From 406f481a5794f0c1f56ffaa91fe5becefb69be0d Mon Sep 17 00:00:00 2001 From: ScreenTinker Date: Mon, 8 Jun 2026 10:29:08 -0500 Subject: [PATCH] docs: surface DISABLE_REGISTRATION self-hosting flag (#11) DISABLE_REGISTRATION already closes public self-service signup (first-user setup on an empty DB still allowed) and the login page already hides its "Create account" button when it's set - but the flag was easy to miss: it was in the README env-var table yet absent from .env.example (the file self-hosters actually copy) and from the README systemd unit example. - .env.example: document DISABLE_REGISTRATION + DISABLE_HOMEPAGE under the Self-hosting section. - README: add commented Environment= lines for both to the systemd example, noting the login UI hides the signup button to match. Docs only - no code change. Backend gate (routes/auth.js canRegister + /auth/config registration_enabled) and the login.js hiding already behave correctly; verified registration_enabled flips to false under the flag. Closes #11. --- .env.example | 11 +++++++++++ README.md | 7 +++++++ 2 files changed, 18 insertions(+) diff --git a/.env.example b/.env.example index 5fb7d49..fc13357 100644 --- a/.env.example +++ b/.env.example @@ -11,6 +11,17 @@ # instance never emits mail from a domain that isn't yours. SELF_HOSTED=true +# Close public self-service registration — for instances where all accounts are +# provisioned by your team (admin "Add user" / invites). When true, the public +# signup route is blocked (OAuth auto-signup with it) AND the login page hides +# its "Create account" button so the UI matches the backend. First-user setup on +# an empty DB is still allowed so a fresh install can be initialized. +# DISABLE_REGISTRATION=true + +# Redirect "/" to the app (/app) instead of serving the marketing landing page. +# For internal-only deployments that don't want the public homepage shown. +# DISABLE_HOMEPAGE=true + # Where new-signup admin notifications are sent. Leave UNSET to disable admin # notifications entirely — the user's welcome email is unaffected. Self-hosters # who want to be notified of signups set this to their own address. diff --git a/README.md b/README.md index c5d2384..bb2f674 100644 --- a/README.md +++ b/README.md @@ -243,6 +243,13 @@ Restart=always Environment=PORT=3001 Environment=NODE_ENV=production Environment=SELF_HOSTED=true +# Lock down an internal / provisioned-only instance (all accounts created by your +# team). DISABLE_REGISTRATION closes self-service signup — first-user setup on an +# empty DB is still allowed, and the login page hides its "Create account" button +# to match. DISABLE_HOMEPAGE sends `/` straight to the app instead of the +# marketing landing page. +# Environment=DISABLE_REGISTRATION=true +# Environment=DISABLE_HOMEPAGE=true # Environment=APP_URL=https://signage.yourcompany.com # Environment=STRIPE_SECRET_KEY=sk_live_... # Environment=STRIPE_WEBHOOK_SECRET=whsec_...