@lenne.tech/nest-server 11.13.2 → 11.13.4

package/src/core/modules/better-auth/core-better-auth-user.mapper.ts

@@ -370,27 +370,38 @@ export class CoreBetterAuthUserMapper {
         return false;
       }
 
+      // Better-Auth stores account.userId as ObjectId that references users._id
+      const userMongoId = legacyUser._id as ObjectId;
+
+      // FAST PATH: Check if credential account already exists BEFORE expensive bcrypt
+      // For already-migrated users this avoids ~130ms of bcrypt.compare() per sign-in
+      const existingAccount = await accountsCollection.findOne({
+        providerId: 'credential',
+        userId: userMongoId,
+      });
+
+      if (existingAccount) {
+        return true;
+      }
+
+      // No password provided - cannot verify, cannot migrate
+      if (!plainPassword) {
+        return false;
+      }
+
       // IMPORTANT: Verify the provided password matches the legacy hash
       // This prevents migration with a wrong password
       // Legacy Auth uses two formats for backwards compatibility:
       // 1. bcrypt(password) - direct hash
       // 2. bcrypt(sha256(password)) - sha256 then bcrypt
-      if (plainPassword) {
-        const directMatch = await bcrypt.compare(plainPassword, legacyUser.password);
-        const sha256Match = await bcrypt.compare(sha256(plainPassword), legacyUser.password);
-        if (!directMatch && !sha256Match) {
-          // Security: Wrong password provided for migration - reject
-          this.logger.warn(`Migration password verification failed for ${maskEmail(userEmail)}`);
-          return false;
-        }
-      } else {
-        // No password provided - cannot verify, cannot migrate
+      const directMatch = await bcrypt.compare(plainPassword, legacyUser.password);
+      const sha256Match = !directMatch ? await bcrypt.compare(sha256(plainPassword), legacyUser.password) : false;
+      if (!directMatch && !sha256Match) {
+        // Security: Wrong password provided for migration - reject
+        this.logger.warn(`Migration password verification failed for ${maskEmail(userEmail)}`);
         return false;
       }
 
-      // Better-Auth stores account.userId as ObjectId that references users._id
-      // The id field is a secondary string identifier used in API responses
-      const userMongoId = legacyUser._id as ObjectId;
       const userIdHex = userMongoId.toHexString();
 
       // Update user with Better-Auth fields if not already present
@@ -413,17 +424,6 @@ export class CoreBetterAuthUserMapper {
         );
       }
 
-      // Check if credential account already exists
-      // Better-Auth stores userId as ObjectId referencing users._id
-      const existingAccount = await accountsCollection.findOne({
-        providerId: 'credential',
-        userId: userMongoId,
-      });
-
-      if (existingAccount) {
-        return true;
-      }
-
       // Create the credential account with Better-Auth compatible scrypt hash
       const passwordHash = await this.hashPasswordForBetterAuth(plainPassword);
 

package/src/core/modules/better-auth/core-better-auth.controller.ts

@@ -14,7 +14,15 @@ import {
   Res,
   UnauthorizedException,
 } from '@nestjs/common';
-import { ApiBody, ApiCreatedResponse, ApiExcludeEndpoint, ApiOkResponse, ApiOperation, ApiProperty, ApiTags } from '@nestjs/swagger';
+import {
+  ApiBody,
+  ApiCreatedResponse,
+  ApiExcludeEndpoint,
+  ApiOkResponse,
+  ApiOperation,
+  ApiProperty,
+  ApiTags,
+} from '@nestjs/swagger';
 import { Request, Response } from 'express';
 
 import { Roles } from '../../common/decorators/roles.decorator';
@@ -251,7 +259,10 @@ export class CoreBetterAuthController {
    * @since 11.13.0
    */
   @ApiOkResponse({ description: 'Better-Auth feature flags' })
-  @ApiOperation({ description: 'Get enabled Better-Auth features for client-side feature detection', summary: 'Get Features' })
+  @ApiOperation({
+    description: 'Get enabled Better-Auth features for client-side feature detection',
+    summary: 'Get Features',
+  })
   @Get('features')
   @Roles(RoleEnum.S_EVERYONE)
   getFeatures(): Record<string, boolean | number | string[]> {
@@ -262,6 +273,7 @@ export class CoreBetterAuthController {
       passkey: this.betterAuthService.isPasskeyEnabled(),
       resendCooldownSeconds: this.emailVerificationService?.getConfig()?.resendCooldownSeconds ?? 60,
       signUpChecks: this.signUpValidator?.isEnabled() ?? false,
+      signUpEnabled: this.betterAuthService.isSignUpEnabled(),
       socialProviders: this.betterAuthService.getEnabledSocialProviders(),
       twoFactor: this.betterAuthService.isTwoFactorEnabled(),
     };
@@ -345,7 +357,9 @@ export class CoreBetterAuthController {
         // Without this, users with 2FA enabled but unverified email could bypass verification
         await this.checkEmailVerificationByEmail(input.email);
 
