lywsvip/supabase
1
0
Fork 0
mirror of https://github.com/supabase/supabase.git synced 2026-07-01 02:24:32 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
a45776ecb97a35db8afb0cc107401f65c9ecaea7
supabase/apps/studio/components/interfaces/Auth/SmtpForm/SmtpForm.tsx
Danny White a45776ecb9 feat(studio): restrict auth email template editing for free projects (#45396) 
## What kind of change does this PR introduce?

Feature / abuse-prevention update. Resolves DEPR-198.

## What is the current behaviour?

Free projects using Supabase's built-in email service can edit raw Auth
email template subjects and HTML in Studio. That is the risky cohort
this project is trying to constrain.

## What is the new behaviour?

### Template editing restrictions

For free projects using Supabase's built-in email service, Studio keeps
Auth email templates viewable and previewable but disables subject/body
editing and saving. Editing is unlocked by setting up Custom SMTP,
configuring a send-email hook, or upgrading to a paid plan.

**Grandfathering:** projects created before `2026-06-01T00:00:00Z` (the
platform enforcement cutoff) are exempt; their editing UI stays
unlocked. This mirrors `FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE` in the
platform PR exactly.

| After |
| --- |
| <img width="1024" height="759" alt="Emails Authentication Fizz Test
Supabase-173BB09B-0FB9-4133-8202-9E310DDB347A"
src="https://github.com/user-attachments/assets/c966212d-ed0c-443b-8197-440cc2937ef6"
/> |
| <img width="1024" height="759" alt="Emails Authentication Fizz Test
Supabase-CD5845EB-0E45-4779-8989-44E775B2411A"
src="https://github.com/user-attachments/assets/055a64d6-b5e8-4d37-a261-6e280f04536a"
/> |

### Warning dialogs on transitions that reset templates

Two flows now surface a warning before the user commits to a state
change that resets their custom email templates to defaults:

1. **Disabling custom SMTP** (SMTP settings page): a confirmation dialog
warns that templates will be reset to defaults and the email rate limit
reduced to 2 per hour. On confirm, Studio resets all 13 templates via
the existing per-template reset endpoint (`Promise.allSettled`). The
"won't be able to edit" sentence is shown only for post-cutoff projects;
grandfathered projects skip it. The corresponding server-side
enforcement is in the Platform PR:
https://github.com/supabase/platform/pull/33129

2. **Downgrading to the Free plan** (billing settings): an admonition in
the existing downgrade confirmation modal warns that custom templates
will be reset to defaults and won't be editable without custom SMTP. The
admonition is shown only when the org has at least one post-cutoff
project; orgs whose projects are all grandfathered skip it.

| Custom SMTP | Downgrading |
| --- | --- |
| <img width="862" height="586" alt="66764"
src="https://github.com/user-attachments/assets/6470c8a6-2f79-40a5-ad3b-bfe5b0ba9c54"
/> | <img width="1268" height="1552" alt="CleanShot 2026-05-22 at 17 28
37@2x-FEB1901E-38E6-42DF-8C27-0A036D8A1B94"
src="https://github.com/user-attachments/assets/e8caa9e6-c3ed-4787-b771-af77a43eb854"
/> |

### Informational admonition when enabling SMTP

When a user enables custom SMTP for the first time, a sandwiched
admonition above the save footer informs them that the email rate limit
will be increased to 30 per hour and can be adjusted.

_This is just a minor cosmetic change, unrelated to the email template
disabling. Sorry._

| Before | After |
| --- | --- |
| <img width="1024" height="759" alt="Emails Authentication Chisel
Toolshed Supabase-54317D18-803C-4A58-8211-2359355D083B"
src="https://github.com/user-attachments/assets/29eff649-02dc-40f3-a379-0b4d484a76c7"
/> | <img width="1024" height="759" alt="Emails Authentication Chisel
Toolshed Supabase-9E12399E-E9FB-4F9A-B029-A08008EA4B50"
src="https://github.com/user-attachments/assets/e542ed86-4da6-407e-8293-0f4c0f071e18"
/> |

## How to test

All existing projects pre-date the enforcement cutoff
(`2026-06-01T00:00:00Z`) and are grandfathered, so the restriction UI
won't appear by default. To force the restricted state locally,
back-date the cutoff in one file:

