Add config flag to require registration tokens for password registrations

sandhose · sandhose · commit 685f4761cd74 · 2025-06-03T17:42:53.000+02:00
diff --git a/crates/cli/src/util.rs b/crates/cli/src/util.rs
@@ -211,6 +211,7 @@ pub fn site_config_from_config(
         password_login_enabled: password_config.enabled(),
         password_registration_enabled: password_config.enabled()
             && account_config.password_registration_enabled,
+        registration_token_required: account_config.registration_token_required,
         email_change_allowed: account_config.email_change_allowed,
         displayname_change_allowed: account_config.displayname_change_allowed,
         password_change_allowed: password_config.enabled()
diff --git a/crates/config/src/sections/account.rs b/crates/config/src/sections/account.rs
@@ -72,6 +72,15 @@ pub struct AccountConfig {
     /// This has no effect if password login is disabled.
     #[serde(default = "default_false", skip_serializing_if = "is_default_false")]
     pub login_with_email_allowed: bool,
+
+    /// Whether registration tokens are required for password registrations.
+    /// Defaults to `false`.
+    ///
+    /// When enabled, users must provide a valid registration token during
+    /// password registration. This has no effect if password registration
+    /// is disabled.
+    #[serde(default = "default_false", skip_serializing_if = "is_default_false")]
+    pub registration_token_required: bool,
 }
 
 impl Default for AccountConfig {
@@ -84,6 +93,7 @@ impl Default for AccountConfig {
             password_recovery_enabled: default_false(),
             account_deactivation_allowed: default_true(),
             login_with_email_allowed: default_false(),
+            registration_token_required: default_false(),
         }
     }
 }
@@ -98,6 +108,7 @@ impl AccountConfig {
             && is_default_false(&self.password_recovery_enabled)
             && is_default_true(&self.account_deactivation_allowed)
             && is_default_false(&self.login_with_email_allowed)
+            && is_default_false(&self.registration_token_required)
     }
 }
 
diff --git a/crates/data-model/src/site_config.rs b/crates/data-model/src/site_config.rs
@@ -64,6 +64,9 @@ pub struct SiteConfig {
     /// Whether password registration is enabled.
     pub password_registration_enabled: bool,
 
+    /// Whether registration tokens are required for password registrations.
+    pub registration_token_required: bool,
+
     /// Whether users can change their email.
     pub email_change_allowed: bool,
 
diff --git a/crates/handlers/src/test_utils.rs b/crates/handlers/src/test_utils.rs
@@ -136,6 +136,7 @@ pub fn test_site_config() -> SiteConfig {
         imprint: None,
         password_login_enabled: true,
         password_registration_enabled: true,
+        registration_token_required: false,
         email_change_allowed: true,
         displayname_change_allowed: true,
         password_change_allowed: true,
diff --git a/docs/config.schema.json b/docs/config.schema.json
@@ -2533,6 +2533,10 @@
         "login_with_email_allowed": {
           "description": "Whether users can log in with their email address. Defaults to `false`.\n\nThis has no effect if password login is disabled.",
           "type": "boolean"
+        },
+        "registration_token_required": {
+          "description": "Whether registration tokens are required for password registrations. Defaults to `false`.\n\nWhen enabled, users must provide a valid registration token during password registration. This has no effect if password registration is disabled.",
+          "type": "boolean"
         }
       }
     },
diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md
@@ -320,6 +320,14 @@ account:
   # Defaults to `false`.
   # This has no effect if password login is disabled.
   login_with_email_allowed: false
+
+  # Whether registration tokens are required for password registrations.
+  #
+  # Defaults to `false`.
+  #
+  # When enabled, users must provide a valid registration token during password
+  # registration. This has no effect if password registration is disabled.
+  registration_token_required: false
 ```
 
 ## `captcha`
@@ -712,7 +720,7 @@ upstream_oauth2:
       # Additional parameters to include in the authorization request
       #additional_authorization_parameters:
       #  foo: "bar"
-      
+
       # Whether the `login_hint` should be forwarded to the provider in the
       # authorization request.
       #forward_login_hint: false

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,15 @@ pub struct AccountConfig {`
`72`	`72`	`/// This has no effect if password login is disabled.`
`73`	`73`	`#[serde(default = "default_false", skip_serializing_if = "is_default_false")]`
`74`	`74`	`pub login_with_email_allowed: bool,`
	`75`	`+`
	`76`	`+ /// Whether registration tokens are required for password registrations.`
	`77`	+ /// Defaults to `false`.
	`78`	`+ ///`
	`79`	`+ /// When enabled, users must provide a valid registration token during`
	`80`	`+ /// password registration. This has no effect if password registration`
	`81`	`+ /// is disabled.`
	`82`	`+ #[serde(default = "default_false", skip_serializing_if = "is_default_false")]`
	`83`	`+ pub registration_token_required: bool,`
`75`	`84`	`}`
`76`	`85`
`77`	`86`	`impl Default for AccountConfig {`
`@@ -84,6 +93,7 @@ impl Default for AccountConfig {`
`84`	`93`	`password_recovery_enabled: default_false(),`
`85`	`94`	`account_deactivation_allowed: default_true(),`
`86`	`95`	`login_with_email_allowed: default_false(),`
	`96`	`+ registration_token_required: default_false(),`
`87`	`97`	`}`
`88`	`98`	`}`
`89`	`99`	`}`
`@@ -98,6 +108,7 @@ impl AccountConfig {`
`98`	`108`	`&& is_default_false(&self.password_recovery_enabled)`
`99`	`109`	`&& is_default_true(&self.account_deactivation_allowed)`
`100`	`110`	`&& is_default_false(&self.login_with_email_allowed)`
	`111`	`+ && is_default_false(&self.registration_token_required)`
`101`	`112`	`}`
`102`	`113`	`}`
`103`	`114`
Original file line number	Diff line number	Diff line change
`@@ -2533,6 +2533,10 @@`
`2533`	`2533`	`"login_with_email_allowed": {`
`2534`	`2534`	"description": "Whether users can log in with their email address. Defaults to `false`.\n\nThis has no effect if password login is disabled.",
`2535`	`2535`	`"type": "boolean"`
	`2536`	`+ },`
	`2537`	`+ "registration_token_required": {`
	`2538`	+ "description": "Whether registration tokens are required for password registrations. Defaults to `false`.\n\nWhen enabled, users must provide a valid registration token during password registration. This has no effect if password registration is disabled.",
	`2539`	`+ "type": "boolean"`
`2536`	`2540`	`}`
`2537`	`2541`	`}`
`2538`	`2542`	`},`