feat(auth): ALLOW_SELF_REGISTER toggle + public /auth/config endpoint (0.42.0)

Lets operators run a closed-membership deployment by setting ALLOW_SELF_REGISTER=false (default true, so existing deploys are unaffected). When off, POST /auth/register returns 403 forbidden. The rate-limit token is consumed BEFORE the disabled check so the timing doesn't distinguish enabled-but-rejected from disabled — closes the toggle-state probe channel. New public GET /auth/config returns { self_register_enabled: bool } so the frontend can render its register affordances correctly without conflating "disabled" with "rate-limited" (which a probe attempt would). Frontend: a lightweight reactive `authConfig` store loads the flag once on root-layout mount (and again on /register direct navigation, which bypasses the layout's onMount). Header hides the Register link when the toggle is off; /register renders a "self-registration is disabled — ask an administrator" notice instead of the form. Admin-create endpoint that pairs with this toggle is intentionally not in this PR — it lands as the next branch (feat/admin-user-create). The toggle alone is independently useful for deployments that want to lock down enrollment without yet wiring an admin UI.
2026-05-31 13:56:18 +02:00
parent 6dd21451a8
commit 2f47faa11c
12 changed files with 182 additions and 5 deletions
--- a/frontend/src/routes/+layout.svelte
+++ b/frontend/src/routes/+layout.svelte
@@ -2,6 +2,7 @@
    import { onMount, onDestroy } from 'svelte';
    import { goto } from '$app/navigation';
    import { logout } from '$lib/api/auth';
+    import { authConfig } from '$lib/auth-config.svelte';
    import { preferences } from '$lib/preferences.svelte';
    import { session } from '$lib/session.svelte';
    import { theme } from '$lib/theme.svelte';
@@ -21,6 +22,7 @@
        theme.init();
        preferences.init();
        if (!session.loaded) session.refresh();
+        if (!authConfig.loaded) authConfig.load();

        // Publish the header's measured height as a CSS custom
        // property so sticky descendants (e.g. the reader nav) can
@@ -115,7 +117,9 @@
            </button>
        {:else}
            <a class="text-link" href="/login" data-testid="nav-login">Login</a>
-            <a class="text-link" href="/register" data-testid="nav-register">Register</a>
+            {#if authConfig.self_register_enabled}
+                <a class="text-link" href="/register" data-testid="nav-register">Register</a>
+            {/if}
        {/if}
    </div>
 </header>