Rework usage of OIDC auto-registration and email/password registration settings to use constants instead of direct ENV access.

app/controllers/users/omniauth_callbacks_controller.rb

@@ -62,9 +62,6 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   end
 
   def oidc_auto_register_enabled?
-    env_value = ENV['OIDC_AUTO_REGISTER']
-    return true if env_value.nil?
-
-    ActiveModel::Type::Boolean.new.cast(env_value)
+    OIDC_AUTO_REGISTER
   end
 end

app/controllers/users/registrations_controller.rb

@@ -99,9 +99,6 @@ class Users::RegistrationsController < Devise::RegistrationsController
   end
 
   def email_password_registration_allowed?
-    env_value = ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION']
-    return false if env_value.nil?
-
-    ActiveModel::Type::Boolean.new.cast(env_value)
+    ALLOW_EMAIL_PASSWORD_REGISTRATION
   end
 end

app/helpers/application_helper.rb

@@ -140,9 +140,6 @@ module ApplicationHelper
   def email_password_registration_enabled?
     return true unless DawarichSettings.self_hosted?
 
-    env_value = ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION']
-    return false if env_value.nil?
-
-    ActiveModel::Type::Boolean.new.cast(env_value)
+    ALLOW_EMAIL_PASSWORD_REGISTRATION
   end
 end

app/models/concerns/omniauthable.rb

@@ -39,11 +39,7 @@ module Omniauthable
     private
 
     def oidc_auto_register_enabled?
-      # Default to true for backward compatibility
-      env_value = ENV['OIDC_AUTO_REGISTER']
-      return true if env_value.nil?
-
-      ActiveModel::Type::Boolean.new.cast(env_value)
+      OIDC_AUTO_REGISTER
     end
   end
 end

config/initializers/01_constants.rb

@@ -56,3 +56,9 @@ OMNIAUTH_PROVIDERS =
 
 # Custom OIDC provider display name
 OIDC_PROVIDER_NAME = ENV.fetch('OIDC_PROVIDER_NAME', 'Openid Connect').freeze
+
+# OIDC auto-registration setting (default: true for backward compatibility)
+OIDC_AUTO_REGISTER = ENV.fetch('OIDC_AUTO_REGISTER', 'true') == 'true'
+
+# Email/password registration setting (default: false for self-hosted, true for cloud)
+ALLOW_EMAIL_PASSWORD_REGISTRATION = ENV.fetch('ALLOW_EMAIL_PASSWORD_REGISTRATION', 'false') == 'true'

spec/helpers/application_helper_spec.rb

@@ -46,11 +46,8 @@ RSpec.describe ApplicationHelper, type: :helper do
       end
 
       context 'when ALLOW_EMAIL_PASSWORD_REGISTRATION is true' do
-        around do |example|
-          original_value = ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION']
-          ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = 'true'
-          example.run
-          ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = original_value
+        before do
+          stub_const('ALLOW_EMAIL_PASSWORD_REGISTRATION', true)
         end
 
         it 'returns true' do
@@ -59,11 +56,8 @@ RSpec.describe ApplicationHelper, type: :helper do
       end
 
       context 'when ALLOW_EMAIL_PASSWORD_REGISTRATION is false' do
-        around do |example|
-          original_value = ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION']
-          ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = 'false'
-          example.run
-          ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = original_value
+        before do
+          stub_const('ALLOW_EMAIL_PASSWORD_REGISTRATION', false)
         end
 
         it 'returns false' do
@@ -71,12 +65,9 @@ RSpec.describe ApplicationHelper, type: :helper do
         end
       end
 
-      context 'when ALLOW_EMAIL_PASSWORD_REGISTRATION is not set' do
-        around do |example|
-          original_value = ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION']
-          ENV.delete('ALLOW_EMAIL_PASSWORD_REGISTRATION')
-          example.run
-          ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = original_value
+      context 'when ALLOW_EMAIL_PASSWORD_REGISTRATION is not set (default)' do
+        before do
+          stub_const('ALLOW_EMAIL_PASSWORD_REGISTRATION', false)
         end
 
         it 'returns false (default)' do

spec/requests/users/omniauth_callbacks_spec.rb

@@ -65,11 +65,8 @@ RSpec.describe 'Users::OmniauthCallbacks', type: :request do
     include_examples 'successful OAuth authentication', :openid_connect, 'OpenID Connect'
 
     context 'when OIDC auto-registration is disabled' do
-      around do |example|
-        original_value = ENV['OIDC_AUTO_REGISTER']
-        ENV['OIDC_AUTO_REGISTER'] = 'false'
-        example.run
-        ENV['OIDC_AUTO_REGISTER'] = original_value
+      before do
+        stub_const('OIDC_AUTO_REGISTER', false)
       end
 
       context "when user doesn't exist" do

spec/requests/users/registrations_spec.rb

@@ -142,7 +142,7 @@ RSpec.describe 'Users::Registrations', type: :request do
 
     context 'when accessing registration without invitation token and email/password registration disabled' do
       before do
-        allow(ENV).to receive(:[]).with('ALLOW_EMAIL_PASSWORD_REGISTRATION').and_return(nil)
+        stub_const('ALLOW_EMAIL_PASSWORD_REGISTRATION', false)
       end
 
       it 'redirects to root with error message' do
@@ -169,11 +169,8 @@ RSpec.describe 'Users::Registrations', type: :request do
     end
 
     context 'when email/password registration is enabled' do
-      around do |example|
-        original_value = ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION']
-        ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = 'true'
-        example.run
-        ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = original_value
+      before do
+        stub_const('ALLOW_EMAIL_PASSWORD_REGISTRATION', true)
       end
 
       it 'allows registration page access' do