codepath · PrayagCodes · Dec 6, 2025
diff --git a/src/backend/src/api/APIError.js b/src/backend/src/api/APIError.js
@@ -408,6 +408,14 @@ module.exports = class APIError {
             status: 403,
             message: 'Password does not match.',
         },
+        'temp_users_disabled': {
+            status: 403,
+            message: 'Temporary user creation is disabled.',
+        },
+        'user_signup_disabled': {
+            status: 403,
+            message: 'New user signups are disabled.',
+        },
 
         // Object Mapping
         'field_not_allowed_for_create': {

diff --git a/src/backend/src/config.js b/src/backend/src/config.js
@@ -25,6 +25,9 @@ let config = {};
 // Static defaults
 config.servers = [];
 
+// Will disable new user signups. Users will not be able to create new permanent accounts.
+config.disable_user_signup = false;
+
 // Will disable the auto-generated temp users. If a user lands on the site, they will be required to sign up or log in.
 config.disable_temp_users = false;
 

diff --git a/src/backend/src/routers/save_account.js b/src/backend/src/routers/save_account.js
@@ -22,6 +22,7 @@ const router = new express.Router();
 const {get_taskbar_items, username_exists, send_email_verification_code, send_email_verification_token, invalidate_cached_user, get_user } = require('../helpers');
 const auth = require('../middleware/auth.js');
 const config = require('../config');
+const APIError = require('../api/APIError');
 const { DB_WRITE } = require('../services/database/consts');
 
 // -----------------------------------------------------------------------//
@@ -32,6 +33,11 @@ router.post('/save_account', auth, express.json(), async (req, res, next)=>{
     if(require('../helpers').subdomain(req) !== 'api' && require('../helpers').subdomain(req) !== '')
         next();
 
+    // check if regular user signup is disabled
+    if(config.disable_user_signup){
+        return APIError.create('user_signup_disabled').write(res);
+    }
+
     // modules
     const db = req.services.get('database').get(DB_WRITE, 'auth');
     const validator = require('validator')

diff --git a/src/backend/src/routers/signup.js b/src/backend/src/routers/signup.js
@@ -19,6 +19,7 @@
 "use strict"
 const {get_taskbar_items, send_email_verification_code, send_email_verification_token, username_exists, invalidate_cached_user_by_id, get_user } = require('../helpers');
 const config = require('../config');
+const APIError = require('../api/APIError');
 const eggspress = require('../api/eggspress');
 const { Context } = require('../util/context');
 const { DB_WRITE } = require('../services/database/consts');
@@ -91,6 +92,12 @@ module.exports = eggspress(['/signup'], {
         // const decoded = await jwt.verify(token, config.jwt_secret);
         // const user = await get_user({ uuid: decoded.uuid });
         if ( user ) {
+            // Check if temp users are disabled and this is a temp user
+            const is_temp_user = (user.password === null && user.email === null);
+            if (is_temp_user && config.disable_temp_users) {
+                return APIError.create('temp_users_disabled').write(res);
+            }
+
             return res.send({
                 token: token,
                 user: {
@@ -111,8 +118,13 @@ module.exports = eggspress(['/signup'], {
         req.body.username = await generate_random_username();
         req.body.email = req.body.username + '@gmail.com';
         req.body.password = 'sadasdfasdfsadfsa';
-    }else if(config.disable_temp_users){
-        return res.status(400).send('Temp users are disabled.');
+    }else if(req.body.is_temp && config.disable_temp_users){
+        return APIError.create('temp_users_disabled').write(res);
+    }
+
+    // check if regular user signup is disabled
+    if(!req.body.is_temp && config.disable_user_signup){
+        return APIError.create('user_signup_disabled').write(res);
     }
 
     // send_confirmation_code

diff --git a/src/backend/src/routers/whoami.js b/src/backend/src/routers/whoami.js
@@ -32,6 +32,8 @@ const auth = require('../middleware/auth.js');
 const fs = require('../middleware/fs.js');
 const _path = require('path');
 const eggspress = require('../api/eggspress');
+const APIError = require('../api/APIError');
+const config = require('../config');
 const { Context } = require('../util/context');
 const { UserActorType, AppUnderUserActorType } = require('../services/auth/Actor');
 
@@ -50,6 +52,12 @@ const WHOAMI_GET = eggspress('/whoami', {
 
     const is_user = actor.type instanceof UserActorType;
 
+    // Check if temp users are disabled and this is a temp user
+    const is_temp_user = (req.user.password === null && req.user.email === null);
+    if (is_temp_user && config.disable_temp_users) {
+        return APIError.create('temp_users_disabled').write(res);
+    }
+
     // send user object
     const details = {
         username: req.user.username,

diff --git a/src/gui/src/UI/UIWindowSignup.js b/src/gui/src/UI/UIWindowSignup.js
@@ -216,7 +216,9 @@ function UIWindowSignup(options){
                     }
                 },
                 error: function (err){
-                    $(el_window).find('.signup-error-msg').html(err.responseText);
+                    // Parse JSON error response from APIError
+                    const error_obj = JSON.parse(err.responseText);
+                    $(el_window).find('.signup-error-msg').html(error_obj.message);
                     $(el_window).find('.signup-error-msg').fadeIn();
                     // re-enable 'Create Account' button so user can try again
                     $(el_window).find('.signup-btn').prop('disabled', false);

diff --git a/src/gui/src/initgui.js b/src/gui/src/initgui.js
@@ -458,10 +458,28 @@ window.initgui = async function(options){
             try{
                 whoami = await puter.os.user();
             }catch(e){
+                // Check for 401 or forbidden status
                 if(e.status === 401){
                     bad_session_logout();
                     return;
                 }
+                // If temp users are disabled (check the error code)
+                if(e.code === 'temp_users_disabled'){
+                    bad_session_logout();
+                    if(window.logged_in_users.length > 0){
+                        UIWindowSessionList();
+                    }
+                    else{
+                        await UIWindowLogin({
+                            reload_on_success: true,
+                            send_confirmation_code: false,
+                            window_options:{
+                                has_head: false
+                            }
+                        });
+                    }
+                    return;
+                }
             }
         }
         // update local user data