API registration is not allowed, but it is reported as allowed #6314

Closed
caspermeijn opened this issue Feb 17, 2023 · 2 comments · Fixed by #6315

@caspermeijn
Contributor

Environment

  • Version: Git master c0cb7ef
  • Installation: Using instructions in .github/CONTRIBUTING.md
  • PHP version: 7.4
  • OS: Linux
  • Database: SQLite
  • Parameters:
My app/config/parameters.yml is:
parameters:
  database_driver: pdo_sqlite
  database_driver_class: ~
  database_host: 127.0.0.1
  database_port: ~
  database_name: symfony
  database_user: root
  database_password: ~
  database_path: '%kernel.project_dir%/data/db/wallabag.sqlite'
  database_table_prefix: wallabag_
  database_socket: null
  database_charset: utf8

  domain_name: http://localhost:8000
  server_name: "Your wallabag instance"

  mailer_dsn: "smtp://127.0.0.1"

  locale: en

  # A secret key that's used to generate certain security-related tokens
  secret: ch4n63m31fy0uc4n

  # two factor stuff
  twofactor_auth: true
  twofactor_sender: no-reply@wallabag.org

  # fosuser stuff
  fosuser_registration: true
  fosuser_confirmation: true

  fos_oauth_server_access_token_lifetime: 3600
  fos_oauth_server_refresh_token_lifetime: 1209600

  from_email: wallabag@example.com

  rss_limit: 50

  # RabbitMQ processing
  rabbitmq_host: localhost
  rabbitmq_port: 5672
  rabbitmq_user: guest
  rabbitmq_password: guest
  rabbitmq_prefetch_count: 10

  # Redis processing
  redis_scheme: tcp
  redis_host: redis
  redis_port: 6379
  redis_path: ~
  redis_password: ~

  # Sentry
  sentry_dsn: ~

  session_handler: ~

What steps will reproduce the bug?

curl -X 'GET' \
  'http://127.0.0.1:8000/api/info' \
  -H 'accept: application/json'

returns: "allowed_registration": true

But

curl -X 'PUT' \
  'http://127.0.0.1:8000/api/user' \
  -H 'accept: */*' \
  -H 'Content-Type: application/json' \
  -d '{
  "username": "string",
  "password": "string",
  "email": "string",
  "client_name": "string"
}'

returns: "error": "Server doesn't allow registrations"

These contradict each other. I expect that registration via API is possible when the API indicates that registration is allowed.

Configuration options

I found there are two configuration options:

  1. fosuser_registration, which indicates whether registration is allowed at all
  2. api_user_registration, which indicates whether registration is allowed via the API

Why is there different behavior between frontend registration and API registration?

@j0k3r
Member

j0k3r commented Feb 17, 2023

I can't properly remember but I know it was done on purpose: #3177
Maybe we should adjust the response from WallabagRestController to take care of both configurations

'allowed_registration' => $this->getParameter('fosuser_registration'),

@caspermeijn
Contributor Author

> I can't properly remember but I know it was done on purpose: #3177
> Maybe we should adjust the response from WallabagRestController to take care of both configurations

I found that PR as well, but it doesn't explain why it was done 😊

What I can think of is to prevent spam account creation. But I would think a spam account can also be created via the frontend.

> 'allowed_registration' => $this->getParameter('fosuser_registration'),

I think that is a good workaround. I can create a PR for that.

@j0k3r j0k3r added this to the 2.6.0 milestone Mar 27, 2023
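
The mismatch discussed in this thread, as an added example that is not wallabag's code and not the change merged in #6315: it models the two flags and reports, for all four combinations, where the value advertised by /api/info differs from what PUT /api/user enforces. The class and function names are hypothetical, and it assumes API registration is refused unless both flags are true.

```php
<?php
// Added illustration, not wallabag source. Class and function names are hypothetical.
final class RegistrationPolicy
{
    private bool $fosuserRegistration; // fosuser_registration: registration allowed at all
    private bool $apiUserRegistration; // api_user_registration: registration allowed via the API

    public function __construct(bool $fosuserRegistration, bool $apiUserRegistration)
    {
        $this->fosuserRegistration = $fosuserRegistration;
        $this->apiUserRegistration = $apiUserRegistration;
    }

    // Behaviour reported in the issue: /api/info reads only fosuser_registration.
    public function advertisedBefore(): bool
    {
        return $this->fosuserRegistration;
    }

    // Assumption: PUT /api/user is refused unless both flags are true.
    public function enforced(): bool
    {
        return $this->fosuserRegistration && $this->apiUserRegistration;
    }

    // Advertise exactly what is enforced, so the two endpoints cannot drift apart.
    public function advertisedAfter(): bool
    {
        return $this->enforced();
    }
}

// Returns every flag combination where the advertised value differs from enforcement.
function findMismatches(callable $advertised): array
{
    $mismatches = [];
    foreach ([false, true] as $fos) {
        foreach ([false, true] as $api) {
            $policy = new RegistrationPolicy($fos, $api);
            if ($advertised($policy) !== $policy->enforced()) {
                $mismatches[] = ['fosuser_registration' => $fos, 'api_user_registration' => $api];
            }
        }
    }
    return $mismatches;
}

echo 'before: ' . json_encode(findMismatches(fn (RegistrationPolicy $p): bool => $p->advertisedBefore())) . PHP_EOL;
echo 'after:  ' . json_encode(findMismatches(fn (RegistrationPolicy $p): bool => $p->advertisedAfter())) . PHP_EOL;
```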