Add per-provider user registration control (#1321 )

Add granular registration flags: - KOMODO_DISABLE_LOCAL_USER_REGISTRATION — blocks local signups, hides Sign Up button, while allowing OIDC registration - KOMODO_DISABLE_OIDC_USER_REGISTRATION — blocks OIDC signups while allowing local registration Both are optional and fall back to the existing KOMODO_DISABLE_USER_REGISTRATION when not set. This enables the common pattern of letting your OIDC provider control access while preventing direct local account creation. Depends on mogh-lib change adding per-provider registration methods to the AuthImpl trait. Closes #1087
2.1.2 (#1347 )
2026-05-07 02:16:06 -05:00 · 2026-05-06 16:06:55 -07:00 · 2026-04-10 11:32:17 -07:00
9 changed files with 98 additions and 29 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1149,7 +1149,7 @@ dependencies = [

 [[package]]
 name = "command"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "komodo_client",
 "shlex",
@@ -1489,7 +1489,7 @@ checksum = "d7a1e2f27636f116493b8b860f5546edb47c8d8f8ea73e1d2a20be88e28d1fea"

 [[package]]
 name = "database"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "anyhow",
 "async-compression",
@@ -1759,7 +1759,7 @@ dependencies = [

 [[package]]
 name = "encoding"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "anyhow",
 "bytes",
@@ -1801,7 +1801,7 @@ dependencies = [

 [[package]]
 name = "environment"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "anyhow",
 "formatting",
@@ -1930,7 +1930,7 @@ dependencies = [

 [[package]]
 name = "formatting"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "mogh_error",
 ]
@@ -2109,7 +2109,7 @@ dependencies = [

 [[package]]
 name = "git"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "anyhow",
 "command",
@@ -2709,7 +2709,7 @@ dependencies = [

 [[package]]
 name = "interpolate"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "anyhow",
 "komodo_client",
@@ -2835,7 +2835,7 @@ dependencies = [

 [[package]]
 name = "komodo_cli"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "anyhow",
 "bcrypt",
@@ -2865,7 +2865,7 @@ dependencies = [

 [[package]]
 name = "komodo_client"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "anyhow",
 "async_timing_util",
@@ -2904,7 +2904,7 @@ dependencies = [

 [[package]]
 name = "komodo_core"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "anyhow",
 "arc-swap",
@@ -2977,7 +2977,7 @@ dependencies = [

 [[package]]
 name = "komodo_periphery"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "anyhow",
 "arc-swap",
@@ -4032,7 +4032,7 @@ checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"

 [[package]]
 name = "periphery_client"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "anyhow",
 "encoding",
@@ -5997,7 +5997,7 @@ dependencies = [

 [[package]]
 name = "transport"
-version = "2.1.1"
+version = "2.1.2"
 dependencies = [
 "anyhow",
 "axum",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,7 +8,7 @@ members = [
 ]

 [workspace.package]
-version = "2.1.1"
+version = "2.1.2"
 edition = "2024"
 authors = ["mbecker20 <becker.maxh@gmail.com>"]
 license = "GPL-3.0-or-later"
--- a/bin/core/src/api/write/stack.rs
+++ b/bin/core/src/api/write/stack.rs
@@ -555,8 +555,9 @@ impl Resolve<WriteArgs> for RefreshStackCache {
            &mut services,
          ) {
            warn!(
-              "failed to extract stack services, things won't works correctly. stack: {} | {e:#}",
-              stack.name
+              stack = stack.id,
+              stack_name = stack.name,
+              "Failed to extract stack services | {e:#}",
            );
          }
        }
--- a/bin/core/src/auth/mod.rs
+++ b/bin/core/src/auth/mod.rs
@@ -205,6 +205,20 @@ impl AuthImpl for KomodoAuthImpl {
    core_config().disable_user_registration
  }

+  fn local_registration_disabled(&self) -> bool {
+    let config = core_config();
+    config
+      .disable_local_user_registration
+      .unwrap_or(config.disable_user_registration)
+  }
+
+  fn oidc_registration_disabled(&self) -> bool {
+    let config = core_config();
+    config
+      .disable_oidc_user_registration
+      .unwrap_or(config.disable_user_registration)
+  }
+
  fn validate_username(
    &self,
    username: &str,
--- a/bin/core/src/config.rs
+++ b/bin/core/src/config.rs
@@ -345,6 +345,12 @@ pub fn core_config() -> &'static CoreConfig {
      disable_user_registration: env
        .komodo_disable_user_registration
        .unwrap_or(config.disable_user_registration),
+      disable_local_user_registration: env
+        .komodo_disable_local_user_registration
+        .or(config.disable_local_user_registration),
+      disable_oidc_user_registration: env
+        .komodo_disable_oidc_user_registration
+        .or(config.disable_oidc_user_registration),
      disable_non_admin_create: env
        .komodo_disable_non_admin_create
        .unwrap_or(config.disable_non_admin_create),
--- a/bin/core/src/stack/services.rs
+++ b/bin/core/src/stack/services.rs
@@ -38,8 +38,6 @@ pub fn extract_services_into_res(
        "failed to parse service names from compose contents",
      )?;