-        this.logger.debug(`2FA required for ${maskEmail(input.email)}, forwarding to native handler for cookie handling`);
+        this.logger.debug(
+          `2FA required for ${maskEmail(input.email)}, forwarding to native handler for cookie handling`,
+        );
 
         // Forward to native Better Auth handler which sets the session cookie correctly
         // We need to modify the request body to use the normalized password
@@ -370,7 +384,7 @@ export class CoreBetterAuthController {
           body: modifiedBody,
           headers: new Headers({
             'Content-Type': 'application/json',
-            'Origin': req.headers.origin || baseUrl,
+            Origin: req.headers.origin || baseUrl,
           }),
           method: 'POST',
         });
@@ -407,7 +421,8 @@ export class CoreBetterAuthController {
         const mappedUser = await this.userMapper.mapSessionUser(response.user);
 
         // Get token: JWT accessToken > top-level token > session.token
-        const rawToken = responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
+        const rawToken =
+          responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
         const token = await this.resolveJwtToken(rawToken);
 
         const result: CoreBetterAuthResponse = {
@@ -464,6 +479,7 @@ export class CoreBetterAuthController {
     @Body() input: CoreBetterAuthSignUpInput,
   ): Promise<CoreBetterAuthResponse> {
     this.ensureEnabled();
+    this.betterAuthService.ensureSignUpEnabled();
 
     // Validate sign-up input (termsAndPrivacyAccepted is required by default)
     if (this.signUpValidator) {
@@ -494,7 +510,9 @@ export class CoreBetterAuthController {
       if (hasUser(response)) {
         // Link or create user in our database
         // Pass termsAndPrivacyAccepted to store the acceptance timestamp
-        await this.userMapper.linkOrCreateUser(response.user, { termsAndPrivacyAccepted: input.termsAndPrivacyAccepted });
+        await this.userMapper.linkOrCreateUser(response.user, {
+          termsAndPrivacyAccepted: input.termsAndPrivacyAccepted,
+        });
 
         // Sync password to legacy (enables IAM Sign-Up → Legacy Sign-In)
         // Pass the plain password so it can be hashed with bcrypt for Legacy Auth
@@ -506,7 +524,8 @@ export class CoreBetterAuthController {
         // Without this, no session cookies are set after sign-up, causing 401 on
         // subsequent authenticated requests (e.g., Passkey, 2FA, /token)
         const responseAny = response as any;
-        const rawToken = responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
+        const rawToken =
+          responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
         const token = await this.resolveJwtToken(rawToken);
 
