From ee931d546eaca569edd7723f07cefacabe8e46ee Mon Sep 17 00:00:00 2001
From: forehalo
Date: Tue, 3 Jun 2025 08:53:00 +0000
Subject: [PATCH] fix(server): oauth should follow sign up restriction (#12683)

## Summary by CodeRabbit
- **New Features**
- Enforced signup restrictions for OAuth login based on configuration settings. Users will not be able to sign up via OAuth if signup is disabled by the administrator.
- **Bug Fixes**
- Improved error handling during OAuth login when signup is not permitted.
---
.../backend/server/src/plugins/oauth/controller.ts | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/packages/backend/server/src/plugins/oauth/controller.ts b/packages/backend/server/src/plugins/oauth/controller.ts
index 888390f311..5664589c1f 100644
--- a/packages/backend/server/src/plugins/oauth/controller.ts
+++ b/packages/backend/server/src/plugins/oauth/controller.ts
@@ -13,11 +13,13 @@ import { ConnectedAccount } from '@prisma/client';
 import type { Request, Response } from 'express';
 import {
+ Config,
 InvalidAuthState,
 InvalidOauthCallbackState,
 MissingOauthQueryParameter,
 OauthAccountAlreadyConnected,
 OauthStateExpired,
+ SignUpForbidden,
 UnknownOauthProvider,
 URLHelper,
 UseNamedGuard,
@@ -38,7 +40,8 @@ export class OAuthController {
 private readonly oauth: OAuthService,
 private readonly models: Models,
 private readonly providerFactory: OAuthProviderFactory,
- private readonly url: URLHelper
+ private readonly url: URLHelper,
+ private readonly config: Config
 ) {}
 @Public()
@@ -184,7 +187,7 @@ export class OAuthController {
 }
 const externAccount = await provider.getUser(tokens, state);
- const user = await this.loginFromOauth(
+ const user = await this.getOrCreateUserFromOauth(
 state.provider,
 externAccount,
 tokens
@@ -205,7 +208,7 @@ export class OAuthController {
 });
 }
- private async loginFromOauth(
+ private async getOrCreateUserFromOauth(
 provider: OAuthProviderName,
 externalAccount: OAuthAccount,
 tokens
@@ -221,6 +224,10 @@ export class OAuthController {
 return connectedAccount.user;
 }
+ if (!this.config.auth.allowSignup) {
+ throw new SignUpForbidden();
+ }
+
 const user = await this.models.user.fulfill(externalAccount.email, {
 avatarUrl: externalAccount.avatarUrl,
 });
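Review bot: The new `allowSignup` guard rejects more than sign-ups: it runs after the connected-account early return but before `this.models.user.fulfill(externalAccount.email, …)`, so if `fulfill` resolves an existing user by email (as its name suggests — verify against the user model), a user who already has an account and is linking this OAuth provider for the first time now gets `SignUpForbidden` even though no new account would be created. Narrowing the check to the create path — resolve the email to an existing user first and only throw when none exists, e.g. `if (!existing && !this.config.auth.allowSignup) throw new SignUpForbidden();` — keeps the restriction on account creation without locking existing users out of OAuth linking. Placing the check after the connected-account lookup is right for already-linked users, so that ordering should stay. getOrCreateUserFromOauth begins in the previous hunk and its body continues past this one.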