feat(auth): implement REGISTRATION_POLICY=invite and REGISTRATION_POLICY=admin-approval #219
Labels
No labels
area:auth
area:ci
area:db
area:infra
area:native
area:pwa
area:service
epic
feature
foundation
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
james/carol#219
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Context
REGISTRATION_POLICYis documented as a self-hoster env var with three accepted values:open,invite,admin-approval. Onlyopenis implemented; the other two are accepted as configuration but reject every new registration with503 policy_not_implemented. Self-hosters that want a closed instance today have no real option short of putting an external reverse-proxy auth in front.Source
REGISTRATION_POLICYrow: "Accepts open / invite / admin-approval. Only open is implemented today — invite and admin-approval are accepted as values but reject new registrations with 503 policy_not_implemented."apps/api/lib/auth/registration.tslines 55-60: "Set REGISTRATION_POLICY=open or wait for the invite/admin-approval follow-up."Scope
Invite policy
is_admin = 1can mint a one-time invite token (table:invites, fields:id,created_by,created_at,expires_at,consumed_by,consumed_at,email_hint?).POST /api/auth/registerrequires the invite token onpolicy=invite; consumes it on success./accountto mint + revoke + view consumed invites (admin-only).Admin-approval policy
POST /api/auth/registeronpolicy=admin-approvalcreates a user row withstatus = pending(new column onusers)./api/auth/loginreturnspending_approval).status = active.Shared
Acceptance criteria
invitestable andusers.statuscolumn on both engines.policy=inviteend-to-end: admin mints, user registers with token, second-use returnsinvite_consumed.policy=admin-approvalend-to-end: registration succeeds but login is gated until admin approves.Out of scope
is_admin(existing single-flag model is preserved).Composes with
registration.tslines 45-52 — still acceptable as documented.