         // If email verification is enabled, revoke the session and don't return session data
@@ -518,7 +537,9 @@ export class CoreBetterAuthController {
             await this.betterAuthService.revokeSession(sessionToken);
           }
           this.clearAuthCookies(res);
-          this.logger.debug(`[SignUp] Email verification required for ${maskEmail(response.user.email)}, session revoked`);
+          this.logger.debug(
+            `[SignUp] Email verification required for ${maskEmail(response.user.email)}, session revoked`,
+          );
           return {
             emailVerificationRequired: true,
             requiresTwoFactor: false,
@@ -692,10 +713,7 @@ export class CoreBetterAuthController {
    * @throws UnauthorizedException if email is not verified and verification is required
    */
   protected checkEmailVerification(sessionUser: BetterAuthSessionUser): void {
-    if (
-      this.emailVerificationService?.isEnabled()
-      && !sessionUser.emailVerified
-    ) {
+    if (this.emailVerificationService?.isEnabled() && !sessionUser.emailVerified) {
       this.logger.debug(`[SignIn] Email not verified for ${maskEmail(sessionUser.email)}, blocking login`);
       throw new UnauthorizedException(ErrorCode.EMAIL_VERIFICATION_REQUIRED);
     }
@@ -764,7 +782,9 @@ export class CoreBetterAuthController {
    * NOTE: The session token is intentionally NOT included in the response.
    * It is set as an httpOnly cookie for security.
    */
-  protected mapSession(session: null | undefined | { expiresAt: Date; id: string; token?: string }): CoreBetterAuthSessionInfo | undefined {
+  protected mapSession(
+    session: null | undefined | { expiresAt: Date; id: string; token?: string },
+  ): CoreBetterAuthSessionInfo | undefined {
     if (!session) return undefined;
     return {
       expiresAt: session.expiresAt instanceof Date ? session.expiresAt.toISOString() : String(session.expiresAt),
@@ -778,7 +798,7 @@ export class CoreBetterAuthController {
    * @param sessionUser - The user from Better-Auth session
    * @param _mappedUser - The synced user from legacy system (available for override customization)
    */
-   
+
   protected mapUser(sessionUser: BetterAuthSessionUser, _mappedUser: any): CoreBetterAuthUserResponse {
     return {
       email: sessionUser.email,
@@ -802,7 +822,11 @@ export class CoreBetterAuthController {
    * @param result - The CoreBetterAuthResponse to return
    * @param sessionToken - Optional session token to set in cookies (if not provided, uses result.token)
    */
-  protected processCookies(res: Response, result: CoreBetterAuthResponse, sessionToken?: string): CoreBetterAuthResponse {
+  protected processCookies(
+    res: Response,
+    result: CoreBetterAuthResponse,
+    sessionToken?: string,
+  ): CoreBetterAuthResponse {
     const cookiesEnabled = this.configService.getFastButReadOnly('cookies') !== false;
 
     // If a specific session token is provided, use it directly
@@ -883,7 +907,11 @@ export class CoreBetterAuthController {
       this.logger.error(`Better Auth handler error: ${error instanceof Error ? error.message : 'Unknown error'}`);
 
       // Re-throw NestJS exceptions
-      if (error instanceof BadRequestException || error instanceof UnauthorizedException || error instanceof InternalServerErrorException) {
+      if (
+        error instanceof BadRequestException ||
+        error instanceof UnauthorizedException ||
+        error instanceof InternalServerErrorException
+      ) {
         throw error;
       }
 

package/src/core/modules/better-auth/core-better-auth.module.ts

@@ -313,15 +313,17 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
     if (CoreBetterAuthModule.currentConfig) {
       const globalConfig = ConfigService.configFastButReadOnly;
       const cookiesDisabled = globalConfig?.cookies === false;
-      const jwtExplicitlyDisabled = CoreBetterAuthModule.currentConfig.jwt === false
-        || (typeof CoreBetterAuthModule.currentConfig.jwt === 'object' && CoreBetterAuthModule.currentConfig.jwt?.enabled === false);
+      const jwtExplicitlyDisabled =
+        CoreBetterAuthModule.currentConfig.jwt === false ||
+        (typeof CoreBetterAuthModule.currentConfig.jwt === 'object' &&
+          CoreBetterAuthModule.currentConfig.jwt?.enabled === false);
 
