[PR #2502] [MERGED] fix: use instance-specific emails for service accounts #2346

Closed
opened 2026-02-26 20:33:29 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/documenso/documenso/pull/2502
Author: @Mythie
Created: 2/15/2026
Status: Merged
Merged: 2/16/2026
Merged by: @dguyen

Base: main ← Head: fix/migrate-service-accounts


📝 Commits (1)

  • 08ea1ba fix: use instance-specific emails for service accounts instead of hardcoded documenso.com addresses

📊 Changes

8 files changed (+143 additions, -3 deletions)


📝 apps/remix/server/router.ts (+5 -0)
📝 packages/auth/server/lib/utils/handle-oauth-callback-url.ts (+9 -0)
📝 packages/auth/server/routes/email-password.ts (+26 -0)
📝 packages/auth/server/routes/passkey.ts (+9 -0)
📝 packages/lib/constants/email.ts (+0 -2)
➕ packages/lib/server-only/user/get-user-by-reset-token.ts (+24 -0)
📝 packages/lib/server-only/user/service-accounts/deleted-account.ts (+36 -1)
➕ packages/lib/server-only/user/service-accounts/legacy-service-account.ts (+34 -0)

📄 Description

Summary

  • Service account emails (deleted-account@... and serviceaccount@...) are now derived from the instance's NEXT_PUBLIC_WEBAPP_URL hostname instead of being hardcoded to @documenso.com. This ensures each self-hosted deployment uses its own unique service account emails.
  • Existing service accounts are automatically migrated to the new email format on startup.
  • All auth flows (email/password, passkey, OAuth) now block login attempts against service account emails.

Details

Previously, service accounts used hardcoded @documenso.com email addresses across all deployments. Self-hosted instances rightfully raised concerns about this in #2501 — service accounts should belong to the instance, not to an external domain.

How it works

  1. Email derivation: Service account emails are now derived from the app's hostname (e.g., deleted-account@your-instance.com, serviceaccount@your-instance.com).
  2. Env var overrides: Can be explicitly set via NEXT_PRIVATE_DELETED_SERVICE_ACCOUNT_EMAIL and NEXT_PRIVATE_LEGACY_SERVICE_ACCOUNT_EMAIL if needed.
  3. Auto-migration: On startup, any existing service accounts with the old @documenso.com emails are migrated to the new hostname-derived addresses.
  4. Auth hardening: Service account emails are blocked from all authentication flows (sign-in, sign-up, forgot password, reset password, passkey, OAuth) to prevent misuse.
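The derivation, override, auth-guard and migration steps above, as an added illustration written for this page (not Documenso's own code). Function names are hypothetical, the `localhost` fallback is an assumption, and the old hardcoded addresses are assumed to be `deleted-account@documenso.com` and `serviceaccount@documenso.com` as the description implies.

```typescript
// Added illustration of the PR's approach; not the project's actual code.
type Env = Record<string, string | undefined>;

// Instance hostname taken from NEXT_PUBLIC_WEBAPP_URL; 'localhost' fallback is an assumption.
export function instanceHostname(env: Env): string {
  const raw = env.NEXT_PUBLIC_WEBAPP_URL;
  if (!raw) return 'localhost';
  try {
    return new URL(raw).hostname.toLowerCase();
  } catch {
    return 'localhost';
  }
}

// Explicit NEXT_PRIVATE_* override wins; otherwise <local-part>@<instance hostname>.
export function serviceAccountEmails(env: Env): { deleted: string; legacy: string } {
  const host = instanceHostname(env);
  return {
    deleted: (env.NEXT_PRIVATE_DELETED_SERVICE_ACCOUNT_EMAIL ?? `deleted-account@${host}`).toLowerCase(),
    legacy: (env.NEXT_PRIVATE_LEGACY_SERVICE_ACCOUNT_EMAIL ?? `serviceaccount@${host}`).toLowerCase(),
  };
}

// Guard shared by sign-in, sign-up, password reset, passkey and OAuth flows:
// a service account address must never authenticate, whatever the casing.
export function isServiceAccountEmail(email: string, env: Env): boolean {
  const { deleted, legacy } = serviceAccountEmails(env);
  const candidate = email.trim().toLowerCase();
  return candidate === deleted || candidate === legacy;
}

// Startup migration plan: old hardcoded addresses (assumed values) map to the
// instance-specific ones. Returns the renames to apply; empty when nothing changes.
export function planServiceAccountMigration(
  existingEmails: string[],
  env: Env,
): Array<{ from: string; to: string }> {
  const { deleted, legacy } = serviceAccountEmails(env);
  const renames = new Map<string, string>([
    ['deleted-account@documenso.com', deleted],
    ['serviceaccount@documenso.com', legacy],
  ]);
  const plan: Array<{ from: string; to: string }> = [];
  for (const raw of existingEmails) {
    const from = raw.toLowerCase();
    const to = renames.get(from);
    if (to !== undefined && to !== from) plan.push({ from, to });
  }
  return plan;
}
```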

Files changed

| File | Change |
|------|--------|
| packages/lib/server-only/user/service-accounts/deleted-account.ts | Derive email from hostname, add migration |
| packages/lib/server-only/user/service-accounts/legacy-service-account.ts | New — same pattern for the legacy service account |
| packages/lib/server-only/user/get-user-by-reset-token.ts | New — helper to look up user by reset token before allowing password reset |
| packages/lib/constants/email.ts | Remove old hardcoded SERVICE_USER_EMAIL |
| packages/auth/server/routes/email-password.ts | Block service account emails in sign-in, forgot-password, reset-password |
| packages/auth/server/routes/passkey.ts | Block service account emails in passkey auth |
| packages/auth/server/lib/utils/handle-oauth-callback-url.ts | Block service account emails in OAuth |
| apps/remix/server/router.ts | Run migrations on startup |

Closes #2501


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
