Gate the first time registration for password auth behind an env var.

backend/.env.example

@@ -9,6 +9,7 @@ APP_ENV=dev
 # List of comma separated admin usernames. USE WITH CAUTION! Those can do serious damage to the data.
 APP_ADMIN_ALLOW_LIST=
 APP_SETUP
+APP_ALLOW_FIRST_TIME_REGISTER=
 
 # -- FRONTEND --
 FRONTEND_URL=http://localhost:8080

backend/README.md

@@ -8,6 +8,8 @@ This is the backend component of Thunderbird Appointment written in Python using
 
 More information will be provided in the future. There is currently a docker file provided which we use to deploy to AWS' ECS which should help you get started.
 
+In order to create a user with password authentication mode, you will need to set `APP_ALLOW_FIRST_TIME_REGISTER=True` in your `.env`.
+
 After the first login you'll want to fill the `APP_ADMIN_ALLOW_LIST` env variable with your account's email to access the basic admin panel located at `/admin/subscribers`. 
 
 ### Configuration

backend/src/appointment/routes/auth.py

@@ -292,7 +292,7 @@ def token(
 
  has_subscribers = db.query(Subscriber).count()
 
- if has_subscribers == 0:
+ if os.getenv('APP_ALLOW_FIRST_TIME_REGISTER') == 'True' and has_subscribers == 0:
  # Create an initial subscriber based with the UTC timezone, the FTUE will give them a change to adjust this
  create_subscriber(db, form_data.username, form_data.password, 'UTC')
 

backend/test/integration/test_auth.py

@@ -99,6 +99,19 @@ def test_token_creates_user(self, with_db, with_client):
 
  email2 = 'george@example.org'
 
+ # Disable first time registering
+ os.environ['APP_ALLOW_FIRST_TIME_REGISTER'] = ''
+
+ # Fails with improper env set
+ response = with_client.post(
+ '/token',
+ data={'username': email2, 'password': password},
+ )
+ assert response.status_code == 403, response.text
+
+ # Enable first time registering
+ os.environ['APP_ALLOW_FIRST_TIME_REGISTER'] = 'True'
+
  # Test non-user credentials
  response = with_client.post(
  '/token',