feat(api): disable registration under LPS on signup

api/api/settings.py

@@ -224,9 +224,7 @@ USER_ACTIVATION_REQUIRED = True
 VALIDITY_PERIOD_VERIFICATION_SIGNATURE = timedelta(
     hours=int(os.environ.get("DESECSTACK_API_AUTHACTION_VALIDITY", "0"))
 )
-REGISTER_LPS_ON_SIGNUP = bool(
-    int(os.environ.get("DESECSTACK_API_REGISTER_LPS_ON_SIGNUP", "1"))
-)
+REGISTER_LPS = bool(int(os.environ.get("DESECSTACK_API_REGISTER_LPS", "1")))
 
 # CAPTCHA
 CAPTCHA_VALIDITY_PERIOD = timedelta(hours=24)

api/desecapi/serializers/users.py

@@ -84,14 +84,24 @@ class RegisterAccountSerializer(UserSerializer):
                 serializer.default_error_messages["name_unavailable"],
                 code="name_unavailable",
             )
+        return value
+
+    def validate(self, attrs):
         if (
-            not settings.REGISTER_LPS_ON_SIGNUP
-            and DomainSerializer.Meta.model(name=value).is_locally_registrable
+            not settings.REGISTER_LPS
+            and attrs.get("captcha") is not None
+            and attrs.get("domain") is not None
+            and DomainSerializer.Meta.model(name=attrs["domain"]).is_locally_registrable
         ):
             raise serializers.ValidationError(
-                "Registration during sign-up disabled; please create account without a domain name.",
+                {
+                    "domain": [
+                        DomainSerializer.default_error_messages["name_unavailable"]
+                    ]
+                },
+                code="name_unavailable",
             )
-        return value
+        return super().validate(attrs)
 
     def create(self, validated_data):
         validated_data.pop("domain", None)

api/desecapi/tests/test_user_management.py

@@ -25,6 +25,7 @@ from django.contrib.auth.hashers import is_password_usable
 from django.conf import settings
 from django.core import mail
 from django.core.management import call_command
+from django.test import override_settings
 from django.urls import resolve
 from django.utils import timezone
 from rest_framework import status
@@ -610,6 +611,19 @@ class NoUserAccountTestCase(UserLifeCycleTestCase):
                 domain=self.random_domain_name(suffix=local_public_suffix)
             )
 
+    @override_settings(REGISTER_LPS=False)
+    def test_registration_with_domain_lps_disabled(self):
+        PublicSuffixMockMixin.setUpMockPatch(self)
+        with self.get_psl_context_manager("."):
+            _, _, domain = self._test_registration_with_domain()
+
+        local_public_suffix = random.sample(list(self.AUTO_DELEGATION_DOMAINS), 1)[0]
+        with self.get_psl_context_manager(local_public_suffix):
+            self._test_registration_with_domain(
+                domain=self.random_domain_name(suffix=local_public_suffix),
+                expect_failure_response=self.assertRegistrationFailureDomainUnavailableResponse,
+            )
+
     def test_registration_without_domain_and_password(self):
         email, password = self._test_registration(self.random_username(), None)
         confirmation_link = self.assertResetPasswordEmail(email)
@@ -693,6 +707,20 @@ class NoUserAccountTestCase(UserLifeCycleTestCase):
     def test_registration_late_captcha(self):
         self._test_registration(password=self.random_password(), late_captcha=True)
 
+        PublicSuffixMockMixin.setUpMockPatch(self)
+        local_public_suffix = random.sample(list(self.AUTO_DELEGATION_DOMAINS), 1)[0]
+        # Late captcha sign-up allows domain registration (Nextcloud VM workflow)
+        for register_lps in [True, False]:
+            domain = self.random_domain_name(suffix=local_public_suffix)
+            with (
+                override_settings(REGISTER_LPS=register_lps),
+                self.get_psl_context_manager(local_public_suffix),
+                self.assertRequests(
+                    self.requests_desec_domain_creation_auto_delegation(domain)
+                ),
+            ):
+                self._test_registration(domain=domain, late_captcha=True)
+
 
 class OtherUserAccountTestCase(UserManagementTestCase):
     def setUp(self):

docker-compose.yml

@@ -150,7 +150,7 @@ services:
     - DESECSTACK_API_PCH_API
     - DESECSTACK_API_PCH_API_TOKEN
     - DESECSTACK_API_AUTHACTION_VALIDITY
-    - DESECSTACK_API_REGISTER_LPS_ON_SIGNUP
+    - DESECSTACK_API_REGISTER_LPS
     - DESECSTACK_API_LIMIT_USER_DOMAIN_COUNT_DEFAULT
     - DESECSTACK_DBAPI_PASSWORD_desec
     - DESECSTACK_IPV4_REAR_PREFIX16