make it so the registration token can be used to set the customize field of the user account on creation

Author: williamstein

src/packages/database/postgres/registration-tokens.ts

@@ -12,6 +12,7 @@ interface Query {
   limit?: number;
   disabled?: boolean;
   ephemeral?: boolean;
+  customize?;
 }
 
 export default async function registrationTokensQuery(
@@ -38,24 +39,27 @@ export default async function registrationTokensQuery(
     return rows;
   } else if (query.token) {
     // upsert an existing one
-    const { token, descr, expires, limit, disabled, ephemeral } = query;
+    const { token, descr, expires, limit, disabled, ephemeral, customize } =
+      query;
     const { rows } = await callback2(db._query, {
-      query: `INSERT INTO registration_tokens ("token","descr","expires","limit","disabled","ephemeral")
-                VALUES ($1, $2, $3, $4, $5, $6) ON CONFLICT (token)
+      query: `INSERT INTO registration_tokens ("token","descr","expires","limit","disabled","ephemeral","customize")
+                VALUES ($1, $2, $3, $4, $5, $6, $7) ON CONFLICT (token)
                 DO UPDATE SET
                   "token"    = EXCLUDED.token,
                   "descr"    = EXCLUDED.descr,
                   "expires"  = EXCLUDED.expires,
                   "limit"    = EXCLUDED.limit,
                   "disabled" = EXCLUDED.disabled,
-                  "ephemeral" = EXCLUDED.ephemeral`,
+                  "ephemeral" = EXCLUDED.ephemeral,
+                  "customize" = EXCLUDED.customize`,
       params: [
         token,
         descr ? descr : null,
         expires ? expires : null,
         limit == null ? null : limit, // if undefined make it null
         disabled != null ? disabled : false,
         ephemeral == null ? null : ephemeral,
+        customize == null ? null : customize,
       ],
     });
     return rows;

src/packages/frontend/admin/registration-token.tsx

@@ -16,6 +16,7 @@ import {
   InputNumber,
   Popconfirm,
   Radio,
+  Space,
   Switch,
   Table,
 } from "antd";
@@ -56,6 +57,10 @@ interface Token {
   counter?: number; // readonly
   expires?: dayjs.Dayjs; // DB uses Date objects, watch out!
   ephemeral?: number;
+  customize?: {
+    disableCollaborators?: boolean;
+    disableAI?: boolean;
+  };
 }
 
 const HOUR_MS = 60 * 60 * 1000;
@@ -121,6 +126,7 @@ function use_registration_tokens() {
             limit: null,
             disabled: null,
             ephemeral: null,
+            customize: null,
           },
         },
       });
@@ -178,11 +184,18 @@ function use_registration_tokens() {
       "limit",
       "descr",
       "ephemeral",
+      "customize",
     ] as RegistrationTokenSetFields[]);
     // set optional field to undefined (to get rid of it)
     ["descr", "limit", "expires", "ephemeral"].forEach(
       (k: RegistrationTokenSetFields) => (val[k] = val[k] ?? undefined),
     );
+    if (val.customize != null) {
+      const { disableCollaborators, disableAI } = val.customize;
+      if (!disableCollaborators && !disableAI) {
+        val.customize = undefined;
+      }
+    }
     try {
       set_saving(true);
       await query({
@@ -416,6 +429,24 @@ export function RegistrationToken() {
             }}
           </Form.Item>
         </Form.Item>
+        <Form.Item label="Restrictions">
+          <Space direction="vertical">
+            <Form.Item
+              name={["customize", "disableCollaborators"]}
+              valuePropName="checked"
+              noStyle
+            >
+              <Checkbox>Disable configuring collaborators</Checkbox>
+            </Form.Item>
+            <Form.Item
+              name={["customize", "disableAI"]}
+              valuePropName="checked"
+              noStyle
+            >
+              <Checkbox>Disable artificial intelligence</Checkbox>
+            </Form.Item>
+          </Space>
+        </Form.Item>
         <Form.Item name="active" label="Active" valuePropName="checked">
           <Switch />
         </Form.Item>
@@ -544,6 +575,16 @@ export function RegistrationToken() {
             dataIndex="ephemeral"
             render={(value) => formatEphemeralHours(value)}
           />
+          <Table.Column<Token>
+            title="Restrict collaborators"
+            render={(_, token) =>
+              token.customize?.disableCollaborators ? "Yes" : ""
+            }
+          />
+          <Table.Column<Token>
+            title="Disable AI"
+            render={(_, token) => (token.customize?.disableAI ? "Yes" : "")}
+          />
           <Table.Column<Token>
             title="% Used"
             dataIndex="used"

src/packages/next/pages/api/v2/auth/ephemeral.ts

@@ -47,6 +47,7 @@ export default async function createEphemeralAccount(req, res) {
       tags: ["ephemeral"],
       signupReason: "ephemeral",
       ephemeral: tokenInfo.ephemeral,
+      customize: tokenInfo.customize,
     });
   } catch (err) {
     res.json({

