Disable third-party registrations

config.example.toml

@@ -43,23 +43,27 @@
 [redis]
 	port=6379
 
-# Uncomment if you want to be using Twitter authentication
+[external]
-[twitter]
+	# Set to true if you allow registrations from the following services
-#	api=""
+	registrations=false
-#	api_secret=""
 
-# Uncomment if you want to be using Facebook authentication
+	# Uncomment if you want to be using Twitter authentication
-[facebook]
+	[external.twitter]
-#	client=""
+	#	api=""
+	#	api_secret=""
 
-# Uncomment if you want to be using Discord authentication
+	# Uncomment if you want to be using Facebook authentication
-[discord]
+	[external.facebook]
-#	api=""
+	#	client=""
-#	api_secret=""
 
-[google]
+	# Uncomment if you want to be using Discord authentication
-#	api=""
+	[external.discord]
-#	api_secret=""
+	#	api=""
+	#	api_secret=""
+
+	[external.google]
+	#	api=""
+	#	api_secret=""
 
 # reCAPTCHA configuration
 [security]

server/api/external.js

@@ -56,6 +56,7 @@ const API = {
     },
     // Create a new user
     newUser: async (service, identifier, data) => {
+      if (config.external.registrations !== true) throw new Error('Registrations from third-party websites are not allowed.')
       let udataLimited = Object.assign({
         activated: 1,
         created_at: new Date(),
@@ -239,8 +240,8 @@ const API = {
         twitterApp = new oauth.PromiseOAuth(
           'https://api.twitter.com/oauth/request_token',
           'https://api.twitter.com/oauth/access_token',
-          config.twitter.api,
+          config.external.twitter.api,
-          config.twitter.api_secret,
+          config.external.twitter.api_secret,
           '1.0A',
           redirectUri,
           'HMAC-SHA1'
@@ -360,8 +361,8 @@ const API = {
     oauth2App: function () {
       if (discordApp) return
       discordApp = new oauth.PromiseOAuth2(
-        config.discord.api,
+        config.external.discord.api,
-        config.discord.api_secret,
+        config.external.discord.api_secret,
         'https://discordapp.com/api/',
         'oauth2/authorize',
         'oauth2/token'
@@ -375,7 +376,7 @@ const API = {
       let redirectUri = config.server.domain + '/api/external/discord/callback'
 
       const params = {
-        'client_id': config.discord.api,
+        'client_id': config.external.discord.api,
         'redirect_uri': redirectUri,
         'scope': 'identify email',
         'response_type': 'code',

server/routes/index.js

@@ -102,24 +102,34 @@ router.get('/', (req, res) => {
 })
 
 // Add social media login buttons
-function extraButtons (req, res, next) {
+function extraButtons (recheck) {
-  if (config.twitter && config.twitter.api) {
+  let et = config.external
-    res.locals.twitter_auth = true
+  return function (req, res, next) {
+    if (!et) return next()
+    res.locals.auth = {
+      registrations: et.registrations
     }
 
-  if (config.discord && config.discord.api) {
+    if (recheck && et.registrations !== true) return next()
-    res.locals.discord_auth = true
+
+    if (et.twitter && et.twitter.api) {
+      res.locals.auth.twitter = true
     }
 
-  if (config.facebook && config.facebook.client) {
+    if (et.discord && et.discord.api) {
-    res.locals.facebook_auth = config.facebook.client
+      res.locals.auth.discord = true
     }
 
-  if (config.google && config.google.api) {
+    if (et.facebook && et.facebook.client) {
-    res.locals.google_auth = config.google.api
+      res.locals.auth.facebook = et.facebook.client
+    }
+
+    if (et.google && et.google.api) {
+      res.locals.auth.google = et.google.api
     }
 
     next()
+  }
 }
 
 // Retrieve form data if formError was called
@@ -136,7 +146,7 @@ function formKeep (req, res, next) {
 }
 
 // Password reset request endpoint
-router.get('/login/reset', extraButtons, (req, res) => {
+router.get('/login/reset', extraButtons(false), (req, res) => {
   if (req.session.user) return redirectLogin(req, res)
 
   res.render('user/reset_password', {sent: req.query.success != null})
@@ -157,7 +167,7 @@ router.get('/reset/:token', wrap(async (req, res) => {
   res.render('user/password_new', {token: true})
 }))
 
-router.get('/login', extraButtons, (req, res) => {
+router.get('/login', extraButtons(false), (req, res) => {
   if (req.session.user) return redirectLogin(req, res)
 
   if (req.query.returnTo) {
@@ -167,7 +177,7 @@ router.get('/login', extraButtons, (req, res) => {
   res.render('user/login')
 })
 
-router.get('/register', extraButtons, formKeep, (req, res) => {
+router.get('/register', extraButtons(true), formKeep, (req, res) => {
   if (req.session.user) return redirectLogin(req, res)
 
   if (config.security.recaptcha && config.security.recaptcha.site_key) {

views/includes/external.pug

@@ -1,5 +1,5 @@
 .external-login
-	if facebook_auth
+	if auth.facebook
 		div#fb-root
 		script.
 			window.fbAsyncInit = function() {
@@ -20,7 +20,7 @@
 			  fjs.parentNode.insertBefore(js, fjs);
 			}(document, 'script', 'facebook-jssdk'));
 		fb:login-button(scope="public_profile,email", onlogin="checkLoginState();" data-max-rows="1", data-size="large", data-button-type="login_with", data-show-faces="false", data-auto-logout-link="false", data-use-continue-as="false")
-	if google_auth
+	if auth.google
 		script(src="https://apis.google.com/js/api:client.js")
 		a.login-btn.google-login.float-lg-right
 			i.fa.fa-fw.fa-google
@@ -59,11 +59,11 @@
 			}
 
 			startApp()
-	if twitter_auth
+	if auth.twitter
 		a.login-btn.twitter-login.login-dialog-pop.float-lg-right(href="/api/external/twitter/login")
 			i.fa.fa-fw.fa-twitter
 			span Log in With Twitter
-	if discord_auth
+	if auth.discord
 		a.login-btn.discord-login.login-dialog-pop.float-lg-right(href="/api/external/discord/login")
 			img(src="/static/image/discord.svg")
 			span Log in With Discord

views/user/login.pug

@@ -26,5 +26,6 @@ block body
 				a(href="/register") Create an account
 				|  · 
 				a(href="/login/reset") Forgot password?
+			if auth
 				aside.col-sm-4
 					include ../includes/external.pug