sourcebot-dev
diff --git a/‎.env.development‎
Lines changed: 0 additions & 1 deletion b/‎.env.development‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 7 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎docs/docs/configuration/auth/access-settings.mdx‎
Lines changed: 12 additions & 4 deletions b/‎docs/docs/configuration/auth/access-settings.mdx‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎docs/docs/configuration/auth/providers.mdx‎
Lines changed: 9 additions & 10 deletions b/‎docs/docs/configuration/auth/providers.mdx‎
Lines changed: 9 additions & 10 deletions
diff --git a/‎docs/docs/configuration/config-file.mdx‎
Lines changed: 0 additions & 1 deletion b/‎docs/docs/configuration/config-file.mdx‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎docs/docs/configuration/environment-variables.mdx‎
Lines changed: 0 additions & 6 deletions b/‎docs/docs/configuration/environment-variables.mdx‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎docs/images/anonymous_access_toggle.png‎
32.3 KB b/‎docs/images/anonymous_access_toggle.png‎
32.3 KB
diff --git a/‎docs/images/demote_to_member.png‎
-9.85 KB b/‎docs/images/demote_to_member.png‎
-9.85 KB
diff --git a/‎docs/images/email_code_login_setting.png‎
28.4 KB b/‎docs/images/email_code_login_setting.png‎
28.4 KB
diff --git a/‎docs/images/email_password_login_setting.png‎
29.7 KB b/‎docs/images/email_password_login_setting.png‎
29.7 KB
@@ -13,7 +13,6 @@ CTAGS_COMMAND=ctags
 # @see: https://authjs.dev/getting-started/deployment#auth_secret
 AUTH_SECRET="00000000000000000000000000000000000000000000"
 AUTH_URL="http://localhost:3000"
-# AUTH_CREDENTIALS_LOGIN_ENABLED=true
 
 DATA_CACHE_DIR=${PWD}/.sourcebot  # Path to the sourcebot cache dir (ex. ~/sourcebot/.sourcebot)
 SOURCEBOT_PUBLIC_KEY_PATH=${PWD}/public.pem
 
@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+- Changed the workspace "Access" page to a "Security" page. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
+
+### Added
+- Added the ability to configure email code and credentials login from the security settings. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
+- Added a list of configured SSO providers from the security settings. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
+
 ## [5.0.2] - 2026-06-11
 
 ### Changed
 
@@ -11,9 +11,11 @@ By default, Sourcebot requires new members to be approved by an owner of the dep
 to configure this behavior.
 
 ### Configuration
-Member approval can be configured by an owner of the deployment by navigating to **Settings -> Access**, or by setting the `REQUIRE_APPROVAL_NEW_MEMBERS` environment variable. When the environment variable is set, the UI toggle is disabled and the setting is controlled by the environment variable.
+Member approval can be configured by an owner of the deployment by navigating to **Settings -> Security**.
 
-![Member Approval Toggle](/images/member_approval_toggle.png)
+<Frame>
+  <img src="/images/member_approval_toggle.png" alt="Require approval for new members toggle in Settings → Access" />
+</Frame>
 
 ### Managing Requests
 
@@ -27,7 +29,9 @@ Owners can see and manage all pending join requests by navigating to **Settings
 If member approval is required, an owner of the deployment can enable an invite link. When enabled, users
 can use this invite link to register and be automatically added to the organization without approval:
 
-![Invite Link Toggle](/images/invite_link_toggle.png)
+<Frame>
+  <img src="/images/invite_link_toggle.png" alt="Enable invite links toggle in Settings → Access" />
+</Frame>
 
 
 # Anonymous access
@@ -36,6 +40,10 @@ can use this invite link to register and be automatically added to the organizat
 
 By default, your Sourcebot deployment is gated with a login page. If you'd like users to access the deployment anonymously, you can enable anonymous access. 
 
-This can be enabled by navigating to **Settings -> Access** or by setting the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable.
+This can be enabled by navigating to **Settings -> Access**.
+
+<Frame>
+  <img src="/images/anonymous_access_toggle.png" alt="Enable anonymous access toggle in Settings → Access" />
+</Frame>
 
 When accessing Sourcebot anonymously, a user's permissions are limited to that of the  [Guest](/docs/configuration/auth/roles-and-permissions) role.
@@ -10,19 +10,18 @@ If there's an authentication provider you'd like us to support, please [reach ou
 # Core Authentication Providers
 
 ### Email / Password
----
-Email / password authentication is enabled by default. It can be **disabled** by setting `AUTH_CREDENTIALS_LOGIN_ENABLED` to `false`.
+Email / password authentication is enabled by default. You can toggle it from **Settings → Security** using the **Email login** setting.
 
