Merge pull request #7888 from appwrite/feat-security-emails

New environment for certificates and security emails
2026-05-23 08:58:35 +00:00 · 2024-06-19 12:20:55 +05:30 · 2024-06-19 12:20:55 +05:30 · c5e788c2ef
commit c5e788c2ef
parent 4b24848f22 f762d66c5e
8 changed files with 35 additions and 15 deletions
--- a/.env
+++ b/.env
@ -9,7 +9,8 @@ _APP_CONSOLE_COUNTRIES_DENYLIST=AQ
 _APP_CONSOLE_HOSTNAMES=localhost,appwrite.io,*.appwrite.io
 _APP_SYSTEM_EMAIL_NAME=Appwrite
 _APP_SYSTEM_EMAIL_ADDRESS=team@appwrite.io
-_APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io
+_APP_EMAIL_SECURITY=security@appwrite.io
+_APP_EMAIL_CERTIFICATES=certificates@appwrite.io
 _APP_SYSTEM_RESPONSE_FORMAT=
 _APP_OPTIONS_ABUSE=disabled
 _APP_OPTIONS_ROUTER_PROTECTION=disabled
--- a/app/config/variables.php
+++ b/app/config/variables.php
@ -162,13 +162,31 @@ return [
            ],
            [
                'name' => '_APP_SYSTEM_SECURITY_EMAIL_ADDRESS',
-                'description' => 'This is the email address used to issue SSL certificates for custom domains or the user agent in your webhooks payload.',
+                'description' => 'Deprecated since 1.5.1 use _APP_EMAIL_SECURITY and _APP_EMAIL_CERTIFICATES instead',
                'introduction' => '0.7.0',
                'default' => 'certs@appwrite.io',
                'required' => false,
                'question' => '',
                'filter' => ''
            ],
+            [
+                'name' => '_APP_EMAIL_SECURITY',
+                'description' => 'This is the email address used as the user agent in your webhooks payload.',
+                'introduction' => '1.5.1',
+                'default' => '',
+                'required' => false,
+                'question' => '',
+                'filter' => ''
+            ],
+            [
+                'name' => '_APP_EMAIL_CERTIFICATES',
+                'description' => 'This is the email address used to issue SSL certificates for custom domains',
+                'introduction' => '1.5.1',
+                'default' => '',
+                'required' => true,
+                'question' => '',
+                'filter' => ''
+            ],
            [
                'name' => '_APP_USAGE_STATS',
                'description' => 'This variable allows you to disable the collection and displaying of usage stats. This value is set to \'enabled\' by default, to disable the usage stats set the value to \'disabled\'. When disabled, it\'s recommended to turn off the Worker Usage container to reduce resource usage.',
--- a/app/controllers/api/avatars.php
+++ b/app/controllers/api/avatars.php
@ -321,7 +321,7 @@ App::get('/v1/avatars/favicon')
                ->setUserAgent(\sprintf(
                    APP_USERAGENT,
                    System::getEnv('_APP_VERSION', 'UNKNOWN'),
-                    System::getEnv('_APP_SYSTEM_SECURITY_EMAIL_ADDRESS', APP_EMAIL_SECURITY)
+                    System::getEnv('_APP_EMAIL_SECURITY', System::getEnv('_APP_SYSTEM_SECURITY_EMAIL_ADDRESS', APP_EMAIL_SECURITY))
                ))
                ->fetch($url);
        } catch (\Throwable) {
--- a/app/init.php
+++ b/app/init.php
@ -1011,7 +1011,7 @@ foreach ($locales as $locale) {
        'user_agent' => \sprintf(
            APP_USERAGENT,
            System::getEnv('_APP_VERSION', 'UNKNOWN'),
-            System::getEnv('_APP_SYSTEM_SECURITY_EMAIL_ADDRESS', APP_EMAIL_SECURITY)
+            System::getEnv('_APP_EMAIL_SECURITY', System::getEnv('_APP_SYSTEM_SECURITY_EMAIL_ADDRESS', APP_EMAIL_SECURITY))
        ),
        'timeout' => 2,
    ],
--- a/app/views/install/compose.phtml
+++ b/app/views/install/compose.phtml
@ -79,7 +79,7 @@ $image = $this->getParam('image', '');
      - _APP_CONSOLE_HOSTNAMES
      - _APP_SYSTEM_EMAIL_NAME
      - _APP_SYSTEM_EMAIL_ADDRESS
-      - _APP_SYSTEM_SECURITY_EMAIL_ADDRESS
+      - _APP_EMAIL_SECURITY
      - _APP_SYSTEM_RESPONSE_FORMAT
      - _APP_OPTIONS_ABUSE
      - _APP_OPTIONS_ROUTER_PROTECTION
@ -249,6 +249,7 @@ $image = $this->getParam('image', '');
      - _APP_ENV
      - _APP_WORKER_PER_CORE
      - _APP_OPENSSL_KEY_V1
+      - _APP_EMAIL_SECURITY
      - _APP_SYSTEM_SECURITY_EMAIL_ADDRESS
      - _APP_DB_HOST
      - _APP_DB_PORT
@ -430,7 +431,7 @@ $image = $this->getParam('image', '');
      - _APP_DOMAIN
      - _APP_DOMAIN_TARGET
      - _APP_DOMAIN_FUNCTIONS
-      - _APP_SYSTEM_SECURITY_EMAIL_ADDRESS
+      - _APP_EMAIL_CERTIFICATES
      - _APP_REDIS_HOST
      - _APP_REDIS_PORT
      - _APP_REDIS_USER
@ -580,7 +581,7 @@ $image = $this->getParam('image', '');
      - _APP_OPENSSL_KEY_V1
      - _APP_DOMAIN
      - _APP_DOMAIN_TARGET
-      - _APP_SYSTEM_SECURITY_EMAIL_ADDRESS
+      - _APP_EMAIL_SECURITY
      - _APP_REDIS_HOST
      - _APP_REDIS_PORT
      - _APP_REDIS_USER
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -101,7 +101,7 @@ services:
      - _APP_CONSOLE_HOSTNAMES
      - _APP_SYSTEM_EMAIL_NAME
      - _APP_SYSTEM_EMAIL_ADDRESS
-      - _APP_SYSTEM_SECURITY_EMAIL_ADDRESS
+      - _APP_EMAIL_SECURITY
      - _APP_SYSTEM_RESPONSE_FORMAT
      - _APP_OPTIONS_ABUSE
      - _APP_OPTIONS_ROUTER_PROTECTION
@ -286,7 +286,7 @@ services:
      - _APP_ENV
      - _APP_WORKER_PER_CORE
      - _APP_OPENSSL_KEY_V1
-      - _APP_SYSTEM_SECURITY_EMAIL_ADDRESS
+      - _APP_EMAIL_SECURITY
      - _APP_DB_HOST
      - _APP_DB_PORT
      - _APP_DB_SCHEMA
@ -475,7 +475,7 @@ services:
      - _APP_DOMAIN
      - _APP_DOMAIN_TARGET
      - _APP_DOMAIN_FUNCTIONS
-      - _APP_SYSTEM_SECURITY_EMAIL_ADDRESS
+      - _APP_EMAIL_CERTIFICATES
      - _APP_REDIS_HOST
      - _APP_REDIS_PORT
      - _APP_REDIS_USER
@ -635,7 +635,7 @@ services:
      - _APP_OPENSSL_KEY_V1
      - _APP_DOMAIN
      - _APP_DOMAIN_TARGET
-      - _APP_SYSTEM_SECURITY_EMAIL_ADDRESS
+      - _APP_EMAIL_SECURITY
      - _APP_REDIS_HOST
      - _APP_REDIS_PORT
      - _APP_REDIS_USER
--- a/src/Appwrite/Platform/Workers/Certificates.php
+++ b/src/Appwrite/Platform/Workers/Certificates.php
@ -135,9 +135,9 @@ class Certificates extends Action