-  let mut services = Vec::with_capacity(compose.services.capacity());
-
  for (
    service_name,
    ComposeService {
@@ -49,17 +47,29 @@ pub fn extract_services_into_res(
    },
  ) in compose.services
  {
-    let image = image.unwrap_or_default();
-    services.push(StackServiceNames {
-      container_name: container_name
-        .unwrap_or_else(|| format!("{project_name}-{service_name}")),
-      image_digest: service_image_digests.get(&service_name).cloned(),
-      service_name,
-      image,
-    });
+    if let Some(existing) =
+      res.iter_mut().find(|s| s.service_name == service_name)
+    {
+      // Override any defined fields
+      if let Some(container_name) = container_name {
+        existing.container_name = container_name;
+      }
+      if let Some(image) = image {
+        existing.image = image;
+      }
+    } else {
+      res.push(StackServiceNames {
+        container_name: container_name.unwrap_or_else(|| {
+          format!("{project_name}-{service_name}")
+        }),
+        image_digest: service_image_digests
+          .get(&service_name)
+          .cloned(),
+        image: image.unwrap_or_default(),
+        service_name,
+      });
+    }
  }

-  res.extend(services);
-
  Ok(())
 }
--- a/client/core/rs/src/entities/config/core.rs
+++ b/client/core/rs/src/entities/config/core.rs
@@ -124,6 +124,10 @@ pub struct Env {
  pub komodo_enable_new_users: Option<bool>,
  /// Override `disable_user_registration`
  pub komodo_disable_user_registration: Option<bool>,
+  /// Override `disable_local_user_registration`
+  pub komodo_disable_local_user_registration: Option<bool>,
+  /// Override `disable_oidc_user_registration`
+  pub komodo_disable_oidc_user_registration: Option<bool>,
  /// Override `lock_login_credentials_for`
  pub komodo_lock_login_credentials_for: Option<Vec<String>>,
  /// Override `disable_confirm_dialog`
@@ -457,6 +461,20 @@ pub struct CoreConfig {
  #[serde(default)]
  pub disable_user_registration: bool,

+  /// Disable local (username/password) user registration only.
+  /// When set, the "Sign Up" button is hidden and local signups are blocked,
+  /// but OIDC and other external provider signups are still allowed.
+  /// If not set, falls back to `disable_user_registration`.
+  #[serde(default)]
+  pub disable_local_user_registration: Option<bool>,
+
+  /// Disable OIDC user registration only.
+  /// When set, new users cannot register via OIDC,
+  /// but local and other provider signups are still allowed.
+  /// If not set, falls back to `disable_user_registration`.
+  #[serde(default)]
+  pub disable_oidc_user_registration: Option<bool>,
+
  /// List of usernames for which the update username / password
  /// APIs are disabled. Used by demo to lock the 'demo' : 'demo' login.
  ///
@@ -826,6 +844,8 @@ impl Default for CoreConfig {
      transparent_mode: Default::default(),
      enable_new_users: Default::default(),
      disable_user_registration: Default::default(),
+      disable_local_user_registration: Default::default(),
+      disable_oidc_user_registration: Default::default(),
      lock_login_credentials_for: Default::default(),
      disable_non_admin_create: Default::default(),
      jwt_secret: Default::default(),
@@ -909,6 +929,10 @@ impl CoreConfig {
      enable_fancy_toml: config.enable_fancy_toml,
      enable_new_users: config.enable_new_users,
      disable_user_registration: config.disable_user_registration,
+      disable_local_user_registration: config
+        .disable_local_user_registration,
+      disable_oidc_user_registration: config
+        .disable_oidc_user_registration,
      disable_non_admin_create: config.disable_non_admin_create,
      lock_login_credentials_for: config.lock_login_credentials_for,
      local_auth: config.local_auth,
--- a/client/core/ts/package.json
+++ b/client/core/ts/package.json
@@ -1,6 +1,6 @@
 {
  "name": "komodo_client",
-  "version": "2.1.1",
+  "version": "2.1.2",
  "description": "Komodo client package",
  "homepage": "https://komo.do",
  "main": "dist/lib.js",
--- a/config/core.config.toml
+++ b/config/core.config.toml
@@ -167,6 +167,20 @@ init_admin_password = "changeme"
 ## Default: false
 disable_user_registration = false

+## Disable local (username/password) user registration only.
+## When set to true, the "Sign Up" button is hidden and local signups are blocked,
+## but OIDC and other external provider signups are still allowed.
+## If not set, falls back to `disable_user_registration`.
+## Env: KOMODO_DISABLE_LOCAL_USER_REGISTRATION
+# disable_local_user_registration = true
+
+## Disable OIDC user registration only.
+## When set to true, new users cannot register via OIDC,
+## but local and other provider signups are still allowed.
+## If not set, falls back to `disable_user_registration`.
+## Env: KOMODO_DISABLE_OIDC_USER_REGISTRATION
+# disable_oidc_user_registration = true
+
 ## New users will be automatically enabled when they sign up.
 ## Otherwise, new users will be disabled on first login.
 ## The first user to login will always be enabled on creation.