Merge branch 'main' of https://github.com/formbricks/formbricks into feat-resetpassword

.env.example

@@ -172,7 +172,6 @@ ENTERPRISE_LICENSE_KEY=
 # Automatically assign new users to a specific organization and role within that organization
 # Insert an existing organization id or generate a valid CUID for a new one at https://www.getuniqueid.com/cuid (e.g. cjld2cjxh0000qzrmn831i7rn)
 # (Role Management is an Enterprise feature)
-# DEFAULT_ORGANIZATION_ROLE=owner
 # AUTH_SSO_DEFAULT_TEAM_ID=
 # AUTH_SKIP_INVITE_FOR_SSO=
 

apps/web/modules/auth/signup/page.test.tsx

@@ -89,7 +89,6 @@ vi.mock("@/lib/constants", () => ({
   AZURE_OAUTH_ENABLED: true,
   OIDC_OAUTH_ENABLED: true,
   DEFAULT_ORGANIZATION_ID: "test-default-organization-id",
-  DEFAULT_ORGANIZATION_ROLE: "test-default-organization-role",
   IS_TURNSTILE_CONFIGURED: true,
   SAML_TENANT: "test-saml-tenant",
   SAML_PRODUCT: "test-saml-product",

apps/web/modules/ee/sso/lib/tests/sso-handlers.test.ts

@@ -93,7 +93,6 @@ vi.mock("@/lib/constants", () => ({
   SKIP_INVITE_FOR_SSO: 0,
   DEFAULT_TEAM_ID: "team-123",
   DEFAULT_ORGANIZATION_ID: "org-123",
-  DEFAULT_ORGANIZATION_ROLE: "member",
   ENCRYPTION_KEY: "test-encryption-key-32-chars-long",
 }));
 

apps/web/modules/setup/(fresh-instance)/signup/page.test.tsx

@@ -47,7 +47,6 @@ vi.mock("@/lib/constants", () => ({
   AZURE_OAUTH_ENABLED: true,
   OIDC_OAUTH_ENABLED: true,
   DEFAULT_ORGANIZATION_ID: "test-default-organization-id",
-  DEFAULT_ORGANIZATION_ROLE: "test-default-organization-role",
   IS_TURNSTILE_CONFIGURED: true,
   SAML_TENANT: "test-saml-tenant",
   SAML_PRODUCT: "test-saml-product",

apps/web/modules/setup/organization/[organizationId]/invite/page.test.tsx

@@ -48,7 +48,6 @@ vi.mock("@/lib/constants", () => ({
   AZURE_OAUTH_ENABLED: true,
   OIDC_OAUTH_ENABLED: true,
   DEFAULT_ORGANIZATION_ID: "test-default-organization-id",
-  DEFAULT_ORGANIZATION_ROLE: "test-default-organization-role",
   IS_TURNSTILE_CONFIGURED: true,
   SAML_TENANT: "test-saml-tenant",
   SAML_PRODUCT: "test-saml-product",

apps/web/modules/setup/organization/create/page.test.tsx

@@ -50,7 +50,6 @@ vi.mock("@/lib/constants", () => ({
   AZURE_OAUTH_ENABLED: true,
   OIDC_OAUTH_ENABLED: true,
   DEFAULT_ORGANIZATION_ID: "test-default-organization-id",
-  DEFAULT_ORGANIZATION_ROLE: "test-default-organization-role",
   IS_TURNSTILE_CONFIGURED: true,
   SAML_TENANT: "test-saml-tenant",
   SAML_PRODUCT: "test-saml-product",

docs/mint.json

@@ -260,6 +260,7 @@
           "group": "Auth & SSO",
           "icon": "lock",
           "pages": [
+            "self-hosting/auth-behavior",
             "self-hosting/configuration/auth-sso/open-id-connect",
             "self-hosting/configuration/auth-sso/azure-ad-oauth",
             "self-hosting/configuration/auth-sso/google-oauth",

