
feat(auth): add public GET /api/auth/config endpoint #3210

Merged: PierreBrisorgueil merged 2 commits into master from feat/auth-config-endpoint on Mar 9, 2026


PierreBrisorgueil commented Mar 9, 2026

Summary

  • What changed: Added a GET /api/auth/config endpoint that returns public auth feature flags (sign.in, sign.up) as booleans
  • Why: The Vue frontend needs to know whether signin/signup is disabled server-side so it can display a warning instead of letting the user fill a form that will fail with a 404
  • Related issues: Closes feat(auth): expose public auth config flags via API #3209

Scope

  • Module(s) impacted: auth
  • Cross-module impact: none
  • Risk level: low

Validation

  • npm run lint
  • npm test
  • Manual checks done (if applicable)

Guardrails check

  • No secrets or credentials introduced (.env*, secrets/**, keys, tokens)
  • No risky rename/move of core stack paths
  • Changes remain merge-friendly for downstream projects
  • Tests added or updated when behavior changed

Notes for reviewers

  • Security considerations: Only boolean flags are exposed — no secrets, tokens, or internal config values leak through this endpoint. Rate limiting is applied.
  • Mergeability considerations: The new route is placed before the :strategy wildcard to avoid being swallowed by it. No existing routes or behaviour are modified.
  • Follow-up tasks (optional): Add corresponding Vue frontend integration to read this endpoint and display warnings on signin/signup views.

Summary by CodeRabbit

  • New Features
    • Added a new public API endpoint that provides authentication configuration information. The endpoint returns sign-in and sign-up feature availability flags, enabling applications to dynamically configure their authentication options based on server settings. Rate limiting has been applied to protect against abuse and ensure service reliability.

Expose auth feature flags (sign.in, sign.up) so the Vue frontend can
display a warning when signin/signup is disabled server-side.
Only boolean flags are returned — no secrets exposed.
PierreBrisorgueil added the "Feat" (A new feature) label Mar 9, 2026
PierreBrisorgueil self-assigned this Mar 9, 2026

coderabbitai Bot commented Mar 9, 2026

Warning

Rate limit exceeded

@PierreBrisorgueil has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 24 minutes and 7 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 047a92c and f2e835a.

📒 Files selected for processing (2)
  • modules/auth/controllers/auth.controller.js
  • modules/auth/tests/auth.integration.tests.js
Walkthrough

A public API endpoint GET /api/auth/config was added to expose authentication configuration flags (sign.in and sign.up) enabling the frontend to detect disabled signin/signup functionality and display warnings before user interaction.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Auth Config Endpoint: modules/auth/controllers/auth.controller.js, modules/auth/routes/auth.routes.js | Added new public controller method getConfig returning authentication configuration flags (sign.in and sign.up) via standard responses helper. Corresponding route GET /api/auth/config mapped to controller, guarded by existing authLimiter. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes


🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The pull request title clearly and concisely describes the main change: adding a public GET endpoint for auth configuration. |
| Description check | ✅ Passed | The pull request description covers all major template sections including summary, scope, validation checklist, guardrails, and reviewer notes with appropriate detail. |
| Linked Issues check | ✅ Passed | The code changes fully implement the requirements from issue #3209: the new GET /api/auth/config endpoint returns auth feature flags enabling the frontend to detect disabled signin/signup. |
| Out of Scope Changes check | ✅ Passed | All changes are tightly scoped to the linked issue objective—only the new endpoint and its route are added with no modifications to existing code or unrelated functionality. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@PierreBrisorgueil PierreBrisorgueil marked this pull request as ready for review March 9, 2026 07:58
Copilot AI review requested due to automatic review settings March 9, 2026 07:58

codecov Bot commented Mar 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.21%. Comparing base (1254a08) to head (f2e835a).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3210      +/-   ##
==========================================
+ Coverage   90.19%   90.21%   +0.02%     
==========================================
  Files          56       56              
  Lines        1183     1186       +3     
  Branches      239      239              
==========================================
+ Hits         1067     1070       +3     
  Misses        105      105              
  Partials       11       11              


Copilot AI left a comment


Pull request overview

Adds a new public, rate-limited endpoint in the auth module so the frontend can query whether server-side signin/signup are enabled.

Changes:

  • Add GET /api/auth/config route (placed before the :strategy wildcard route).
  • Implement auth.getConfig controller returning sign.in / sign.up as booleans via the standard success response helper.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| modules/auth/routes/auth.routes.js | Registers the new public GET /api/auth/config endpoint with rate limiting. |
| modules/auth/controllers/auth.controller.js | Adds getConfig controller and exports it for routing. |

Comment thread modules/auth/routes/auth.routes.js
Comment thread modules/auth/controllers/auth.controller.js Outdated

coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
modules/auth/routes/auth.routes.js (1)

16-18: Please add a contract test for this new public route.

This endpoint now has a frontend-facing contract and depends on ordering ahead of /api/auth/:strategy. A small test covering the exact JSON body and route precedence would make regressions much harder.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/auth/routes/auth.routes.js` around lines 16 - 18, Add a contract test
that calls the public route '/api/auth/config' (which is registered with
authLimiter and handled by auth.getConfig) and asserts the exact JSON response
body shape/values expected by the frontend; also include a test that verifies
route precedence by ensuring '/api/auth/config' resolves before the dynamic
'/api/auth/:strategy' route (e.g., request '/api/auth/config' does not get
matched as a strategy). Place tests alongside other auth route tests and use the
same server/bootstrap helpers so ordering in the router is exercised.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@modules/auth/controllers/auth.controller.js`:
- Around line 216-222: getConfig currently uses responses.success which wraps
the payload under data; change it to return the documented top-level object
instead of the success envelope by sending a plain JSON response (e.g.,
res.status(200).json(...)) that contains { sign: { in: !!config.sign.in, up:
!!config.sign.up, oauthGoogle: !!config.sign.oauthGoogle, oauthGithub:
!!config.sign.oauthGithub } } (or the actual oauth flag names present on
config.sign per the JSDoc) so clients receive sign.* at the top level; remove
the responses.success call and ensure getConfig exports/returns the new
top-level payload.

---

Nitpick comments:
In `@modules/auth/routes/auth.routes.js`:
- Around line 16-18: Add a contract test that calls the public route
'/api/auth/config' (which is registered with authLimiter and handled by
auth.getConfig) and asserts the exact JSON response body shape/values expected
by the frontend; also include a test that verifies route precedence by ensuring
'/api/auth/config' resolves before the dynamic '/api/auth/:strategy' route
(e.g., request '/api/auth/config' does not get matched as a strategy). Place
tests alongside other auth route tests and use the same server/bootstrap helpers
so ordering in the router is exercised.


📥 Commits

Reviewing files that changed from the base of the PR and between 1254a08 and 047a92c.

📒 Files selected for processing (2)
  • modules/auth/controllers/auth.controller.js
  • modules/auth/routes/auth.routes.js

Comment thread modules/auth/controllers/auth.controller.js
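
The two properties the reviews above want pinned by a contract test, a boolean-only body and precedence over the `:strategy` wildcard, shown as an added JavaScript example. It is not the project's code: `publicAuthConfig`, `createRouter`, `buildRouter` and the sample `serverConfig` are hypothetical, and the toy router only mimics first-match ordering.

```javascript
// Added example with hypothetical names; not the project's controller or router.
// It models only the flag payload, not the project's response envelope.

// Allowlist projection: only sign.in and sign.up are copied out, coerced to
// booleans, so no other key or non-boolean value in config can be serialized.
function publicAuthConfig(config) {
  const sign = (config && config.sign) || {};
  return { sign: { in: Boolean(sign.in), up: Boolean(sign.up) } };
}

// Toy first-match router: routes are tried in registration order and a
// ":name" segment matches any single path segment, as a wildcard route does.
function createRouter() {
  const routes = [];
  const match = (pattern, path) => {
    const p = pattern.split('/');
    const s = path.split('/');
    if (p.length !== s.length) return null;
    const params = {};
    for (let i = 0; i < p.length; i += 1) {
      if (p[i].startsWith(':')) params[p[i].slice(1)] = s[i];
      else if (p[i] !== s[i]) return null;
    }
    return params;
  };
  const get = (pattern, handler) => { routes.push({ pattern, handler }); };
  const handle = (path) => {
    for (const r of routes) {
      const params = match(r.pattern, path);
      if (params) return { matched: r.pattern, body: r.handler(params) };
    }
    return { matched: null, body: null };
  };
  return { get, handle };
}

// Constructed config: sign.up is a non-boolean and jwtSecret must never leak.
const serverConfig = { sign: { in: true, up: 0, jwtSecret: 'constructed-placeholder' } };

// Register the config route before or after the wildcard to compare outcomes.
function buildRouter(configFirst) {
  const router = createRouter();
  const configRoute = () => publicAuthConfig(serverConfig);
  if (configFirst) router.get('/api/auth/config', configRoute);
  router.get('/api/auth/:strategy', (params) => ({ strategy: params.strategy }));
  if (!configFirst) router.get('/api/auth/config', configRoute);
  return router;
}
```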
PierreBrisorgueil merged commit 904d1c5 into master Mar 9, 2026
5 checks passed
PierreBrisorgueil deleted the feat/auth-config-endpoint branch March 9, 2026 08:15