From d78e5d05b4c7e4e04843e13de502f30d5654d607 Mon Sep 17 00:00:00 2001
From: LK-maker-007 <singaraj.yali@gmail.com>
Date: Thu, 16 Apr 2026 21:55:42 +0530
Subject: [PATCH] feat: allow OAuth-only self-registration when general
 registration is disabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #8042

## Problem
When an admin sets , users cannot
self-register via OAuth providers (GitHub, Google, etc.) even if the
admin wants to allow OAuth logins as the sole registration method.
This forces admins to either enable registration for everyone or
manually create every user account.

## Solution
Add a new  instance setting that,
when enabled, allows new user accounts to be created via OAuth
even while general password-based registration remains closed.

### Changes
- **Migration**: adds  boolean column
  (default: false) to  table
- **Model** (): registers field in `$fillable` and
  `$casts`
- **OauthController**: updates the registration guard to allow OAuth
  account creation when either flag is true
- **Livewire** (): wires up the new property in
  mount, rules, and instantSave
- **Blade view**: adds an "Allow OAuth Registration" checkbox that
  appears only when general registration is disabled, so the UI
  is contextually clear

### Behaviour
| is_registration_enabled | is_oauth_registration_enabled | Result |
|---|---|---|
| true | any | All registrations allowed |
| false | false | No self-registration (original behaviour) |
| false | true | OAuth-only self-registration allowed |

Existing OAuth users (already have an account) are always able to
log in — this change only controls new account creation.
---
 app/Http/Controllers/OauthController.php      |  6 ++++-
 app/Livewire/Settings/Advanced.php            |  6 +++++
 app/Models/InstanceSettings.php               |  2 ++
 ...auth_registration_to_instance_settings.php | 22 +++++++++++++++++++
 .../livewire/settings/advanced.blade.php      |  6 +++++
 5 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 database/migrations/2026_04_16_000000_add_oauth_registration_to_instance_settings.php

diff --git a/app/Http/Controllers/OauthController.php b/app/Http/Controllers/OauthController.php
index 3a3f18c9c4..bc806c1d1c 100644
--- a/app/Http/Controllers/OauthController.php
+++ b/app/Http/Controllers/OauthController.php
@@ -22,7 +22,10 @@ public function callback(string $provider)
             $user = User::whereEmail($oauthUser->email)->first();
             if (! $user) {
                 $settings = instanceSettings();
-                if (! $settings->is_registration_enabled) {
+                // Allow new user creation via OAuth when either:
+                // 1. General registration is enabled, OR
+                // 2. OAuth-only registration is explicitly enabled
+                if (! $settings->is_registration_enabled && ! $settings->is_oauth_registration_enabled) {
                     abort(403, 'Registration is disabled');
                 }
 
@@ -31,6 +34,7 @@ public function callback(string $provider)
                     'email' => $oauthUser->email,
                 ]);
             }
+
             Auth::login($user);
 
             return redirect('/');
diff --git a/app/Livewire/Settings/Advanced.php b/app/Livewire/Settings/Advanced.php
index d31f688593..80934e87ba 100644
--- a/app/Livewire/Settings/Advanced.php
+++ b/app/Livewire/Settings/Advanced.php
@@ -15,6 +15,9 @@ class Advanced extends Component
     #[Validate('boolean')]
     public bool $is_registration_enabled;
 
+    #[Validate('boolean')]
+    public bool $is_oauth_registration_enabled;
+
     #[Validate('boolean')]
     public bool $do_not_track;
 
@@ -41,6 +44,7 @@ public function rules()
     {
         return [
             'is_registration_enabled' => 'boolean',
+            'is_oauth_registration_enabled' => 'boolean',
             'do_not_track' => 'boolean',
             'is_dns_validation_enabled' => 'boolean',
             'custom_dns_servers' => ['nullable', 'string', new ValidDnsServers],
@@ -62,6 +66,7 @@ public function mount()
         $this->allowed_ips = $this->settings->allowed_ips;
         $this->do_not_track = $this->settings->do_not_track;
         $this->is_registration_enabled = $this->settings->is_registration_enabled;
+        $this->is_oauth_registration_enabled = $this->settings->is_oauth_registration_enabled ?? false;
         $this->is_dns_validation_enabled = $this->settings->is_dns_validation_enabled;
         $this->is_api_enabled = $this->settings->is_api_enabled;
         $this->disable_two_step_confirmation = $this->settings->disable_two_step_confirmation;
@@ -142,6 +147,7 @@ public function instantSave()
     {
         try {
             $this->settings->is_registration_enabled = $this->is_registration_enabled;
+            $this->settings->is_oauth_registration_enabled = $this->is_oauth_registration_enabled;
             $this->settings->do_not_track = $this->do_not_track;
             $this->settings->is_dns_validation_enabled = $this->is_dns_validation_enabled;
             $this->settings->custom_dns_servers = $this->custom_dns_servers;
diff --git a/app/Models/InstanceSettings.php b/app/Models/InstanceSettings.php
index 6061bc8634..0d8fe27c62 100644
--- a/app/Models/InstanceSettings.php
+++ b/app/Models/InstanceSettings.php
@@ -18,6 +18,7 @@ class InstanceSettings extends Model
         'do_not_track',
         'is_auto_update_enabled',
         'is_registration_enabled',
+        'is_oauth_registration_enabled',
         'next_channel',
         'smtp_enabled',
         'smtp_from_address',
@@ -63,6 +64,7 @@ class InstanceSettings extends Model
 
         'allowed_ip_ranges' => 'array',
         'is_auto_update_enabled' => 'boolean',
+        'is_oauth_registration_enabled' => 'boolean',
         'auto_update_frequency' => 'string',
         'update_check_frequency' => 'string',
         'sentinel_token' => 'encrypted',
diff --git a/database/migrations/2026_04_16_000000_add_oauth_registration_to_instance_settings.php b/database/migrations/2026_04_16_000000_add_oauth_registration_to_instance_settings.php
new file mode 100644
index 0000000000..e9415d8527
--- /dev/null
+++ b/database/migrations/2026_04_16_000000_add_oauth_registration_to_instance_settings.php
@@ -0,0 +1,22 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('instance_settings', function (Blueprint $table) {
+            $table->boolean('is_oauth_registration_enabled')->default(false)->after('is_registration_enabled');
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('instance_settings', function (Blueprint $table) {
+            $table->dropColumn('is_oauth_registration_enabled');
+        });
+    }
+};
diff --git a/resources/views/livewire/settings/advanced.blade.php b/resources/views/livewire/settings/advanced.blade.php
index 6c26b453da..2237a08538 100644
--- a/resources/views/livewire/settings/advanced.blade.php
+++ b/resources/views/livewire/settings/advanced.blade.php
@@ -40,7 +40,13 @@ class="flex flex-col h-full gap-8 sm:flex-row">
                                 confirmationLabel="Please type the confirmation text to enable registration."
                                 shortConfirmationLabel="Confirmation text" />
                         </div>
+                        <div class="md:w-96" wire:key="oauth-registration">
+                            <x-forms.checkbox instantSave id="is_oauth_registration_enabled"
+                                helper="Allow users to self-register via OAuth providers (e.g. GitHub, Google) even when general registration is disabled. Existing OAuth logins are always allowed — this only controls new account creation via OAuth."
+                                label="Allow OAuth Registration" />
+                        </div>
                     @endif
+
                     <div class="md:w-96">
                         <x-forms.checkbox instantSave id="do_not_track"
                             helper="Opt out of anonymous usage tracking. When enabled, this instance will not report to coolify.io's installation count and will not send error reports to help improve Coolify."