flagsmith
Possible to create non-SSO users via API
Where an organisation is configured to only allow signing in via SSO, https://api.flagsmith.com/api/v1/auth/users/ can be used to create non-SSO users that can then be used to access the API.
We should not allow API user creation if the organisation is configured in that manner.
@dabeeeenster this issue is a little unclear. The endpoint you have mentioned can be used to create users yes, but those users will not be part of any organisation. Users must be invited to an existing organisation. Can you clarify the exact steps that this issue relates to?
Note that we also have the auth controller repository which can be used to restrict access to certain auth type(s) based on an email domain.
We have a dedicated host for flagsmith, something like "https://abc123.flagsmith.com". Anybody on the internet can sign up to our instance. Yes, they will not get access to our data, but I think it's still unreasonable that anyone can run stuff on our org's host (if the API is accessible to these users?). We had previously requested that sign-up was not enabled from the start page (SSO only), but it is still possible to sign up via API.
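The mitigation the maintainer describes (restricting auth types per email domain) and the open sign-up problem the reporter describes can be modelled as one server-side policy check on the registration endpoint. The following is an added illustration, not Flagsmith or auth controller code; the `SignupPolicy` class, the `DOMAIN_AUTH_POLICY` table and the domain names in it are constructed for the example.

```python
"""Hypothetical sign-up policy check (added example, not Flagsmith code).

Models the behaviour discussed in the thread: an instance meant to be
SSO-only should refuse password-based user creation on /api/v1/auth/users/,
and an email-domain -> allowed-auth-types table (the idea behind the auth
controller) decides what each domain may use.
"""
from dataclasses import dataclass, field

# Constructed policy table: domain -> auth types permitted to register/sign in.
DOMAIN_AUTH_POLICY = {
    "example.com": {"saml"},                    # SSO only
    "contractor.example": {"saml", "password"}, # SSO or password allowed
}


@dataclass
class SignupPolicy:
    allow_open_signup: bool  # global switch: may unknown domains self-register?
    domain_auth: dict[str, set[str]] = field(default_factory=dict)

    def check(self, email: str, auth_type: str) -> tuple[bool, str]:
        """Return (allowed, reason) for a registration attempt."""
        if "@" not in email:
            return False, "invalid email"
        domain = email.rsplit("@", 1)[1].lower()
        allowed = self.domain_auth.get(domain)
        if allowed is None:
            # Unknown domain: only accepted when the instance permits open sign-up.
            if self.allow_open_signup:
                return True, "open signup"
            return False, "domain not permitted on this instance"
        if auth_type not in allowed:
            return False, f"{auth_type} not permitted for {domain}; use {sorted(allowed)}"
        return True, "permitted"


def handle_create_user(policy: SignupPolicy, email: str, auth_type: str = "password"):
    """Simulate the registration endpoint: returns (HTTP status, reason).

    A non-SSO request for an SSO-only domain, or any request for an unknown
    domain on a closed instance, is refused before a user record is created.
    """
    ok, reason = policy.check(email, auth_type)
    return (201 if ok else 403), reason


if __name__ == "__main__":
    closed = SignupPolicy(allow_open_signup=False, domain_auth=DOMAIN_AUTH_POLICY)
    print(handle_create_user(closed, "alice@example.com"))          # password refused
    print(handle_create_user(closed, "alice@example.com", "saml"))  # SSO accepted
    print(handle_create_user(closed, "mallory@random.net"))         # closed instance
```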
Solved in: https://github.com/Flagsmith/flagsmith-auth-controller/pull/9
Reopening this, see explanation here.