
@PrayagCodes

Summary

This PR adds two new configuration flags (disable_temp_users and disable_user_signup) that allow administrators to control user access to the platform. When enabled, these flags prevent temporary user creation and/or new permanent account signups, returning appropriate 403 Forbidden errors.

Motivation

Administrators need the ability to control user access in production environments. This is critical for:

  • Restricting access to existing users only
  • Preventing anonymous temporary accounts
  • Temporarily closing registration during maintenance or security incidents
  • Managing user onboarding according to organizational requirements

Changes

Backend

  • ✅ Added disable_temp_users and disable_user_signup configuration flags in config.js
  • ✅ Added temp_users_disabled and user_signup_disabled APIError codes
  • ✅ Implemented blocking logic in /signup endpoint for both temp and regular signups
  • ✅ Added protection in /save_account endpoint to prevent temp-to-permanent conversion
  • ✅ Added protection in /whoami endpoint to block existing temp user sessions
  • ✅ Fixed bug where disable_temp_users incorrectly blocked all signups (not just temp users)

Frontend

  • ✅ Updated temp user creation flow to handle 403 errors gracefully
  • ✅ Added error handling to show login window when temp users are disabled
  • ✅ Implemented temp user session invalidation when temp users are disabled
  • ✅ Updated signup UI to parse and display JSON error messages properly

Configuration

Both flags can be configured in volatile/config/config.json:

    {
      "disable_temp_users": false,  // Prevents automatic temp user creation
      "disable_user_signup": false  // Prevents new permanent account signups
    }

Flag Combinations

| disable_temp_users | disable_user_signup | Behavior |
|---|---|---|
| false | false | Default: Both temp users and signups allowed |
| true | false | Temp users blocked, signups allowed |
| false | true | Temp users allowed, signups blocked (temp users cannot convert) |
| true | true | Both blocked, only existing permanent users can log in |

Testing

Test Scenarios

  • Both flags disabled (default): Temp user created on first visit, regular signup works
  • Temp users disabled: No temp user created, login window shown, regular signup still works
  • User signup disabled: Temp users can be created and used, but cannot convert to permanent, regular signup returns 403
  • Both flags enabled: No temp users, no signups, only existing permanent users can authenticate

Manual Testing Steps

  1. Test temp users disabled:

    { "disable_temp_users": true, "disable_user_signup": false }

    • Visit homepage in incognito window
    • Verify login window appears (no temp user created)
    • Verify regular signup still works
  2. Test user signup disabled:

    { "disable_temp_users": false, "disable_user_signup": true }

    • Visit homepage, verify temp user is created
    • Try to sign up via UI, verify 403 error with message "New user signups are disabled."
    • Try to save temp account, verify 403 error
  3. Test both disabled:

    { "disable_temp_users": true, "disable_user_signup": true }

    • Visit homepage, verify login window appears
    • Try to sign up, verify 403 error
    • Verify existing permanent users can still log in

Error Responses

When features are disabled, the API returns 403 Forbidden with structured JSON:

    {
      "message": "Temporary user creation is disabled.",
      "code": "temp_users_disabled"
    }

    {
      "message": "New user signups are disabled.",
      "code": "user_signup_disabled"
    }

Backward Compatibility

Fully backward compatible

  • Default values are false, maintaining existing behavior
  • No breaking changes to existing APIs
  • Existing users unaffected

Files Changed

  • src/backend/src/config.js - Added configuration flags
  • src/backend/src/api/APIError.js - Added error codes
  • src/backend/src/routers/signup.js - Added blocking logic
  • src/backend/src/routers/save_account.js - Added blocking logic
  • src/backend/src/routers/whoami.js - Added blocking logic
  • src/gui/src/initgui.js - Updated error handling
  • src/gui/src/UI/UIWindowSignup.js - Updated error display
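The following is an added, self-contained model of the gating behaviour described in this PR (it is not the PR's own code and does not use the project's routers or config loader). It encodes the flag-combination table and the two structured 403 responses so that each row of the table, and the "disable_temp_users must not block regular signups" bug fix, can be checked mechanically. The function names (gateRequest, behaviourFor, flagCombinationTable), the request shape, and the endpoint strings are assumptions made for illustration; only the flag names, the 403 status, and the error codes and messages come from the PR description.

```javascript
// Added example, not the project's code. Models the access gating this PR
// describes so the flag-combination table can be verified offline.
// Assumed names: gateRequest, behaviourFor, flagCombinationTable, and the
// request shape { is_temp, session }. Flag names, status and error bodies
// are taken from the PR description.

// The two structured 403 responses documented in the PR.
const ERRORS = {
  temp_users_disabled: {
    status: 403,
    body: { message: 'Temporary user creation is disabled.', code: 'temp_users_disabled' },
  },
  user_signup_disabled: {
    status: 403,
    body: { message: 'New user signups are disabled.', code: 'user_signup_disabled' },
  },
};

// Defaults are false, which keeps pre-PR behaviour (backward compatible).
const DEFAULT_CONFIG = { disable_temp_users: false, disable_user_signup: false };

// Returns null when the request is allowed, otherwise the 403 response to
// send back unchanged.
//   endpoint: '/signup' | '/save_account' | '/whoami'
//   req:      { is_temp?: boolean, session?: { is_temp: boolean } }
function gateRequest(config, endpoint, req) {
  const cfg = { ...DEFAULT_CONFIG, ...(config || {}) };
  switch (endpoint) {
    case '/signup':
      // Temp-user creation is gated only by disable_temp_users. Regular
      // signups are gated only by disable_user_signup (the bug the PR fixed
      // was disable_temp_users blocking both).
      if (req.is_temp) {
        return cfg.disable_temp_users ? ERRORS.temp_users_disabled : null;
      }
      return cfg.disable_user_signup ? ERRORS.user_signup_disabled : null;
    case '/save_account':
      // Converting a temp account to a permanent one counts as a signup.
      return cfg.disable_user_signup ? ERRORS.user_signup_disabled : null;
    case '/whoami':
      // An existing temp session is invalidated once temp users are disabled;
      // permanent sessions are never affected by either flag.
      if (req.session && req.session.is_temp && cfg.disable_temp_users) {
        return ERRORS.temp_users_disabled;
      }
      return null;
    default:
      return null;
  }
}

// Summarizes what one config permits, mirroring the columns a reviewer would
// check against the PR's flag-combination table.
function behaviourFor(config) {
  const allowed = (endpoint, req) => gateRequest(config, endpoint, req) === null;
  return {
    temp_users_allowed: allowed('/signup', { is_temp: true }),
    signup_allowed: allowed('/signup', { is_temp: false }),
    temp_convert_allowed: allowed('/save_account', { is_temp: true }),
    existing_temp_session_valid: allowed('/whoami', { session: { is_temp: true } }),
    existing_permanent_session_valid: allowed('/whoami', { session: { is_temp: false } }),
  };
}

// Evaluates all four flag combinations from the PR's table.
function flagCombinationTable() {
  const rows = [];
  for (const disable_temp_users of [false, true]) {
    for (const disable_user_signup of [false, true]) {
      const config = { disable_temp_users, disable_user_signup };
      rows.push({ ...config, ...behaviourFor(config) });
    }
  }
  return rows;
}

console.table(flagCombinationTable());
```

Running the block prints the four rows; the "true / true" row should show only existing_permanent_session_valid as true, matching the last line of the PR's table. The whoami check is the part worth noting from a defender's view: flipping disable_temp_users is only effective against sessions that already exist because the endpoint re-evaluates the flag on every call rather than only at signup time.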

Add disable_temp_users and disable_user_signup configuration flags
to allow administrators to control user access. When enabled, returns
403 Forbidden errors with appropriate messages.

- Backend: Add config flags, APIError codes, and blocking logic in
  /signup, /save_account, and /whoami endpoints
- Frontend: Handle 403 errors gracefully and show login window when
  temp users are disabled
- Fix bug where disable_temp_users incorrectly blocked all signups