       if (cookiesDisabled && jwtExplicitlyDisabled) {
         CoreBetterAuthModule.logger.warn(
           'CONFIGURATION WARNING: cookies is set to false, but betterAuth.jwt is not enabled. ' +
-          'Without cookies, BetterAuth cannot establish sessions via Set-Cookie headers. ' +
-          'Enable betterAuth.jwt (set jwt: true in betterAuth config) to use Bearer token authentication, ' +
-          'or set cookies: true to use cookie-based sessions.',
+            'Without cookies, BetterAuth cannot establish sessions via Set-Cookie headers. ' +
+            'Enable betterAuth.jwt (set jwt: true in betterAuth config) to use Bearer token authentication, ' +
+            'or set cookies: true to use cookie-based sessions.',
         );
       }
     }
@@ -331,8 +333,8 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
     if (CoreBetterAuthModule.rolesGuardExplicitlyDisabled && !RolesGuardRegistry.isRegistered()) {
       CoreBetterAuthModule.logger.warn(
         '⚠️ SECURITY WARNING: registerRolesGuardGlobally is explicitly set to false, ' +
-        'but no RolesGuard is registered globally. @Roles() decorators will NOT enforce access control! ' +
-        'Either set registerRolesGuardGlobally: true, or ensure CoreAuthModule (Legacy) is imported.',
+          'but no RolesGuard is registered globally. @Roles() decorators will NOT enforce access control! ' +
+          'Either set registerRolesGuardGlobally: true, or ensure CoreAuthModule (Legacy) is imported.',
       );
     }
   }
@@ -422,10 +424,10 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
     if (this.forRootCalled && !process.env.VITEST) {
       this.logger.warn(
         'CoreBetterAuthModule.forRoot() was called more than once. ' +
-        'The second call is ignored by NestJS (DynamicModule deduplication). ' +
-        'Custom controller/resolver from the second call will NOT be registered. ' +
-        'Solutions: (1) Use betterAuth.controller/resolver in config, or ' +
-        '(2) Set betterAuth.autoRegister: false and import your module separately.',
+          'The second call is ignored by NestJS (DynamicModule deduplication). ' +
+          'Custom controller/resolver from the second call will NOT be registered. ' +
+          'Solutions: (1) Use betterAuth.controller/resolver in config, or ' +
+          '(2) Set betterAuth.autoRegister: false and import your module separately.',
       );
       if (this.cachedDynamicModule) {
         return this.cachedDynamicModule;
@@ -453,11 +455,9 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
     const effectiveRawConfig = rawConfig ?? globalConfig?.betterAuth;
 
     // Auto-detect fallbackSecrets from ConfigService if not explicitly provided
-    const effectiveFallbackSecrets = fallbackSecrets ?? (
-      globalConfig?.jwt
-        ? [globalConfig.jwt.secret, globalConfig.jwt.refresh?.secret].filter(Boolean)
-        : undefined
-    );
+    const effectiveFallbackSecrets =
+      fallbackSecrets ??
+      (globalConfig?.jwt ? [globalConfig.jwt.secret, globalConfig.jwt.refresh?.secret].filter(Boolean) : undefined);
 
     // Auto-detect server URLs from ConfigService if not explicitly provided
     const effectiveServerAppUrl = serverAppUrl ?? globalConfig?.appUrl;
@@ -489,7 +489,14 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
       this.logger.debug('BetterAuth is disabled - skipping initialization');
       this.betterAuthEnabled = false;
       this.cachedDynamicModule = {
-        exports: [BETTER_AUTH_INSTANCE, CoreBetterAuthService, CoreBetterAuthUserMapper, CoreBetterAuthRateLimiter, BetterAuthTokenService, CoreBetterAuthChallengeService],
+        exports: [
+          BETTER_AUTH_INSTANCE,
+          CoreBetterAuthService,
+          CoreBetterAuthUserMapper,
+          CoreBetterAuthRateLimiter,
+          BetterAuthTokenService,
+          CoreBetterAuthChallengeService,
+        ],
         module: CoreBetterAuthModule,
         providers: [
           {
@@ -537,7 +544,16 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
   static forRootAsync(): DynamicModule {
     return {
       controllers: [this.getControllerClass()],
-      exports: [BETTER_AUTH_INSTANCE, CoreBetterAuthService, CoreBetterAuthUserMapper, CoreBetterAuthRateLimiter, BetterAuthTokenService, CoreBetterAuthChallengeService, CoreBetterAuthEmailVerificationService, CoreBetterAuthSignUpValidatorService],
+      exports: [
+        BETTER_AUTH_INSTANCE,
+        CoreBetterAuthService,
+        CoreBetterAuthUserMapper,
+        CoreBetterAuthRateLimiter,
+        BetterAuthTokenService,
+        CoreBetterAuthChallengeService,
+        CoreBetterAuthEmailVerificationService,
+        CoreBetterAuthSignUpValidatorService,
+      ],
       imports: [],
       module: CoreBetterAuthModule,
       providers: [
@@ -559,7 +575,10 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
         {
           inject: [ConfigService, CoreBetterAuthEmailVerificationService],
           provide: BETTER_AUTH_INSTANCE,
-          useFactory: async (configService: ConfigService, emailVerificationService: CoreBetterAuthEmailVerificationService) => {
+          useFactory: async (
+            configService: ConfigService,
+            emailVerificationService: CoreBetterAuthEmailVerificationService,
+          ) => {
             // Set static reference for callbacks BEFORE creating Better-Auth instance
             this.setEmailVerificationService(emailVerificationService);
 
