How to do it

You can restrict access to self-hosted instances of Trigger.dev by using the WHITELISTED_EMAILS environment variable.

Like this:

WHITELISTED_EMAILS="authorized@yahoo\.com|authorized@gmail\.com"

It's a regex pattern so you can allow specific addresses or patterns of addresses, like your company's email accounts.

Problem

The barrier only exists when a user tries to login using a magic link that they've been emailed. Security wise this should be fine, but it's not a great user experience.

• If you want to allow GitHub login then you can't restrict access.
• Magic link emails just shouldn't be sent in the first place to emails that don't pass the test.

Solution

Keep the existing check but also:

• Check the whitelist before sending magic link emails.
• Check the whitelist after a user has gone through the GitHub OAuth flow and reject them if their is a whitelist and they don't match.

_TRI-1857