Add config flag to require registration tokens for password registrations

2025-06-03 08:06:39 +02:00
parent e28221ac49
commit dcef4bcf3f
6 changed files with 29 additions and 1 deletions
--- a/crates/cli/src/util.rs
+++ b/crates/cli/src/util.rs
@@ -211,6 +211,7 @@ pub fn site_config_from_config(
        password_login_enabled: password_config.enabled(),
        password_registration_enabled: password_config.enabled()
            && account_config.password_registration_enabled,
+        registration_token_required: account_config.registration_token_required,
        email_change_allowed: account_config.email_change_allowed,
        displayname_change_allowed: account_config.displayname_change_allowed,
        password_change_allowed: password_config.enabled()
--- a/crates/config/src/sections/account.rs
+++ b/crates/config/src/sections/account.rs
@@ -72,6 +72,15 @@ pub struct AccountConfig {
    /// This has no effect if password login is disabled.
    #[serde(default = "default_false", skip_serializing_if = "is_default_false")]
    pub login_with_email_allowed: bool,
+
+    /// Whether registration tokens are required for password registrations.
+    /// Defaults to `false`.
+    ///
+    /// When enabled, users must provide a valid registration token during
+    /// password registration. This has no effect if password registration
+    /// is disabled.
+    #[serde(default = "default_false", skip_serializing_if = "is_default_false")]
+    pub registration_token_required: bool,
 }

 impl Default for AccountConfig {
@@ -84,6 +93,7 @@ impl Default for AccountConfig {
            password_recovery_enabled: default_false(),
            account_deactivation_allowed: default_true(),
            login_with_email_allowed: default_false(),
+            registration_token_required: default_false(),
        }
    }
 }
@@ -98,6 +108,7 @@ impl AccountConfig {
            && is_default_false(&self.password_recovery_enabled)
            && is_default_true(&self.account_deactivation_allowed)
            && is_default_false(&self.login_with_email_allowed)
+            && is_default_false(&self.registration_token_required)
    }
 }

--- a/crates/data-model/src/site_config.rs
+++ b/crates/data-model/src/site_config.rs
@@ -64,6 +64,9 @@ pub struct SiteConfig {
    /// Whether password registration is enabled.
    pub password_registration_enabled: bool,

+    /// Whether registration tokens are required for password registrations.
+    pub registration_token_required: bool,
+
    /// Whether users can change their email.
    pub email_change_allowed: bool,

--- a/crates/handlers/src/test_utils.rs
+++ b/crates/handlers/src/test_utils.rs
@@ -136,6 +136,7 @@ pub fn test_site_config() -> SiteConfig {
        imprint: None,
        password_login_enabled: true,
        password_registration_enabled: true,
+        registration_token_required: false,
        email_change_allowed: true,
        displayname_change_allowed: true,
        password_change_allowed: true,
--- a/docs/config.schema.json
+++ b/docs/config.schema.json
@@ -2533,6 +2533,10 @@
        "login_with_email_allowed": {
          "description": "Whether users can log in with their email address. Defaults to `false`.\n\nThis has no effect if password login is disabled.",
          "type": "boolean"
+        },
+        "registration_token_required": {
+          "description": "Whether registration tokens are required for password registrations. Defaults to `false`.\n\nWhen enabled, users must provide a valid registration token during password registration. This has no effect if password registration is disabled.",
+          "type": "boolean"
        }
      }
    },
--- a/docs/reference/configuration.md
+++ b/docs/reference/configuration.md
@@ -320,6 +320,14 @@ account:
  # Defaults to `false`.
  # This has no effect if password login is disabled.
  login_with_email_allowed: false
+
+  # Whether registration tokens are required for password registrations.
+  #
+  # Defaults to `false`.
+  #
+  # When enabled, users must provide a valid registration token during password
+  # registration. This has no effect if password registration is disabled.
+  registration_token_required: false
 ```

 ## `captcha`
@@ -712,7 +720,7 @@ upstream_oauth2:
      # Additional parameters to include in the authorization request
      #additional_authorization_parameters:
      #  foo: "bar"
-      
+
      # Whether the `login_hint` should be forwarded to the provider in the
      # authorization request.
      #forward_login_hint: false