@AnishSarkar22 (Contributor) commented Oct 20, 2025

Description

Add support to disable user registration via environment variable and surface a clear message in the frontend when registration is disabled.

Motivation and Context

Prevent unwanted public signups on deployed instances. Project owner requested a simple server-side switch (REGISTRATION_ENABLED) and keeping the register UI intact while showing a clear error message when registrations are blocked.

FIX #266

API Changes

  • This PR includes API changes

Change Type

  • Bug fix
  • New feature
  • Performance improvement
  • Refactoring
  • Documentation
  • Dependency/Build system
  • Breaking change
  • Other (specify):

Testing Performed

  • Tested locally
  • Manual/QA verification

Checklist

  • Follows project coding standards and conventions
  • Documentation updated as needed
  • Dependencies updated as needed
  • No lint/build errors or new warnings
  • All relevant tests are passing

High-level PR Summary

This PR adds the ability to disable public user registration through a REGISTRATION_ENABLED environment variable. When registration is disabled, the backend blocks both local and OAuth registration endpoints with a 403 error, and the frontend displays a user-friendly message informing users that registrations are currently closed and to contact their administrator.

⏱️ Estimated Review Time: 5-15 minutes

💡 Review Order Suggestion
Order File Path
1 surfsense_backend/.env.example
2 surfsense_backend/app/config/__init__.py
3 surfsense_backend/app/app.py
4 surfsense_web/app/(home)/register/page.tsx

Summary by CodeRabbit

  • New Features
    • Added configuration option to enable or disable user registration
    • When registration is disabled, users receive a clear, user-friendly notification instead of a generic error message

vercel bot commented Oct 20, 2025

@AnishSarkar22 is attempting to deploy a commit to the Rohan Verma's projects Team on Vercel.

A member of the Team first needs to authorize it.

coderabbitai bot commented Oct 20, 2025

Walkthrough

This pull request implements a feature to disable user registration via a configuration flag. A new REGISTRATION_ENABLED environment variable is added to the backend configuration, a FastAPI dependency enforces the check, and the frontend handles 403 responses with a user-friendly error message.

Changes

Cohort / File(s): Summary
  • Environment Configuration (surfsense_backend/.env.example): Added REGISTRATION_ENABLED environment variable to control registration availability
  • Backend Configuration (surfsense_backend/app/config/__init__.py): Added REGISTRATION_ENABLED boolean property to Config class, defaults to TRUE
  • Backend Dependencies & Routes (surfsense_backend/app/app.py): Introduced registration_allowed() dependency that returns HTTP 403 when registration is disabled; applied to /auth/register and /auth/google routes
  • Frontend Error Handling (surfsense_web/app/(home)/register/page.tsx): Added specific 403 branch in registration flow to display "Registration is disabled" message before generic error handling

Sequence Diagram

sequenceDiagram
    actor User
    participant Frontend as Frontend<br/>(register page)
    participant Backend as Backend<br/>(API routes)
    participant Config as Config<br/>(REGISTRATION_ENABLED)

    User->>Frontend: Submit registration
    Frontend->>Backend: POST /auth/register
    Backend->>Config: Check REGISTRATION_ENABLED
    
    alt Registration Disabled
        Config-->>Backend: false
        Backend-->>Frontend: 403 Forbidden
        Frontend->>Frontend: Display "Registration is disabled"
        Frontend->>User: Show error message
    else Registration Enabled
        Config-->>Backend: true
        Backend->>Backend: Process registration
        Backend-->>Frontend: 200 OK / success response
        Frontend->>User: Navigate to dashboard
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

The changes follow a consistent, repetitive pattern (adding a boolean check across configuration, dependency, and error handling). Logic is straightforward with no complex branching or state management. File spread is moderate with homogeneous edits across well-established patterns.

Poem

🐰 A toggle to gatekeep the sign-up gate,
Registration can now decline—no new mates!
Configuration keeps the hopper secure,
Boolean flags make the policy pure,
One check, one 403, peace ensured! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The pull request title "feat: Disable public user registration via environment flag" clearly and directly summarizes the main change across the changeset. The changes implement a feature to add an environment variable (REGISTRATION_ENABLED) that controls whether public user registration is allowed, which is exactly what the title conveys. The title is concise, avoids noise, and is specific enough that a teammate scanning history would immediately understand the primary change.
Linked Issues Check ✅ Passed The implementation fully addresses the coding requirements from issue #266. The changes provide a server-side configuration mechanism to disable public user registrations through the REGISTRATION_ENABLED environment variable, which directly meets the user's request for a way to block random public signups when deploying SurfSense. The solution covers both local authentication registration and Google OAuth registration endpoints, both returning 403 errors when disabled, and includes frontend feedback with a user-friendly "Registration is disabled" message. All core requirements have been satisfied through the backend configuration, dependency gating, and frontend UI updates.
Out of Scope Changes Check ✅ Passed All changes in this pull request are directly in scope and related to the stated objective of disabling public user registration via an environment flag. The modifications to .env.example, app/config/__init__.py, and app/app.py establish the configuration infrastructure and backend logic for the feature, while the change to surfsense_web/app/(home)/register/page.tsx implements the frontend user experience. Each change serves a necessary purpose in completing the registration disabling feature with no unrelated alterations or scope creep detected.

@AnishSarkar22 AnishSarkar22 marked this pull request as ready for review October 20, 2025 10:56

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
surfsense_backend/app/app.py (1)

68-77: Fix OAuth router to allow existing users to log in when registration is disabled.

The fastapi-users OAuth router's /callback endpoint handles both user creation and login. Applying registration_allowed at the router level (line 75) blocks the entire /auth/google prefix when REGISTRATION_ENABLED=False, which prevents existing users from completing their OAuth login flow—contradicting issue #266's requirement to "allow the deployed instance to use OAuth for existing users."

To meet the requirement, implement a more granular approach:

  • Option 1: Custom OAuth user creation callback that allows the /callback flow but skips user creation when registration is disabled
  • Option 2: Custom OAuth router that applies dependency checks only at user creation time, not at the endpoint level
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4dc5ceb and fd94193.

📒 Files selected for processing (4)
  • surfsense_backend/.env.example (1 hunks)
  • surfsense_backend/app/app.py (4 hunks)
  • surfsense_backend/app/config/__init__.py (1 hunks)
  • surfsense_web/app/(home)/register/page.tsx (1 hunks)
🧰 Additional context used
📓 Path-based instructions (3)
**/.env.*

📄 CodeRabbit inference engine (.rules/no_env_files_in_repo.mdc)

Do not commit variant environment files like .env.* (e.g., .env.local, .env.production)

Files:

  • surfsense_backend/.env.example
**/.env.example

📄 CodeRabbit inference engine (.rules/no_env_files_in_repo.mdc)

Provide a .env.example file with placeholder values instead of real secrets

Files:

  • surfsense_backend/.env.example
**/*.{jsx,tsx}

📄 CodeRabbit inference engine (.rules/require_unique_id_props.mdc)

**/*.{jsx,tsx}: When mapping arrays to React elements in JSX/TSX, each rendered element must include a unique key prop
Keys used for React list items should be stable, predictable, and unique among siblings

Files:

  • surfsense_web/app/(home)/register/page.tsx
🪛 dotenv-linter (3.3.0)
surfsense_backend/.env.example

[warning] 12-12: [SpaceCharacter] The line has spaces around equal sign

(SpaceCharacter)


[warning] 12-12: [ValueWithoutQuotes] This value needs to be surrounded in quotes

(ValueWithoutQuotes)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Python Backend Quality
🔇 Additional comments (4)
surfsense_backend/app/config/__init__.py (1)

46-46: LGTM!

The implementation correctly handles case-insensitive boolean parsing with a sensible default that maintains backwards compatibility (registration enabled by default).

surfsense_web/app/(home)/register/page.tsx (1)

67-79: LGTM!

The 403 handling is well-implemented with a user-friendly error message, proper toast management (reusing the loading toast ID), and an early return to prevent duplicate error handling.

surfsense_backend/app/app.py (2)

21-27: LGTM!

The dependency function correctly raises a 403 HTTPException when registration is disabled and follows FastAPI best practices.


44-48: LGTM!

Correctly applies the registration gate to the local registration router, blocking POST requests to /auth/register when REGISTRATION_ENABLED is false.


# Auth
AUTH_TYPE=GOOGLE or LOCAL
REGISTRATION_ENABLED= TRUE or FALSE

⚠️ Potential issue | 🟡 Minor

Fix formatting for consistency.

The line has a space after the equals sign, which is inconsistent with other environment variable declarations in this file. Additionally, consider quoting the value for better consistency with shell conventions.

Apply this diff to fix the formatting:

-REGISTRATION_ENABLED= TRUE or FALSE
+REGISTRATION_ENABLED="TRUE or FALSE"
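
Review bot: the replacement line still carries the placeholder phrase TRUE or FALSE as the value, and quoting it only makes the whole phrase the value. Anyone who copies .env.example to .env unchanged ends up with a setting that is neither TRUE nor FALSE, and what the backend does then depends on how it treats an unrecognised string. For a switch that controls who can sign up, give one concrete value and document the alternative on a comment line.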

Or more clearly document both options:

-REGISTRATION_ENABLED= TRUE or FALSE
+REGISTRATION_ENABLED="TRUE"  # Set to "FALSE" to disable registration
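
Review bot: the trailing comment on the added line (# Set to "FALSE" to disable registration) shares the line with the value, and inline comments are not handled the same way by every tool that reads .env files, so with a loader that only recognises full-line comments the comment text can end up in the value. Move the comment to its own line above the assignment so the value is exactly TRUE wherever the file is loaded.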

🤖 Prompt for AI Agents
In surfsense_backend/.env.example around line 12, the environment variable
declaration contains a space after the equals sign and ambiguous wording; remove
the space so the assignment follows the same no-space convention as other lines,
replace the "or" phrasing with a single recommended example value (TRUE or
FALSE) and optionally show the alternate in a separate commented example or
explicitly state both possible values, and consider recommending quoting (e.g.,
"TRUE" or "FALSE") for consistency with shell conventions.

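The difference between gating the whole OAuth router and gating only user creation, raised in the outside-diff comment above, as an added example that is not code from this PR, the project, or any commenter. It is a framework-free model: the function names, the sample addresses, and the strict rejection of unrecognised flag values are assumptions.

```python
# Added example (not project code). All names here are hypothetical.
# Constructed sample data: one existing account, one unknown address.
EXISTING = "alice@example.test"
NEWCOMER = "mallory@example.test"


class RegistrationDisabled(Exception):
    """Stands in for the HTTP 403 the backend returns."""


def parse_flag(raw, default=True):
    """Parse REGISTRATION_ENABLED: unset keeps the default, junk is an error."""
    if raw is None:
        return default
    value = raw.strip().strip('"').lower()
    if value in ("true", "false"):
        return value == "true"
    # e.g. the placeholder "TRUE or FALSE" copied straight from .env.example
    raise ValueError(f"REGISTRATION_ENABLED: unrecognised value {raw!r}")


def create_or_login(email, users):
    """One OAuth callback serves both cases, as described in the review."""
    if email in users:
        return "logged_in"
    users.add(email)
    return "registered"


def gate_router(email, users, enabled):
    """Router-level gate: rejects before the callback knows who the user is."""
    if not enabled:
        raise RegistrationDisabled(email)
    return create_or_login(email, users)


def gate_creation(email, users, enabled):
    """Creation-time gate: only a callback that would create a user is refused."""
    if email not in users and not enabled:
        raise RegistrationDisabled(email)
    return create_or_login(email, users)


def outcome(gate, email, users, enabled):
    """Run one callback through a gate and report the result as a string."""
    try:
        return gate(email, users, enabled)
    except RegistrationDisabled:
        return "403"
```

With the flag off, `gate_router` returns 403 for the existing account as well as the newcomer, while `gate_creation` lets the existing account log in and still refuses to create the new one.
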
@MODSetter MODSetter merged commit 87ca388 into MODSetter:main Oct 21, 2025
11 of 12 checks passed
@MODSetter
Owner

@AnishSarkar22 Thanks

Development

Successfully merging this pull request may close these issues.

Disable Registration?