@@ -608,9 +627,8 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
             // The original config object may be frozen (from ConfigService), so we
             // create a shallow copy with the resolved fallback secret applied.
             const resolvedSecret = config.secret || fallbackSecrets?.find((s) => s && s.length >= 32);
-            this.currentConfig = resolvedSecret && resolvedSecret !== config.secret
-              ? { ...config, secret: resolvedSecret }
-              : config;
+            this.currentConfig =
+              resolvedSecret && resolvedSecret !== config.secret ? { ...config, secret: resolvedSecret } : config;
 
             if (this.authInstance) {
               this.logger.log('BetterAuth initialized successfully');
@@ -725,7 +743,11 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
    */
   private static createEmailVerificationCallbacks(): {
     onEmailVerified: (userId: string) => Promise<void>;
-    sendVerificationEmail: (options: { token: string; url: string; user: { email: string; id: string; name?: null | string } }) => Promise<void>;
+    sendVerificationEmail: (options: {
+      token: string;
+      url: string;
+      user: { email: string; id: string; name?: null | string };
+    }) => Promise<void>;
   } {
     return {
       onEmailVerified: async (userId: string) => {
@@ -735,16 +757,17 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
           const db = this.mongoConnection?.db;
           if (db) {
             const { ObjectId } = await import('mongodb');
-            await db.collection('users').updateOne(
-              { _id: new ObjectId(userId) },
-              { $set: { verified: true, verifiedAt: new Date() } },
-            );
+            await db
+              .collection('users')
+              .updateOne({ _id: new ObjectId(userId) }, { $set: { verified: true, verifiedAt: new Date() } });
             this.logger.debug(`Email verified for user ${userId} - synced verified/verifiedAt`);
           } else {
             this.logger.warn(`Cannot sync verifiedAt for user ${userId} - no database connection`);
           }
         } catch (error) {
-          this.logger.error(`Failed to sync verifiedAt for user ${userId}: ${error instanceof Error ? error.message : 'Unknown error'}`);
+          this.logger.error(
+            `Failed to sync verifiedAt for user ${userId}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+          );
         }
       },
       sendVerificationEmail: async (options) => {
@@ -778,7 +801,16 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
   ): DynamicModule {
     return {
       controllers: [this.getControllerClass()],
-      exports: [BETTER_AUTH_INSTANCE, CoreBetterAuthService, CoreBetterAuthUserMapper, CoreBetterAuthRateLimiter, BetterAuthTokenService, CoreBetterAuthChallengeService, CoreBetterAuthEmailVerificationService, CoreBetterAuthSignUpValidatorService],
+      exports: [
+        BETTER_AUTH_INSTANCE,
+        CoreBetterAuthService,
+        CoreBetterAuthUserMapper,
+        CoreBetterAuthRateLimiter,
+        BetterAuthTokenService,
+        CoreBetterAuthChallengeService,
+        CoreBetterAuthEmailVerificationService,
+        CoreBetterAuthSignUpValidatorService,
+      ],
       module: CoreBetterAuthModule,
       providers: [
         // Optional BrevoService: uses factory to avoid constructor error when brevo config is missing
@@ -801,7 +833,10 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
           // Also inject EmailVerificationService to set static reference before Better-Auth init
           inject: [getConnectionToken(), CoreBetterAuthEmailVerificationService],
           provide: BETTER_AUTH_INSTANCE,
-          useFactory: async (connection: Connection, emailVerificationService: CoreBetterAuthEmailVerificationService) => {
+          useFactory: async (
+            connection: Connection,
+            emailVerificationService: CoreBetterAuthEmailVerificationService,
+          ) => {
             // Set static references for callbacks BEFORE creating Better-Auth instance
             this.setEmailVerificationService(emailVerificationService);
             this.mongoConnection = connection;
@@ -843,9 +878,8 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
             // Store a config copy with the resolved secret (same as first forRoot variant)
             const fallbacks = options?.fallbackSecrets;
             const resolvedSecret2 = config.secret || fallbacks?.find((s) => s && s.length >= 32);
-            this.currentConfig = resolvedSecret2 && resolvedSecret2 !== config.secret
-              ? { ...config, secret: resolvedSecret2 }
-              : config;
+            this.currentConfig =
+              resolvedSecret2 && resolvedSecret2 !== config.secret ? { ...config, secret: resolvedSecret2 } : config;
 
