- {clientConfig.auth.disableSignups ? (
+ {clientConfig.auth.disableSignups ||
+ clientConfig.auth.disablePasswordSignups ? (
Signups are currently disabled.
) : (
diff --git a/apps/web/lib/clientConfig.tsx b/apps/web/lib/clientConfig.tsx
index 31395199..90e6d35c 100644
--- a/apps/web/lib/clientConfig.tsx
+++ b/apps/web/lib/clientConfig.tsx
@@ -6,6 +6,7 @@ export const ClientConfigCtx = createContext({
demoMode: undefined,
auth: {
disableSignups: false,
+ disablePasswordSignups: false,
},
inference: {
inferredTagLang: "english",
diff --git a/docs/docs/03-configuration.md b/docs/docs/03-configuration.md
index f026977e..d1b587ad 100644
--- a/docs/docs/03-configuration.md
+++ b/docs/docs/03-configuration.md
@@ -28,6 +28,7 @@ When setting up OAuth, the allowed redirect URLs configured at the provider shou
| Name | Required | Default | Description |
| ------------------------------------------- | -------- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| DISABLE_SIGNUPS | No | false | If enabled, no new signups will be allowed and the signup button will be disabled in the UI |
+| DISABLE_PASSWORD_SIGNUPS | No | false | If enabled, only signups using OAuth are allowed and the signup button for a local account will be disabled in the UI |
| OAUTH_WELLKNOWN_URL | No | Not set | The "wellknown Url" for openid-configuration as provided by the OAuth provider |
| OAUTH_CLIENT_SECRET | No | Not set | The "Client Secret" as provided by the OAuth provider |
| OAUTH_CLIENT_ID | No | Not set | The "Client ID" as provided by the OAuth provider |
diff --git a/packages/shared/config.ts b/packages/shared/config.ts
index b87babbd..288becab 100644
--- a/packages/shared/config.ts
+++ b/packages/shared/config.ts
@@ -10,6 +10,7 @@ const stringBool = (defaultValue: string) =>
const allEnv = z.object({
API_URL: z.string().url().default("http://localhost:3000"),
DISABLE_SIGNUPS: stringBool("false"),
+ DISABLE_PASSWORD_SIGNUPS: stringBool("false"),
OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING: stringBool("false"),
OAUTH_WELLKNOWN_URL: z.string().url().optional(),
OAUTH_CLIENT_SECRET: z.string().optional(),
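Review bot: The new `DISABLE_PASSWORD_SIGNUPS` entry carries no comment on its scope or on how it combines with `DISABLE_SIGNUPS`, and an operator could read it as turning off password authentication altogether. Elsewhere in this diff it only gates the user-creation mutation and the signup form; nothing visible touches login, so existing local accounts can presumably still sign in with a password. I would add a comment above the entry such as `// Blocks creation of new local (password) accounts only; DISABLE_SIGNUPS still takes precedence and closes all signups.` and mirror that wording in the docs table row.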
@@ -53,6 +54,7 @@ const serverConfigSchema = allEnv.transform((val) => {
apiUrl: val.API_URL,
auth: {
disableSignups: val.DISABLE_SIGNUPS,
+ disablePasswordSignups: val.DISABLE_PASSWORD_SIGNUPS,
oauth: {
allowDangerousEmailAccountLinking:
val.OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING,
@@ -112,6 +114,7 @@ export const clientConfig = {
demoMode: serverConfig.demoMode,
auth: {
disableSignups: serverConfig.auth.disableSignups,
+ disablePasswordSignups: serverConfig.auth.disablePasswordSignups,
},
inference: {
inferredTagLang: serverConfig.inference.inferredTagLang,
diff --git a/packages/trpc/routers/users.ts b/packages/trpc/routers/users.ts
index ba1aee24..736e7e2f 100644
--- a/packages/trpc/routers/users.ts
+++ b/packages/trpc/routers/users.ts
@@ -29,10 +29,16 @@ export const usersAppRouter = router({
}),
)
.mutation(async ({ input, ctx }) => {
- if (serverConfig.auth.disableSignups) {
+ if (
+ serverConfig.auth.disableSignups ||
+ serverConfig.auth.disablePasswordSignups
+ ) {
+ const errorMessage = serverConfig.auth.disablePasswordSignups
+ ? "Local Signups are disabled in the server config. Use OAuth instead!"
+ : "Signups are disabled in server config";
throw new TRPCError({
code: "FORBIDDEN",
- message: "Signups are disabled in server config",
+ message: errorMessage,
});
}
// TODO: This is racy, but that's probably fine.
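Review bot: When both `disableSignups` and `disablePasswordSignups` are set, the ternary that builds `errorMessage` picks the password-specific text and tells the caller to use OAuth, although the docs row for DISABLE_SIGNUPS says no new signups are allowed at all. Test the broader flag first: `const errorMessage = serverConfig.auth.disableSignups ? "Signups are disabled in server config" : "Local Signups are disabled in the server config. Use OAuth instead!";`. This check guards only this mutation; whether the OAuth account-creation path honours `disableSignups` is not visible in this diff and is worth confirming. The mutation body continues outside the hunk.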