fix: Block social sign-on registration when registrations are disabled

bobbyonmagic · bobbyiliev · commit f7e10aa816bf · 2026-01-26T13:35:06.000+02:00
When registration_enabled is set to false, new users could still
create accounts via social sign-on (Google, Facebook, etc.).

This fix adds a check in SocialController::findOrCreateProviderUser()
to reject new user creation when registrations are disabled, while
still allowing existing users to log in via social providers.
diff --git a/src/Http/Controllers/SocialController.php b/src/Http/Controllers/SocialController.php
@@ -77,6 +77,12 @@ private function findOrCreateProviderUser($socialiteUser, $driver)
 
         $user = app(config('auth.providers.users.model'))->where('email', $socialiteUser->getEmail())->first();
 
+        // If no existing user and registrations are disabled, reject the request
+        if (! $user && ! config('devdojo.auth.settings.registration_enabled', true)) {
+            return redirect()->route('auth.login')->with('error',
+                config('devdojo.auth.language.register.registrations_disabled', 'Registrations are currently disabled.'));
+        }
+
         if ($user) {
             $existingProvider = $user->socialProviders()->first();
             if ($existingProvider) {
