feat-add-signup-to-dex

Author: oasisk

README.md

@@ -127,6 +127,106 @@ Please see our [security policy](.github/SECURITY.md) for details about reportin
 [issue-1065]: https://github.com/dexidp/dex/issues/1065
 [release-notes]: https://github.com/dexidp/dex/releases
 
+## Custom Signup Feature (Fork Addition)
+
+This fork includes a custom user signup feature that allows users to register with email and password.
+
+### Configuration
+
+Enable the signup feature in your `config.yaml`:
+
+```yaml
+enablePasswordDB: true  # Required
+enableSignup: true      # Enables signup
+```
+
+### API Endpoint
+
+**Create a new user:**
+```bash
+curl -X POST http://127.0.0.1:5556/dex/signup \
+  -H "Content-Type: application/json" \
+  -d '{
+    "email": "[email protected]",
+    "username": "username",
+    "password": "password123"
+  }'
+```
+
+**Response:**
+```json
+{
+  "user_id": "generated-id",
+  "email": "[email protected]",
+  "username": "username",
+  "message": "User created successfully"
+}
+```
+
+### UI Access
+
+- Signup page: `http://127.0.0.1:5556/dex/signup`
+- Signup links automatically appear on login pages when enabled
+
+### Validation Rules
+
+- Email: Required, valid format
+- Password: Minimum 8 characters
+- Username: Required
+- Duplicate emails rejected with 409 Conflict
+
+### Security
+
+- Passwords hashed with bcrypt (cost 10)
+- Emails stored in lowercase
+- Request body size limit (1MB)
+- Input validation and sanitization
+
+### Code Organization
+
+The signup feature is modularized to minimize merge conflicts with upstream:
+
+**New Files:**
+- `server/handlers_signup.go` - Complete signup implementation
+- `web/templates/signup.html` - Signup form template
+
+**Modified Files (minimal changes):**
+- `cmd/dex/config.go` - Config field + validation
+- `server/server.go` - Field + route registration
+- `server/templates.go` - Template rendering
+- `web/templates/login.html` & `password.html` - Conditional signup links
+
+### Testing
+
+```bash
+# Run signup tests
+go test ./server -run TestHandleSignup -v
+
+# Build and start
+go build -o bin/dex ./cmd/dex
+./bin/dex serve config.dev.yaml
+
+# Test API
+curl -X POST http://127.0.0.1:5556/dex/signup \
+  -H "Content-Type: application/json" \
+  -d '{"email":"[email protected]","username":"test","password":"password123"}'
+
+# Verify in database
+sqlite3 var/sqlite/dex.db "SELECT email, username FROM password;"
+```
+
+### Syncing with Upstream
+
+When syncing with upstream dexidp/dex:
+
+1. **No conflict files**: `handlers_signup.go`, `signup.html` (completely custom)
+2. **Potential conflicts**: Config, server struct, templates
+3. **Resolution**: Re-add the `enableSignup` field and route registration lines
+
+The modular structure isolates ~350 lines of custom code with only ~45 lines of integration changes across 6 existing files.
+
+---
+
 ## Development
 
 When all coding and testing is done, please run the test suite:

cmd/dex/config.go

@@ -51,6 +51,12 @@ type Config struct {
 	// querying the storage. Cannot be specified without enabling a passwords
 	// database.
 	StaticPasswords []password `json:"staticPasswords"`
+
+	// If enabled, allows users to sign up with email and password via REST API.
+	// Requires EnablePasswordDB to be true.
+	EnableSignup bool `json:"enableSignup"`
+
+	HiddenConnectors []string `json:"hiddenConnectors"`
 }
 
 // Validate the configuration
@@ -62,6 +68,7 @@ func (c Config) Validate() error {
 	}{
 		{c.Issuer == "", "no issuer specified in config file"},
 		{!c.EnablePasswordDB && len(c.StaticPasswords) != 0, "cannot specify static passwords without enabling password db"},
+		{c.EnableSignup && !c.EnablePasswordDB, "cannot enable signup without enabling password db"},
 		{c.Storage.Config == nil, "no storage supplied in config file"},
 		{c.Web.HTTP == "" && c.Web.HTTPS == "", "must supply a HTTP/HTTPS  address to listen on"},
 		{c.Web.HTTPS != "" && c.Web.TLSCert == "", "no cert specified for HTTPS"},

