authorMohamedBassem <me@mbassem.com>2024-03-22 15:31:55 +0000
committerMohamedBassem <me@mbassem.com>2024-03-22 15:31:55 +0000
commit95fc3a0825795b15a387707ac8cb2cb0df3f4c27 (patch)
tree71cc8a672b55f9b7903bb8025561ee3b98513034
parent2cd2f92e9e0c82eaa5f21fe0c30e20ebea7aba24 (diff)
downloadkarakeep-95fc3a0825795b15a387707ac8cb2cb0df3f4c27.tar.zst
feature: Add an option to disable new signups
-rw-r--r--.env.sample5
-rw-r--r--apps/web/components/signin/CredentialsForm.tsx8
-rw-r--r--apps/web/lib/clientConfig.tsx3
-rw-r--r--apps/web/server/auth.ts6
-rw-r--r--packages/shared/config.ts20
-rw-r--r--packages/trpc/routers/users.ts7
6 files changed, 23 insertions, 26 deletions
diff --git a/.env.sample b/.env.sample
index f8c314cc..df0c6ef3 100644
--- a/.env.sample
+++ b/.env.sample
@@ -19,8 +19,5 @@
# MEILI_MASTER_KEY=
############## Auth ##############
-# Authentik for auth
-# AUTHENTIK_ID=
-# AUTHENTIK_SECRET=
-# AUTHENTIK_ISSUER=
+# DISABLE_SIGNUPS=
diff --git a/apps/web/components/signin/CredentialsForm.tsx b/apps/web/components/signin/CredentialsForm.tsx
index 8e1423eb..5e3b4de9 100644
--- a/apps/web/components/signin/CredentialsForm.tsx
+++ b/apps/web/components/signin/CredentialsForm.tsx
@@ -13,6 +13,7 @@ import {
} from "@/components/ui/form";
import { Input } from "@/components/ui/input";
import { Tabs, TabsContent, TabsList, TabsTrigger } from "@/components/ui/tabs";
+import { useClientConfig } from "@/lib/clientConfig";
import { api } from "@/lib/trpc";
import { zodResolver } from "@hookform/resolvers/zod";
import { TRPCClientError } from "@trpc/client";
@@ -100,6 +101,7 @@ function SignIn() {
}
function SignUp() {
+ const clientConfig = useClientConfig();
const form = useForm<z.infer<typeof zSignUpSchema>>({
resolver: zodResolver(zSignUpSchema),
});
@@ -201,7 +203,11 @@ function SignUp() {
);
}}
/>
- <ActionButton type="submit" loading={form.formState.isSubmitting}>
+ <ActionButton
+ type="submit"
+ loading={form.formState.isSubmitting}
+ disabled={clientConfig.auth.disableSignups}
+ >
Sign Up
</ActionButton>
</div>
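Review bot: Disabling only the submit button via `disabled={clientConfig.auth.disableSignups}` leaves the sign-up form and its inputs active with no explanation, so a visitor can fill everything in before finding out it cannot be submitted. Consider rendering a short notice, or not rendering the form at all, when the flag is set. This prop is a UI hint and not the enforcement point, since the refusal that counts is the server-side check added in packages/trpc/routers/users.ts. A comment above the button such as `{/* UI hint only: signups are rejected server-side in the users router */}` would stop a later reader from treating it as the control. SignUp's body starts and ends outside this hunk.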
diff --git a/apps/web/lib/clientConfig.tsx b/apps/web/lib/clientConfig.tsx
index fac76d3b..10ca1010 100644
--- a/apps/web/lib/clientConfig.tsx
+++ b/apps/web/lib/clientConfig.tsx
@@ -4,6 +4,9 @@ import type { ClientConfig } from "@hoarder/shared/config";
export const ClientConfigCtx = createContext<ClientConfig>({
demoMode: false,
+ auth: {
+ disableSignups: false,
+ },
});
export function useClientConfig() {
diff --git a/apps/web/server/auth.ts b/apps/web/server/auth.ts
index 767bc7e8..acc3745c 100644
--- a/apps/web/server/auth.ts
+++ b/apps/web/server/auth.ts
@@ -5,12 +5,10 @@ import NextAuth, {
getServerSession,
NextAuthOptions,
} from "next-auth";
-import AuthentikProvider from "next-auth/providers/authentik";
import CredentialsProvider from "next-auth/providers/credentials";
import { Provider } from "next-auth/providers/index";
import { db } from "@hoarder/db";
-import serverConfig from "@hoarder/shared/config";
import { validatePassword } from "@hoarder/trpc/auth";
declare module "next-auth/jwt" {
@@ -63,10 +61,6 @@ const providers: Provider[] = [
}),
];
-if (serverConfig.auth.authentik) {
- providers.push(AuthentikProvider(serverConfig.auth.authentik));
-}
-
export const authOptions: NextAuthOptions = {
// https://github.com/nextauthjs/next-auth/issues/9493
adapter: DrizzleAdapter(db) as Adapter,
diff --git a/packages/shared/config.ts b/packages/shared/config.ts
index 3126fa68..25806ae0 100644
--- a/packages/shared/config.ts
+++ b/packages/shared/config.ts
@@ -1,21 +1,7 @@
-function buildAuthentikConfig() {
- const { AUTHENTIK_ID, AUTHENTIK_SECRET, AUTHENTIK_ISSUER } = process.env;
-
- if (!AUTHENTIK_ID || !AUTHENTIK_SECRET || !AUTHENTIK_ISSUER) {
- return undefined;
- }
-
- return {
- clientId: AUTHENTIK_ID,
- clientSecret: AUTHENTIK_SECRET,
- issuer: AUTHENTIK_ISSUER,
- };
-}
-
const serverConfig = {
apiUrl: process.env.API_URL ?? "http://localhost:3000",
auth: {
- authentik: buildAuthentikConfig(),
+ disableSignups: (process.env.DISABLE_SIGNUPS ?? "false") == "true",
},
openAI: {
apiKey: process.env.OPENAI_API_KEY,
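Review bot: `(process.env.DISABLE_SIGNUPS ?? "false") == "true"` turns the restriction on only for the exact lowercase string `true`, so `TRUE`, `1` or `yes` silently leave registration open, which is the unsafe direction for an access-control switch. Normalise the value and use strict equality, e.g. `disableSignups: (process.env.DISABLE_SIGNUPS ?? "").trim().toLowerCase() === "true",`, and consider refusing to start on an unrecognised value instead of defaulting to open. The `# DISABLE_SIGNUPS=` line added to .env.sample would also benefit from naming the accepted value. The serverConfig object continues past the end of this hunk.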
@@ -40,8 +26,12 @@ const serverConfig = {
dataDir: process.env.DATA_DIR ?? "",
};
+// Always explicitly pick up stuff from server config to avoid accidentally leaking stuff
export const clientConfig = {
demoMode: serverConfig.demoMode,
+ auth: {
+ disableSignups: serverConfig.auth.disableSignups,
+ }
};
export type ClientConfig = typeof clientConfig;
diff --git a/packages/trpc/routers/users.ts b/packages/trpc/routers/users.ts
index db06c0ad..1e7a83a6 100644
--- a/packages/trpc/routers/users.ts
+++ b/packages/trpc/routers/users.ts
@@ -5,6 +5,7 @@ import { z } from "zod";
import { SqliteError } from "@hoarder/db";
import { users } from "@hoarder/db/schema";
+import serverConfig from "@hoarder/shared/config";
import { hashPassword, validatePassword } from "../auth";
import {
@@ -27,6 +28,12 @@ export const usersAppRouter = router({
}),
)
.mutation(async ({ input, ctx }) => {
+ if (serverConfig.auth.disableSignups) {
+ throw new TRPCError({
+ code: "FORBIDDEN",
+ message: "Signups are disabled in server config",
+ });
+ }
// TODO: This is racy, but that's probably fine.
const [{ count: userCount }] = await ctx.db
.select({ count: count() })
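Review bot: The `serverConfig.auth.disableSignups` guard runs before the user count, so on an empty database with the flag set no account can be created through this mutation at all. If the count below is what bootstraps the first user (the rest of the mutation is outside this hunk), either document that the flag must only be set after the initial account exists or let the zero-users case through deliberately. The guard also covers only this tRPC path: apps/web/server/auth.ts still wires `DrizzleAdapter(db)`, and if that adapter creates users when a non-credentials provider is configured, those accounts would not pass through this check. A comment here such as `// Only blocks this mutation; adapter-created users (OAuth) need their own gate` would record that limit.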