In
`apps/studio/components/interfaces/Auth/EmailTemplates/EmailTemplates.utils.ts`,
temporarily change:

```ts
export const FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE = '2026-06-01T00:00:00Z'
```

to:

```ts
export const FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE = '2025-01-01T00:00:00Z'
```

Revert before committing. With the cutoff back-dated, use a free-plan
project and:

- **Template restriction + admonition:** navigate to Authentication >
Emails with no custom SMTP configured. Subject/body fields should be
read-only and the "Set up SMTP" admonition should appear, with its
dropdown offering upgrade and send-email hook options.
- **SMTP disable warning:** enable custom SMTP on a project, then
disable it via Authentication > SMTP Settings. The confirmation dialog
should warn that templates will reset to defaults and that editing will
be restricted after disabling.
- **Downgrade warning:** in billing settings, initiate a downgrade to
the Free plan. The downgrade modal should include an admonition warning
about template reset and restricted editing (only if the org has at
least one post-cutoff project).

## Additional context

The default Auth email template copy was also improved across docs,
examples, and UI library snippets (separate prior commits).

The per-template reset button (`ResetTemplateDialog`) was migrated to
the async `AlertDialogAction` pattern introduced in #45960; the dialog
stays open and shows a loading state while the reset is in-flight,
closes on success, and stays open on error.

Closes PRODSEC-183

---------

Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Stephen Morgan <stephen@doublethink.co.nz>
2026-05-28 17:23:45 +12:00