             // Keep static betterAuthEnabled in sync with the authInstance state.
             // This is important because forRoot() sets it synchronously, but reset()
@@ -907,10 +941,7 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
         ...(this.shouldRegisterRolesGuardGlobally && !RolesGuardRegistry.isRegistered()
           ? (() => {
               RolesGuardRegistry.markRegistered('CoreBetterAuthModule');
-              return [
-                BetterAuthRolesGuard,
-                { provide: APP_GUARD, useExisting: BetterAuthRolesGuard },
-              ];
+              return [BetterAuthRolesGuard, { provide: APP_GUARD, useExisting: BetterAuthRolesGuard }];
             })()
           : []),
       ],
@@ -979,6 +1010,10 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
       features.push('Sign-Up Checks');
     }
 
+    if (config.emailAndPassword?.disableSignUp) {
+      features.push('Sign-Up Disabled');
+    }
+
     if (features.length > 0) {
       this.logger.log(`Enabled features: ${features.join(', ')}`);
     }

package/src/core/modules/better-auth/core-better-auth.resolver.ts

@@ -107,10 +107,7 @@ export class CoreBetterAuthResolver {
    * @throws UnauthorizedException if email is not verified and verification is required
    */
   protected checkEmailVerification(sessionUser: BetterAuthSessionUser): void {
-    if (
-      this.emailVerificationService?.isEnabled()
-      && !sessionUser.emailVerified
-    ) {
+    if (this.emailVerificationService?.isEnabled() && !sessionUser.emailVerified) {
       this.logger.debug(`[SignIn] Email not verified for ${maskEmail(sessionUser.email)}, blocking login`);
       throw new UnauthorizedException(ErrorCode.EMAIL_VERIFICATION_REQUIRED);
     }
@@ -193,6 +190,7 @@ export class CoreBetterAuthResolver {
       enabled: this.betterAuthService.isEnabled(),
       jwt: this.betterAuthService.isJwtEnabled(),
       passkey: this.betterAuthService.isPasskeyEnabled(),
+      signUpEnabled: this.betterAuthService.isSignUpEnabled(),
       socialProviders: this.betterAuthService.getEnabledSocialProviders(),
       twoFactor: this.betterAuthService.isTwoFactorEnabled(),
     };
@@ -303,12 +301,16 @@ export class CoreBetterAuthResolver {
         body: { email, password },
       })) as BetterAuthSignInResponse | null;
 
-      this.logger.debug(`[SignIn] API response for ${maskEmail(email)}: ${JSON.stringify(response)?.substring(0, 200)}`);
+      this.logger.debug(
+        `[SignIn] API response for ${maskEmail(email)}: ${JSON.stringify(response)?.substring(0, 200)}`,
+      );
 
       // Check if response indicates an error (Better-Auth returns error objects, not throws)
       const responseAny = response as any;
       if (responseAny?.error || responseAny?.code === 'CREDENTIAL_ACCOUNT_NOT_FOUND') {
-        this.logger.debug(`[SignIn] API returned error for ${maskEmail(email)}: ${responseAny?.error || responseAny?.code}`);
+        this.logger.debug(
+          `[SignIn] API returned error for ${maskEmail(email)}: ${responseAny?.error || responseAny?.code}`,
+        );
         throw new Error(responseAny?.error || responseAny?.code || 'Credential account not found');
       }
 
@@ -341,7 +343,8 @@ export class CoreBetterAuthResolver {
         // 2. token (top-level, some BetterAuth versions)
         // 3. session.token (session-based fallback)
         const responseAny = response as any;
-        const rawToken = responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
+        const rawToken =
+          responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
         const token = await this.resolveJwtToken(rawToken);
 
         return {
@@ -410,7 +413,8 @@ export class CoreBetterAuthResolver {
     // 2. token (top-level, some BetterAuth versions)
     // 3. session.token (session-based fallback)
     const responseAny = response as any;
-    const rawToken = responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
+    const rawToken =
+      responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
     const token = await this.resolveJwtToken(rawToken);
 
     return {
@@ -448,6 +452,7 @@ export class CoreBetterAuthResolver {
     @Args('termsAndPrivacyAccepted', { nullable: true }) termsAndPrivacyAccepted?: boolean,
   ): Promise<CoreBetterAuthAuthModel> {
     this.ensureEnabled();
+    this.betterAuthService.ensureSignUpEnabled();
 
