npm - @lenne.tech/nest-server - Versions diffs - 11.13.3 → 11.13.5 - Mend

@lenne.tech/nest-server 11.13.3 → 11.13.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.13.3",
+  "version": "11.13.5",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",

package/src/core/common/interfaces/server-options.interface.ts CHANGED Viewed

@@ -1429,6 +1429,39 @@ export interface IServerOptions {
     path?: string;
   };
+  /**
+   * System setup configuration for initial admin creation.
+   *
+   * When enabled, provides REST endpoints for creating the first admin user
+   * on a fresh deployment (zero users in the database).
+   *
+   * Enabled by default when BetterAuth is active. Explicitly disable with:
+   * - `{ enabled: false }`: Disabled
+   *
+   * Auto-creation via config/ENV (no REST call needed):
+   * - `{ initialAdmin: { email: '...', password: '...' } }`
+   * - `NSC__systemSetup__initialAdmin__email` + `NSC__systemSetup__initialAdmin__password`
+   *
+   * @since 11.14.0
+   *
+   * @example
+   * ```typescript
+   * // Enabled by default (no config needed when BetterAuth is active)
+   *
+   * // Disable explicitly
+   * systemSetup: { enabled: false },
+   *
+   * // Auto-create admin on server start (useful for Docker/CI)
+   * systemSetup: {
+   *   initialAdmin: {
+   *     email: process.env.INITIAL_ADMIN_EMAIL,
+   *     password: process.env.INITIAL_ADMIN_PASSWORD,
+   *   },
+   * },
+   * ```
+   */
+  systemSetup?: ISystemSetup;
   /**
    * Templates
    */
@@ -1476,6 +1509,49 @@ export interface IServerOptions {
   tus?: boolean | ITusConfig;
 }
+export interface ISystemSetup {
+  /**
+   * Whether system setup is enabled.
+   * @default true (when BetterAuth is enabled)
+   */
+  enabled?: boolean;
+  /**
+   * Pre-configured initial admin credentials for automatic creation on server start.
+   *
+   * When set, the service will automatically create the initial admin user
+   * during application bootstrap if zero users exist. This is useful for
+   * automated deployments (Docker, CI/CD) where no manual REST call is possible.
+   *
+   * Can be provided via environment variables:
+   * - `NSC__systemSetup__initialAdmin__email`
+   * - `NSC__systemSetup__initialAdmin__password`
+   * - `NSC__systemSetup__initialAdmin__name` (optional)
+   *
+   * Security: Same zero-user guard applies - only works when no users exist.
+   */
+  initialAdmin?: ISystemSetupInitialAdmin;
+}
+/**
+ * System setup configuration interface
+ *
+ * Follows the "presence implies enabled" pattern:
+ * - `undefined`: Disabled (default, backward compatible)
+ * - `{}`: Enabled with defaults
+ * - `{ enabled: false }`: Disabled explicitly
+ *
+ * @since 11.14.0
+ */
+export interface ISystemSetupInitialAdmin {
+  /** Email address for the initial admin user */
+  email: string;
+  /** Name of the initial admin user (defaults to email prefix) */
+  name?: string;
+  /** Password for the initial admin user (minimum 8 characters) */
+  password: string;
+}
 /**
  * TUS Upload Configuration Interface
  *
@@ -1693,6 +1769,14 @@ interface IBetterAuthBase {
    * Set `enabled: false` to explicitly disable email/password auth.
    */
   emailAndPassword?: {
+    /**
+     * Disable user registration (sign-up) via BetterAuth.
+     * Passed through to better-auth's native emailAndPassword.disableSignUp.
+     * Custom endpoints (GraphQL + REST) also check this flag early.
+     * @default false
+     */
+    disableSignUp?: boolean;
     /**
      * Whether email/password authentication is enabled.
      * @default true
@@ -1993,10 +2077,7 @@ interface IBetterAuthBase {
  * };
  * ```
  */
-type IBetterAuthPasskeyDisabled =
-  | false
-  | (Omit<IBetterAuthPasskeyConfig, 'enabled'> & { enabled: false })
-  | undefined;
+type IBetterAuthPasskeyDisabled = false | (Omit<IBetterAuthPasskeyConfig, 'enabled'> & { enabled: false }) | undefined;
 /**
  * Passkey configuration that is considered "enabled".
