From 8ff555d597504a132e579dfafa5f90ddfb429338 Mon Sep 17 00:00:00 2001
From: lafleur <lafleur@boum.org>
Date: Thu, 26 Oct 2023 16:51:54 +0800
Subject: [PATCH 1/2] add registration_token in default cfg and README

---
 DEPLOY.md            | 5 +++++
 conduit-example.toml | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/DEPLOY.md b/DEPLOY.md
index cb318eee..f1b9a3a9 100644
--- a/DEPLOY.md
+++ b/DEPLOY.md
@@ -171,6 +171,11 @@ max_request_size = 20_000_000 # in bytes
 # Enables registration. If set to false, no users can register on this server.
 allow_registration = true
 
+# A static registration token that new users will have to provide when creating
+# an account. If unset and `allow_registration` is true, registration is open
+# without any condition. YOU NEED TO EDIT THIS
+registration_token = "change this token for something specific to your server"
+
 allow_federation = true
 allow_check_for_updates = true
 
diff --git a/conduit-example.toml b/conduit-example.toml
index 836db654..b8177381 100644
--- a/conduit-example.toml
+++ b/conduit-example.toml
@@ -38,6 +38,11 @@ max_request_size = 20_000_000 # in bytes
 # Enables registration. If set to false, no users can register on this server.
 allow_registration = true
 
+# A static registration token that new users will have to provide when creating
+# an account. If unset and `allow_registration` is true, registration is open
+# without any condition. YOU NEED TO EDIT THIS
+registration_token = "change this token for something specific to your server"
+
 allow_federation = true
 allow_check_for_updates = true
 
-- 
2.45.2


From 5a407ef387b15f57ca163ec0fe93f8cdbac2b306 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20K=C3=B6sters?= <timo@koesters.xyz>
Date: Wed, 24 Jan 2024 18:44:00 +0100
Subject: [PATCH 2/2] improvement: registration token now only works when
 registration is enabled

---
 src/api/client_server/account.rs | 47 ++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 18 deletions(-)

diff --git a/src/api/client_server/account.rs b/src/api/client_server/account.rs
index 46551305..4e6b6b97 100644
--- a/src/api/client_server/account.rs
+++ b/src/api/client_server/account.rs
@@ -74,10 +74,7 @@ pub async fn get_register_available_route(
 /// - Creates a new account and populates it with default account data
 /// - If `inhibit_login` is false: Creates a device and returns device id and access_token
 pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<register::v3::Response> {
-    if !services().globals.allow_registration()
-        && !body.from_appservice
-        && services().globals.config.registration_token.is_none()
-    {
+    if !services().globals.allow_registration() && !body.from_appservice {
         return Err(Error::BadRequest(
             ErrorKind::Forbidden,
             "Registration has been disabled.",
@@ -122,21 +119,35 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
     };
 
     // UIAA
-    let mut uiaainfo = UiaaInfo {
-        flows: vec![AuthFlow {
-            stages: if services().globals.config.registration_token.is_some() {
-                vec![AuthType::RegistrationToken]
-            } else {
-                vec![AuthType::Dummy]
-            },
-        }],
-        completed: Vec::new(),
-        params: Default::default(),
-        session: None,
-        auth_error: None,
-    };
+    let mut uiaainfo;
+    let skip_auth;
+    if services().globals.config.registration_token.is_some() {
+        // Registration token required
+        uiaainfo = UiaaInfo {
+            flows: vec![AuthFlow {
+                stages: vec![AuthType::RegistrationToken],
+            }],
+            completed: Vec::new(),
+            params: Default::default(),
+            session: None,
+            auth_error: None,
+        };
+        skip_auth = body.from_appservice;
+    } else {
+        // No registration token necessary, but clients must still go through the flow
+        uiaainfo = UiaaInfo {
+            flows: vec![AuthFlow {
+                stages: vec![AuthType::Dummy],
+            }],
+            completed: Vec::new(),
+            params: Default::default(),
+            session: None,
+            auth_error: None,
+        };
+        skip_auth = body.from_appservice || is_guest;
+    }
 
-    if !body.from_appservice && !is_guest {
+    if !skip_auth {
         if let Some(auth) = &body.auth {
             let (worked, uiaainfo) = services().uiaa.try_auth(
                 &UserId::parse_with_server_name("", services().globals.server_name())
-- 
2.45.2