feat: add DISABLE_EMAIL_SIGN_UP to control email and OAuth signups separately

mrjasonroy · claude · mrjasonroy · commit cbbd78a8aee4 · 2025-11-25T21:42:11.000-08:00
Previously, DISABLE_SIGN_UP controlled both email and OAuth signups together. This change introduces DISABLE_EMAIL_SIGN_UP to allow more granular control: - DISABLE_EMAIL_SIGN_IN: Disables email/password authentication entirely - DISABLE_EMAIL_SIGN_UP: Disables email/password signups only (allows existing users to sign in) - DISABLE_SIGN_UP: Disables OAuth signups only (Google, GitHub, Microsoft) This enables use cases like: - Allow OAuth signups but block email signups - Require users to authenticate via corporate SSO while blocking email registration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.env.example b/.env.example
@@ -76,11 +76,15 @@ MICROSOFT_TENANT_ID=
 MICROSOFT_FORCE_ACCOUNT_SELECTION=
 
 # (Optional)
-# Set this to 1 to disable email sign in
+# Set this to 1 to disable email/password sign in completely
 DISABLE_EMAIL_SIGN_IN=
 
 # (Optional)
-# Set this to 1 to disable user sign-ups.
+# Set this to 1 to disable email/password sign-ups (still allows sign-in for existing users)
+DISABLE_EMAIL_SIGN_UP=
+
+# (Optional)
+# Set this to 1 to disable OAuth sign-ups (Google, GitHub, Microsoft)
 DISABLE_SIGN_UP=
 
 # (Optional)
diff --git a/src/lib/auth/config.ts b/src/lib/auth/config.ts
@@ -28,6 +28,7 @@ function parseSocialAuthConfigs() {
     google?: GoogleConfig;
     microsoft?: MicrosoftConfig;
   } = {};
+  // DISABLE_SIGN_UP only applies to OAuth signups, not email signups
   const disableSignUp = parseEnvBoolean(process.env.DISABLE_SIGN_UP);
 
   if (process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET) {
@@ -102,8 +103,10 @@ export function getAuthConfig(): AuthConfig {
     emailAndPasswordEnabled: process.env.DISABLE_EMAIL_SIGN_IN
       ? !parseEnvBoolean(process.env.DISABLE_EMAIL_SIGN_IN)
       : true,
-    signUpEnabled: process.env.DISABLE_SIGN_UP
-      ? !parseEnvBoolean(process.env.DISABLE_SIGN_UP)
+    // signUpEnabled now only applies to email signups
+    // OAuth signups are controlled separately via DISABLE_SIGN_UP in parseSocialAuthConfigs
+    signUpEnabled: process.env.DISABLE_EMAIL_SIGN_UP
+      ? !parseEnvBoolean(process.env.DISABLE_EMAIL_SIGN_UP)
       : true,
     socialAuthenticationProviders: parseSocialAuthConfigs(),
   };