@@ -2006,9 +2087,7 @@ type IBetterAuthPasskeyDisabled =
  * - `{ enabled: true, ... }` (explicit enabled)
  * - `{ rpName: 'My App', ... }` (config without explicit enabled = defaults to true)
  */
-type IBetterAuthPasskeyEnabled =
-  | (Omit<IBetterAuthPasskeyConfig, 'enabled'> & { enabled?: true })
-  | true;
+type IBetterAuthPasskeyEnabled = (Omit<IBetterAuthPasskeyConfig, 'enabled'> & { enabled?: true }) | true;
 /**
  * BetterAuth configuration WITHOUT Passkey (or Passkey disabled).

package/src/core/modules/better-auth/INTEGRATION-CHECKLIST.md CHANGED Viewed

@@ -313,6 +313,12 @@ After integration, verify:
 - [ ] Passkey login redirects to dashboard after successful authentication
 - [ ] Passkey can be registered, listed, and deleted from security settings
+### Optional: Disable Sign-Up (`emailAndPassword.disableSignUp: true`)
+- [ ] REST `POST /iam/sign-up/email` returns `400` with error `LTNS_0026`
+- [ ] GraphQL `betterAuthSignUp` returns error `LTNS_0026`
+- [ ] `GET /iam/features` reports `signUpEnabled: false`
+- [ ] Sign-in still works for existing users
 ### Additional checks for Migration scenario:
 - [ ] Sign-in via Legacy Auth works for BetterAuth-created users
 - [ ] Sign-in via BetterAuth works for Legacy-created users

package/src/core/modules/better-auth/README.md CHANGED Viewed

@@ -574,6 +574,32 @@ const config = {
 };
 ```
+### Disable Sign-Up
+Disable user registration while keeping sign-in active (e.g., invite-only apps, admin-created accounts):
+```typescript
+const config = {
+  betterAuth: {
+    emailAndPassword: {
+      disableSignUp: true, // Block new registrations (REST + GraphQL)
+    },
+  },
+};
+```
+When disabled:
+- REST `POST /iam/sign-up/email` returns `400 Bad Request` with error `LTNS_0026`
+- GraphQL `betterAuthSignUp` mutation returns error `LTNS_0026`
+- `betterAuthFeatures` reports `signUpEnabled: false`
+- Sign-in continues to work for existing users
+**Defense in Depth:** The flag is enforced at two layers:
+1. **Custom check** (`CoreBetterAuthService.ensureSignUpEnabled()`) runs in Controller/Resolver *before* any BetterAuth API call and returns a structured `LTNS_0026` error.
+2. **Native BetterAuth** `emailAndPassword.disableSignUp` acts as a safety net for any direct API access that bypasses the custom check.
+**Default:** `false` (sign-up enabled) - fully backward compatible.
 ### Additional User Fields
 Add custom fields to the Better-Auth user schema:
@@ -1049,6 +1075,7 @@ type CoreBetterAuthFeaturesModel {
   jwt: Boolean!
   twoFactor: Boolean!
   passkey: Boolean!
+  signUpEnabled: Boolean!
   socialProviders: [String!]!
 }
 ```
@@ -1100,6 +1127,7 @@ query {
     jwt
     twoFactor
     passkey
+    signUpEnabled
     socialProviders
   }
 }
@@ -1247,6 +1275,7 @@ export class MyService {
 | `isJwtEnabled()`                    | Check if JWT plugin is enabled               |
 | `isTwoFactorEnabled()`              | Check if 2FA is enabled                      |
 | `isPasskeyEnabled()`                | Check if Passkey is enabled                  |
+| `isSignUpEnabled()`                 | Check if sign-up is enabled                  |
 | `getEnabledSocialProviders()`       | Get list of enabled social providers         |
 | `getBasePath()`                     | Get the base path for endpoints              |
 | `getBaseUrl()`                      | Get the base URL                             |
@@ -1970,6 +1999,9 @@ These protected methods are available for use in your custom resolver:
 // Check if Better-Auth is enabled (throws if not)
 this.ensureEnabled();
+// Check if sign-up is enabled (throws if not) - delegated to service
+this.betterAuthService.ensureSignUpEnabled();
 // Convert Express headers to Web API Headers
 const headers = this.convertHeaders(ctx.req.headers);

package/src/core/modules/better-auth/better-auth.config.ts CHANGED Viewed

@@ -314,6 +314,12 @@ export function createBetterAuthInstance(options: CreateBetterAuthOptions): Bett
     // Enable email/password authentication by default (required by Better-Auth 1.x)
     // Can be disabled by setting config.emailAndPassword.enabled = false
     emailAndPassword: {
+      // Defense in Depth: This native Better-Auth flag is the second layer.