src/packages/next/pages/api/v2/auth/sign-up.ts

@@ -194,8 +194,9 @@ export async function signUp(req, res) {
     }
   }
 
+  let tokenInfo;
   try {
-    await redeemRegistrationToken(registrationToken);
+    tokenInfo = await redeemRegistrationToken(registrationToken);
   } catch (err) {
     res.json({
       issues: {
@@ -216,6 +217,8 @@ export async function signUp(req, res) {
       tags,
       signupReason,
       owner_id,
+      ephemeral: tokenInfo?.ephemeral,
+      customize: tokenInfo?.customize,
     });
 
     if (email) {

src/packages/server/accounts/create-account.ts

@@ -28,6 +28,7 @@ interface Params {
   // avoiding confusion with self-hosted installs.
   noFirstProject?: boolean;
   ephemeral?: number;
+  customize?: any;
 }
 
 export default async function createAccount({
@@ -41,6 +42,7 @@ export default async function createAccount({
   owner_id,
   noFirstProject,
   ephemeral,
+  customize,
 }: Params): Promise<void> {
   try {
     log.debug(
@@ -54,7 +56,7 @@ export default async function createAccount({
     );
     const pool = getPool();
     await pool.query(
-      "INSERT INTO accounts (email_address, password_hash, first_name, last_name, account_id, created, tags, sign_up_usage_intent, owner_id, ephemeral) VALUES($1::TEXT, $2::TEXT, $3::TEXT, $4::TEXT, $5::UUID, NOW(), $6::TEXT[], $7::TEXT, $8::UUID, $9::BIGINT)",
+      "INSERT INTO accounts (email_address, password_hash, first_name, last_name, account_id, created, tags, sign_up_usage_intent, owner_id, ephemeral, customize) VALUES($1::TEXT, $2::TEXT, $3::TEXT, $4::TEXT, $5::UUID, NOW(), $6::TEXT[], $7::TEXT, $8::UUID, $9::BIGINT, $10::JSONB)",
       [
         email ? email : undefined, // can't insert "" more than once!
         password ? passwordHash(password) : undefined, // definitely don't set password_hash to hash of empty string, e.g., anonymous accounts can then NEVER switch to email/password.  This was a bug in production for a while.
@@ -65,6 +67,7 @@ export default async function createAccount({
         signupReason,
         owner_id,
         ephemeral ?? null,
+        customize ?? null,
       ],
     );
     const { insecure_test_mode } = await getServerSettings();

src/packages/server/auth/tokens/redeem.ts

@@ -12,6 +12,7 @@ import { getTransactionClient } from "@cocalc/database/pool";
 export interface RegistrationTokenInfo {
   token: string;
   ephemeral?: number;
+  customize?: any;
 }
 
 export default async function redeem(
@@ -36,7 +37,7 @@ export default async function redeem(
     // → if counter, check counter vs. limit
     //   → true: increase the counter → ok
     //   → false: ok
-    const q_match = `SELECT "expires", "counter", "limit", "disabled", "ephemeral"
+    const q_match = `SELECT "expires", "counter", "limit", "disabled", "ephemeral", "customize"
                      FROM registration_tokens
                      WHERE token = $1::TEXT
                      FOR UPDATE`;
@@ -52,6 +53,7 @@ export default async function redeem(
       limit,
       disabled: disabled_raw,
       ephemeral,
+      customize,
     } = match.rows[0];
     const counter = counter_raw ?? 0;
     const disabled = disabled_raw ?? false;
@@ -79,6 +81,7 @@ export default async function redeem(
     return {
       token,
       ephemeral: typeof ephemeral === "number" ? ephemeral : undefined,
+      customize,
     };
   } catch (err) {
     await client.query("ROLLBACK");

src/packages/util/db-schema/accounts.ts

@@ -579,7 +579,6 @@ Table({
           evaluate_key: true,
           font_size: true,
           profile: true,
-          customize: true,
           ssh_keys: true,
           sign_up_usage_intent: true,
           unlisted: true,

src/packages/util/db-schema/registration-tokens.ts

@@ -41,6 +41,7 @@ Table({
           limit: null,
           disabled: null,
           ephemeral: null,
+          customize: null,
         } as { [key in RegistrationTokenSetFields]: null },
       },
       get: {
@@ -55,6 +56,7 @@ Table({
           limit: null,
           disabled: null,
           ephemeral: null,
+          customize: null,
         } as { [key in RegistrationTokenGetFields]: null },
       },
     },
@@ -73,5 +75,9 @@ Table({
       type: "number",
       desc: "optional – lifetime in milliseconds for accounts/projects created via this token",
     },
+    customize: {
+      type: "map",
+      desc: "Optional account customization overrides applied when redeeming this token.",
+    },
   },
 });

src/packages/util/db-schema/types.ts

@@ -327,7 +327,8 @@ export type RegistrationTokenSetFields =
   | "expires"
   | "limit"
   | "disabled"
-  | "ephemeral";
+  | "ephemeral"
+  | "customize";
 
 export type RegistrationTokenGetFields = RegistrationTokenSetFields | "counter";