Add NEXT_PUBLIC_INVITE_DISABLED env variable to disable invite functionality (#373)

* Add env variable to check for team invite

* Check for only public invite env for invite

* Disable Add Member and block the invite API

* Change the invite disabled condition

* Update the condition for env variable

---------

Co-authored-by: Seram Nitesh Singh <nitesh.s@auzmor.com>
Co-authored-by: Matthias Nannt <mail@matthiasnannt.com>

.env.docker

@@ -70,6 +70,9 @@ NEXT_PUBLIC_PASSWORD_RESET_DISABLED=1
 # Signup. Disable the ability for new users to create an account.
 # NEXT_PUBLIC_SIGNUP_DISABLED=1
 
+# Team Invite. Disable the ability for invited users to create an account.
+# NEXT_PUBLIC_INVITE_DISABLED=1
+
 ##########
 # Other  #
 ##########

.env.example

@@ -70,6 +70,9 @@ SMTP_PASSWORD=smtpPassword
 # Signup. Disable the ability for new users to create an account.
 # NEXT_PUBLIC_SIGNUP_DISABLED=1
 
+# Team Invite. Disable the ability for invited users to create an account.
+# NEXT_PUBLIC_INVITE_DISABLED=1
+
 ##########
 # Other  #
 ##########

apps/web/app/api/v1/users/route.ts

@@ -5,10 +5,14 @@ import { prisma } from "@formbricks/database";
 import { NextResponse } from "next/server";
 
 export async function POST(request: Request) {
-  if (process.env.NEXT_PUBLIC_SIGNUP_DISABLED === "1") {
+  let { inviteToken, ...user } = await request.json();
+  if (
+    inviteToken
+      ? process.env.NEXT_PUBLIC_INVITE_DISABLED === "1"
+      : process.env.NEXT_PUBLIC_SIGNUP_DISABLED === "1"
+  ) {
     return NextResponse.json({ error: "Signup disabled" }, { status: 403 });
   }
-  let { inviteToken, ...user } = await request.json();
   user = { ...user, ...{ email: user.email.toLowerCase() } };
 
   let inviteId;

apps/web/app/auth/signup/page.tsx

@@ -1,9 +1,15 @@
+'use client'
+
 import Link from "next/link";
+import { useSearchParams } from "next/navigation";
 import { SignupForm } from "@/components/auth/SignupForm";
 import FormWrapper from "@/components/auth/FormWrapper";
 import Testimonial from "@/components/auth/Testimonial";
 
 export default function SignUpPage() {
+  const searchParams = useSearchParams();
+  const inviteToken = searchParams?.get("inviteToken");
+
   return (
     <div className="grid min-h-screen w-full bg-gradient-to-tr from-slate-100 to-slate-50 lg:grid-cols-5">
       <div className="col-span-2 hidden lg:flex">
@@ -11,7 +17,11 @@ export default function SignUpPage() {
       </div>
       <div className="col-span-3 flex flex-col items-center justify-center">
         <FormWrapper>
-          {process.env.NEXT_PUBLIC_SIGNUP_DISABLED === "1" ? (
+          {(
+            inviteToken
+              ? process.env.NEXT_PUBLIC_INVITE_DISABLED === "1"
+              : process.env.NEXT_PUBLIC_SIGNUP_DISABLED === "1"
+          ) ? (
             <>
               <h1 className="leading-2 mb-4 text-center font-bold">Sign up disabled</h1>
               <p className="text-center">

apps/web/app/environments/[environmentId]/settings/members/EditMemberships.tsx

@@ -181,7 +181,7 @@ export function EditMemberships({ environmentId }: EditMembershipsProps) {
           }}>
           Create New Team
         </Button>
-        {isAdminOrOwner && (
+        {process.env.NEXT_PUBLIC_INVITE_DISABLED !== "1" && isAdminOrOwner && (
           <Button
             variant="darkCTA"
             onClick={() => {

apps/web/pages/api/v1/teams/[teamId]/invite/index.ts

@@ -20,6 +20,10 @@ export default async function handle(req: NextApiRequest, res: NextApiResponse)
     return res.status(403).json({ message: "Not authorized" });
   }
 
+  if (process.env.NEXT_PUBLIC_INVITE_DISABLED === "1") {
+    return res.status(403).json({ message: "Invite Disabled" });
+  }
+
   const hasOwnerOrAdminAccess = await isAdminOrOwner(currentUser, teamId);
   if (!hasOwnerOrAdminAccess) {
     return res.status(403).json({ message: "Not authorized" });

turbo.json

@@ -21,6 +21,7 @@
         "NEXT_PUBLIC_PASSWORD_RESET_DISABLED",
         "NEXT_PUBLIC_PRIVACY_URL",
         "NEXT_PUBLIC_SENTRY_DSN",
+        "NEXT_PUBLIC_INVITE_DISABLED",
         "NEXT_PUBLIC_SIGNUP_DISABLED",
         "NEXT_PUBLIC_STRIPE_PRICING_TABLE_ID",
         "NEXT_PUBLIC_STRIPE_PUBLIC_KEY",