554 lines
20 KiB
TypeScript
Raw Blame History

import { zodResolver } from '@hookform/resolvers/zod'
import { PermissionAction } from '@supabase/shared-types/out/constants'
import { useParams } from 'common'
import { useEffect, useState } from 'react'
import { SubmitHandler, useForm } from 'react-hook-form'
import { toast } from 'sonner'
import {
Button,
Card,
CardContent,
CardFooter,
Form,
FormControl,
FormField,
FormInputGroupInput,
Input,
InputGroup,
InputGroupAddon,
InputGroupText,
Switch,
} from 'ui'
import { Admonition, PageSection, PageSectionContent } from 'ui-patterns'
import { Input as PasswordInput } from 'ui-patterns/DataInputs/Input'
import { FormItemLayout } from 'ui-patterns/form/FormItemLayout/FormItemLayout'
import * as z from 'zod'
import { urlRegex } from '../Auth.constants'
import { AUTH_TEMPLATE_RESET_TYPES } from '../EmailTemplates/EmailTemplates.constants'
import { isBeforeFreeTierTemplateBlockCutoff } from '../EmailTemplates/EmailTemplates.utils'
import { SmtpDisableConfirmationDialog } from './SmtpDisableConfirmationDialog'
import { defaultDisabledSmtpFormValues } from './SmtpForm.constants'
import { generateFormValues, isSmtpEnabled } from './SmtpForm.utils'
import { AlertError } from '@/components/ui/AlertError'
import { InlineLink } from '@/components/ui/InlineLink'
import { NoPermission } from '@/components/ui/NoPermission'
import { useAuthConfigQuery } from '@/data/auth/auth-config-query'
import { useAuthConfigUpdateMutation } from '@/data/auth/auth-config-update-mutation'
import { useAuthTemplateResetMutation } from '@/data/auth/auth-template-reset-mutation'
import { useAsyncCheckPermissions } from '@/hooks/misc/useCheckPermissions'
import { useSelectedProjectQuery } from '@/hooks/misc/useSelectedProject'
const smtpEnabledSchema = z.object({
ENABLE_SMTP: z.literal(true),
SMTP_ADMIN_EMAIL: z
.string()
.trim()
.min(1, 'Sender email address is required')
.email('Must be a valid email'),
SMTP_SENDER_NAME: z.string().trim().min(1, 'Sender name is required'),
SMTP_HOST: z
.string()
.trim()
.min(1, 'Host URL is required')
.regex(urlRegex({ excludeSimpleDomains: false }), 'Must be a valid URL or IP address'),
SMTP_PORT: z.preprocess(
(val) => (val === '' || val == null ? undefined : val),
z.coerce
.number({
required_error: 'Port number is required',
invalid_type_error: 'Port number is required',
})
.min(1, 'Must be a valid port number more than 0')
.max(65535, 'Must be a valid port number no more than 65535')
),
SMTP_MAX_FREQUENCY: z.preprocess(
(val) => (val === '' || val == null ? undefined : val),
z.coerce
.number({
required_error: 'Rate limit is required',
invalid_type_error: 'Rate limit is required',
})
.min(1, 'Must be more than 0')
.max(32767, 'Must not be more than 32,767 an hour')
),
SMTP_USER: z.string().trim().min(1, 'SMTP Username is required'),
SMTP_PASS: z.string().trim().optional(),
})
const smtpDisabledSchema = z.object({
ENABLE_SMTP: z.literal(false),
SMTP_ADMIN_EMAIL: z.string().optional(),
SMTP_SENDER_NAME: z.string().optional(),
SMTP_HOST: z.string().optional(),
SMTP_PORT: z.preprocess(
(val) => (val === '' || val == null ? undefined : val),
z.coerce.number().optional()
),
SMTP_MAX_FREQUENCY: z.preprocess(
(val) => (val === '' || val == null ? undefined : val),
z.coerce.number().optional()
),
SMTP_USER: z.string().optional(),
SMTP_PASS: z.string().optional(),
})
const smtpSchema = z.discriminatedUnion('ENABLE_SMTP', [smtpEnabledSchema, smtpDisabledSchema])
type SmtpFormValues = z.infer<typeof smtpSchema>
export const SmtpForm = () => {
const { ref: projectRef } = useParams()
const { data: authConfig, error: authConfigError, isError } = useAuthConfigQuery({ projectRef })
const { data: selectedProject } = useSelectedProjectQuery()
const { mutate: updateAuthConfig, isPending: isUpdatingConfig } = useAuthConfigUpdateMutation()
const { mutateAsync: resetAuthTemplate } = useAuthTemplateResetMutation()
const [enableSmtp, setEnableSmtp] = useState(false)
const [showDisableConfirmation, setShowDisableConfirmation] = useState(false)
const [pendingValues, setPendingValues] = useState<SmtpFormValues | null>(null)
const { can: canReadConfig } = useAsyncCheckPermissions(
PermissionAction.READ,
'custom_config_gotrue'
)
const { can: canUpdateConfig } = useAsyncCheckPermissions(
PermissionAction.UPDATE,
'custom_config_gotrue'
)
const blockEditingOnReset =
!!selectedProject?.inserted_at &&
