From d74531e2e1a702d0c2e3a2442338a3513a74d0d5 Mon Sep 17 00:00:00 2001
From: 409 <409dev@protonmail.com>
Date: Fri, 29 Aug 2025 16:17:13 +0200
Subject: [PATCH] `AUTH_ALLOW_REGISTRATION` env variable
---
 .../warren/models/user/requests/register.rs | 2 ++
 backend/src/lib/domain/warren/service/auth.rs | 24 ++++++++++++++++++-
 backend/src/lib/inbound/http/errors.rs | 3 +++
 3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/backend/src/lib/domain/warren/models/user/requests/register.rs b/backend/src/lib/domain/warren/models/user/requests/register.rs
index 055aadd..7998aee 100644
--- a/backend/src/lib/domain/warren/models/user/requests/register.rs
+++ b/backend/src/lib/domain/warren/models/user/requests/register.rs
@@ -43,6 +43,8 @@ impl From for CreateUserRequest {
 pub enum RegisterUserError {
 #[error(transparent)]
 CreateUser(#[from] CreateUserError),
+ #[error("Registration is disabled")]
+ Disabled,
 #[error(transparent)]
 Unknown(#[from] anyhow::Error),
 }
diff --git a/backend/src/lib/domain/warren/service/auth.rs b/backend/src/lib/domain/warren/service/auth.rs
index ca0fa94..b6f9b77 100644
--- a/backend/src/lib/domain/warren/service/auth.rs
+++ b/backend/src/lib/domain/warren/service/auth.rs
@@ -52,6 +52,7 @@ use crate::{
 };
 const AUTH_SESSION_EXPIRATION_KEY: &str = "AUTH_SESSION_EXPIRATION";
+const ALLOW_REGISTRATION_KEY: &str = "AUTH_ALLOW_REGISTRATION";
 /// The authentication service configuration
 ///
@@ -59,6 +60,7 @@ const AUTH_SESSION_EXPIRATION_KEY: &str = "AUTH_SESSION_EXPIRATION";
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct AuthConfig {
 session_lifetime: SessionExpirationTime,
+ allow_registration: bool,
 }
 impl AuthConfig {
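Review bot: The new constant `ALLOW_REGISTRATION_KEY` in the `@@ -52,6 +52,7 @@` hunk drops the `AUTH_` prefix that the neighbouring `AUTH_SESSION_EXPIRATION_KEY` carries, although both name an `AUTH_*` environment variable. Naming it `const AUTH_ALLOW_REGISTRATION_KEY: &str = "AUTH_ALLOW_REGISTRATION";` keeps the constant greppable by the variable name an operator actually sets.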
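Review bot: The new `allow_registration` field on `AuthConfig` has no doc comment, and nothing in this hunk tells an operator that the gate stays closed unless the variable is set. I would add `/// Whether new accounts may be registered; false unless AUTH_ALLOW_REGISTRATION is "true" (case-insensitive).` above the field. The struct's own doc comment starts above this hunk and is not fully visible here; it should name the variable as well.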
@@ -71,12 +73,27 @@ impl AuthConfig {
 }
 };
- Ok(Self { session_lifetime })
+ let allow_registration = match Config::load_env(ALLOW_REGISTRATION_KEY)
+ .map(|v| v.to_lowercase())
+ .as_deref()
+ {
+ Ok("true") => true,
+ Ok("false") | Ok(_) | Err(_) => false,
+ };
+
+ Ok(Self {
+ session_lifetime,
+ allow_registration,
+ })
 }
 pub fn session_lifetime(&self) -> SessionExpirationTime {
 self.session_lifetime
 }
+
+ pub fn allow_registration(&self) -> bool {
+ self.allow_registration
+ }
 }
 #[derive(Debug, Clone)]
@@ -232,6 +249,11 @@ where
 }
 async fn register_user(&self, request: RegisterUserRequest) -> Result {
+ if !self.config.allow_registration {
+ self.metrics.record_user_registration_failure().await;
+ return Err(RegisterUserError::Disabled);
+ }
+
 let result = self.repository.create_user(request.into()).await;
 if let Ok(user) = result.as_ref() {
diff --git a/backend/src/lib/inbound/http/errors.rs b/backend/src/lib/inbound/http/errors.rs
index 156efa9..9991213 100644
--- a/backend/src/lib/inbound/http/errors.rs
+++ b/backend/src/lib/inbound/http/errors.rs
@@ -112,6 +112,9 @@ impl From for ApiError {
 fn from(value: RegisterUserError) -> Self {
 match value {
 RegisterUserError::CreateUser(err) => err.into(),
+ RegisterUserError::Disabled => {
+ Self::BadRequest("User registration is disabled".to_string())
+ }
 RegisterUserError::Unknown(error) => Self::InternalServerError(error.to_string()),
 }
 }
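Review bot: In the `allow_registration` match, the arm `Ok("false") | Ok(_) | Err(_) => false` lists `Ok("false")` although `Ok(_)` already covers it, and every value other than `true` (an unset variable, `1`, `yes`, or a value with trailing whitespace) turns registration off without any log line. Defaulting to closed is the safe direction for an account-creation endpoint, but an operator who mistypes the value gets no hint. A deployment that upgrades without setting the variable also appears to lose registration, since no earlier gate is visible in this diff. The match can be reduced to `let allow_registration = matches!(Config::load_env(ALLOW_REGISTRATION_KEY).map(|v| v.trim().to_lowercase()).as_deref(), Ok("true"));`, with a warning logged when the variable is set to something other than `true` or `false`. The constructor begins outside this hunk.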
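Review bot: The disabled branch of `register_user` calls `record_user_registration_failure()`, so a request refused by configuration is counted the same as a failed `create_user`. Anyone watching that metric cannot tell requests hitting a closed endpoint from real registration errors. A separate counter or a log line for the policy refusal would keep the two apart; no such metric method is visible in this hunk, so it would have to be added. The check also reads the field directly while the same commit adds an accessor; `if !self.config.allow_registration() {` matches how `session_lifetime()` is exposed. The body of `register_user` continues past the end of the hunk.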
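Review bot: `RegisterUserError::Disabled` is mapped to `Self::BadRequest`, which tells the client its request was malformed when the server in fact refused it by policy; clients and log analysis that key on the status class will misfile these responses. If `ApiError` has a forbidden-style variant (its definition is not in this hunk), that is the closer fit. The literal `"User registration is disabled"` also differs from the `#[error("Registration is disabled")]` text on the variant, so the two messages can drift. Deriving the response text from the error's `Display` output would leave one source of truth.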