📦 Package
hermes-app (Frontend/UI)
💡 What feature do you want?
When self-hosting Hermes, anyone with access to the web interface can create user accounts via the signup form. This is problematic for self-hosted deployments where only the administrator should be able to create accounts.
Currently, there is no way to disable the /api/v1/auth/signup endpoint or hide the signup form, leaving self-hosted instances vulnerable to unauthorized account creation.
📝 Additional context (optional)
Proposed Solution
Add a configuration option HERMES_ENABLE_SIGNUP (default: true) that:
- Disables the signup API endpoint when set to false
- Hides/removes the signup form and navigation links from the frontend
- Returns a 403 Forbidden response for signup attempts when disabled
Technical Implementation
Backend Changes:
- Add enable_signup: bool = Field(default=True) to Settings class in app/core/config.py
- Modify the signup endpoint in app/api/v1/endpoints/auth.py to check this setting
- Return 403 Forbidden when signup is disabled
Frontend Changes:
- Add conditional rendering for signup form and links based on the configuration
- Could be implemented via a config endpoint or build-time environment variable
Use Case
Self-hosted administrators who want to:
- Pre-create user accounts manually
- Prevent unauthorized account creation
My Current Workaround
I'm using tinyauth and have moved Hermes behind it. Because of this, I'm currently logging in twice: first in tinyauth and then in Hermes.
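A sketch of the server-side gate proposed above, added here as an example; it is not part of the original issue or of Hermes's code base. It uses a stdlib WSGI app in place of the project's framework so that it runs without dependencies. The `/api/v1/config` path, the response bodies, and the strict parsing of the environment variable are assumptions.

```python
import json
import os

SIGNUP_PATH = "/api/v1/auth/signup"  # endpoint named in the issue
CONFIG_PATH = "/api/v1/config"       # hypothetical endpoint the frontend reads

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}

def signup_enabled(environ=os.environ):
    """Read HERMES_ENABLE_SIGNUP: unset means true (the proposed default);
    an unrecognised value raises, so a typo cannot silently leave signup open."""
    raw = environ.get("HERMES_ENABLE_SIGNUP")
    if raw is None:
        return True
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"HERMES_ENABLE_SIGNUP has unrecognised value {raw!r}")

def make_app(enable_signup):
    def respond(start_response, status, payload):
        body = json.dumps(payload).encode()
        start_response(status, [("Content-Type", "application/json"),
                                ("Content-Length", str(len(body)))])
        return [body]

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        method = environ.get("REQUEST_METHOD", "GET")
        if path == CONFIG_PATH and method == "GET":
            # Lets the UI hide the form; this is cosmetic, not the control.
            return respond(start_response, "200 OK", {"enable_signup": enable_signup})
        if path == SIGNUP_PATH and method == "POST":
            # Enforcement lives here, before any account-creation logic runs.
            if not enable_signup:
                return respond(start_response, "403 Forbidden", {"detail": "Signup is disabled"})
            return respond(start_response, "201 Created", {"detail": "placeholder for real signup handler"})
        return respond(start_response, "404 Not Found", {"detail": "Not found"})
    return app

def call(app, method, path):
    """Drive the WSGI app in-process; returns (status_code, parsed_json)."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = int(status.split()[0])
    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], json.loads(body)
```

Hiding the form only changes what the browser shows; a direct POST to the signup endpoint still reaches the backend, which is why the 403 check sits in the handler.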