Cannot disable new signups

[felipebraz]

Subject of the issue

I deactivated the option for new signups in docker variables and in admin page but Vaultwarden still accepting new users.

Deployment environment

• vaultwarden version: 1.30.0

• Install method: Docker Compose

• Clients used: web and desktop

• Reverse proxy and version: Cloudflare Tunnel

• Other relevant details:

Steps to reproduce

Deactivate the new signups and try to signup

Expected behaviour

Block the signup

Actual behaviour

Allowing signup

Troubleshooting data

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.30.0
• Web-vault version: v2023.10.0
• OS/Arch: linux/x86_64
• Running within Docker: true (Base: Debian)
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: false (X-Forwarded-For)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.41.2
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: DOMAIN, SENDS_ALLOWED, SIGNUPS_ALLOWED, SIGNUPS_VERIFY, SIGNUPS_VERIFY_RESEND_TIME, SIGNUPS_VERIFY_RESEND_LIMIT, SIGNUPS_DOMAINS_WHITELIST, EMERGENCY_ACCESS_ALLOWED, ADMIN_TOKEN, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_AUTH_MECHANISM

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 10,
  "admin_ratelimit_seconds": 60,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********************",
  "domain_origin": "*****://**********************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "****************,***********,*********",
  "signups_verify": false,
  "signups_verify_resend_limit": 5,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Login",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "******************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

[stefan0xC]

Disabling signups in the back-end does not remove the registration form in the front-end. It will however prevent the creation of new users if you submit the form. See: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users

Also you allow registration via SIGNUPS_DOMAINS_WHITELIST which overrides this setting.

vaultwarden/src/config.rs

Lines 1084 to 1093 in 03c6ed2

	/// Tests whether signup is allowed for an email address, taking into
	/// account the signups_allowed and signups_domains_whitelist settings.
	pub fn is_signup_allowed(&self, email: &str) -> bool {
	if !self.signups_domains_whitelist().is_empty() {
	// The whitelist setting overrides the signups_allowed setting.
	self.is_email_domain_allowed(email)
	} else {
	self.signups_allowed()
	}
	}

[jprinaldi]

Someone updated the documentation recently and it now says:

Note that when SIGNUPS_ALLOWED=false, the Create Account button will not be shown in the web vault UI. Invitation is still possible regardless of this settings.

However, I still see the "Create account" link. Has the behavior actually changed, or is the documentation incorrect?

[BlackDex]

Have you also seen the next part of that documentation?
If you have set anything in the allow, it will still show.

That might be the case of course

[jprinaldi]

Nothing else is set.

[jprinaldi]

Anyway, I wanted to confirm whether the behavior actually changed or not. I assume based on your comment that it has, so I'll keep investigating the issue on my end. Thanks.

[felipebraz]

Oh, thank you! I haven't seend this wiki before, thank you very much!

[sempervictus]

@stefan0xC - the logic here seems to be a bit off:

should prevent anyone from self-creating an account as

is there to permit org admins to actually email invitations.

At present, anyone with an email at a domain from which an admin can invite someone else can self-sign-up even though new signups are not allowed. Since the mailer automatically sends out an invite, this can be used to spam large orgs from which only one or two users are supposed to have access.

[BlackDex]

The logic is fine. Just read the comment with that option a bit better

vaultwarden/src/config.rs

Line 468 in f05398a

/// Email domain whitelist |> Allow signups only from this list of comma-separated domains, even when signups are otherwise disabled

You'll probably want invitations_allowed to be enabled.

vaultwarden/src/config.rs

Line 475 in f05398a

/// Allow invitations |> Controls whether users can be invited by organization admins, even when signups are otherwise disabled

Maybe together with signups_allowed set to false.

vaultwarden/src/config.rs

Line 460 in f05398a

/// Allow new signups |> Controls whether new users can register. Users can be invited by the vaultwarden admin even if this is disabled

See https://github.com/dani-garcia/vaultwarden/blob/f05398a6b36891e6e979a39937f8f8eaa6360d52/src/api/core/organizations.rs#L871...L904 for the logic, and here https://github.com/dani-garcia/vaultwarden/blob/f05398a6b36891e6e979a39937f8f8eaa6360d52/src/api/core/accounts.rs#L176...L184. What you mention is not possible. The domain check and invite check is done correctly. That user probably was already invited or a had an account.

[BlackDex]

Hmm, now that look at that list link i posted a bit better it does seem a bit weird. It looks like a full bypass for this whitelisted domains.

It might be better to check both items. So if there is a whitelist only allow that if signups allowed is set to true. Else, still ignore.

[sempervictus]

That sounds like we need to remove all domain whitelists disable sign-ups to only have org admins be allowed to create new accounts by invite? The concern there would be that an org admin can invite anyone from any SMTP domain for lack of whitelist whereas what we want to do is prevent user-driven sign-ups for anyone even if they have an email in a whitelisted domain (ideally remove the link from the ui in general as that's a major abuse target for scanners/scrapers/etc) and only allow org admins to send invitations to people in the whitelisted domains. That currently does not seem possible.

[BlackDex]

That would mean my sollution would work. If you set signups_allowed to false, people can't signup anymore.
If you have signups_allowed set to true, AND there is a whitelist, then it check the whitelist.

Admins can still invite, because the invitations_allowed should then be set to true.