+      // The first layer is CoreBetterAuthService.ensureSignUpEnabled() which
+      // runs in Controller/Resolver BEFORE the BetterAuth API is called and
+      // returns a structured LTNS_0026 error. The native flag acts as a safety
+      // net in case the custom check is bypassed (e.g., direct API calls).
+      disableSignUp: config.emailAndPassword?.disableSignUp === true,
       enabled: config.emailAndPassword?.enabled !== false,
       password: {
         hash: nativeScryptHash,
@@ -426,7 +432,7 @@ function buildEmailVerificationConfig(
       _request?: Request,
     ) => {
       // Don't await to prevent timing attacks (as recommended by Better-Auth docs)
       sendVerificationEmail(data);
     };
   }
@@ -918,7 +924,11 @@ function normalizePasskeyConfig(
   // Resolve values: explicit config > resolved URLs
   const finalRpId = rawConfig.rpId || resolvedUrls.rpId;
   const finalOrigin = rawConfig.origin || resolvedUrls.appUrl;
-  const finalTrustedOrigins = config.trustedOrigins?.length ? config.trustedOrigins : resolvedUrls.appUrl ? [resolvedUrls.appUrl] : undefined;
+  const finalTrustedOrigins = config.trustedOrigins?.length
+    ? config.trustedOrigins
+    : resolvedUrls.appUrl
+      ? [resolvedUrls.appUrl]
+      : undefined;
   // Check if we have all required values for Passkey
   const hasRequiredConfig = finalRpId && finalOrigin && finalTrustedOrigins?.length;

package/src/core/modules/better-auth/core-better-auth-models.ts CHANGED Viewed

@@ -135,6 +135,9 @@ export class CoreBetterAuthFeaturesModel {
   @Field(() => Boolean, { description: 'Whether Passkey is enabled' })
   passkey: boolean;
+  @Field(() => Boolean, { description: 'Whether sign-up is enabled' })
+  signUpEnabled: boolean;
   @Field(() => [String], { description: 'List of enabled social providers' })
   socialProviders: string[];

package/src/core/modules/better-auth/core-better-auth.controller.ts CHANGED Viewed

@@ -14,7 +14,15 @@ import {
   Res,
   UnauthorizedException,
 } from '@nestjs/common';
-import { ApiBody, ApiCreatedResponse, ApiExcludeEndpoint, ApiOkResponse, ApiOperation, ApiProperty, ApiTags } from '@nestjs/swagger';
+import {
+  ApiBody,
+  ApiCreatedResponse,
+  ApiExcludeEndpoint,
+  ApiOkResponse,
+  ApiOperation,
+  ApiProperty,
+  ApiTags,
+} from '@nestjs/swagger';
 import { Request, Response } from 'express';
 import { Roles } from '../../common/decorators/roles.decorator';
@@ -251,7 +259,10 @@ export class CoreBetterAuthController {
    * @since 11.13.0
    */
   @ApiOkResponse({ description: 'Better-Auth feature flags' })
-  @ApiOperation({ description: 'Get enabled Better-Auth features for client-side feature detection', summary: 'Get Features' })
+  @ApiOperation({
+    description: 'Get enabled Better-Auth features for client-side feature detection',
+    summary: 'Get Features',
+  })
   @Get('features')
   @Roles(RoleEnum.S_EVERYONE)
   getFeatures(): Record<string, boolean | number | string[]> {
@@ -262,6 +273,7 @@ export class CoreBetterAuthController {
       passkey: this.betterAuthService.isPasskeyEnabled(),
       resendCooldownSeconds: this.emailVerificationService?.getConfig()?.resendCooldownSeconds ?? 60,
       signUpChecks: this.signUpValidator?.isEnabled() ?? false,
+      signUpEnabled: this.betterAuthService.isSignUpEnabled(),
       socialProviders: this.betterAuthService.getEnabledSocialProviders(),
       twoFactor: this.betterAuthService.isTwoFactorEnabled(),
     };
@@ -345,7 +357,9 @@ export class CoreBetterAuthController {
         // Without this, users with 2FA enabled but unverified email could bypass verification
         await this.checkEmailVerificationByEmail(input.email);
-        this.logger.debug(`2FA required for ${maskEmail(input.email)}, forwarding to native handler for cookie handling`);
+        this.logger.debug(
+          `2FA required for ${maskEmail(input.email)}, forwarding to native handler for cookie handling`,
+        );
