diff --git a/README.md b/README.md
index 4c8ecaa..b1e7152 100644
--- a/README.md
+++ b/README.md
@@ -188,7 +188,8 @@ You can specify configuration options either via a config file (default: `config
| `security.password_salt` /
`WAKAPI_PASSWORD_SALT` | - | Pepper to use for password hashing |
| `security.insecure_cookies` /
`WAKAPI_INSECURE_COOKIES` | `true` | Whether or not to allow cookies over HTTP. For production, it is **highly recommended** to serve Wakapi via HTTPS and set this to `false`. |
| `security.cookie_max_age` /
`WAKAPI_COOKIE_MAX_AGE` | `172800` | Lifetime of authentication cookies in seconds or `0` to use [Session](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Define_the_lifetime_of_a_cookie) cookies |
-| `security.allow_signup` /
`WAKAPI_ALLOW_SIGNUP` | `true` | Whether to enable user registration |
+| `security.allow_signup` /
`WAKAPI_ALLOW_SIGNUP` | `true` | Whether to enable local user registration |
+| `security.oidc_allow_signup` /
`WAKAPI_OIDC_ALLOW_SIGNUP` | `true` | Whether to enable user registration via OIDC |
| `security.signup_captcha` /
`WAKAPI_SIGNUP_CAPTCHA` | `false` | Whether the registration form requires solving a CAPTCHA |
| `security.invite_codes` /
`WAKAPI_INVITE_CODES` | `true` | Whether to enable registration by invite codes. Primarily useful if registration is disabled (invite-only server). |
| `security.disable_frontpage` /
`WAKAPI_DISABLE_FRONTPAGE` | `false` | Whether to disable landing page (useful for personal instances) |
diff --git a/config.default.yml b/config.default.yml
index f9336d0..587b028 100644
--- a/config.default.yml
+++ b/config.default.yml
@@ -86,6 +86,7 @@ security:
insecure_cookies: true # should be set to 'false', except when not running with HTTPS (e.g. on localhost)
cookie_max_age: 172800
allow_signup: true
+ oidc_allow_signup: true
signup_captcha: false
invite_codes: true # whether to enable invite codes for overriding disabled signups
disable_frontpage: false
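Review bot: Unlike `insecure_cookies` and `invite_codes` in this `security:` group, the new `oidc_allow_signup` key carries no explanatory comment, and its relationship to `allow_signup` directly above it is not obvious from the name alone. Since the flag gates account creation in the OIDC callback independently of the local signup switch, suggest `oidc_allow_signup: true # whether to allow creating a new account on first login via an OIDC provider; independent of allow_signup, which only covers the local signup form`.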
diff --git a/config/config.go b/config/config.go
index db767d4..c25463e 100644
--- a/config/config.go
+++ b/config/config.go
@@ -117,6 +117,7 @@ type appConfig struct {
type securityConfig struct {
AllowSignup bool `yaml:"allow_signup" default:"true" env:"WAKAPI_ALLOW_SIGNUP"`
+ OidcAllowSignup bool `yaml:"oidc_allow_signup" default:"true" env:"WAKAPI_OIDC_ALLOW_SIGNUP"`
SignupCaptcha bool `yaml:"signup_captcha" default:"false" env:"WAKAPI_SIGNUP_CAPTCHA"`
InviteCodes bool `yaml:"invite_codes" default:"true" env:"WAKAPI_INVITE_CODES"`
ExposeMetrics bool `yaml:"expose_metrics" default:"false" env:"WAKAPI_EXPOSE_METRICS"`
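Review bot: The new field defaults to `true`, so an instance that set `allow_signup: false` to stay invite-only will, after upgrading without touching its config, accept account creation through the OIDC callback, which this commit switches from AllowSignup to OidcAllowSignup in routes/login.go; the operator's existing configuration no longer closes that path. A boolean with a `default` tag cannot express "unset, inherit allow_signup", so either fail closed with `default:"false"` (at the cost of open OIDC instances needing to opt back in) or, if the open default is intended, state the upgrade implication in the README row and changelog so operators know to set `WAKAPI_OIDC_ALLOW_SIGNUP=false`. A field comment would help either way: `// OidcAllowSignup gates account creation on first OIDC login; it is independent of AllowSignup, which only covers the local signup form.` The securityConfig struct continues past the hunk.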
diff --git a/routes/login.go b/routes/login.go
index 593d328..5098e1a 100644
--- a/routes/login.go
+++ b/routes/login.go
@@ -431,7 +431,7 @@ func (h *LoginHandler) GetOidcCallback(w http.ResponseWriter, r *http.Request) {
user, err := h.userSrvc.GetUserByOidc(provider.Name, idTokenPayload.Subject)
if err != nil {
// create new user account
- if !h.config.IsDev() && !h.config.Security.AllowSignup {
+ if !h.config.IsDev() && !h.config.Security.OidcAllowSignup {
routeutils.SetError(r, w, "registration is disabled on this server")
http.Redirect(w, r, fmt.Sprintf("%s/login", h.config.Server.BasePath), http.StatusFound)
return
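Review bot: Any error returned by `GetUserByOidc` on the first hunk line falls into the account-creation branch, not only a not-found result, so a transient database failure during an OIDC login would, with `OidcAllowSignup` enabled, try to create a fresh account for a subject that may already exist. If the user service distinguishes not-found from other failures (not visible here), guard the branch with that check, e.g. `errors.Is(err, <project's not-found sentinel>)`, and return an error response for everything else; if it does not, a `(user, found bool, err)` style return would make the distinction explicit. Note also that the `!h.config.IsDev()` clause keeps OIDC registration open in dev mode regardless of the new flag, which is worth stating in the flag's documentation. GetOidcCallback starts and ends outside the hunk.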
diff --git a/routes/login_test.go b/routes/login_test.go
index 81e259c..5777705 100644
--- a/routes/login_test.go
+++ b/routes/login_test.go
@@ -209,6 +209,7 @@ func (suite *LoginHandlerTestSuite) TestPostSignup_Success() {
suite.UserService.On("Count", mock.Anything).Return(1, nil)
suite.UserService.On("CreateOrGet", mock.Anything, mock.Anything).Return(&models.User{}, true, nil)
suite.Cfg.Security.AllowSignup = true
+ suite.Cfg.Security.OidcAllowSignup = false
suite.Sut.PostSignup(w, r)
@@ -236,6 +237,7 @@ func (suite *LoginHandlerTestSuite) TestPostSignup_InvalidForm() {
suite.UserService.On("Count", mock.Anything).Return(1, nil)
suite.Cfg.Security.AllowSignup = true
+ suite.Cfg.Security.OidcAllowSignup = false
suite.Sut.PostSignup(w, r)
body, _ := io.ReadAll(w.Body)
@@ -258,6 +260,7 @@ func (suite *LoginHandlerTestSuite) TestPostSignup_ExistingUser() {
suite.UserService.On("Count", mock.Anything).Return(1, nil)
suite.UserService.On("CreateOrGet", mock.Anything, mock.Anything).Return(suite.TestUser, false, nil)
suite.Cfg.Security.AllowSignup = true
+ suite.Cfg.Security.OidcAllowSignup = false
suite.Sut.PostSignup(w, r)
body, _ := io.ReadAll(w.Body)
@@ -268,6 +271,9 @@ func (suite *LoginHandlerTestSuite) TestPostSignup_ExistingUser() {
}
func (suite *LoginHandlerTestSuite) TestPostSignup_SignupDisabled() {
+ suite.Cfg.Security.AllowSignup = false
+ suite.Cfg.Security.OidcAllowSignup = true
+
form := url.Values{}
form.Add("username", testUserNewId)
form.Add("password", testUserNewPassword)
@@ -331,7 +337,8 @@ func (suite *LoginHandlerTestSuite) TestGetOidcLoginCallback_Success() {
}
func (suite *LoginHandlerTestSuite) TestGetOidcLoginCallback_Success_CreateUser() {
- suite.Cfg.Security.AllowSignup = true
+ suite.Cfg.Security.AllowSignup = false
+ suite.Cfg.Security.OidcAllowSignup = true
url := suite.authorizeUser(suite.OidcUserNew)
r := httptest.NewRequest(http.MethodGet, url, nil)
@@ -363,6 +370,9 @@ func (suite *LoginHandlerTestSuite) TestGetOidcLoginCallback_Success_CreateUser(
}
func (suite *LoginHandlerTestSuite) TestGetOidcLoginCallback_SignupDisabled() {
+ suite.Cfg.Security.AllowSignup = true
+ suite.Cfg.Security.OidcAllowSignup = false
+
url := suite.authorizeUser(suite.OidcUserNew)
r := httptest.NewRequest(http.MethodGet, url, nil)
r = WithUrlParam(r, "provider", testProvider)
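Review bot: Neither OIDC callback test covers the dev-mode bypass in the guard this commit touches (`!h.config.IsDev() && !h.config.Security.OidcAllowSignup`): with `OidcAllowSignup = false` but the config in dev mode, GetOidcCallback still creates the account, and no test pins that behaviour. A test mirroring TestGetOidcLoginCallback_SignupDisabled with the suite's config switched to dev (however `suite.Cfg` exposes that; not visible here) would document that the bypass is intended rather than an accidental difference between the local and OIDC paths. The test functions in this hunk continue past it.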
diff --git a/testing/config.cockroach.yml b/testing/config.cockroach.yml
index 8826e18..39fd1e9 100644
--- a/testing/config.cockroach.yml
+++ b/testing/config.cockroach.yml
@@ -36,6 +36,7 @@ security:
insecure_cookies: true
cookie_max_age: 172800
allow_signup: true
+ oidc_allow_signup: true
expose_metrics: true
signup_max_rate: 999/1s
login_max_rate: 999/1s
diff --git a/testing/config.mysql.yml b/testing/config.mysql.yml
index 657e4b5..32f815a 100644
--- a/testing/config.mysql.yml
+++ b/testing/config.mysql.yml
@@ -35,6 +35,7 @@ security:
insecure_cookies: true
cookie_max_age: 172800
allow_signup: true
+ oidc_allow_signup: true
expose_metrics: true
signup_max_rate: 999/1s
login_max_rate: 999/1s
diff --git a/testing/config.postgres.yml b/testing/config.postgres.yml
index 84f49c4..9146a11 100644
--- a/testing/config.postgres.yml
+++ b/testing/config.postgres.yml
@@ -36,6 +36,7 @@ security:
insecure_cookies: true
cookie_max_age: 172800
allow_signup: true
+ oidc_allow_signup: true
expose_metrics: true
signup_max_rate: 999/1s
login_max_rate: 999/1s
diff --git a/testing/config.sqlite.yml b/testing/config.sqlite.yml
index 7a78a2e..b26f87a 100644
--- a/testing/config.sqlite.yml
+++ b/testing/config.sqlite.yml
@@ -36,6 +36,7 @@ security:
insecure_cookies: true
cookie_max_age: 172800
allow_signup: true
+ oidc_allow_signup: true
expose_metrics: true
signup_max_rate: 999/1s
login_max_rate: 999/1s
@@ -57,4 +58,4 @@ mail:
port:
username:
password:
- tls:
\ No newline at end of file
+ tls: