feat(api): disable registration under LPS on signup

2024-01-12 11:55:32 +01:00 · 2024-01-12 11:55:32 +01:00 · 4fff0ae171
commit 4fff0ae171
parent 97b7191465
4 changed files with 44 additions and 8 deletions
--- a/api/api/settings.py
+++ b/api/api/settings.py
@ -224,9 +224,7 @@ USER_ACTIVATION_REQUIRED = True
 VALIDITY_PERIOD_VERIFICATION_SIGNATURE = timedelta(
    hours=int(os.environ.get("DESECSTACK_API_AUTHACTION_VALIDITY", "0"))
 )
-REGISTER_LPS_ON_SIGNUP = bool(
-    int(os.environ.get("DESECSTACK_API_REGISTER_LPS_ON_SIGNUP", "1"))
-)
+REGISTER_LPS = bool(int(os.environ.get("DESECSTACK_API_REGISTER_LPS", "1")))

 # CAPTCHA
 CAPTCHA_VALIDITY_PERIOD = timedelta(hours=24)
--- a/api/desecapi/serializers/users.py
+++ b/api/desecapi/serializers/users.py
@ -84,14 +84,24 @@ class RegisterAccountSerializer(UserSerializer):
                serializer.default_error_messages["name_unavailable"],
                code="name_unavailable",
            )
+        return value
+
+    def validate(self, attrs):
        if (
-            not settings.REGISTER_LPS_ON_SIGNUP
-            and DomainSerializer.Meta.model(name=value).is_locally_registrable
+            not settings.REGISTER_LPS
+            and attrs.get("captcha") is not None
+            and attrs.get("domain") is not None
+            and DomainSerializer.Meta.model(name=attrs["domain"]).is_locally_registrable
        ):
            raise serializers.ValidationError(
-                "Registration during sign-up disabled; please create account without a domain name.",
+                {
+                    "domain": [
+                        DomainSerializer.default_error_messages["name_unavailable"]
+                    ]
+                },
+                code="name_unavailable",
            )
-        return value
+        return super().validate(attrs)

    def create(self, validated_data):
        validated_data.pop("domain", None)
--- a/api/desecapi/tests/test_user_management.py
+++ b/api/desecapi/tests/test_user_management.py
@ -25,6 +25,7 @@ from django.contrib.auth.hashers import is_password_usable
 from django.conf import settings
 from django.core import mail
 from django.core.management import call_command
+from django.test import override_settings
 from django.urls import resolve
 from django.utils import timezone
 from rest_framework import status
@ -610,6 +611,19 @@ class NoUserAccountTestCase(UserLifeCycleTestCase):
                domain=self.random_domain_name(suffix=local_public_suffix)
            )

+    @override_settings(REGISTER_LPS=False)
+    def test_registration_with_domain_lps_disabled(self):
+        PublicSuffixMockMixin.setUpMockPatch(self)
+        with self.get_psl_context_manager("."):
+            _, _, domain = self._test_registration_with_domain()
+
+        local_public_suffix = random.sample(list(self.AUTO_DELEGATION_DOMAINS), 1)[0]
+        with self.get_psl_context_manager(local_public_suffix):
+            self._test_registration_with_domain(
+                domain=self.random_domain_name(suffix=local_public_suffix),
+                expect_failure_response=self.assertRegistrationFailureDomainUnavailableResponse,
+            )
+
    def test_registration_without_domain_and_password(self):
        email, password = self._test_registration(self.random_username(), None)
        confirmation_link = self.assertResetPasswordEmail(email)
@ -693,6 +707,20 @@ class NoUserAccountTestCase(UserLifeCycleTestCase):
    def test_registration_late_captcha(self):
        self._test_registration(password=self.random_password(), late_captcha=True)

+        PublicSuffixMockMixin.setUpMockPatch(self)
+        local_public_suffix = random.sample(list(self.AUTO_DELEGATION_DOMAINS), 1)[0]
+        # Late captcha sign-up allows domain registration (Nextcloud VM workflow)
+        for register_lps in [True, False]:
+            domain = self.random_domain_name(suffix=local_public_suffix)
+            with (
+                override_settings(REGISTER_LPS=register_lps),
+                self.get_psl_context_manager(local_public_suffix),
+                self.assertRequests(
+                    self.requests_desec_domain_creation_auto_delegation(domain)
+                ),
+            ):
+                self._test_registration(domain=domain, late_captcha=True)
+

 class OtherUserAccountTestCase(UserManagementTestCase):
    def setUp(self):
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -150,7 +150,7 @@ services:
    - DESECSTACK_API_PCH_API
    - DESECSTACK_API_PCH_API_TOKEN
    - DESECSTACK_API_AUTHACTION_VALIDITY
-    - DESECSTACK_API_REGISTER_LPS_ON_SIGNUP
+    - DESECSTACK_API_REGISTER_LPS
    - DESECSTACK_API_LIMIT_USER_DOMAIN_COUNT_DEFAULT
    - DESECSTACK_DBAPI_PASSWORD_desec
    - DESECSTACK_IPV4_REAR_PREFIX16