));
- },
- },
- ]}
- style={{ marginBottom: 0 }}
+ {serverConfigInit && disableEmailPassword && oAuthSSOProviders.length === 0 && (
+
+ )}
+ {!disableEmailPassword && (
+
-
+ {
+ if (!value) return Promise.resolve();
+ const trimmedValue = (value as string).trim();
+ if (EMAIL_REGEX.test(trimmedValue) || USERNAME_REGEX.test(trimmedValue)) {
+ return Promise.resolve();
+ }
+ return Promise.reject(new Error(t('betterAuth.errors.emailInvalid')));
+ },
+ },
+ ]}
+ style={{ marginBottom: 0 }}
+ >
+
+ }
+ ref={emailInputRef}
+ size="large"
+ style={{
+ padding: 6,
+ }}
+ suffix={
+
+
+ )}
{isSocialOnly && (
{
const {
+ disableEmailPassword,
email,
form,
handleBackToEmail,
@@ -29,6 +30,7 @@ const SignInPage = () => {
}>
{step === 'email' ? (
{
const router = useRouter();
const searchParams = useSearchParams();
const enableMagicLink = useServerConfigStore(serverConfigSelectors.enableMagicLink);
+ const disableEmailPassword = useServerConfigStore(serverConfigSelectors.disableEmailPassword);
const [form] = Form.useForm();
const [loading, setLoading] = useState(false);
const [socialLoading, setSocialLoading] = useState(null);
@@ -242,6 +243,7 @@ export const useSignIn = () => {
};
return {
+ disableEmailPassword,
email,
form,
handleBackToEmail,
diff --git a/src/app/[variants]/(auth)/signup/[[...signup]]/page.tsx b/src/app/[variants]/(auth)/signup/[[...signup]]/page.tsx
index 19e987f4a9..592b4506d1 100644
--- a/src/app/[variants]/(auth)/signup/[[...signup]]/page.tsx
+++ b/src/app/[variants]/(auth)/signup/[[...signup]]/page.tsx
@@ -1,3 +1,6 @@
+import { redirect } from 'next/navigation';
+
+import { authEnv } from '@/envs/auth';
import { metadataModule } from '@/server/metadata';
import { translation } from '@/server/translation';
import { type DynamicLayoutProps } from '@/types/next';
@@ -17,6 +20,10 @@ export const generateMetadata = async (props: DynamicLayoutProps) => {
};
const Page = () => {
+ if (authEnv.AUTH_DISABLE_EMAIL_PASSWORD) {
+ redirect('/signin');
+ }
+
return ;
};
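Review bot: The `redirect('/signin')` added to `Page` only steers the browser away from the sign-up form; it is not what blocks registration, and the code should say so. The control that rejects email/password sign-up is `emailAndPassword.enabled` in src/libs/better-auth/define-config.ts, changed in this same diff. I would add a comment above the `if`, e.g. `// UX only: sign-up is disabled server-side via emailAndPassword.enabled in better-auth's define-config`. That way a later edit to the auth config does not leave this redirect looking like the enforcement point.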
diff --git a/src/envs/app.ts b/src/envs/app.ts
index 7d925e8fd4..ccba4acb9b 100644
--- a/src/envs/app.ts
+++ b/src/envs/app.ts
@@ -52,7 +52,6 @@ export const getAppConfig = () => {
INTERNAL_APP_URL: z.string().optional(),
VERCEL_EDGE_CONFIG: z.string().optional(),
MIDDLEWARE_REWRITE_THROUGH_LOCAL: z.boolean().optional(),
- ENABLE_AUTH_PROTECTION: z.boolean().optional(),
CDN_USE_GLOBAL: z.boolean().optional(),
CUSTOM_FONT_FAMILY: z.string().optional(),
@@ -107,7 +106,6 @@ export const getAppConfig = () => {
APP_URL,
INTERNAL_APP_URL,
MIDDLEWARE_REWRITE_THROUGH_LOCAL: process.env.MIDDLEWARE_REWRITE_THROUGH_LOCAL === '1',
- ENABLE_AUTH_PROTECTION: process.env.ENABLE_AUTH_PROTECTION === '1',
CUSTOM_FONT_FAMILY: process.env.CUSTOM_FONT_FAMILY,
CUSTOM_FONT_URL: process.env.CUSTOM_FONT_URL,
diff --git a/src/envs/auth.ts b/src/envs/auth.ts
index 6a1ae7f038..31c6656484 100644
--- a/src/envs/auth.ts
+++ b/src/envs/auth.ts
@@ -13,6 +13,7 @@ declare global {
AUTH_SSO_PROVIDERS?: string;
AUTH_TRUSTED_ORIGINS?: string;
AUTH_ALLOWED_EMAILS?: string;
+ AUTH_DISABLE_EMAIL_PASSWORD?: string;
// ===== Auth Provider Credentials ===== //
AUTH_GOOGLE_ID?: string;
@@ -112,6 +113,7 @@ export const getAuthConfig = () => {
AUTH_EMAIL_VERIFICATION: z.boolean().optional().default(false),
AUTH_ENABLE_MAGIC_LINK: z.boolean().optional().default(false),
AUTH_ALLOWED_EMAILS: z.string().optional(),
+ AUTH_DISABLE_EMAIL_PASSWORD: z.boolean().optional().default(false),
AUTH_GOOGLE_ID: z.string().optional(),
AUTH_GOOGLE_SECRET: z.string().optional(),
@@ -199,6 +201,7 @@ export const getAuthConfig = () => {
AUTH_SSO_PROVIDERS: process.env.AUTH_SSO_PROVIDERS,
AUTH_TRUSTED_ORIGINS: process.env.AUTH_TRUSTED_ORIGINS,
AUTH_ALLOWED_EMAILS: process.env.AUTH_ALLOWED_EMAILS,
+ AUTH_DISABLE_EMAIL_PASSWORD: process.env.AUTH_DISABLE_EMAIL_PASSWORD === '1',
// Cognito provider specific env vars
AUTH_COGNITO_DOMAIN: process.env.AUTH_COGNITO_DOMAIN,
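Review bot: The `=== '1'` comparison makes this security toggle fail open: `AUTH_DISABLE_EMAIL_PASSWORD=true` parses as `false`, and password sign-in stays enabled without any warning. This matches the `=== '1'` parsing visible in src/envs/app.ts, but for a flag that narrows the login surface I would accept the common spelling too, e.g. `AUTH_DISABLE_EMAIL_PASSWORD: ['1', 'true'].includes(process.env.AUTH_DISABLE_EMAIL_PASSWORD ?? ''),`, or log a warning for any other non-empty value. The same spot could warn when the flag is set and `AUTH_SSO_PROVIDERS` is empty, a lockout that this diff surfaces only through the sign-in page message. `getAuthConfig` starts and ends outside this hunk.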
diff --git a/src/libs/better-auth/define-config.ts b/src/libs/better-auth/define-config.ts
index f1bc8568e2..068a96ee5f 100644
--- a/src/libs/better-auth/define-config.ts
+++ b/src/libs/better-auth/define-config.ts
@@ -107,7 +107,7 @@ export function defineConfig(customOptions: CustomBetterAuthOptions) {
emailAndPassword: {
autoSignIn: true,
- enabled: true,
+ enabled: !authEnv.AUTH_DISABLE_EMAIL_PASSWORD,
maxPasswordLength: 64,
minPasswordLength: 8,
requireEmailVerification: authEnv.AUTH_EMAIL_VERIFICATION,
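Review bot: `enabled: !authEnv.AUTH_DISABLE_EMAIL_PASSWORD` switches off only the password flow, so the documented SSO-only mode may not be enforced server-side when magic-link login is also on. The magic-link wiring is outside this hunk, but if it is registered whenever `AUTH_ENABLE_MAGIC_LINK` is set, an e-mail login path stays reachable through the auth API even though the sign-in page hides the e-mail field. I would gate it on the same flag, e.g. `authEnv.AUTH_ENABLE_MAGIC_LINK && !authEnv.AUTH_DISABLE_EMAIL_PASSWORD`, or state in the docs that the two settings are mutually exclusive. `defineConfig` continues beyond this hunk.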
diff --git a/src/libs/next/proxy/define-config.ts b/src/libs/next/proxy/define-config.ts
index c0c37643d2..60d719d5af 100644
--- a/src/libs/next/proxy/define-config.ts
+++ b/src/libs/next/proxy/define-config.ts
@@ -228,7 +228,6 @@ export function defineConfig() {
};
logDefault('Middleware configuration: %O', {
- enableAuthProtection: appEnv.ENABLE_AUTH_PROTECTION,
enableOIDC: authEnv.ENABLE_OIDC,
});
diff --git a/src/locales/default/auth.ts b/src/locales/default/auth.ts
index 5d0c5203c9..fec6d20c7d 100644
--- a/src/locales/default/auth.ts
+++ b/src/locales/default/auth.ts
@@ -102,6 +102,8 @@ export default {
'betterAuth.signin.socialError': 'Social sign in failed, please try again',
'betterAuth.signin.socialOnlyHint':
'This email was registered via a third-party social account. Sign in with that provider, or',
+ 'betterAuth.signin.ssoOnlyNoProviders':
+ 'Email registration is disabled and no SSO providers are configured. Please contact your administrator.',
'betterAuth.signin.submit': 'Sign In',
'betterAuth.signup.confirmPasswordPlaceholder': 'Confirm your password',
'betterAuth.signup.emailPlaceholder': 'Enter your email address',
diff --git a/src/server/globalConfig/index.ts b/src/server/globalConfig/index.ts
index 3ced84212d..ae6c2c553c 100644
--- a/src/server/globalConfig/index.ts
+++ b/src/server/globalConfig/index.ts
@@ -74,6 +74,7 @@ export const getServerGlobalConfig = async () => {
defaultAgent: {
config: parseAgentConfig(DEFAULT_AGENT_CONFIG),
},
+ disableEmailPassword: authEnv.AUTH_DISABLE_EMAIL_PASSWORD,
enableBusinessFeatures: ENABLE_BUSINESS_FEATURES,
enableEmailVerification: authEnv.AUTH_EMAIL_VERIFICATION,
enableKlavis: !!klavisEnv.KLAVIS_API_KEY,
diff --git a/src/store/serverConfig/selectors.ts b/src/store/serverConfig/selectors.ts
index fa41193590..b17d39e25a 100644
--- a/src/store/serverConfig/selectors.ts
+++ b/src/store/serverConfig/selectors.ts
@@ -3,6 +3,7 @@ import { type ServerConfigStore } from './store';
export const featureFlagsSelectors = (s: ServerConfigStore) => s.featureFlags;
export const serverConfigSelectors = {
+ disableEmailPassword: (s: ServerConfigStore) => s.serverConfig.disableEmailPassword || false,
enableBusinessFeatures: (s: ServerConfigStore) => s.serverConfig.enableBusinessFeatures || false,
enableEmailVerification: (s: ServerConfigStore) =>
s.serverConfig.enableEmailVerification || false,