        try {
            // Email for alerts is required by LetsEncrypt
-            $email = System::getEnv('_APP_SYSTEM_SECURITY_EMAIL_ADDRESS');
+            $email = System::getEnv('_APP_EMAIL_CERTIFICATES', System::getEnv('_APP_SYSTEM_SECURITY_EMAIL_ADDRESS'));
            if (empty($email)) {
-                throw new Exception('You must set a valid security email address (_APP_SYSTEM_SECURITY_EMAIL_ADDRESS) to issue an SSL certificate.');
+                throw new Exception('You must set a valid security email address (_APP_EMAIL_CERTIFICATES) to issue an SSL certificate.');
            }

            // Validate domain and DNS records. Skip if job is forced
@ -474,7 +474,7 @@ class Certificates extends Action
            ->setBody($body)
            ->setName('Appwrite Administrator')
            ->setVariables($emailVariables)
-            ->setRecipient(System::getEnv('_APP_SYSTEM_SECURITY_EMAIL_ADDRESS'))
+            ->setRecipient(System::getEnv('_APP_EMAIL_CERTIFICATES', System::getEnv('_APP_SYSTEM_SECURITY_EMAIL_ADDRESS')))
            ->trigger();
    }

--- a/src/Appwrite/Platform/Workers/Webhooks.php
+++ b/src/Appwrite/Platform/Workers/Webhooks.php
@ -104,7 +104,7 @@ class Webhooks extends Action
        \curl_setopt($ch, CURLOPT_USERAGENT, \sprintf(
            APP_USERAGENT,
            System::getEnv('_APP_VERSION', 'UNKNOWN'),
-            System::getEnv('_APP_SYSTEM_SECURITY_EMAIL_ADDRESS', APP_EMAIL_SECURITY)
+            System::getEnv('_APP_EMAIL_SECURITY', System::getEnv('_APP_SYSTEM_SECURITY_EMAIL_ADDRESS', APP_EMAIL_SECURITY))
        ));
        \curl_setopt(
            $ch,