Fix login/register registration policy UI

Author: ZimengXiong

frontend/src/api/index.ts

@@ -82,6 +82,7 @@ export const clearCsrfToken = (): void => {
 export interface AuthStatusResponse {
   authEnabled?: boolean;
   enabled?: boolean;
+  registrationEnabled?: boolean;
   authMode?: "local" | "hybrid" | "oidc_enforced";
   oidcEnabled?: boolean;
   oidcEnforced?: boolean;

frontend/src/context/AuthContext.tsx

@@ -24,6 +24,7 @@ interface AuthContextType {
   user: User | null;
   loading: boolean;
   authEnabled: boolean | null;
+  registrationEnabled: boolean;
   authStatusError: string | null;
   authMode: 'local' | 'hybrid' | 'oidc_enforced';
   oidcEnabled: boolean;
@@ -48,6 +49,7 @@ export const AuthProvider: React.FC<{ children: ReactNode }> = ({ children }) =>
   const [user, setUser] = useState<User | null>(null);
   const [loading, setLoading] = useState(true);
   const [authEnabled, setAuthEnabled] = useState<boolean | null>(null);
+  const [registrationEnabled, setRegistrationEnabled] = useState(false);
   const [authStatusError, setAuthStatusError] = useState<string | null>(null);
   const [authMode, setAuthMode] = useState<'local' | 'hybrid' | 'oidc_enforced'>('local');
   const [oidcEnabled, setOidcEnabled] = useState(false);
@@ -74,6 +76,7 @@ export const AuthProvider: React.FC<{ children: ReactNode }> = ({ children }) =>
               : true;
         setAuthEnabled(enabled);
         localStorage.setItem(AUTH_ENABLED_CACHE_KEY, String(enabled));
+        setRegistrationEnabled(Boolean(statusResponse?.registrationEnabled));
         const nextAuthMode =
           statusResponse?.authMode === 'hybrid' || statusResponse?.authMode === 'oidc_enforced'
             ? statusResponse.authMode
@@ -100,6 +103,7 @@ export const AuthProvider: React.FC<{ children: ReactNode }> = ({ children }) =>
         if (cachedAuthEnabled === "false") {
           setAuthStatusError(null);
           setAuthEnabled(false);
+          setRegistrationEnabled(false);
           setAuthMode('local');
           setOidcEnabled(false);
           setOidcEnforced(false);
@@ -115,6 +119,7 @@ export const AuthProvider: React.FC<{ children: ReactNode }> = ({ children }) =>
           "Unable to reach the backend API. Check BACKEND_URL, FRONTEND_URL, and your reverse proxy configuration."
         );
         setAuthEnabled(null);
+        setRegistrationEnabled(false);
         setAuthMode('local');
         setOidcEnabled(false);
         setOidcEnforced(false);
@@ -252,6 +257,7 @@ export const AuthProvider: React.FC<{ children: ReactNode }> = ({ children }) =>
         user,
         loading,
         authEnabled,
+        registrationEnabled,
         authStatusError,
         authMode,
         oidcEnabled,

frontend/src/pages/Login.tsx

@@ -19,6 +19,7 @@ export const Login: React.FC = () => {
     login,
     logout,
     authEnabled,
+    registrationEnabled,
     authStatusError,
     retryAuthStatus,
     oidcEnabled,
@@ -159,7 +160,7 @@ export const Login: React.FC = () => {
                 ? `Sign in with ${oidcProvider || 'OIDC'}`
                 : 'Sign in to your account'}
           </h2>
-          {!mustReset && !oidcEnforced ? (
+          {!mustReset && !oidcEnforced && registrationEnabled ? (
             <p className="mt-2 text-sm text-gray-600 dark:text-gray-400">
               Or{' '}
               <Link
@@ -169,6 +170,10 @@ export const Login: React.FC = () => {
                 create a new account
               </Link>
             </p>
+          ) : !mustReset && !oidcEnforced ? (
+            <p className="mt-2 text-sm text-gray-600 dark:text-gray-400">
+              Sign in with an existing account.
+            </p>
           ) : mustReset ? (
             <p className="mt-2 text-sm text-gray-600 dark:text-gray-400">
               Your admin requires you to set a new password before using ExcaliDash.

