bknd-io · dswbx · Mar 14, 2026 · Dec 6, 2025
diff --git a/app/src/auth/api/AuthController.ts b/app/src/auth/api/AuthController.ts
@@ -199,7 +199,12 @@ export class AuthController extends Controller {
       for (const [name, strategy] of Object.entries(strategies)) {
          if (!this.auth.isStrategyEnabled(strategy)) continue;
 
-         hono.route(`/${name}`, strategy.getController(this.auth.authenticator));
+         hono.route(
+            `/${name}`,
+            strategy.getController(this.auth.authenticator, {
+               allow_register: this.auth.config.allow_register,
+            }),
+         );
          this.registerStrategyActions(strategy, hono);
       }
 
@@ -305,7 +310,9 @@ export class AuthController extends Controller {
             await c.context.ctx().helper.granted(c, AuthPermissions.testPassword);
 
             const pw = this.auth.authenticator.strategy("password") as PasswordStrategy;
-            const controller = pw.getController(this.auth.authenticator);
+            const controller = pw.getController(this.auth.authenticator, {
+               allow_register: this.auth.config.allow_register,
+            });
 
             const res = await controller.request(
                new Request("https://localhost/login", {

diff --git a/app/src/auth/authenticate/strategies/PasswordStrategy.ts b/app/src/auth/authenticate/strategies/PasswordStrategy.ts
@@ -87,7 +87,7 @@ export class PasswordStrategy extends AuthStrategy<typeof schema> {
       };
    }
 
-   getController(authenticator: Authenticator): Hono<any> {
+   getController(authenticator: Authenticator, opts: { allow_register?: boolean }): Hono<any> {
       const hono = new Hono();
       const redirectQuerySchema = s.object({
          redirect: s.string().optional(),
@@ -120,41 +120,43 @@ export class PasswordStrategy extends AuthStrategy<typeof schema> {
          },
       );
 
-      hono.post(
-         "/register",
-         describeRoute({
-            summary: "Register a new user with email and password",
-            tags: ["auth"],
-         }),
-         jsc("query", redirectQuerySchema),
-         async (c) => {
-            try {
-               const { redirect } = c.req.valid("query");
-               const { password, email, ...body } = parse(
-                  payloadSchema,
-                  await authenticator.getBody(c),
-                  {
-                     onError: (errors) => {
-                        $console.error("Invalid register payload", [...errors]);
-                        new InvalidCredentialsException();
+      if (opts.allow_register) {
+         hono.post(
+            "/register",
+            describeRoute({
+               summary: "Register a new user with email and password",
+               tags: ["auth"],
+            }),
+            jsc("query", redirectQuerySchema),
+            async (c) => {
+               try {
+                  const { redirect } = c.req.valid("query");
+                  const { password, email, ...body } = parse(
+                     payloadSchema,
+                     await authenticator.getBody(c),
+                     {
+                        onError: (errors) => {
+                           $console.error("Invalid register payload", [...errors]);
+                           new InvalidCredentialsException();
+                        },
                      },
-                  },
-               );
-
-               const profile = {
-                  ...body,
-                  email,
-                  strategy_value: await this.hash(password),
-               };
-
-               return await authenticator.resolveRegister(c, this, profile, async () => void 0, {
-                  redirect,
-               });
-            } catch (e) {
-               return authenticator.respondWithError(c, e as any);
-            }
-         },
-      );
+                  );
+
+                  const profile = {
+                     ...body,
+                     email,
+                     strategy_value: await this.hash(password),
+                  };
+
+                  return await authenticator.resolveRegister(c, this, profile, async () => void 0, {
+                     redirect,
+                  });
+               } catch (e) {
+                  return authenticator.respondWithError(c, e as any);
+               }
+            },
+         );
+      }
 
       return hono;
    }

diff --git a/app/src/auth/authenticate/strategies/Strategy.ts b/app/src/auth/authenticate/strategies/Strategy.ts
@@ -36,7 +36,7 @@ export abstract class AuthStrategy<Schema extends s.Schema = s.Schema> {
 
    protected abstract getSchema(): Schema;
 
-   abstract getController(auth: Authenticator): Hono;
+   abstract getController(auth: Authenticator, opts: { allow_register?: boolean }): Hono;
 
    getType(): string {
       return this.type;

diff --git a/app/src/auth/authenticate/strategies/oauth/OAuthStrategy.ts b/app/src/auth/authenticate/strategies/oauth/OAuthStrategy.ts
@@ -284,7 +284,7 @@ export class OAuthStrategy extends AuthStrategy<typeof schemaProvided> {
       }
    }
 
-   getController(auth: Authenticator): Hono<any> {
+   getController(auth: Authenticator, opts: { allow_register?: boolean }): Hono<any> {
       const hono = new Hono();
       const secret = "secret";
       const cookie_name = "_challenge";
@@ -379,6 +379,10 @@ export class OAuthStrategy extends AuthStrategy<typeof schemaProvided> {
             return c.notFound();
          }
 
+         if (action === "register" && !opts.allow_register) {
+            return c.notFound();
+         }
+
          const url = new URL(c.req.url);
          const path = url.pathname.replace(`/${action}`, "");
          const redirect_uri = url.origin + path + "/callback";