         // Forward to native Better Auth handler which sets the session cookie correctly
         // We need to modify the request body to use the normalized password
@@ -370,7 +384,7 @@ export class CoreBetterAuthController {
           body: modifiedBody,
           headers: new Headers({
             'Content-Type': 'application/json',
-            'Origin': req.headers.origin || baseUrl,
+            Origin: req.headers.origin || baseUrl,
           }),
           method: 'POST',
         });
@@ -407,7 +421,8 @@ export class CoreBetterAuthController {
         const mappedUser = await this.userMapper.mapSessionUser(response.user);
         // Get token: JWT accessToken > top-level token > session.token
-        const rawToken = responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
+        const rawToken =
+          responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
         const token = await this.resolveJwtToken(rawToken);
         const result: CoreBetterAuthResponse = {
@@ -464,6 +479,7 @@ export class CoreBetterAuthController {
     @Body() input: CoreBetterAuthSignUpInput,
   ): Promise<CoreBetterAuthResponse> {
     this.ensureEnabled();
+    this.betterAuthService.ensureSignUpEnabled();
     // Validate sign-up input (termsAndPrivacyAccepted is required by default)
     if (this.signUpValidator) {
@@ -494,7 +510,9 @@ export class CoreBetterAuthController {
       if (hasUser(response)) {
         // Link or create user in our database
         // Pass termsAndPrivacyAccepted to store the acceptance timestamp
-        await this.userMapper.linkOrCreateUser(response.user, { termsAndPrivacyAccepted: input.termsAndPrivacyAccepted });
+        await this.userMapper.linkOrCreateUser(response.user, {
+          termsAndPrivacyAccepted: input.termsAndPrivacyAccepted,
+        });
         // Sync password to legacy (enables IAM Sign-Up → Legacy Sign-In)
         // Pass the plain password so it can be hashed with bcrypt for Legacy Auth
@@ -506,7 +524,8 @@ export class CoreBetterAuthController {
         // Without this, no session cookies are set after sign-up, causing 401 on
         // subsequent authenticated requests (e.g., Passkey, 2FA, /token)
         const responseAny = response as any;
-        const rawToken = responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
+        const rawToken =
+          responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
         const token = await this.resolveJwtToken(rawToken);
         // If email verification is enabled, revoke the session and don't return session data
@@ -518,7 +537,9 @@ export class CoreBetterAuthController {
             await this.betterAuthService.revokeSession(sessionToken);
           }
           this.clearAuthCookies(res);
-          this.logger.debug(`[SignUp] Email verification required for ${maskEmail(response.user.email)}, session revoked`);
+          this.logger.debug(
+            `[SignUp] Email verification required for ${maskEmail(response.user.email)}, session revoked`,
+          );
           return {
             emailVerificationRequired: true,
             requiresTwoFactor: false,
@@ -692,10 +713,7 @@ export class CoreBetterAuthController {
    * @throws UnauthorizedException if email is not verified and verification is required
    */
   protected checkEmailVerification(sessionUser: BetterAuthSessionUser): void {
-    if (
-      this.emailVerificationService?.isEnabled()
-      && !sessionUser.emailVerified
-    ) {
+    if (this.emailVerificationService?.isEnabled() && !sessionUser.emailVerified) {
       this.logger.debug(`[SignIn] Email not verified for ${maskEmail(sessionUser.email)}, blocking login`);
       throw new UnauthorizedException(ErrorCode.EMAIL_VERIFICATION_REQUIRED);
     }
@@ -764,7 +782,9 @@ export class CoreBetterAuthController {
    * NOTE: The session token is intentionally NOT included in the response.
    * It is set as an httpOnly cookie for security.
