feat(server): sign-up restrictions for self-hosted

packages/server/src/services/Authentication/AuthApplication.ts

@@ -1,8 +1,14 @@
 import { Service, Inject, Container } from 'typedi';
-import { IRegisterDTO, ISystemUser, IPasswordReset } from '@/interfaces';
+import {
+  IRegisterDTO,
+  ISystemUser,
+  IPasswordReset,
+  IAuthGetMetaPOJO,
+} from '@/interfaces';
 import { AuthSigninService } from './AuthSignin';
 import { AuthSignupService } from './AuthSignup';
 import { AuthSendResetPassword } from './AuthSendResetPassword';
+import { GetAuthMeta } from './GetAuthMeta';
 
 @Service()
 export default class AuthenticationApplication {
@@ -15,6 +21,9 @@ export default class AuthenticationApplication {
   @Inject()
   private authResetPasswordService: AuthSendResetPassword;
 
+  @Inject()
+  private authGetMeta: GetAuthMeta;
+
   /**
    * Signin and generates JWT token.
    * @throws {ServiceError}
@@ -53,4 +62,12 @@ export default class AuthenticationApplication {
   public async resetPassword(token: string, password: string): Promise<void> {
     return this.authResetPasswordService.resetPassword(token, password);
   }
+
+  /**
+   * Retrieves the authentication meta for SPA.
+   * @returns {Promise<IAuthGetMetaPOJO>}
+   */
+  public async getAuthMeta(): Promise<IAuthGetMetaPOJO> {
+    return this.authGetMeta.getAuthMeta();
+  }
 }

packages/server/src/services/Authentication/AuthSignup.ts

@@ -1,4 +1,4 @@
-import { omit } from 'lodash';
+import { isEmpty, omit } from 'lodash';
 import moment from 'moment';
 import { ServiceError } from '@/exceptions';
 import {
@@ -13,6 +13,7 @@ import { EventPublisher } from '@/lib/EventPublisher/EventPublisher';
 import TenantsManagerService from '../Tenancy/TenantsManager';
 import events from '@/subscribers/events';
 import { hashPassword } from '@/utils';
+import config from '@/config';
 
 export class AuthSignupService {
   @Inject()
@@ -33,6 +34,9 @@ export class AuthSignupService {
   public async signUp(signupDTO: IRegisterDTO): Promise<ISystemUser> {
     const { systemUserRepository } = this.sysRepositories;
 
+    // Validates the signup disable restrictions.
+    await this.validateSignupRestrictions(signupDTO.email);
+
     // Validates the given email uniqiness.
     await this.validateEmailUniqiness(signupDTO.email);
 
@@ -74,4 +78,40 @@ export class AuthSignupService {
       throw new ServiceError(ERRORS.EMAIL_EXISTS);
     }
   }
+
+  /**
+   * Validate sign-up disable restrictions.
+   * @param {string} email
+   */
+  private async validateSignupRestrictions(email: string) {
+    // Can't continue if the signup is not disabled.
+    if (!config.signupRestrictions.disabled) return;
+
+    // Validate the allowed domains.
+    if (!isEmpty(config.signupRestrictions.allowedDomains)) {
+      const emailDomain = email.split('@').pop();
+      const isAllowed = config.signupRestrictions.allowedDomains.some(
+        (domain) => emailDomain === domain
+      );
+      if (!isAllowed) {
+        throw new ServiceError(ERRORS.SIGNUP_NOT_ALLOWED_EMAIL_DOMAIN);
+      }
+    }
+    // Validate the allowed email addresses.
+    if (!isEmpty(config.signupRestrictions.allowedEmails)) {
+      const isAllowed =
+        config.signupRestrictions.allowedEmails.indexOf(email) !== -1;
+
+      if (!isAllowed) {
+        throw new ServiceError(ERRORS.SIGNUP_NOT_ALLOWED_EMAIL_ADDRESS);
+      }
+    }
+    // Throw error if the signup is disabled with no exceptions.
+    if (
+      isEmpty(config.signupRestrictions.allowedDomains) &&
+      isEmpty(config.signupRestrictions.allowedEmails)
+    ) {
+      throw new ServiceError(ERRORS.SIGNUP_RESTRICTED);
+    }
+  }
 }

packages/server/src/services/Authentication/GetAuthMeta.ts

@@ -0,0 +1,16 @@
+import { Service } from 'typedi';
+import { IAuthGetMetaPOJO } from '@/interfaces';
+import config from '@/config';
+
+@Service()
+export class GetAuthMeta {
+  /**
+   * Retrieves the authentication meta for SPA.
+   * @returns {Promise<IAuthGetMetaPOJO>}
+   */
+  public async getAuthMeta(): Promise<IAuthGetMetaPOJO> {
+    return {
+      signupDisabled: config.signupRestrictions.disabled,
+    };
+  }
+}

packages/server/src/services/Authentication/_constants.ts

@@ -7,4 +7,8 @@ export const ERRORS = {
   TOKEN_EXPIRED: 'TOKEN_EXPIRED',
   PHONE_NUMBER_EXISTS: 'PHONE_NUMBER_EXISTS',
   EMAIL_EXISTS: 'EMAIL_EXISTS',
+
+  SIGNUP_NOT_ALLOWED_EMAIL_ADDRESS: 'SIGNUP_NOT_ALLOWED_EMAIL_ADDRESS',
+  SIGNUP_NOT_ALLOWED_EMAIL_DOMAIN: 'SIGNUP_NOT_ALLOWED_EMAIL_DOMAIN',
+  SIGNUP_RESTRICTED: 'SIGNUP_RESTRICTED',
 };