284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
8.1 KiB
8.1 KiB
Email Registration System Documentation
Overview
The email registration system allows clients to self-register using their company email addresses. The system supports two registration flows:
- Contact-based registration (existing functionality)
- Allows existing contacts to create user accounts
- Automatically assigns client role
- Validates contact status (active/inactive)
- Preserves existing company and contact relationships
- Email suffix-based registration (new functionality)
- Validates email domain against allowed suffixes
- Creates new contact and user records
- Assigns roles based on company context (first user gets client_admin)
Architecture
Database Tables
-
company_email_settings- Stores allowed email suffixes for each company
- Reference table in CitusDB environment
- Includes self-registration toggle per suffix
-
pending_registrations- Tracks registration attempts and their status
- Distributed table in CitusDB environment
- Statuses: PENDING_VERIFICATION, VERIFIED, COMPLETED, EXPIRED
-
verification_tokens- Manages email verification tokens
- Reference table in CitusDB environment
- Includes expiration and usage tracking
Security Measures
-
Rate Limiting
- Registration attempts: 5 per hour per email
- Verification attempts: 3 per 5 minutes per token
- Email sending: 3 per hour per email
- Includes user-friendly error messages with wait times
- Memory-based implementation using rate-limiter-flexible
-
Token Security
- 32-byte random tokens using crypto library
- Base64URL encoding for URL safety
- 24-hour expiration
- One-time use only
- Validation includes expiration and usage checks
- Transaction-based token management
-
Audit Logging
- Security event logging temporarily disabled (tenant context issue)
- Will log registration attempts, verifications, and completions
- Includes detailed event context and tenant isolation
- Uses centralized audit logging system
Registration Flow
-
User submits registration form
- Validates rate limits for registration attempts
- For contacts:
- Verifies contact exists and is active
- Checks for existing user account
- Creates user with contact association
- For email suffix:
- Validates email domain against allowed suffixes
- Determines company from email suffix
- Creates pending registration with expiration
- Generates and stores verification token
- Validates email sending rate limit
- Sends verification email using templated system
-
User verifies email
- Clicks link in email with token and registration ID
- System validates token:
- Checks rate limits for verification attempts
- Verifies token exists and hasn't been used
- Confirms token hasn't expired
- Validates registration status is PENDING_VERIFICATION
- Updates token usage timestamp
- Updates registration status to VERIFIED
-
System completes registration
- Validates registration exists and is verified
- Executes in a database transaction:
- Creates contact record if needed
- Creates user account
- Assigns client role to user (client_admin role is managed separately through settings)
- Updates registration status to COMPLETED
- Handles rollback on any failure
Maintenance
Cleanup Jobs
Two cleanup jobs run hourly:
-
cleanupExpiredRegistrations- Finds registrations past 24-hour expiration
- Updates status to EXPIRED
- Logs cleanup events
- Maintains registration record for audit purposes
-
cleanupExpiredTokens- Removes expired verification tokens
- Only removes tokens that were never used
- Preserves used tokens for audit trail
- Runs after registration cleanup
Monitoring
Monitor these aspects:
-
Registration Attempts
- Watch for unusual patterns
- Track success/failure rates
- Monitor rate limit hits
-
Token Usage
- Track verification success rates
- Monitor token expiration patterns
- Watch for repeated failures
-
Email Delivery
- Monitor sending success rates
- Track delivery delays
- Watch for bounces
Troubleshooting
Common issues and solutions:
-
Rate Limit Exceeded
- System provides specific wait time in error message
- Check logs for abuse patterns
- Verify limit configurations in rate-limiter-flexible settings
- Consider adjusting points or duration if needed
-
Token Verification Failures
- Check token expiration (24-hour limit)
- Verify email delivery through email service logs
- Look for multiple verification attempts
- Check if token was already used
- Validate registration ID matches token
-
Role Assignment Issues
- Verify role existence in roles table
- Check tenant isolation in all related tables
- Validate company settings and email suffix configuration
- Verify first-user detection logic
Administration
Administration Interface
The system provides two main administration interfaces:
-
Email Registration Settings
- Email Suffix Management:
- Add new email suffixes with validation
- Delete existing suffixes
- View all configured suffixes in a data table
- Case-insensitive suffix handling (automatically converted to lowercase)
- Registration Controls:
- Toggle self-registration per suffix using switches
- Immediate effect on registration availability
- Visual feedback for configuration status
- Error handling for failed operations
- User Interface Features:
- Clean, card-based layout
- Interactive data table for suffix management
- Dropdown menus for suffix actions
- Form validation and error messaging
- Loading states during operations
- Error Handling:
- Displays error alerts for failed operations
- Validates input before submission
- Maintains state consistency after errors
- Provides feedback for all user actions
- Email Suffix Management:
-
User Management
- Role Management:
- View and edit user roles through user details drawer
- Assign/remove client_admin role as needed
- Manage role-based permissions
- Maintain audit trail of role changes
- User Controls:
- Edit user details and status
- Reset passwords (admin only)
- Enable/disable user accounts
- View user activity and roles
- Role Management:
Security Settings
Available controls:
- Rate limit configurations
- Token expiration times
- Email sending limits
- IP-based restrictions
Best Practices
-
Email Suffixes
- Use specific suffixes when possible
- Avoid common email providers
- Regularly review and update
-
Security
- Monitor audit logs regularly
- Review rate limits periodically
- Keep email templates updated
-
Maintenance
- Check cleanup job logs
- Monitor database size
- Review expired registrations
Deployment
Prerequisites
- PostgreSQL or CitusDB
- Node.js environment
- Email service configuration
Configuration Steps
- Run database migrations
- Configure email service
- Set environment variables
- Enable cleanup jobs
Rollback Procedures
- Disable new registrations
- Revert database migrations
- Remove email settings
Troubleshooting Guide
Common Issues
-
Registration Fails
- Check email suffix configuration
- Verify rate limits
- Check database connectivity
-
Verification Link Invalid
- Check token expiration
- Verify token usage
- Check email delivery logs
-
Role Assignment Fails
- Verify role existence
- Check tenant configuration
- Validate company settings
Monitoring Checklist
Daily:
- Check registration success rates
- Monitor verification attempts
- Review security logs
Weekly:
- Analyze rate limit patterns
- Check cleanup job effectiveness
- Review expired registrations
Monthly:
- Audit email suffix configurations
- Review security settings
- Check system performance
Support
For issues:
- Check audit logs first
- Review rate limit status
- Verify email delivery
- Check database consistency
Future Improvements
Planned enhancements:
- Enhanced rate limiting
- IP-based restrictions
- Improved monitoring
- Additional security measures