feat: enforce email as primary user identity in SaaS mode

Add SAAS_ADMIN_EMAIL env var (defaults to <user>@<host>). Pass to bootstrap for admin user creation with primaryEmail. Update README config reference and .env.example to document the email identity requirement. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-25 20:23:05 +02:00
parent 8227483580
commit b2259328d3
3 changed files with 7 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -86,6 +86,9 @@ Settings can be provided via CLI flags, environment variables, config file (`cam
 |---------|----------|---------|------------|---------|
 | Admin username | `--admin-user` | `SAAS_ADMIN_USER` | `admin_user` | `admin` |
 | Admin password | `--admin-password` | `SAAS_ADMIN_PASS` | `admin_password` | auto-generated |
+| Admin email | `--admin-email` | `SAAS_ADMIN_EMAIL` | `admin_email` | `<username>@<PUBLIC_HOST>` |
+
+Email is the primary user identity in SaaS mode. All users — including the admin — must have an email address. If `SAAS_ADMIN_EMAIL` is not set, the bootstrap derives it from `<SAAS_ADMIN_USER>@<PUBLIC_HOST>`.

 In standalone mode, the env vars are `SERVER_ADMIN_USER` / `SERVER_ADMIN_PASS`.

--- a/templates/.env.example
+++ b/templates/.env.example
@@ -50,8 +50,11 @@ CLICKHOUSE_PASSWORD=CHANGE_ME
 # ============================================================
 # Admin credentials (SaaS mode)
 # ============================================================
+# Email is the primary user identity in SaaS mode. The admin email
+# defaults to <SAAS_ADMIN_USER>@<PUBLIC_HOST> if not set explicitly.
 SAAS_ADMIN_USER=admin
 SAAS_ADMIN_PASS=CHANGE_ME
+# SAAS_ADMIN_EMAIL=admin@example.com

 # ============================================================
 # Admin credentials (standalone mode)
--- a/templates/docker-compose.saas.yml
+++ b/templates/docker-compose.saas.yml
@@ -27,6 +27,7 @@ services:
      PG_DB_SAAS: cameleer_saas
      SAAS_ADMIN_USER: ${SAAS_ADMIN_USER:-admin}
      SAAS_ADMIN_PASS: ${SAAS_ADMIN_PASS:?SAAS_ADMIN_PASS must be set in .env}
+      SAAS_ADMIN_EMAIL: ${SAAS_ADMIN_EMAIL:-}
    extra_hosts:
      # Logto validates M2M tokens by fetching its own JWKS from ENDPOINT.
      # Route the public hostname back to the Docker host (Traefik on :443)