-### Email codes
----
-Email codes are 6 digit codes sent to a provided email. Email codes are enabled when transactional emails are configured using the following environment variables:
-
-- `AUTH_EMAIL_CODE_LOGIN_ENABLED`
-- `SMTP_CONNECTION_URL`
-- `EMAIL_FROM_ADDRESS`
+<Frame>
+  <img src="/images/email_password_login_setting.png" alt="Email & password login setting toggle in Settings → Security" />
+</Frame>
 
+### Email codes
+Email codes are 6 digit codes sent to a provided email. Email codes are enabled when [transactional emails](/docs/configuration/transactional-emails) and the **Email code** setting is toggled from **Settings → Security**:
 
-See [transactional emails](/docs/configuration/transactional-emails) for more details.
+<Frame>
+  <img src="/images/email_code_login_setting.png" alt="Email code login setting toggle in Settings → Security" />
+</Frame>
 
 # Enterprise Authentication Providers
 
 
@@ -49,7 +49,6 @@ The following are settings that can be provided in your config file to modify So
 | `maxRepoGarbageCollectionJobConcurrency`        | number  | 8          | 1       | Concurrent repo‑garbage‑collection jobs.                                               |
 | `repoGarbageCollectionGracePeriodMs`            | number  | 10 seconds | 1       | Grace period to avoid deleting shards while loading.                                   |
 | `repoIndexTimeoutMs`                            | number  | 2 hours    | 1       | Timeout for a single repo‑indexing run.                                                |
-| `enablePublicAccess` **(deprecated)**           | boolean | false      | —       | Use the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable instead.                  |
 | `repoDrivenPermissionSyncIntervalMs`            | number  | 24 hours   | 1       | Interval at which the repo permission syncer should run.                               |
 | `userDrivenPermissionSyncIntervalMs`            | number  | 24 hours   | 1       | Interval at which the user permission syncer should run.                               |
 | `experiment_repoDrivenPermissionSyncIntervalMs` **(deprecated)** | number  | 24 hours   | 1       | Use `repoDrivenPermissionSyncIntervalMs` instead.             |
 
@@ -10,8 +10,6 @@ The following environment variables allow you to configure your Sourcebot deploy
 
 | Variable | Default | Description |
 | :------- | :------ | :---------- |
-| `AUTH_CREDENTIALS_LOGIN_ENABLED` | `true` | <p>Enables/disables authentication with basic credentials. Username and passwords are stored encrypted at rest within the postgres database. Checkout the [auth docs](/docs/configuration/auth/authentication) for more info</p> |
-| `AUTH_EMAIL_CODE_LOGIN_ENABLED` | `false` | <p>Enables/disables authentication with a login code that's sent to a users email. `SMTP_CONNECTION_URL` and `EMAIL_FROM_ADDRESS` must also be set. Checkout the [auth docs](/docs/configuration/auth/authentication) for more info </p> |
 | `AUTH_SECRET` **(required)** | - | <p>Used to validate login session cookies. Genearte one with `openssl rand -base64 33`.</p> |
 | `AUTH_SESSION_MAX_AGE_SECONDS` | `2592000` (30 days) | <p>Relative time from now in seconds when to expire the session.</p> |
 | `AUTH_SESSION_UPDATE_AGE_SECONDS` | `86400` (1 day) | <p>How often the session should be updated in seconds. If set to `0`, session is updated every time.</p> |
@@ -24,8 +22,6 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `DATA_DIR` | `/data` | <p>The directory within the container to store all persistent data. Typically, this directory will be volume mapped such that data is persisted across container restarts (e.g., `docker run -v $(pwd):/data`)</p> |
 | `DATABASE_URL` **(required)** | - | <p>Connection string of your Postgres database, e.g. `postgresql://user:password@host:5432/sourcebot`.</p><p>If you'd like to use a non-default schema, you can provide it as a parameter in the database url.</p><p>You can also use `DATABASE_HOST`, `DATABASE_USERNAME`, `DATABASE_PASSWORD`, `DATABASE_NAME`, and `DATABASE_ARGS` to construct the database url.</p> |
 | `EMAIL_FROM_ADDRESS` | `-` | <p>The email address that transactional emails will be sent from. See [this doc](/docs/configuration/transactional-emails) for more info.</p> | 
-| `FORCE_ENABLE_ANONYMOUS_ACCESS` | `false` | <p>When enabled, [anonymous access](/docs/configuration/auth/access-settings#anonymous-access) to the organization will always be enabled</p>
-| `REQUIRE_APPROVAL_NEW_MEMBERS` | - | <p>When set, controls whether new users require approval before accessing your deployment. If not set, the setting can be configured via the UI. See [member approval](/docs/configuration/auth/access-settings#member-approval) for more info.</p>
 | `REDIS_URL` **(required)** | - | <p>Connection string of your Redis instance, e.g. `redis://host:6379`.</p><p>To enable TLS, see [this doc](/docs/deployment/infrastructure/redis#tls).</p> |
 | `REDIS_REMOVE_ON_COMPLETE` | `0` | <p>Controls how many completed jobs are allowed to remain in Redis queues</p> |
 | `REDIS_REMOVE_ON_FAIL` | `100` | <p>Controls how many failed jobs are allowed to remain in Redis queues</p> |
@@ -54,10 +50,8 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
 | `PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
 | `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `PERMISSION_SYNC_ENABLED` is `true`.</p> |
-| `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` **(deprecated)** | `false` | <p>Deprecated. Use `PERMISSION_SYNC_ENABLED` instead.</p> |
 | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
 | `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create API keys. Non-owner members will receive a `403` error if they attempt to create one.</p> |
-| `EXPERIMENT_DISABLE_API_KEY_CREATION_FOR_NON_ADMIN_USERS` **(deprecated)** | `false` | <p>Deprecated. Use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |
 | `DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS` | `false` | <p>When enabled, only organization owners can create or use API keys. Non-owner members will receive a `403` error if they attempt to create or authenticate with an API key. If you only want to restrict creation (not usage), use `DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS` instead.</p> |