From d15c823da218cb2bf20588739fc68c4b9f11b198 Mon Sep 17 00:00:00 2001
From: Motoko
Date: Tue, 31 Mar 2026 00:39:28 +0000
Subject: [PATCH] feat: disable user registration via DISABLE_REGISTRATION env var

- Add DISABLE_REGISTRATION setting (default False) in app/config.py
- Return 403 when registration is disabled in POST /auth/register
- Add test_register_disabled test
---
 app/config.py | 1 +
 app/routers/auth.py | 3 +++
 tests/test_auth.py | 13 +++++++++++++
 3 files changed, 17 insertions(+)

diff --git a/app/config.py b/app/config.py
index 0b9943d..fe999cb 100644
--- a/app/config.py
+++ b/app/config.py
@@ -33,6 +33,7 @@ class Settings(BaseSettings):
     LOG_LEVEL: str = "INFO"
     INITIAL_ADMIN_USERNAME: str # Required: admin user to auto-create
     INITIAL_ADMIN_PASSWORD: str # Required: password for auto-created admin
+    DISABLE_REGISTRATION: bool = False
 
     @property
     def resolved_database_url(self) -> str:
diff --git a/app/routers/auth.py b/app/routers/auth.py
index aaf16be..9e73f7d 100644
--- a/app/routers/auth.py
+++ b/app/routers/auth.py
@@ -69,6 +69,9 @@ async def get_current_agent(request: Request, db: AsyncSession) -> Agent:
 
 @router.post("/register", response_model=AgentResponse, status_code=201)
 async def register(payload: AgentCreate, db: AsyncSession = Depends(get_db)):
+    if settings.DISABLE_REGISTRATION:
+        raise HTTPException(status_code=403, detail="Registration is disabled")
+
     existing = await auth_service.get_agent_by_username(db, payload.username)
     if existing:
         raise HTTPException(status_code=400, detail="Username already exists")
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 5adc520..8b0282e 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
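Review bot: `DISABLE_REGISTRATION` is the only field in this part of `Settings` without a trailing comment, while the two `INITIAL_ADMIN_*` lines just above it each explain their purpose; a comment such as `DISABLE_REGISTRATION: bool = False  # When true, POST /auth/register answers 403` would keep the settings block self-describing. The commit message says the flag is driven by the `DISABLE_REGISTRATION` environment variable, which presumably follows from this being a `BaseSettings` field; that mapping, and the accepted true/false spellings, belong in the project's environment documentation, which this commit does not touch. The rest of the `Settings` class lies outside the hunk.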
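Review bot: The new 403 path is not reflected in the route's OpenAPI metadata: the `@router.post` decorator above the added lines declares only the 201 success response, so schema consumers will not learn that `/register` can refuse with 403 once `DISABLE_REGISTRATION` is set. Consider `responses={403: {"description": "Registration is disabled"}}` on the decorator and a one-line docstring under the signature, e.g. `"""Create an agent account; answers 403 while settings.DISABLE_REGISTRATION is true."""`. Placing the guard before `get_agent_by_username` is the right order — while registration is disabled no database lookup runs and the 400 "Username already exists" branch is never reached, so the endpoint reveals nothing about which usernames are taken. This assumes `settings` is already imported in `app/routers/auth.py`; that import, and the remainder of `register`'s body, lie outside the hunk.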
@@ -68,3 +68,16 @@ async def test_me(client):
 async def test_me_unauthorized(client):
     response = await client.get("/api/v1/auth/me")
     assert response.status_code == 401
+
+
+@pytest.mark.asyncio
+async def test_register_disabled(client, monkeypatch):
+    from app.config import settings
+    monkeypatch.setattr(settings, "DISABLE_REGISTRATION", True)
+
+    response = await client.post(
+        "/api/v1/auth/register",
+        json={"username": "shouldfail", "password": "testpass123"}
+    )
+    assert response.status_code == 403
+    assert response.json()["detail"] == "Registration is disabled"
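Review bot: `test_register_disabled` depends on two things it does not state: that `monkeypatch.setattr` may mutate the shared `settings` instance (it would raise if `Settings` were ever made frozen) and that the router reads `settings.DISABLE_REGISTRATION` on every request rather than capturing it at import time; a docstring such as `"""POST /register answers 403 while settings.DISABLE_REGISTRATION is patched to True at runtime."""` records that contract for whoever next touches `Settings`. The test also checks only the refusal itself; a follow-up `monkeypatch.undo()` and a second POST with the same payload asserting 201 would confirm that the refused attempt persisted nothing. The function-local `from app.config import settings` is fine if no other test in the file uses `settings`, otherwise it belongs with the module imports, which are outside the hunk.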