ember/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

fix(!783): Don't allow registrations by default with no token configured

Browse source
This commit is contained in:
Ginger 2026-01-06 11:51:12 -05:00
parent 112403e470
commit adc7c5ac49
2 changed files with 21 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
conduwuit-example.toml
View file

@ -452,8 +452,8 @@
# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` # `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
# to true to allow open registration without any conditions. # to true to allow open registration without any conditions.
# #
# If you do not want to set a static token, the `!admin token` commands may also be used # If you do not want to set a static token, the `!admin token` commands
# to manage registration tokens. # may also be used to manage registration tokens.
# #
# example: "o&^uCtes4HPf0Vu@F20jQeeWE7" # example: "o&^uCtes4HPf0Vu@F20jQeeWE7"
# #

22
src/api/client/account.rs
View file

@ -179,7 +179,9 @@ pub(crate) async fn register_route(
}, },
} }
return Err!(Request(Forbidden("Registration has been disabled."))); return Err!(Request(Forbidden(
"This server is not accepting registrations at this time."
)));
} }
if is_guest if is_guest
@ -206,7 +208,9 @@ pub(crate) async fn register_route(
rejecting registration. Guest's initial device name: \"{}\"", rejecting registration. Guest's initial device name: \"{}\"",
body.initial_device_display_name.as_deref().unwrap_or("") body.initial_device_display_name.as_deref().unwrap_or("")
); );
return Err!(Request(Forbidden("Registration is temporarily disabled."))); return Err!(Request(Forbidden(
"This server is not accepting registrations at this time."
)));
} }
let user_id = match (body.username.as_ref(), is_guest) { let user_id = match (body.username.as_ref(), is_guest) {
@ -332,7 +336,19 @@ pub(crate) async fn register_route(
} }
if uiaainfo.flows.is_empty() && !skip_auth { if uiaainfo.flows.is_empty() && !skip_auth {
// No registration token necessary, but clients must still go through the flow // Registration isn't _disabled_, but there's no captcha configured and no
// registration tokens currently set. Bail out by default unless open
// registration was explicitly enabled.
if !services
.config
.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
{
return Err!(Request(Forbidden(
"This server is not accepting registrations at this time."
)));
}
// We have open registration enabled (😧), provide a dummy stage
uiaainfo = UiaaInfo { uiaainfo = UiaaInfo {
flows: vec![AuthFlow { stages: vec![AuthType::Dummy] }], flows: vec![AuthFlow { stages: vec![AuthType::Dummy] }],
completed: Vec::new(), completed: Vec::new(),