docs/self-hosting/auth-behavior.mdx

@@ -0,0 +1,64 @@
+---
+title: "Authentication Behavior"
+description: "Learn how authentication and user invitation work in self-hosted Formbricks deployments."
+icon: "user"
+---
+
+## Overview
+
+In self-hosted Formbricks, user management and authentication can be customized using environment variables. By default, self-hosted instances have user signup disabled, and only organization owners or admins can invite new users. The behavior of the authentication and invitation flow can be further controlled using the following environment variables:
+
+- `AUTH_SKIP_INVITE_FOR_SSO`
+- `AUTH_DEFAULT_TEAM_ID`
+
+## License Requirement for Role Management and SSO Behavior
+
+<Note>
+  To control advanced role management features and environment-based SSO behavior, your self-hosted Formbricks
+  instance must have a valid enterprise license.
+</Note>
+
+## Environment Variables
+
+### `AUTH_SKIP_INVITE_FOR_SSO`
+
+- **Type:** Boolean (0 or 1)
+- **Default:** 0 (invite required)
+- **Description:**
+  - When set to `1`, users who sign up via SSO (Single Sign-On) providers (such as Google, Azure AD, SAML, or OIDC) can create an account without requiring an invitation.
+  - When set to `0` (default), all users—including those signing up via SSO—must be invited by an organization owner or admin before they can create an account.
+- **Use case:**
+  - Set this to `1` if you want to allow anyone with access to your SSO provider to join your Formbricks instance without a manual invite.
+  - Keep it at `0` for stricter access control, where only invited users can join, regardless of SSO.
+
+### `AUTH_DEFAULT_TEAM_ID`
+
+- **Type:** String (Team ID, a valid cuid)
+- **Default:** None (must be set if you want to use default team assignment)
+- **Description:**
+  - When a new user is invited or signs up (if allowed), they will automatically be added to the team with the ID specified in this variable.
+  - This is useful for onboarding users into a default team, ensuring they have access to relevant projects and resources immediately after joining.
+- **Use case:**
+  - Set this to the ID of your default team to streamline onboarding for new users.
+  - If not set, users will not be automatically assigned to any team upon signup or invite acceptance.
+
+## Example `.env` Configuration
+
+```env
+# Allow SSO users to join without invite
+AUTH_SKIP_INVITE_FOR_SSO=1
+
+# Automatically assign new users to this team
+AUTH_DEFAULT_TEAM_ID=team-123
+```
+
+Refer to the [Environment Variables documentation](./configuration/environment-variables) for a full list and details.
+
+---
+
+For more information on SSO setup, see:
+
+- [Google OAuth](./configuration/auth-sso/google-oauth)
+- [Azure AD OAuth](./configuration/auth-sso/azure-ad-oauth)
+- [Open ID Connect](./configuration/auth-sso/open-id-connect)
+- [SAML SSO](./configuration/auth-sso/saml-sso)

docs/self-hosting/configuration/environment-variables.mdx

@@ -55,7 +55,6 @@ These variables are present inside your machine's docker-compose file. Restart t
 | TELEMETRY_DISABLED           | Disables telemetry if set to 1.                                                                                | optional                                                |                                                                           |
 | DEFAULT_BRAND_COLOR          | Default brand color for your app (Can be overwritten from the UI as well).                                     | optional                                                | #64748b                                                                   |
 | DEFAULT_ORGANIZATION_ID      | Automatically assign new users to a specific organization when joining                                         | optional                                                |                                                                           |
-| DEFAULT_ORGANIZATION_ROLE    | Role of the user in the default organization.                                                                  | optional                                                | owner                                                                     |
 | OIDC_DISPLAY_NAME            | Display name for Custom OpenID Connect Provider                                                                | optional                                                |                                                                           |
 | OIDC_CLIENT_ID               | Client ID for Custom OpenID Connect Provider                                                                   | optional (required if OIDC auth is enabled)             |                                                                           |
 | OIDC_CLIENT_SECRET           | Secret for Custom OpenID Connect Provider                                                                      | optional (required if OIDC auth is enabled)             |                                                                           |