isBeforeFreeTierTemplateBlockCutoff(selectedProject.inserted_at)
const form = useForm<SmtpFormValues>({
resolver: zodResolver(
smtpSchema.superRefine((data, ctx) => {
const isEnablingSmtp = data.ENABLE_SMTP && !isSmtpEnabled(authConfig)
if (isEnablingSmtp && !data.SMTP_PASS) {
ctx.addIssue({
code: 'custom',
message: 'SMTP Password is required',
path: ['SMTP_PASS'],
})
}
})
),
defaultValues: {
SMTP_ADMIN_EMAIL: '',
SMTP_SENDER_NAME: '',
SMTP_HOST: '',
SMTP_PORT: undefined,
SMTP_MAX_FREQUENCY: undefined,
SMTP_USER: '',
SMTP_PASS: '',
ENABLE_SMTP: false,
},
})
const { isDirty } = form.formState
const doUpdate = ({
values,
onSuccess,
onError,
}: {
values: SmtpFormValues
onSuccess?: () => void
onError?: () => void
}) => {
const { ENABLE_SMTP, ...rest } = values
const basePayload = ENABLE_SMTP ? rest : defaultDisabledSmtpFormValues
// When enabling SMTP, set RATE_LIMIT_EMAIL_SENT to 30
// When disabling, backend will handle resetting to default
const isEnablingSmtp = ENABLE_SMTP && !isSmtpEnabled(authConfig)
const payload = {
...basePayload,
...(isEnablingSmtp && { RATE_LIMIT_EMAIL_SENT: 30 }),
}
// Format payload: Convert port to string
if (payload.SMTP_PORT) {
payload.SMTP_PORT = payload.SMTP_PORT.toString() as any
}
// the SMTP_PASS is write-only, it's never shown. If we don't delete it from the payload, it will replace the
// previously saved value with an empty one
if (payload.SMTP_PASS === '') {
delete payload.SMTP_PASS
}
updateAuthConfig(
{ projectRef: projectRef!, config: payload as any },
{
onError: (error) => {
toast.error(`Failed to update settings: ${error.message}`)
onError?.()
},
onSuccess: () => {
toast.success('Successfully updated settings')
onSuccess?.()
},
}
)
}
const onSubmit: SubmitHandler<SmtpFormValues> = (values) => {
const isDisablingSmtp = !values.ENABLE_SMTP && isSmtpEnabled(authConfig)
if (isDisablingSmtp) {
setPendingValues(values)
setShowDisableConfirmation(true)
return
}
doUpdate({ values })
}
const handleConfirmDisable = (): Promise<void> => {
if (!pendingValues || !projectRef) return Promise.resolve()
return new Promise<void>((resolve, reject) => {
doUpdate({
values: pendingValues,
onSuccess: async () => {
setPendingValues(null)
try {
const results = await Promise.allSettled(
AUTH_TEMPLATE_RESET_TYPES.map((template) =>
resetAuthTemplate({ projectRef, template })
)
)
if (results.some((r) => r.status === 'rejected')) {
toast.error('SMTP disabled, but some email templates could not be reset')
}
} finally {
resolve()
}
},
onError: reject,
})
})
}
// Update form values when auth config is loaded
useEffect(() => {
if (authConfig) {
const formValues = generateFormValues(authConfig)
form.reset({
...formValues,
ENABLE_SMTP: isSmtpEnabled(authConfig),
} as SmtpFormValues)
setEnableSmtp(isSmtpEnabled(authConfig))
}
}, [authConfig, form])
// Update enableSmtp state when the form field changes
useEffect(() => {
const subscription = form.watch((value, { name }) => {
if (name === 'ENABLE_SMTP') {
setEnableSmtp(value.ENABLE_SMTP as boolean)
}
})
return () => subscription.unsubscribe()
}, [form])
if (isError) {
return (
<PageSection>
<PageSectionContent>
<AlertError error={authConfigError} subject="Failed to retrieve auth configuration" />
</PageSectionContent>
</PageSection>
)
}
if (!canReadConfig) {
return (
<PageSection>
<PageSectionContent>
<NoPermission resourceText="view SMTP settings" />
</PageSectionContent>
</PageSection>
)
}
const showEnablingAdmonition = form.formState.isDirty && enableSmtp && !isSmtpEnabled(authConfig)
return (
<PageSection>
<PageSectionContent>
<Form {...form}>
<form onSubmit={form.handleSubmit(onSubmit)}>
<Card>
<CardContent>
<FormField
control={form.control}
name="ENABLE_SMTP"
render={({ field }) => (
<FormItemLayout
layout="flex-row-reverse"
label="Enable custom SMTP"
description={
<p className="text-sm text-foreground-lighter">
Send auth emails through your custom SMTP provider.{' '}
<InlineLink href={`/project/${projectRef}/auth/rate-limits`}>
Rate limits
</InlineLink>{' '}
apply.
</p>
}
>
<FormControl>
<Switch
checked={field.value}
onCheckedChange={field.onChange}
disabled={!canUpdateConfig}
/>
</FormControl>
</FormItemLayout>
)}
/>
</CardContent>
{enableSmtp && (
<>
<CardContent className="py-6">
<div className="grid grid-cols-12 gap-6">
<div className="col-span-4">
<h3 className="text-sm mb-1">Sender details</h3>
<p className="text-sm text-foreground-lighter text-balance">
Configure the sender information for your emails.
