feat(auth): add allowRegistration config for open self-registration

intel352 · claude · intel352 · commit 2e62989c5ad8 · 2026-02-25T03:57:36.000-05:00
The auth.jwt module previously only allowed the first user to self-register.
This adds an allowRegistration config option that, when true, lets any
visitor register without admin intervention.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/module/jwt_auth.go b/module/jwt_auth.go
@@ -39,10 +39,11 @@ type JWTAuthModule struct {
 	users          map[string]*User // keyed by email (used when no external userStore)
 	mu             sync.RWMutex
 	nextID         int
-	app            modular.Application
-	logger         modular.Logger
-	persistence    *PersistenceStore // optional write-through backend
-	userStore      *UserStore        // optional external user store (from auth.user-store module)
+	app                 modular.Application
+	logger              modular.Logger
+	persistence         *PersistenceStore // optional write-through backend
+	userStore           *UserStore        // optional external user store (from auth.user-store module)
+	allowRegistration   bool              // when true, any visitor may self-register
 }
 
 // NewJWTAuthModule creates a new JWT auth module
@@ -76,6 +77,13 @@ func (j *JWTAuthModule) SetResponseFormat(format string) {
 	j.responseFormat = format
 }
 
+// SetAllowRegistration enables or disables open self-registration.
+// When true, any visitor may register; when false (default), registration is
+// only permitted when no users exist (initial setup mode).
+func (j *JWTAuthModule) SetAllowRegistration(allow bool) {
+	j.allowRegistration = allow
+}
+
 // Name returns the module name
 func (j *JWTAuthModule) Name() string {
 	return j.name
@@ -177,9 +185,9 @@ func (j *JWTAuthModule) Handle(w http.ResponseWriter, r *http.Request) {
 }
 
 func (j *JWTAuthModule) handleRegister(w http.ResponseWriter, r *http.Request) {
-	// Self-registration is only allowed when no users exist (initial setup).
-	// After setup, new users must be created by an admin via the user management API.
-	if j.userCount() > 0 {
+	// Self-registration is only allowed when no users exist (initial setup) OR
+	// when allowRegistration is explicitly enabled.
+	if !j.allowRegistration && j.userCount() > 0 {
 		w.WriteHeader(http.StatusForbidden)
 		_ = json.NewEncoder(w).Encode(map[string]string{"error": "registration is disabled; contact an administrator"})
 		return
diff --git a/module/jwt_auth_test.go b/module/jwt_auth_test.go
@@ -86,6 +86,24 @@ func TestJWTAuth_Register(t *testing.T) {
 	}
 }
 
+func TestJWTAuth_OpenRegistration(t *testing.T) {
+	j := setupJWTAuth(t)
+	j.SetAllowRegistration(true)
+
+	// First user registers successfully
+	registerUser(t, j, "user1@example.com", "User One", "pass1")
+
+	// Second user should also succeed when allowRegistration is true
+	body := `{"email":"user2@example.com","name":"User Two","password":"pass2"}`
+	req := httptest.NewRequest(http.MethodPost, "/auth/register", bytes.NewBufferString(body))
+	w := httptest.NewRecorder()
+	j.Handle(w, req)
+
+	if w.Code != http.StatusCreated {
+		t.Errorf("expected status %d (open registration enabled), got %d; body: %s", http.StatusCreated, w.Code, w.Body.String())
+	}
+}
+
 func TestJWTAuth_RegisterDisabledAfterSetup(t *testing.T) {
 	j := setupJWTAuth(t)
 
diff --git a/plugins/auth/plugin.go b/plugins/auth/plugin.go
@@ -88,6 +88,9 @@ func (p *Plugin) ModuleFactories() map[string]plugin.ModuleFactory {
 			if rf, ok := cfg["responseFormat"].(string); ok && rf != "" {
 				authMod.SetResponseFormat(rf)
 			}
+			if ar, ok := cfg["allowRegistration"].(bool); ok && ar {
+				authMod.SetAllowRegistration(true)
+			}
 			return authMod
 		},
 		"auth.user-store": func(name string, _ map[string]any) modular.Module {
@@ -201,6 +204,7 @@ func (p *Plugin) ModuleSchemas() []*schema.ModuleSchema {
 				{Key: "issuer", Label: "Issuer", Type: schema.FieldTypeString, DefaultValue: "workflow", Description: "Token issuer claim", Placeholder: "workflow"},
 				{Key: "seedFile", Label: "Seed Users File", Type: schema.FieldTypeString, Description: "Path to JSON file with initial user accounts", Placeholder: "data/users.json"},
 				{Key: "responseFormat", Label: "Response Format", Type: schema.FieldTypeSelect, Options: []string{"standard", "oauth2"}, Description: "Format of authentication response payloads"},
+				{Key: "allowRegistration", Label: "Allow Open Registration", Type: schema.FieldTypeBool, DefaultValue: false, Description: "When true, any visitor may register without admin intervention"},
 			},
 			DefaultConfig: map[string]any{"tokenExpiry": "24h", "issuer": "workflow"},
 		},
diff --git a/schema/module_schema.go b/schema/module_schema.go
@@ -580,6 +580,7 @@ func (r *ModuleSchemaRegistry) registerBuiltins() {
 			{Key: "issuer", Label: "Issuer", Type: FieldTypeString, DefaultValue: "workflow", Description: "Token issuer claim", Placeholder: "workflow"},
 			{Key: "seedFile", Label: "Seed Users File", Type: FieldTypeString, Description: "Path to JSON file with initial user accounts", Placeholder: "data/users.json"},
 			{Key: "responseFormat", Label: "Response Format", Type: FieldTypeSelect, Options: []string{"standard", "oauth2"}, Description: "Format of authentication response payloads"},
+			{Key: "allowRegistration", Label: "Allow Open Registration", Type: FieldTypeBool, DefaultValue: false, Description: "When true, any visitor may register without admin intervention"},
 		},
 		DefaultConfig: map[string]any{"tokenExpiry": "24h", "issuer": "workflow"},
 	})
diff --git a/schema/module_schema_test.go b/schema/module_schema_test.go
@@ -65,7 +65,7 @@ func TestModuleSchemaRegistry_ConfigFieldsMatchEngine(t *testing.T) {
 		{"api.handler", []string{"resourceName", "workflowType", "workflowEngine", "initialTransition", "seedFile", "sourceResourceName", "stateFilter", "fieldMapping", "transitionMap", "summaryFields"}},
 		{"database.workflow", []string{"driver", "dsn", "maxOpenConns", "maxIdleConns"}},
 		{"messaging.kafka", []string{"brokers", "groupId"}},
-		{"auth.jwt", []string{"secret", "tokenExpiry", "issuer", "seedFile", "responseFormat"}},
+		{"auth.jwt", []string{"secret", "tokenExpiry", "issuer", "seedFile", "responseFormat", "allowRegistration"}},
 		{"static.fileserver", []string{"root", "prefix", "spaFallback", "cacheMaxAge", "router"}},
 		{"processing.step", []string{"componentId", "successTransition", "compensateTransition", "maxRetries", "retryBackoffMs", "timeoutSeconds"}},
 		{"http.middleware.securityheaders", []string{"contentSecurityPolicy", "frameOptions", "contentTypeOptions", "hstsMaxAge", "referrerPolicy", "permissionsPolicy"}},
