Allow disabling public signups#25
Code Review
This pull request introduces a configuration-based toggle to disable public user registration. It adds the allowPublicSignup property to the application configuration and implements a check in the manual signup endpoint of the AuthController. A critical security concern was raised regarding the Google authentication flow, which also performs user registration but currently lacks the allowPublicSignup check, potentially allowing users to bypass the registration restriction.
| if (!this.configService.get('allowPublicSignup')) { | ||
| throw new ForbiddenException('Signups are disabled'); | ||
| } |
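Review bot: `!this.configService.get('allowPublicSignup')` treats any truthy value as "signups allowed", so if this setting is ever read from an environment variable the string `'false'` is truthy and the gate silently stays open; normalise the value to a boolean where the config is loaded, or compare explicitly with `=== true`. The fail-closed behaviour when the key is absent (undefined is falsy, so signups are forbidden) is the right default and worth keeping.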
The implementation of the allowPublicSignup check is incomplete. While it correctly blocks the manual email/password signup route, the googleAuth method (lines 42-46) also performs user registration for new accounts and currently lacks this check. This allows users to bypass the restriction by signing up via Google. To fully satisfy the requirement of disabling public signups, this check should also be applied to the Google authentication flow before a new user is created.
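Added illustration in TypeScript, not code from the PR: the check factored into one helper and applied to both the manual signup and the Google flow, gating only account creation so an existing Google user can still log in. `ConfigService`, `ForbiddenException` and the user store are minimal stand-ins for the NestJS pieces the diff references; the Google profile shape and a string-valued config setting are assumptions.

```typescript
class ForbiddenException extends Error {
  constructor(message: string) { super(message); this.name = 'ForbiddenException'; }
}
interface ConfigService { get(key: string): unknown; }
interface User { email: string; provider: 'local' | 'google'; }

class AuthController {
  private users: Record<string, User> = {}; // in-memory stand-in for the user store
  constructor(private readonly configService: ConfigService) {}
  // Single place that decides whether a NEW account may be created. Parse the
  // value explicitly so an env-derived string "false" is not treated as truthy.
  private assertSignupAllowed(): void {
    const raw = this.configService.get('allowPublicSignup');
    if (!(raw === true || raw === 'true')) throw new ForbiddenException('Signups are disabled');
  }

  // Manual email/password signup always creates an account, so it is always gated.
  signup(email: string, _password: string): User {
    this.assertSignupAllowed();
    this.users[email] = { email, provider: 'local' };
    return this.users[email];
  }

  // Google flow: an existing user may still log in; only account creation is gated.
  googleAuth(profile: { email: string }): User {
    const existing = this.users[profile.email];
    if (existing) return existing;
    this.assertSignupAllowed();
    this.users[profile.email] = { email: profile.email, provider: 'google' };
    return this.users[profile.email];
  }
}

// Constructed scenario: alice registers via Google while signups are open, then the
// toggle is switched off as the string "false" (what an environment variable yields).
function scenario(): { newLocalBlocked: boolean; newGoogleBlocked: boolean; existingGoogleOk: boolean } {
  let allow: unknown = true;
  const ctl = new AuthController({ get: () => allow });
  ctl.googleAuth({ email: 'alice@example.com' });
  allow = 'false';
  const blocked = (fn: () => unknown): boolean => {
    try { fn(); return false; } catch (e) { return (e as Error).name === 'ForbiddenException'; }
  };
  return {
    newLocalBlocked: blocked(() => ctl.signup('bob@example.com', 'pw')),
    newGoogleBlocked: blocked(() => ctl.googleAuth({ email: 'carol@example.com' })),
    existingGoogleOk: ctl.googleAuth({ email: 'alice@example.com' }).provider === 'google',
  };
}
```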