feat(auth): ALLOW_SELF_REGISTER toggle + public /auth/config endpoint (0.42.0)

Lets operators run a closed-membership deployment by setting
ALLOW_SELF_REGISTER=false (default true, so existing deploys are
unaffected). When off, POST /auth/register returns 403 forbidden. The
rate-limit token is consumed BEFORE the disabled check so the timing
doesn't distinguish enabled-but-rejected from disabled — closes the
toggle-state probe channel.

New public GET /auth/config returns { self_register_enabled: bool }
so the frontend can render its register affordances correctly
without conflating "disabled" with "rate-limited" (which a probe
attempt would).

Frontend: a lightweight reactive `authConfig` store loads the flag
once on root-layout mount (and again on /register direct navigation,
which bypasses the layout's onMount). Header hides the Register link
when the toggle is off; /register renders a "self-registration is
disabled — ask an administrator" notice instead of the form.

Admin-create endpoint that pairs with this toggle is intentionally
not in this PR — it lands as the next branch (feat/admin-user-create).
The toggle alone is independently useful for deployments that want
to lock down enrollment without yet wiring an admin UI.

backend/tests/api_auth.rs

@@ -765,3 +765,44 @@ async fn create_token_rejects_name_over_64_chars(pool: PgPool) {
     assert_eq!(body["error"]["code"], "validation_failed");
     assert!(body["error"]["details"]["name"].is_string());
 }
+
+// ---- self-register toggle + /auth/config -----------------------------------
+
+#[sqlx::test(migrations = "./migrations")]
+async fn auth_config_reports_self_register_enabled_by_default(pool: PgPool) {
+    let h = common::harness(pool);
+    let resp = h
+        .app
+        .oneshot(common::get("/api/v1/auth/config"))
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::OK);
+    let body = common::body_json(resp).await;
+    assert_eq!(body["self_register_enabled"], true);
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn auth_config_reflects_self_register_disabled(pool: PgPool) {
+    let h = common::harness_with_self_register_disabled(pool);
+    let resp = h
+        .app
+        .oneshot(common::get("/api/v1/auth/config"))
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::OK);
+    let body = common::body_json(resp).await;
+    assert_eq!(body["self_register_enabled"], false);
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn register_returns_403_when_self_register_disabled(pool: PgPool) {
+    let h = common::harness_with_self_register_disabled(pool);
+    let resp = h
+        .app
+        .oneshot(common::post_json("/api/v1/auth/register", creds("alice")))
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+    let body = common::body_json(resp).await;
+    assert_eq!(body["error"]["code"], "forbidden");
+}

backend/tests/common/mod.rs

@@ -78,6 +78,20 @@ fn harness_with_auth_config(
     Harness { app: router(state), _storage_dir: storage_dir }
 }
 
+/// Like [`harness`] but flips `ALLOW_SELF_REGISTER` off so the
+/// register-disabled test exercises the 403 branch in
+/// `api::auth::register`.
+pub fn harness_with_self_register_disabled(pool: PgPool) -> Harness {
+    let storage_dir = tempfile::tempdir().expect("tempdir");
+    let storage = Arc::new(LocalStorage::new(storage_dir.path()));
+    let auth = AuthConfig {
+        cookie_secure: false,
+        allow_self_register: false,
+        ..AuthConfig::default()
+    };
+    harness_with_auth_config(pool, storage, storage_dir, auth)
+}
+
 /// Like [`harness`] but configures a tight auth rate limit. Used by
 /// the brute-force-rate-limiting test.
 pub fn harness_with_auth_rate_limit(