    */
-  protected mapSession(session: null | undefined | { expiresAt: Date; id: string; token?: string }): CoreBetterAuthSessionInfo | undefined {
+  protected mapSession(
+    session: null | undefined | { expiresAt: Date; id: string; token?: string },
+  ): CoreBetterAuthSessionInfo | undefined {
     if (!session) return undefined;
     return {
       expiresAt: session.expiresAt instanceof Date ? session.expiresAt.toISOString() : String(session.expiresAt),
@@ -778,7 +798,7 @@ export class CoreBetterAuthController {
    * @param sessionUser - The user from Better-Auth session
    * @param _mappedUser - The synced user from legacy system (available for override customization)
    */
   protected mapUser(sessionUser: BetterAuthSessionUser, _mappedUser: any): CoreBetterAuthUserResponse {
     return {
       email: sessionUser.email,
@@ -802,7 +822,11 @@ export class CoreBetterAuthController {
    * @param result - The CoreBetterAuthResponse to return
    * @param sessionToken - Optional session token to set in cookies (if not provided, uses result.token)
    */
-  protected processCookies(res: Response, result: CoreBetterAuthResponse, sessionToken?: string): CoreBetterAuthResponse {
+  protected processCookies(
+    res: Response,
+    result: CoreBetterAuthResponse,
+    sessionToken?: string,
+  ): CoreBetterAuthResponse {
     const cookiesEnabled = this.configService.getFastButReadOnly('cookies') !== false;
     // If a specific session token is provided, use it directly
@@ -883,7 +907,11 @@ export class CoreBetterAuthController {
       this.logger.error(`Better Auth handler error: ${error instanceof Error ? error.message : 'Unknown error'}`);
       // Re-throw NestJS exceptions
-      if (error instanceof BadRequestException || error instanceof UnauthorizedException || error instanceof InternalServerErrorException) {
+      if (
+        error instanceof BadRequestException ||
+        error instanceof UnauthorizedException ||
+        error instanceof InternalServerErrorException
+      ) {
         throw error;
       }

package/src/core/modules/better-auth/core-better-auth.module.ts CHANGED Viewed

@@ -313,15 +313,17 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
     if (CoreBetterAuthModule.currentConfig) {
       const globalConfig = ConfigService.configFastButReadOnly;
       const cookiesDisabled = globalConfig?.cookies === false;
-      const jwtExplicitlyDisabled = CoreBetterAuthModule.currentConfig.jwt === false
-        || (typeof CoreBetterAuthModule.currentConfig.jwt === 'object' && CoreBetterAuthModule.currentConfig.jwt?.enabled === false);
+      const jwtExplicitlyDisabled =
+        CoreBetterAuthModule.currentConfig.jwt === false ||
+        (typeof CoreBetterAuthModule.currentConfig.jwt === 'object' &&
+          CoreBetterAuthModule.currentConfig.jwt?.enabled === false);
       if (cookiesDisabled && jwtExplicitlyDisabled) {
         CoreBetterAuthModule.logger.warn(
           'CONFIGURATION WARNING: cookies is set to false, but betterAuth.jwt is not enabled. ' +
-          'Without cookies, BetterAuth cannot establish sessions via Set-Cookie headers. ' +
-          'Enable betterAuth.jwt (set jwt: true in betterAuth config) to use Bearer token authentication, ' +
-          'or set cookies: true to use cookie-based sessions.',
+            'Without cookies, BetterAuth cannot establish sessions via Set-Cookie headers. ' +
+            'Enable betterAuth.jwt (set jwt: true in betterAuth config) to use Bearer token authentication, ' +
+            'or set cookies: true to use cookie-based sessions.',
         );
       }
     }
@@ -331,8 +333,8 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
     if (CoreBetterAuthModule.rolesGuardExplicitlyDisabled && !RolesGuardRegistry.isRegistered()) {
       CoreBetterAuthModule.logger.warn(
         '⚠️ SECURITY WARNING: registerRolesGuardGlobally is explicitly set to false, ' +
-        'but no RolesGuard is registered globally. @Roles() decorators will NOT enforce access control! ' +
-        'Either set registerRolesGuardGlobally: true, or ensure CoreAuthModule (Legacy) is imported.',
+          'but no RolesGuard is registered globally. @Roles() decorators will NOT enforce access control! ' +
+          'Either set registerRolesGuardGlobally: true, or ensure CoreAuthModule (Legacy) is imported.',
       );
     }
   }
@@ -422,10 +424,10 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
     if (this.forRootCalled && !process.env.VITEST) {
       this.logger.warn(
         'CoreBetterAuthModule.forRoot() was called more than once. ' +
-        'The second call is ignored by NestJS (DynamicModule deduplication). ' +
-        'Custom controller/resolver from the second call will NOT be registered. ' +
-        'Solutions: (1) Use betterAuth.controller/resolver in config, or ' +
-        '(2) Set betterAuth.autoRegister: false and import your module separately.',
+          'The second call is ignored by NestJS (DynamicModule deduplication). ' +
+          'Custom controller/resolver from the second call will NOT be registered. ' +
+          'Solutions: (1) Use betterAuth.controller/resolver in config, or ' +
+          '(2) Set betterAuth.autoRegister: false and import your module separately.',
       );
       if (this.cachedDynamicModule) {
         return this.cachedDynamicModule;
@@ -453,11 +455,9 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
     const effectiveRawConfig = rawConfig ?? globalConfig?.betterAuth;
     // Auto-detect fallbackSecrets from ConfigService if not explicitly provided
-    const effectiveFallbackSecrets = fallbackSecrets ?? (
-      globalConfig?.jwt
-        ? [globalConfig.jwt.secret, globalConfig.jwt.refresh?.secret].filter(Boolean)
-        : undefined
-    );
+    const effectiveFallbackSecrets =
+      fallbackSecrets ??
