From 52eb80503d2717e8bc203d440b48d0965e92ebe7 Mon Sep 17 00:00:00 2001
From: Eugene Burmakin <iamfrey@gmail.com>
Date: Mon, 24 Nov 2025 20:04:31 +0100
Subject: [PATCH] Rework usage of OIDC auto-registration and email/password
 registration settings to use constants instead of direct ENV access.

---
 .../users/omniauth_callbacks_controller.rb    |  5 +---
 .../users/registrations_controller.rb         |  5 +---
 app/helpers/application_helper.rb             |  5 +---
 app/models/concerns/omniauthable.rb           |  6 +----
 config/initializers/01_constants.rb           |  6 +++++
 spec/helpers/application_helper_spec.rb       | 23 ++++++-------------
 .../requests/users/omniauth_callbacks_spec.rb |  7 ++----
 spec/requests/users/registrations_spec.rb     |  9 +++-----
 8 files changed, 22 insertions(+), 44 deletions(-)

diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index d24f4ea3..75fd0988 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -62,9 +62,6 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   end
 
   def oidc_auto_register_enabled?
-    env_value = ENV['OIDC_AUTO_REGISTER']
-    return true if env_value.nil?
-
-    ActiveModel::Type::Boolean.new.cast(env_value)
+    OIDC_AUTO_REGISTER
   end
 end
diff --git a/app/controllers/users/registrations_controller.rb b/app/controllers/users/registrations_controller.rb
index 518d4c4d..b29b31b4 100644
--- a/app/controllers/users/registrations_controller.rb
+++ b/app/controllers/users/registrations_controller.rb
@@ -99,9 +99,6 @@ class Users::RegistrationsController < Devise::RegistrationsController
   end
 
   def email_password_registration_allowed?
-    env_value = ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION']
-    return false if env_value.nil?
-
-    ActiveModel::Type::Boolean.new.cast(env_value)
+    ALLOW_EMAIL_PASSWORD_REGISTRATION
   end
 end
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 268bb714..970a549b 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -140,9 +140,6 @@ module ApplicationHelper
   def email_password_registration_enabled?
     return true unless DawarichSettings.self_hosted?
 
-    env_value = ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION']
-    return false if env_value.nil?
-
-    ActiveModel::Type::Boolean.new.cast(env_value)
+    ALLOW_EMAIL_PASSWORD_REGISTRATION
   end
 end
diff --git a/app/models/concerns/omniauthable.rb b/app/models/concerns/omniauthable.rb
index c94aea5a..45fc612d 100644
--- a/app/models/concerns/omniauthable.rb
+++ b/app/models/concerns/omniauthable.rb
@@ -39,11 +39,7 @@ module Omniauthable
     private
 
     def oidc_auto_register_enabled?
-      # Default to true for backward compatibility
-      env_value = ENV['OIDC_AUTO_REGISTER']
-      return true if env_value.nil?
-
-      ActiveModel::Type::Boolean.new.cast(env_value)
+      OIDC_AUTO_REGISTER
     end
   end
 end
diff --git a/config/initializers/01_constants.rb b/config/initializers/01_constants.rb
index 53644b1e..f7b0ba98 100644
--- a/config/initializers/01_constants.rb
+++ b/config/initializers/01_constants.rb
@@ -56,3 +56,9 @@ OMNIAUTH_PROVIDERS =
 