     // Validate sign-up input (termsAndPrivacyAccepted is required by default)
     if (this.signUpValidator) {
@@ -487,7 +492,9 @@ export class CoreBetterAuthResolver {
           if (sessionToken) {
             await this.betterAuthService.revokeSession(sessionToken);
           }
-          this.logger.debug(`[SignUp] Email verification required for ${maskEmail(sessionUser.email)}, session revoked`);
+          this.logger.debug(
+            `[SignUp] Email verification required for ${maskEmail(sessionUser.email)}, session revoked`,
+          );
           return {
             emailVerificationRequired: true,
             requiresTwoFactor: false,

package/src/core/modules/better-auth/core-better-auth.service.ts

@@ -1,4 +1,4 @@
-import { Inject, Injectable, Logger, Optional } from '@nestjs/common';
+import { BadRequestException, Inject, Injectable, Logger, Optional } from '@nestjs/common';
 import { InjectConnection } from '@nestjs/mongoose';
 import { Request } from 'express';
 import { importJWK, jwtVerify } from 'jose';
@@ -7,6 +7,7 @@ import { Connection } from 'mongoose';
 import { maskEmail, maskToken } from '../../common/helpers/logging.helper';
 import { IBetterAuth } from '../../common/interfaces/server-options.interface';
 import { ConfigService } from '../../common/services/config.service';
+import { ErrorCode } from '../error-code/error-codes';
 import { BetterAuthInstance } from './better-auth.config';
 import { BetterAuthSessionUser } from './core-better-auth-user.mapper';
 import { convertExpressHeaders, parseCookieHeader, signCookieValueIfNeeded } from './core-better-auth-web.helper';
@@ -155,6 +156,26 @@ export class CoreBetterAuthService {
     return true;
   }
 
+  /**
+   * Checks if sign-up is enabled.
+   * Sign-up is enabled by default unless explicitly disabled via
+   * emailAndPassword.disableSignUp: true
+   */
+  isSignUpEnabled(): boolean {
+    if (!this.isEnabled()) return false;
+    return this.config.emailAndPassword?.disableSignUp !== true;
+  }
+
+  /**
+   * Throws BadRequestException if sign-up is disabled.
+   * Used by Controller and Resolver as a guard before sign-up logic.
+   */
+  ensureSignUpEnabled(): void {
+    if (!this.isSignUpEnabled()) {
+      throw new BadRequestException(ErrorCode.SIGNUP_DISABLED);
+    }
+  }
+
   /**
    * Gets the list of enabled social providers
    * Dynamically iterates over all configured providers.
@@ -593,10 +614,7 @@ export class CoreBetterAuthService {
           {
             $match: {
               $expr: {
-                $or: [
-                  { $eq: ['$userId', userId] },
-                  { $eq: [{ $toString: '$userId' }, userId] },
-                ],
+                $or: [{ $eq: ['$userId', userId] }, { $eq: [{ $toString: '$userId' }, userId] }],
               },
               expiresAt: { $gt: new Date() },
             },
@@ -690,7 +708,9 @@ export class CoreBetterAuthService {
       }
       return !!result.user.emailVerified;
     } catch (error) {
-      this.logger.debug(`isUserEmailVerified error for ${maskEmail(email)}: ${error instanceof Error ? error.message : 'Unknown error'}`);
+      this.logger.debug(
+        `isUserEmailVerified error for ${maskEmail(email)}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      );
       return null;
     }
   }
@@ -867,7 +887,10 @@ export class CoreBetterAuthService {
    * @param token - Optional JWT token to verify directly (bypasses header extraction)
    * @returns The JWT payload with user info, or null if no valid token
    */
-  async verifyJwtFromRequest(req: Request, token?: string): Promise<null | {
+  async verifyJwtFromRequest(
+    req: Request,
+    token?: string,
+  ): Promise<null | {
     [key: string]: any;
     email?: string;
     sub: string;

package/src/core/modules/error-code/error-codes.ts

@@ -278,6 +278,15 @@ export const LtnsErrors = {
     },
   },
 
+  SIGNUP_DISABLED: {
+    code: 'LTNS_0026',
+    message: 'Sign-up is currently disabled',
+    translations: {
+      de: 'Die Registrierung ist derzeit deaktiviert.',
+      en: 'Sign-up is currently disabled.',
+    },
+  },
+
   // =====================================================
   // Authorization Errors (LTNS_0100-LTNS_0199)
   // =====================================================