+      (globalConfig?.jwt ? [globalConfig.jwt.secret, globalConfig.jwt.refresh?.secret].filter(Boolean) : undefined);
     // Auto-detect server URLs from ConfigService if not explicitly provided
     const effectiveServerAppUrl = serverAppUrl ?? globalConfig?.appUrl;
@@ -489,7 +489,14 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
       this.logger.debug('BetterAuth is disabled - skipping initialization');
       this.betterAuthEnabled = false;
       this.cachedDynamicModule = {
-        exports: [BETTER_AUTH_INSTANCE, CoreBetterAuthService, CoreBetterAuthUserMapper, CoreBetterAuthRateLimiter, BetterAuthTokenService, CoreBetterAuthChallengeService],
+        exports: [
+          BETTER_AUTH_INSTANCE,
+          CoreBetterAuthService,
+          CoreBetterAuthUserMapper,
+          CoreBetterAuthRateLimiter,
+          BetterAuthTokenService,
+          CoreBetterAuthChallengeService,
+        ],
         module: CoreBetterAuthModule,
         providers: [
           {
@@ -537,7 +544,16 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
   static forRootAsync(): DynamicModule {
     return {
       controllers: [this.getControllerClass()],
-      exports: [BETTER_AUTH_INSTANCE, CoreBetterAuthService, CoreBetterAuthUserMapper, CoreBetterAuthRateLimiter, BetterAuthTokenService, CoreBetterAuthChallengeService, CoreBetterAuthEmailVerificationService, CoreBetterAuthSignUpValidatorService],
+      exports: [
+        BETTER_AUTH_INSTANCE,
+        CoreBetterAuthService,
+        CoreBetterAuthUserMapper,
+        CoreBetterAuthRateLimiter,
+        BetterAuthTokenService,
+        CoreBetterAuthChallengeService,
+        CoreBetterAuthEmailVerificationService,
+        CoreBetterAuthSignUpValidatorService,
+      ],
       imports: [],
       module: CoreBetterAuthModule,
       providers: [
@@ -559,7 +575,10 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
         {
           inject: [ConfigService, CoreBetterAuthEmailVerificationService],
           provide: BETTER_AUTH_INSTANCE,
-          useFactory: async (configService: ConfigService, emailVerificationService: CoreBetterAuthEmailVerificationService) => {
+          useFactory: async (
+            configService: ConfigService,
+            emailVerificationService: CoreBetterAuthEmailVerificationService,
+          ) => {
             // Set static reference for callbacks BEFORE creating Better-Auth instance
             this.setEmailVerificationService(emailVerificationService);
@@ -608,9 +627,8 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
             // The original config object may be frozen (from ConfigService), so we
             // create a shallow copy with the resolved fallback secret applied.
