feature: Allow disabling password signups (#413)

* [Feature Request] Allow to disable default password log in after SSO is configured #406
Added the DISABLE_LOCAL_SIGNUPS that can be used to force OAuth signups only

* rename local signups to password signups

---------

Co-authored-by: MohamedBassem <me@mbassem.com>

5 files changed, 15 insertions, 3 deletions

diff --git a/apps/web/components/signin/CredentialsForm.tsx b/apps/web/components/signin/CredentialsForm.tsx
index a505f699..a35b768f 100644
--- a/apps/web/components/signin/CredentialsForm.tsx
+++ b/apps/web/components/signin/CredentialsForm.tsx
@@ -233,7 +233,8 @@ export default function CredentialsForm() {
         <SignIn />
       </TabsContent>
       <TabsContent value="signup">
-        {clientConfig.auth.disableSignups ? (
+        {clientConfig.auth.disableSignups ||
+        clientConfig.auth.disablePasswordSignups ? (
           <p className="text-center">Signups are currently disabled.</p>
         ) : (
           <SignUp />
diff --git a/apps/web/lib/clientConfig.tsx b/apps/web/lib/clientConfig.tsx
index 31395199..90e6d35c 100644
--- a/apps/web/lib/clientConfig.tsx
+++ b/apps/web/lib/clientConfig.tsx
@@ -6,6 +6,7 @@ export const ClientConfigCtx = createContext<ClientConfig>({
   demoMode: undefined,
   auth: {
     disableSignups: false,
+    disablePasswordSignups: false,
   },
   inference: {
     inferredTagLang: "english",
diff --git a/docs/docs/03-configuration.md b/docs/docs/03-configuration.md
index f026977e..d1b587ad 100644
--- a/docs/docs/03-configuration.md
+++ b/docs/docs/03-configuration.md
@@ -28,6 +28,7 @@ When setting up OAuth, the allowed redirect URLs configured at the provider shou
 | Name                                        | Required | Default                | Description                                                                                                                                                         |
 | ------------------------------------------- | -------- | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | DISABLE_SIGNUPS                             | No       | false                  | If enabled, no new signups will be allowed and the signup button will be disabled in the UI                                                                         |
+| DISABLE_PASSWORD_SIGNUPS                    | No       | false                  | If enabled, only signups using OAuth are allowed and the signup button for a local account will be disabled in the UI                                               |
 | OAUTH_WELLKNOWN_URL                         | No       | Not set                | The "wellknown Url" for openid-configuration as provided by the OAuth provider                                                                                      |
 | OAUTH_CLIENT_SECRET                         | No       | Not set                | The "Client Secret" as provided by the OAuth provider                                                                                                               |
 | OAUTH_CLIENT_ID                             | No       | Not set                | The "Client ID" as provided by the OAuth provider                                                                                                                   |
diff --git a/packages/shared/config.ts b/packages/shared/config.ts
index b87babbd..288becab 100644
--- a/packages/shared/config.ts
+++ b/packages/shared/config.ts
@@ -10,6 +10,7 @@ const stringBool = (defaultValue: string) =>
 const allEnv = z.object({
   API_URL: z.string().url().default("http://localhost:3000"),
   DISABLE_SIGNUPS: stringBool("false"),
+  DISABLE_PASSWORD_SIGNUPS: stringBool("false"),
   OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING: stringBool("false"),
   OAUTH_WELLKNOWN_URL: z.string().url().optional(),
   OAUTH_CLIENT_SECRET: z.string().optional(),
@@ -53,6 +54,7 @@ const serverConfigSchema = allEnv.transform((val) => {
     apiUrl: val.API_URL,
     auth: {
       disableSignups: val.DISABLE_SIGNUPS,
+      disablePasswordSignups: val.DISABLE_PASSWORD_SIGNUPS,
       oauth: {
         allowDangerousEmailAccountLinking:
           val.OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING,
@@ -112,6 +114,7 @@ export const clientConfig = {
   demoMode: serverConfig.demoMode,
   auth: {
     disableSignups: serverConfig.auth.disableSignups,
+    disablePasswordSignups: serverConfig.auth.disablePasswordSignups,
   },
   inference: {
     inferredTagLang: serverConfig.inference.inferredTagLang,
diff --git a/packages/trpc/routers/users.ts b/packages/trpc/routers/users.ts
index ba1aee24..736e7e2f 100644
--- a/packages/trpc/routers/users.ts
+++ b/packages/trpc/routers/users.ts
@@ -29,10 +29,16 @@ export const usersAppRouter = router({
       }),
     )
     .mutation(async ({ input, ctx }) => {
-      if (serverConfig.auth.disableSignups) {
+      if (
+        serverConfig.auth.disableSignups ||
+        serverConfig.auth.disablePasswordSignups
+      ) {
+        const errorMessage = serverConfig.auth.disablePasswordSignups
+          ? "Local Signups are disabled in the server config. Use OAuth instead!"
+          : "Signups are disabled in server config";
         throw new TRPCError({
           code: "FORBIDDEN",
-          message: "Signups are disabled in server config",
+          message: errorMessage,
         });
       }
       // TODO: This is racy, but that's probably fine.