cmd/dex/serve.go

@@ -296,6 +296,7 @@ func runServe(options serveOptions) error {
 		SkipApprovalScreen:         c.OAuth2.SkipApprovalScreen,
 		AlwaysShowLoginScreen:      c.OAuth2.AlwaysShowLoginScreen,
 		PasswordConnector:          c.OAuth2.PasswordConnector,
+		EnableSignup:               c.EnableSignup,
 		Headers:                    c.Web.Headers.ToHTTPHeader(),
 		AllowedOrigins:             c.Web.AllowedOrigins,
 		AllowedHeaders:             c.Web.AllowedHeaders,

config.dev.yaml

@@ -28,6 +28,10 @@ connectors:
 
 enablePasswordDB: true
 
+# Enable user signup via REST API (POST /signup)
+# Requires enablePasswordDB to be true
+enableSignup: true
+
 staticPasswords:
   - email: "[email protected]"
     hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"

config.test.yaml

@@ -0,0 +1,39 @@
+issuer: http://127.0.0.1:5556/dex
+
+storage:
+  type: sqlite3
+  config:
+    file: var/sqlite/dex.db
+
+web:
+  http: 127.0.0.1:5556
+
+telemetry:
+  http: 127.0.0.1:5558
+
+grpc:
+  addr: 127.0.0.1:5557
+
+staticClients:
+  - id: example-app
+    redirectURIs:
+      - 'http://127.0.0.1:5555/callback'
+    name: 'Example App'
+    secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+
+connectors:
+  - type: mockCallback
+    id: mock
+    name: Example
+
+enablePasswordDB: true
+
+# Enable user signup via REST API (POST /signup)
+# Requires enablePasswordDB to be true
+enableSignup: false
+
+staticPasswords:
+  - email: "[email protected]"
+    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+    username: "admin"
+    userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

config.yaml.dist

@@ -131,6 +131,11 @@ web:
 # login credentials in Dex's store.
 enablePasswordDB: true
 
+# Enable user signup via REST API endpoint (POST /signup).
+# This allows users to register with email and password.
+# Requires enablePasswordDB to be true.
+# enableSignup: false
+
 # If this option isn't chosen users may be added through the gRPC API.
 # A static list of passwords for the password connector.
 #

server/handlers.go

@@ -80,6 +80,7 @@ type discovery struct {
 	UserInfo          string   `json:"userinfo_endpoint"`
 	DeviceEndpoint    string   `json:"device_authorization_endpoint"`
 	Introspect        string   `json:"introspection_endpoint"`
+	Registration      string   `json:"registration_endpoint"`
 	GrantTypes        []string `json:"grant_types_supported"`
 	ResponseTypes     []string `json:"response_types_supported"`
 	Subjects          []string `json:"subject_types_supported"`
@@ -114,6 +115,7 @@ func (s *Server) constructDiscovery() discovery {
 		UserInfo:          s.absURL("/userinfo"),
 		DeviceEndpoint:    s.absURL("/device/code"),
 		Introspect:        s.absURL("/token/introspect"),
+		Registration:      s.absURL("/register"),
 		Subjects:          []string{"public"},
 		IDTokenAlgs:       []string{string(jose.RS256)},
 		CodeChallengeAlgs: []string{codeChallengeMethodS256, codeChallengeMethodPlain},
@@ -190,7 +192,7 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if err := s.templates.login(r, w, connectorInfos); err != nil {
+	if err := s.templates.login(r, w, connectorInfos, s.enableSignup); err != nil {
 		s.logger.ErrorContext(r.Context(), "server template error", "err", err)
 	}
 }
@@ -363,7 +365,7 @@ func (s *Server) handlePasswordLogin(w http.ResponseWriter, r *http.Request) {
 
 	switch r.Method {
 	case http.MethodGet:
-		if err := s.templates.password(r, w, r.URL.String(), "", usernamePrompt(pwConn), false, backLink); err != nil {
+		if err := s.templates.password(r, w, r.URL.String(), "", usernamePrompt(pwConn), false, backLink, s.enableSignup); err != nil {
 			s.logger.ErrorContext(r.Context(), "server template error", "err", err)
 		}
 	case http.MethodPost:
@@ -378,7 +380,7 @@ func (s *Server) handlePasswordLogin(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		if !ok {
-			if err := s.templates.password(r, w, r.URL.String(), username, usernamePrompt(pwConn), true, backLink); err != nil {
+			if err := s.templates.password(r, w, r.URL.String(), username, usernamePrompt(pwConn), true, backLink, s.enableSignup); err != nil {
 				s.logger.ErrorContext(r.Context(), "server template error", "err", err)
 			}
 			s.logger.ErrorContext(r.Context(), "failed login attempt: Invalid credentials.", "user", username)