fix(auth): allow_register was not respected in strategy controllers

2026-03-15 20:17:22 +00:00 · 2025-12-06 20:51:09 +01:00
parent 4f7925dfd8
commit 09b9a5e857
4 changed files with 50 additions and 37 deletions
--- a/app/src/auth/api/AuthController.ts
+++ b/app/src/auth/api/AuthController.ts
@@ -199,7 +199,12 @@ export class AuthController extends Controller {
      for (const [name, strategy] of Object.entries(strategies)) {
         if (!this.auth.isStrategyEnabled(strategy)) continue;

-         hono.route(`/${name}`, strategy.getController(this.auth.authenticator));
+         hono.route(
+            `/${name}`,
+            strategy.getController(this.auth.authenticator, {
+               allow_register: this.auth.config.allow_register,
+            }),
+         );
         this.registerStrategyActions(strategy, hono);
      }

@@ -305,7 +310,9 @@ export class AuthController extends Controller {
            await c.context.ctx().helper.granted(c, AuthPermissions.testPassword);

            const pw = this.auth.authenticator.strategy("password") as PasswordStrategy;
-            const controller = pw.getController(this.auth.authenticator);
+            const controller = pw.getController(this.auth.authenticator, {
+               allow_register: this.auth.config.allow_register,
+            });

            const res = await controller.request(
               new Request("https://localhost/login", {
--- a/app/src/auth/authenticate/strategies/PasswordStrategy.ts
+++ b/app/src/auth/authenticate/strategies/PasswordStrategy.ts
@@ -87,7 +87,7 @@ export class PasswordStrategy extends AuthStrategy<typeof schema> {
      };
   }

-   getController(authenticator: Authenticator): Hono<any> {
+   getController(authenticator: Authenticator, opts: { allow_register?: boolean }): Hono<any> {
      const hono = new Hono();
      const redirectQuerySchema = s.object({
         redirect: s.string().optional(),
@@ -120,41 +120,43 @@ export class PasswordStrategy extends AuthStrategy<typeof schema> {
         },
      );

-      hono.post(
-         "/register",
-         describeRoute({
-            summary: "Register a new user with email and password",
-            tags: ["auth"],
-         }),
-         jsc("query", redirectQuerySchema),
-         async (c) => {
-            try {
-               const { redirect } = c.req.valid("query");
-               const { password, email, ...body } = parse(
-                  payloadSchema,
-                  await authenticator.getBody(c),
-                  {
-                     onError: (errors) => {
-                        $console.error("Invalid register payload", [...errors]);
-                        new InvalidCredentialsException();
+      if (opts.allow_register) {
+         hono.post(
+            "/register",
+            describeRoute({
+               summary: "Register a new user with email and password",
+               tags: ["auth"],
+            }),
+            jsc("query", redirectQuerySchema),
+            async (c) => {
+               try {
+                  const { redirect } = c.req.valid("query");
+                  const { password, email, ...body } = parse(
+                     payloadSchema,
+                     await authenticator.getBody(c),
+                     {
+                        onError: (errors) => {
+                           $console.error("Invalid register payload", [...errors]);
+                           new InvalidCredentialsException();
+                        },
                     },
-                  },
-               );
+                  );

-               const profile = {
-                  ...body,
-                  email,
-                  strategy_value: await this.hash(password),
-               };
+                  const profile = {
+                     ...body,
+                     email,
+                     strategy_value: await this.hash(password),
+                  };

-               return await authenticator.resolveRegister(c, this, profile, async () => void 0, {
-                  redirect,
-               });
-            } catch (e) {
-               return authenticator.respondWithError(c, e as any);
-            }
-         },
-      );
+                  return await authenticator.resolveRegister(c, this, profile, async () => void 0, {
+                     redirect,
+                  });
+               } catch (e) {
+                  return authenticator.respondWithError(c, e as any);
+               }
+            },
+         );
+      }

      return hono;
   }
--- a/app/src/auth/authenticate/strategies/Strategy.ts
+++ b/app/src/auth/authenticate/strategies/Strategy.ts
@@ -36,7 +36,7 @@ export abstract class AuthStrategy<Schema extends s.Schema = s.Schema> {

   protected abstract getSchema(): Schema;

-   abstract getController(auth: Authenticator): Hono;
+   abstract getController(auth: Authenticator, opts: { allow_register?: boolean }): Hono;

   getType(): string {
      return this.type;
--- a/app/src/auth/authenticate/strategies/oauth/OAuthStrategy.ts
+++ b/app/src/auth/authenticate/strategies/oauth/OAuthStrategy.ts
@@ -284,7 +284,7 @@ export class OAuthStrategy extends AuthStrategy<typeof schemaProvided> {
      }
   }

-   getController(auth: Authenticator): Hono<any> {
+   getController(auth: Authenticator, opts: { allow_register?: boolean }): Hono<any> {
      const hono = new Hono();
      const secret = "secret";
      const cookie_name = "_challenge";
@@ -379,6 +379,10 @@ export class OAuthStrategy extends AuthStrategy<typeof schemaProvided> {
            return c.notFound();
         }

+         if (action === "register" && !opts.allow_register) {
+            return c.notFound();
+         }
+
         const url = new URL(c.req.url);
         const path = url.pathname.replace(`/${action}`, "");
         const redirect_uri = url.origin + path + "/callback";