feat: add customizable signups disabled text for all authentication methods

blink-so[bot] · kylecarbs · blink-so[bot] · commit c1b55e2ecded · 2025-07-15T19:11:01.000Z
This change adds a general --signups-disabled-text configuration option
that allows administrators to customize the message shown when signups
are disabled, regardless of the authentication method used.

Changes:
- Add SignupsDisabledText field to DeploymentValues struct
- Add --signups-disabled-text CLI flag and CODER_SIGNUPS_DISABLED_TEXT env var
- Update userauth logic to use general text with OIDC fallback for backward compatibility
- Add new User Authentication deployment group for general auth settings
- Support Markdown formatting in the custom text

This enhances the existing OIDC-specific signups disabled text to work
with all authentication methods, providing better flexibility for
administrators to inform users about signup policies.

Co-authored-by: kylecarbs &lt;7122116+kylecarbs@users.noreply.github.com&gt;
diff --git a/cli/server.go b/cli/server.go
@@ -641,6 +641,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				ExternalAuthConfigs:         externalAuthConfigs,
 				RealIPConfig:                realIPConfig,
 				SSHKeygenAlgorithm:          sshKeygenAlgorithm,
+				SignupsDisabledText:         vals.SignupsDisabledText.String(),
 				TracerProvider:              tracerProvider,
 				Telemetry:                   telemetry.NewNoop(),
 				MetricsCacheRefreshInterval: vals.MetricsCacheRefreshInterval.Value(),
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -167,6 +167,7 @@ type Options struct {
 	PrometheusRegistry             *prometheus.Registry
 	StrictTransportSecurityCfg     httpmw.HSTSConfig
 	SSHKeygenAlgorithm             gitsshkey.Algorithm
+	SignupsDisabledText            string
 	Telemetry                      telemetry.Reporter
 	TracerProvider                 trace.TracerProvider
 	ExternalAuthConfigs            []*externalauth.Config
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -1682,7 +1682,11 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 
 		if user.ID == uuid.Nil && !allowSignup {
 			signupsDisabledText := "Please contact your Coder administrator to request access."
-			if api.OIDCConfig != nil && api.OIDCConfig.SignupsDisabledText != "" {
+			// Use general signups disabled text if configured
+			if api.SignupsDisabledText != "" {
+				signupsDisabledText = render.HTMLFromMarkdown(api.SignupsDisabledText)
+			} else if api.OIDCConfig != nil && api.OIDCConfig.SignupsDisabledText != "" {
+				// Fallback to OIDC-specific text for backward compatibility
 				signupsDisabledText = render.HTMLFromMarkdown(api.OIDCConfig.SignupsDisabledText)
 			}
 			return &idpsync.HTTPError{
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -366,6 +366,7 @@ type DeploymentValues struct {
 	Trace                           TraceConfig                          `json:"trace,omitempty" typescript:",notnull"`
 	HTTPCookies                     HTTPCookieConfig                     `json:"http_cookies,omitempty" typescript:",notnull"`
 	StrictTransportSecurity         serpent.Int64                        `json:"strict_transport_security,omitempty" typescript:",notnull"`
+	SignupsDisabledText             serpent.String                       `json:"signups_disabled_text,omitempty" typescript:",notnull"`
 	StrictTransportSecurityOptions  serpent.StringArray                  `json:"strict_transport_security_options,omitempty" typescript:",notnull"`
 	SSHKeygenAlgorithm              serpent.String                       `json:"ssh_keygen_algorithm,omitempty" typescript:",notnull"`
 	MetricsCacheRefreshInterval     serpent.Duration                     `json:"metrics_cache_refresh_interval,omitempty" typescript:",notnull"`
@@ -974,6 +975,11 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 			Name: "OIDC",
 			YAML: "oidc",
 		}
+		deploymentGroupUserAuth = serpent.Group{
+			Name:        "User Authentication",
+			Description: "Configure general user authentication and signup settings.",
+			YAML:        "userAuth",
+		}
 		deploymentGroupTelemetry = serpent.Group{
 			Name: "Telemetry",
 			YAML: "telemetry",
@@ -2494,6 +2500,15 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
 			Value:       &c.SSHKeygenAlgorithm,
 			YAML:        "sshKeygenAlgorithm",
 		},
+		{
+			Name:        "Signups Disabled Text",
+			Description: "The custom text to show on the error page when signups are disabled. Markdown format is supported.",
+			Flag:        "signups-disabled-text",
+			Env:         "CODER_SIGNUPS_DISABLED_TEXT",
+			Value:       &c.SignupsDisabledText,
+			Group:       &deploymentGroupUserAuth,
+			YAML:        "signupsDisabledText",
+		},
 		{
 			Name:        "Metrics Cache Refresh Interval",
 			Description: "How frequently metrics are refreshed.",
