Cannot invite users using invitation link

Open tomerplus500 opened this issue 5 months ago • 12 comments

How are you running Flagsmith

  • [x] Self Hosted with Docker
  • [ ] Self Hosted with Kubernetes
  • [ ] SaaS at flagsmith.com
  • [ ] Some other way (add details in description below)

Describe the bug

Running Flagsmith locally with the following env var set: "PREVENT_SIGNUP: 1", users cannot sign up using a valid invitation link. Also, the error message is unclear and we can see an (Unauthorized 401) error code in the browser's console.

From Flagsmith docs: https://docs.flagsmith.com/deployment/hosting/locally-frontend

" PREVENT_SIGNUP: Determines whether to prevent manual signups without invites. Set it to any value to prevent signups. "

Steps To Reproduce

Start the Flagsmith container with PREVENT_SIGNUP: 1, set it up as usual. As an Admin user, send an invitation link to create a new user. As a new user, open the link and fill in: First Name, Last Name, Email, Password; make sure all are valid and click "Create Account".

Expected behavior

The user should be created and provided access to the Organization. Instead, got an Unauthorized 401 error code in the browser's console. Also, the error message to the user is unclear: "".

Workaround

Set both:

PREVENT_SIGNUP: 0
ALLOW_REGISTRATION_WITHOUT_INVITE: 0

This way users won't be able to sign up without invitations, yet the Sign-up button appears, but will return an error if you try to click it.

Screenshots

Image

tomerplus500 avatar May 29 '25 09:05 tomerplus500

Thanks for raising the issue. It is actually the expected behavior from PREVENT_SIGNUP that is supposed to block any new sign-up. The doc is not up to date on this one, we will update it along with the error message (for the variable below).

Otherwise, if you want to restrict signups to invitations only, the correct variable to set in the API container is ALLOW_REGISTRATION_WITHOUT_INVITE=false

Zaimwa9 avatar May 29 '25 15:05 Zaimwa9

Thanks @Zaimwa9, this is exactly what I ended up with. One suggestion: please hide/remove the "Sign up" button when ALLOW_REGISTRATION_WITHOUT_INVITE=false and the Flagsmith main page is accessed directly (without an invitation link). Being able to register a new user when ALLOW_REGISTRATION_WITHOUT_INVITE=false, either directly from the UI or using the REST API, is a "Backdoor".

Image

tomerplus500 avatar Jun 03 '25 06:06 tomerplus500

Hi @tomerplus500, thanks for the details here - we'll look at removing the UI section as you mentioned.

To be clear here though, there is no "Backdoor" - the API prevents the signup without an invite as expected which can be seen here:

Image

matthewelwell avatar Jun 04 '25 15:06 matthewelwell

Weird, because I managed to register without an invite. Maybe I configured the container incorrectly. I used the env-vars exactly as shared here.

tomerplus500 avatar Jun 04 '25 17:06 tomerplus500

If you can provide reproduction steps, we can investigate but, as shown above, I have not been able to reproduce the issue.

matthewelwell avatar Jun 05 '25 07:06 matthewelwell

@matthewelwell could you please confirm what the final env variable should be so that only invited users can sign up?

asheeshChoudhary avatar Jun 11 '25 09:06 asheeshChoudhary

ALLOW_REGISTRATION_WITHOUT_INVITE: false

matthewelwell avatar Jun 11 '25 09:06 matthewelwell

@matthewelwell do we need to add prevent_signup as well, or is this enough to handle it?

asheeshChoudhary avatar Jun 11 '25 09:06 asheeshChoudhary

If you want to prevent registration without invitation, this is sufficient.

As per the discussion above, there is an improvement that we need to make in the UI to hide the sign up option when this environment variable is set, but any registrations will fail due to the validation in the API.

matthewelwell avatar Jun 11 '25 09:06 matthewelwell

Got it! I tried using ALLOW_REGISTRATION_WITHOUT_INVITE: false, but I am still not able to sign up via the invite link.

Could you confirm here: there are two invite options, with and without email. I am using the invite link without any email configuration.

Is it mandatory to add email for this approach?

asheeshChoudhary avatar Jun 11 '25 10:06 asheeshChoudhary

@asheeshChoudhary thanks for the details - it looks like there is a bug currently preventing using invite links when ALLOW_REGISTRATION_WITHOUT_INVITE is set to false - the frontend is not passing the invite_hash attribute in the registration request. We'll take a look into this, but in the meantime, please use email invites when using ALLOW_REGISTRATION_WITHOUT_INVITE.

matthewelwell avatar Jun 11 '25 10:06 matthewelwell

Running Flagsmith using the Docker Compose file on my laptop, I can confirm that with these settings:

PREVENT_SIGNUP: 0
ALLOW_REGISTRATION_WITHOUT_INVITE: 0

  1. I was able to sign up using a link generated by the initial admin user, such as: http://localhost:8000/invite-link/nxmweAWvksraRJBGBMPxzk

  2. I wasn't able to sign up when not using the link. Although the button was there and it let me go through the whole process, it eventually failed with a generic error message.

Please find the attached screenshots of the process.

Image Image Image Image

tomerplus500 avatar Jun 11 '25 10:06 tomerplus500

I have just retested this and can confirm that the behaviour works as expected.

matthewelwell avatar Oct 27 '25 16:10 matthewelwell