From adc7c5ac492b38d9cc1294607d9e15c4cb93897a Mon Sep 17 00:00:00 2001
From: Ginger
Date: Tue, 6 Jan 2026 11:51:12 -0500
Subject: [PATCH] fix(!783): Don't allow registrations by default with no token configured
---
 conduwuit-example.toml | 4 ++--
 src/api/client/account.rs | 22 +++++++++++++++++++---
 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/conduwuit-example.toml b/conduwuit-example.toml
index 8b36afb4..bd0fe69a 100644
--- a/conduwuit-example.toml
+++ b/conduwuit-example.toml
@@ -452,8 +452,8 @@
 # `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
 # to true to allow open registration without any conditions.
 #
-# If you do not want to set a static token, the `!admin token` commands may also be used
-# to manage registration tokens.
+# If you do not want to set a static token, the `!admin token` commands
+# may also be used to manage registration tokens.
 #
 # example: "o&^uCtes4HPf0Vu@F20jQeeWE7"
 #
diff --git a/src/api/client/account.rs b/src/api/client/account.rs
index 2c377d03..d2fb80f2 100644
--- a/src/api/client/account.rs
+++ b/src/api/client/account.rs
@@ -179,7 +179,9 @@ pub(crate) async fn register_route(
 },
 }
- return Err!(Request(Forbidden("Registration has been disabled.")));
+ return Err!(Request(Forbidden(
+ "This server is not accepting registrations at this time."
+ )));
 }
 if is_guest
@@ -206,7 +208,9 @@ pub(crate) async fn register_route(
 rejecting registration. Guest's initial device name: \"{}\"",
 body.initial_device_display_name.as_deref().unwrap_or("")
 );
- return Err!(Request(Forbidden("Registration is temporarily disabled.")));
+ return Err!(Request(Forbidden(
+ "This server is not accepting registrations at this time."
+ )));
 }
 let user_id = match (body.username.as_ref(), is_guest) {
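Review bot: The literal `"This server is not accepting registrations at this time."` is now spelled out three times — in this hunk's `Forbidden(...)`, in the guest-rejection hunk right below it, and in the new no-token guard later in the file — and the point of unifying them is that an unauthenticated caller cannot tell "registration disabled" from "guests off" from "no token configured" by the response text, so the copies must never drift apart. Hoist it into one `const REGISTRATION_CLOSED: &str = "This server is not accepting registrations at this time.";` near the top of the file and write each site as `return Err!(Request(Forbidden(REGISTRATION_CLOSED)));`, assuming the `Err!` macro accepts a non-literal `&str` there. register_route begins and ends outside this hunk.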
@@ -332,7 +336,19 @@ pub(crate) async fn register_route(
 }
 if uiaainfo.flows.is_empty() && !skip_auth {
- // No registration token necessary, but clients must still go through the flow
+ // Registration isn't _disabled_, but there's no captcha configured and no
+ // registration tokens currently set. Bail out by default unless open
+ // registration was explicitly enabled.
+ if !services
+ .config
+ .yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
+ {
+ return Err!(Request(Forbidden(
+ "This server is not accepting registrations at this time."
+ )));
+ }
+
+ // We have open registration enabled (😧), provide a dummy stage
 uiaainfo = UiaaInfo {
 flows: vec![AuthFlow { stages: vec![AuthType::Dummy] }],
 completed: Vec::new(),
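Review bot: The new guard on `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` is evaluated at the UIAA stage, i.e. after the username has already been resolved in the code between this hunk and the previous one (outside the view); if that stretch answers `M_USER_IN_USE` or `M_INVALID_USERNAME` before control reaches here, a server that is effectively closed to registration still lets an unauthenticated caller enumerate existing accounts, so consider evaluating this condition up front next to the `allow_registration` check rather than here. The branch is also only reached when `!skip_auth`; `skip_auth` is computed outside the hunk, so confirm it is true only for appservice-authenticated requests, because anything that sets it bypasses this check entirely. Unlike the guest path above, this rejection is silent — a line such as `warn!("Rejecting registration: no registration token or captcha configured and open registration is not enabled");` (using whichever log macro the guest path uses) would tell operators why clients are being turned away after this change. register_route begins and ends outside this hunk.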