frontend/src/pages/Register.tsx

@@ -19,6 +19,7 @@ export const Register: React.FC = () => {
   const {
     register,
     authEnabled,
+    registrationEnabled,
     authStatusError,
     retryAuthStatus,
     oidcEnabled,
@@ -72,10 +73,24 @@ export const Register: React.FC = () => {
       navigate('/', { replace: true });
       return;
     }
+    if (!bootstrapRequired && !registrationEnabled) {
+      navigate('/login', { replace: true });
+      return;
+    }
     if (isAuthenticated) {
       navigate('/', { replace: true });
     }
-  }, [authEnabled, authLoading, authOnboardingRequired, authStatusError, isAuthenticated, navigate, oidcEnforced]);
+  }, [
+    authEnabled,
+    authLoading,
+    authOnboardingRequired,
+    authStatusError,
+    bootstrapRequired,
+    isAuthenticated,
+    navigate,
+    oidcEnforced,
+    registrationEnabled,
+  ]);
 
   if (authStatusError) {
     return <AuthStatusErrorPanel message={authStatusError} onRetry={retryAuthStatus} fullScreen />;

frontend/src/pages/authRegistrationPolicy.test.tsx

@@ -0,0 +1,87 @@
+import { render, screen } from "@testing-library/react";
+import { MemoryRouter } from "react-router-dom";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { Login } from "./Login";
+import { Register } from "./Register";
+
+const mockUseAuth = vi.fn();
+const mockNavigate = vi.fn();
+
+vi.mock("../context/AuthContext", () => ({
+  useAuth: () => mockUseAuth(),
+}));
+
+vi.mock("../api", () => ({
+  startOidcSignIn: vi.fn(),
+  api: {
+    post: vi.fn(),
+  },
+  isAxiosError: vi.fn(() => false),
+}));
+
+vi.mock("../components/Logo", () => ({
+  Logo: () => <div data-testid="logo" />,
+}));
+
+vi.mock("react-router-dom", async () => {
+  const actual = await vi.importActual<typeof import("react-router-dom")>("react-router-dom");
+  return {
+    ...actual,
+    useNavigate: () => mockNavigate,
+  };
+});
+
+const baseAuthState = {
+  login: vi.fn(),
+  logout: vi.fn(),
+  register: vi.fn(),
+  authEnabled: true,
+  registrationEnabled: true,
+  authStatusError: null,
+  retryAuthStatus: vi.fn(),
+  oidcEnabled: false,
+  oidcEnforced: false,
+  oidcProvider: "OIDC",
+  bootstrapRequired: false,
+  authOnboardingRequired: false,
+  isAuthenticated: false,
+  loading: false,
+  user: null,
+};
+
+describe("auth page registration policy", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("hides the register link on the login page when registration is disabled", () => {
+    mockUseAuth.mockReturnValue({
+      ...baseAuthState,
+      registrationEnabled: false,
+    });
+
+    render(
+      <MemoryRouter initialEntries={["/login"]}>
+        <Login />
+      </MemoryRouter>
+    );
+
+    expect(screen.queryByRole("link", { name: /create a new account/i })).not.toBeInTheDocument();
+    expect(screen.getByText(/sign in with an existing account/i)).toBeInTheDocument();
+  });
+
+  it("redirects away from /register when registration is disabled outside bootstrap flow", () => {
+    mockUseAuth.mockReturnValue({
+      ...baseAuthState,
+      registrationEnabled: false,
+    });
+
+    render(
+      <MemoryRouter initialEntries={["/register"]}>
+        <Register />
+      </MemoryRouter>
+    );
+
+    expect(mockNavigate).toHaveBeenCalledWith("/login", { replace: true });
+  });
+});

frontend/src/pages/authStatusBlocking.test.tsx

@@ -27,6 +27,7 @@ const baseAuthState = {
   logout: vi.fn(),
   register: vi.fn(),
   authEnabled: true,
+  registrationEnabled: true,
   authStatusError: "Unable to reach the backend API. Check BACKEND_URL and reverse proxy settings, then retry.",
   retryAuthStatus: vi.fn(),
   oidcEnabled: false,