</p>
</div>
<div className="col-span-8 space-y-4">
<FormField
control={form.control}
name="SMTP_ADMIN_EMAIL"
render={({ field }) => (
<FormItemLayout
label="Sender email address"
description="The email address the emails are sent from."
>
<FormControl>
<Input
{...field}
placeholder="noreply@yourdomain.com"
disabled={!canUpdateConfig}
/>
</FormControl>
</FormItemLayout>
)}
/>
<FormField
control={form.control}
name="SMTP_SENDER_NAME"
render={({ field }) => (
<FormItemLayout
label="Sender name"
description="Name displayed in the recipient's inbox."
>
<FormControl>
<Input
{...field}
placeholder="Your Name"
disabled={!canUpdateConfig}
/>
</FormControl>
</FormItemLayout>
)}
/>
</div>
</div>
</CardContent>
<CardContent className="py-6">
<div className="grid grid-cols-12 gap-6">
<div className="col-span-4">
<h3 className="text-sm mb-1">SMTP provider settings</h3>
<p className="text-sm text-foreground-lighter text-balance">
Your SMTP credentials will always be encrypted in our database.
</p>
</div>
<div className="col-span-8 space-y-4">
<FormField
control={form.control}
name="SMTP_HOST"
render={({ field }) => (
<FormItemLayout
label="Host"
description="Hostname or IP address of your SMTP server."
>
<FormControl>
<Input
{...field}
placeholder="your.smtp.host.com"
disabled={!canUpdateConfig}
/>
</FormControl>
</FormItemLayout>
)}
/>
{form.watch('SMTP_HOST')?.endsWith('.gmail.com') && (
<Admonition
type="warning"
title="Check your SMTP provider"
description="It looks like the SMTP provider you entered is designed
for sending personal rather than transactional email messages. Email deliverability may
be impacted."
className="mb-4 bg-warning-200 border-warning-400"
/>
)}
<FormField
control={form.control}
name="SMTP_PORT"
render={({ field }) => (
<FormItemLayout
label="Port number"
description={
<>
<span className="block">
Port used by your SMTP server. Common ports include 465 and 587.
Avoid using port 25 as it is often blocked by providers to curb
spam.
</span>
</>
}
>
<FormControl>
<Input
type="number"
value={field.value}
onChange={(e) => field.onChange(e.target.value)}
placeholder="587"
disabled={!canUpdateConfig}
/>
</FormControl>
</FormItemLayout>
)}
/>
<FormField
control={form.control}
name="SMTP_MAX_FREQUENCY"
render={({ field }) => (
<FormItemLayout
label="Minimum interval per user"
description="The minimum time in seconds between emails before another email can be sent to the same user."
>
<FormControl>
<InputGroup>
<FormInputGroupInput
type="number"
value={field.value}
onChange={(e) => field.onChange(e.target.value)}
disabled={!canUpdateConfig}
/>
<InputGroupAddon align="inline-end">
<InputGroupText>seconds</InputGroupText>
</InputGroupAddon>
</InputGroup>
</FormControl>
</FormItemLayout>
)}
/>
<FormField
control={form.control}
name="SMTP_USER"
render={({ field }) => (
<FormItemLayout
label="Username"
description="Username for your SMTP server."
>
<FormControl>
<Input
{...field}
placeholder="SMTP Username"
disabled={!canUpdateConfig}
/>
</FormControl>
</FormItemLayout>
)}
/>
<FormField
control={form.control}
name="SMTP_PASS"
render={({ field }) => (
<FormItemLayout
label="Password"
description="Password for your SMTP server. For security reasons, this password cannot be viewed once saved."
>
<FormControl>
<PasswordInput {...field} reveal copy disabled={!canUpdateConfig} />
</FormControl>
</FormItemLayout>
)}
/>
</div>
</div>
</CardContent>
</>
)}
{showEnablingAdmonition && (
<Admonition
type="default"
className="rounded-none border-x-0 border-t-0"
description={
<>
The email rate limit will be increased to 30 emails per hour after enabling
custom SMTP. It can be{' '}
<InlineLink href={`/project/${projectRef}/auth/rate-limits`}>
adjusted further
</InlineLink>{' '}
at any time.
</>
}
/>
)}
<CardFooter className="justify-end gap-x-2">
<div className="flex items-center gap-x-2">
{isDirty && (
<Button
type="default"
onClick={() => {
form.reset()
setEnableSmtp(isSmtpEnabled(authConfig))
}}
>
Cancel
</Button>
)}
<Button
type="primary"
htmlType="submit"
loading={isUpdatingConfig}
disabled={!canUpdateConfig || !isDirty}
>
Save changes
</Button>
</div>
</CardFooter>
</Card>
</form>
</Form>
</PageSectionContent>
<SmtpDisableConfirmationDialog
open={showDisableConfirmation}
onOpenChange={setShowDisableConfirmation}
onConfirm={handleConfirmDisable}
blockEditingOnReset={blockEditingOnReset}
/>
</PageSection>
)
}
Reference in New Issue View Git Blame Copy Permalink