feat(auth): ALLOW_SELF_REGISTER toggle + public /auth/config endpoint (0.42.0)

Lets operators run a closed-membership deployment by setting ALLOW_SELF_REGISTER=false (default true, so existing deploys are unaffected). When off, POST /auth/register returns 403 forbidden. The rate-limit token is consumed BEFORE the disabled check so the timing doesn't distinguish enabled-but-rejected from disabled — closes the toggle-state probe channel. New public GET /auth/config returns { self_register_enabled: bool } so the frontend can render its register affordances correctly without conflating "disabled" with "rate-limited" (which a probe attempt would). Frontend: a lightweight reactive `authConfig` store loads the flag once on root-layout mount (and again on /register direct navigation, which bypasses the layout's onMount). Header hides the Register link when the toggle is off; /register renders a "self-registration is disabled — ask an administrator" notice instead of the form. Admin-create endpoint that pairs with this toggle is intentionally not in this PR — it lands as the next branch (feat/admin-user-create). The toggle alone is independently useful for deployments that want to lock down enrollment without yet wiring an admin UI.
2026-05-31 13:56:18 +02:00
parent 6dd21451a8
commit 2f47faa11c
12 changed files with 182 additions and 5 deletions
--- a/frontend/src/lib/api/auth.test.ts
+++ b/frontend/src/lib/api/auth.test.ts
@@ -14,7 +14,8 @@ import {
    me,
    changePassword,
    createToken,
-    deleteToken
+    deleteToken,
+    getAuthConfig
 } from './auth';

 function ok(body: unknown, status = 200): Response {
@@ -169,6 +170,17 @@ describe('auth api client', () => {
        expect(url).toMatch(/\/v1\/auth\/tokens$/);
    });

+    it('getAuthConfig GETs /v1/auth/config and parses the flag', async () => {
+        fetchSpy.mockResolvedValueOnce(ok({ self_register_enabled: false }));
+        const cfg = await getAuthConfig();
+        expect(cfg.self_register_enabled).toBe(false);
+        const url = fetchSpy.mock.calls[0][0] as string;
+        expect(url).toMatch(/\/v1\/auth\/config$/);
+        const init = fetchSpy.mock.calls[0][1] as RequestInit;
+        // Public endpoint; no method override means default GET.
+        expect(init?.method ?? 'GET').toBe('GET');
+    });
+
    it('deleteToken DELETEs to /v1/auth/tokens/{id} and handles 204', async () => {
        fetchSpy.mockResolvedValueOnce(noContent());
        await expect(deleteToken('t1')).resolves.toBeUndefined();
--- a/frontend/src/lib/api/auth.ts
+++ b/frontend/src/lib/api/auth.ts
@@ -100,3 +100,15 @@ export async function createToken(name: string): Promise<CreatedToken> {
 export async function deleteToken(id: string): Promise<void> {
    await request<void>(`/v1/auth/tokens/${encodeURIComponent(id)}`, { method: 'DELETE' });
 }
+
+export type AuthConfig = {
+    /** When false, /v1/auth/register returns 403 and the UI should
+     * hide its register affordance. Admins can still mint accounts
+     * via POST /v1/admin/users. */
+    self_register_enabled: boolean;
+};
+
+/** Public — no auth, no cookie required. */
+export async function getAuthConfig(): Promise<AuthConfig> {
+    return request<AuthConfig>('/v1/auth/config');
+}
--- a/frontend/src/lib/auth-config.svelte.ts
+++ b/frontend/src/lib/auth-config.svelte.ts
@@ -0,0 +1,37 @@
+// Anonymous-relevant auth policy (currently just whether self-
+// registration is enabled). Loaded once per browser session on root-
+// layout mount, then read reactively from `authConfig.self_register_enabled`.
+//
+// Defaults to `self_register_enabled = true` while loading so the
+// register link doesn't flash off-and-on for the default-open case.
+// If the fetch fails (network blip, backend restart), the stale value
+// is kept — there's no per-request retry. A new tab will retry on its
+// own mount.
+//
+// Same browser-only contract as `session.svelte.ts` — see that file's
+// SSR comment.
+
+import { browser } from '$app/environment';
+import { getAuthConfig } from './api/auth';
+
+class AuthConfigStore {
+    self_register_enabled = $state(true);
+    loaded = $state(false);
+    private loading = false;
+
+    async load(): Promise<void> {
+        if (this.loaded || this.loading || !browser) return;
+        this.loading = true;
+        try {
+            const cfg = await getAuthConfig();
+            this.self_register_enabled = cfg.self_register_enabled;
+            this.loaded = true;
+        } catch {
+            // Keep optimistic default; next page mount will retry.
+        } finally {
+            this.loading = false;
+        }
+    }
+}
+
+export const authConfig = new AuthConfigStore();