feat: Add email domain filtering and passwordless login toggle #2361
Description
Feature Request: Email Domain Filtering and Passwordless Login Toggle
Problem
Self-hosted Typebot instances often need to restrict signups to specific email domains (e.g., @company.com) or control whether magic link/passwordless authentication is available.
Currently, there's no way to:
- Restrict signups to specific email domains
- Disable magic link authentication (force OAuth-only)
Proposed Solution
Add two new environment variables:
| Variable | Default | Description |
|---|---|---|
ALLOWED_EMAIL_DOMAINS |
(empty) | Comma-separated list of allowed email domains. When set, only users with emails from these domains can sign in. |
EMAIL_LOGIN_ENABLED |
true |
Set to false to disable magic link/passwordless email authentication. |
Use Cases
- Enterprise deployments: Restrict to corporate email domains only (
ALLOWED_EMAIL_DOMAINS=company.com,subsidiary.com) - OAuth-only mode: Disable email login and require OAuth providers (
EMAIL_LOGIN_ENABLED=false) - Multi-tenant: Allow specific partner domains
Implementation Notes
- Domain filtering happens in Better Auth database hooks (before user creation)
- Invalid domain attempts return a clear error message listing allowed domains
- Works with both OAuth and magic link authentication
Dependencies
This feature depends on the Better Auth migration (#2360).