 # Custom OIDC provider display name
 OIDC_PROVIDER_NAME = ENV.fetch('OIDC_PROVIDER_NAME', 'Openid Connect').freeze
+
+# OIDC auto-registration setting (default: true for backward compatibility)
+OIDC_AUTO_REGISTER = ENV.fetch('OIDC_AUTO_REGISTER', 'true') == 'true'
+
+# Email/password registration setting (default: false for self-hosted, true for cloud)
+ALLOW_EMAIL_PASSWORD_REGISTRATION = ENV.fetch('ALLOW_EMAIL_PASSWORD_REGISTRATION', 'false') == 'true'
diff --git a/spec/helpers/application_helper_spec.rb b/spec/helpers/application_helper_spec.rb
index 5a06a6c8..25f8068b 100644
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -46,11 +46,8 @@ RSpec.describe ApplicationHelper, type: :helper do
       end
 
       context 'when ALLOW_EMAIL_PASSWORD_REGISTRATION is true' do
-        around do |example|
-          original_value = ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION']
-          ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = 'true'
-          example.run
-          ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = original_value
+        before do
+          stub_const('ALLOW_EMAIL_PASSWORD_REGISTRATION', true)
         end
 
         it 'returns true' do
@@ -59,11 +56,8 @@ RSpec.describe ApplicationHelper, type: :helper do
       end
 
       context 'when ALLOW_EMAIL_PASSWORD_REGISTRATION is false' do
-        around do |example|
-          original_value = ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION']
-          ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = 'false'
-          example.run
-          ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = original_value
+        before do
+          stub_const('ALLOW_EMAIL_PASSWORD_REGISTRATION', false)
         end
 
         it 'returns false' do
@@ -71,12 +65,9 @@ RSpec.describe ApplicationHelper, type: :helper do
         end
       end
 
-      context 'when ALLOW_EMAIL_PASSWORD_REGISTRATION is not set' do
-        around do |example|
-          original_value = ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION']
-          ENV.delete('ALLOW_EMAIL_PASSWORD_REGISTRATION')
-          example.run
-          ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = original_value
+      context 'when ALLOW_EMAIL_PASSWORD_REGISTRATION is not set (default)' do
+        before do
+          stub_const('ALLOW_EMAIL_PASSWORD_REGISTRATION', false)
         end
 
         it 'returns false (default)' do
diff --git a/spec/requests/users/omniauth_callbacks_spec.rb b/spec/requests/users/omniauth_callbacks_spec.rb
index 1ba8e0f4..e2dc5814 100644
--- a/spec/requests/users/omniauth_callbacks_spec.rb
+++ b/spec/requests/users/omniauth_callbacks_spec.rb
@@ -65,11 +65,8 @@ RSpec.describe 'Users::OmniauthCallbacks', type: :request do
     include_examples 'successful OAuth authentication', :openid_connect, 'OpenID Connect'
 
     context 'when OIDC auto-registration is disabled' do
-      around do |example|
-        original_value = ENV['OIDC_AUTO_REGISTER']
-        ENV['OIDC_AUTO_REGISTER'] = 'false'
-        example.run
-        ENV['OIDC_AUTO_REGISTER'] = original_value
+      before do
+        stub_const('OIDC_AUTO_REGISTER', false)
       end
 
       context "when user doesn't exist" do
diff --git a/spec/requests/users/registrations_spec.rb b/spec/requests/users/registrations_spec.rb
index b0049414..38e5b24c 100644
--- a/spec/requests/users/registrations_spec.rb
+++ b/spec/requests/users/registrations_spec.rb
@@ -142,7 +142,7 @@ RSpec.describe 'Users::Registrations', type: :request do
 
     context 'when accessing registration without invitation token and email/password registration disabled' do
       before do
-        allow(ENV).to receive(:[]).with('ALLOW_EMAIL_PASSWORD_REGISTRATION').and_return(nil)
+        stub_const('ALLOW_EMAIL_PASSWORD_REGISTRATION', false)
       end
 
       it 'redirects to root with error message' do
@@ -169,11 +169,8 @@ RSpec.describe 'Users::Registrations', type: :request do
     end
 
     context 'when email/password registration is enabled' do
-      around do |example|
-        original_value = ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION']
-        ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = 'true'
-        example.run
-        ENV['ALLOW_EMAIL_PASSWORD_REGISTRATION'] = original_value
+      before do
+        stub_const('ALLOW_EMAIL_PASSWORD_REGISTRATION', true)
       end
 
       it 'allows registration page access' do