             const resolvedSecret = config.secret || fallbackSecrets?.find((s) => s && s.length >= 32);
-            this.currentConfig = resolvedSecret && resolvedSecret !== config.secret
-              ? { ...config, secret: resolvedSecret }
-              : config;
+            this.currentConfig =
+              resolvedSecret && resolvedSecret !== config.secret ? { ...config, secret: resolvedSecret } : config;
             if (this.authInstance) {
               this.logger.log('BetterAuth initialized successfully');
@@ -725,7 +743,11 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
    */
   private static createEmailVerificationCallbacks(): {
     onEmailVerified: (userId: string) => Promise<void>;
-    sendVerificationEmail: (options: { token: string; url: string; user: { email: string; id: string; name?: null | string } }) => Promise<void>;
+    sendVerificationEmail: (options: {
+      token: string;
+      url: string;
+      user: { email: string; id: string; name?: null | string };
+    }) => Promise<void>;
   } {
     return {
       onEmailVerified: async (userId: string) => {
@@ -735,16 +757,17 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
           const db = this.mongoConnection?.db;
           if (db) {
             const { ObjectId } = await import('mongodb');
-            await db.collection('users').updateOne(
-              { _id: new ObjectId(userId) },
-              { $set: { verified: true, verifiedAt: new Date() } },
-            );
+            await db
+              .collection('users')
+              .updateOne({ _id: new ObjectId(userId) }, { $set: { verified: true, verifiedAt: new Date() } });
             this.logger.debug(`Email verified for user ${userId} - synced verified/verifiedAt`);
           } else {
             this.logger.warn(`Cannot sync verifiedAt for user ${userId} - no database connection`);
           }
         } catch (error) {
-          this.logger.error(`Failed to sync verifiedAt for user ${userId}: ${error instanceof Error ? error.message : 'Unknown error'}`);
+          this.logger.error(
+            `Failed to sync verifiedAt for user ${userId}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+          );
         }
       },
       sendVerificationEmail: async (options) => {
@@ -778,7 +801,16 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
   ): DynamicModule {
     return {
       controllers: [this.getControllerClass()],
-      exports: [BETTER_AUTH_INSTANCE, CoreBetterAuthService, CoreBetterAuthUserMapper, CoreBetterAuthRateLimiter, BetterAuthTokenService, CoreBetterAuthChallengeService, CoreBetterAuthEmailVerificationService, CoreBetterAuthSignUpValidatorService],
+      exports: [
+        BETTER_AUTH_INSTANCE,
+        CoreBetterAuthService,
+        CoreBetterAuthUserMapper,
+        CoreBetterAuthRateLimiter,
+        BetterAuthTokenService,
+        CoreBetterAuthChallengeService,
+        CoreBetterAuthEmailVerificationService,
+        CoreBetterAuthSignUpValidatorService,
+      ],
       module: CoreBetterAuthModule,
       providers: [
         // Optional BrevoService: uses factory to avoid constructor error when brevo config is missing
@@ -801,7 +833,10 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
           // Also inject EmailVerificationService to set static reference before Better-Auth init
           inject: [getConnectionToken(), CoreBetterAuthEmailVerificationService],
           provide: BETTER_AUTH_INSTANCE,
-          useFactory: async (connection: Connection, emailVerificationService: CoreBetterAuthEmailVerificationService) => {
+          useFactory: async (
+            connection: Connection,
+            emailVerificationService: CoreBetterAuthEmailVerificationService,
+          ) => {
             // Set static references for callbacks BEFORE creating Better-Auth instance
             this.setEmailVerificationService(emailVerificationService);
             this.mongoConnection = connection;
@@ -843,9 +878,8 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
             // Store a config copy with the resolved secret (same as first forRoot variant)
             const fallbacks = options?.fallbackSecrets;
             const resolvedSecret2 = config.secret || fallbacks?.find((s) => s && s.length >= 32);
-            this.currentConfig = resolvedSecret2 && resolvedSecret2 !== config.secret
-              ? { ...config, secret: resolvedSecret2 }
-              : config;
+            this.currentConfig =
+              resolvedSecret2 && resolvedSecret2 !== config.secret ? { ...config, secret: resolvedSecret2 } : config;
             // Keep static betterAuthEnabled in sync with the authInstance state.
             // This is important because forRoot() sets it synchronously, but reset()
@@ -907,10 +941,7 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
         ...(this.shouldRegisterRolesGuardGlobally && !RolesGuardRegistry.isRegistered()
           ? (() => {
               RolesGuardRegistry.markRegistered('CoreBetterAuthModule');
-              return [
-                BetterAuthRolesGuard,
-                { provide: APP_GUARD, useExisting: BetterAuthRolesGuard },
-              ];
+              return [BetterAuthRolesGuard, { provide: APP_GUARD, useExisting: BetterAuthRolesGuard }];
             })()
           : []),
       ],
@@ -979,6 +1010,10 @@ export class CoreBetterAuthModule implements NestModule, OnModuleInit {
       features.push('Sign-Up Checks');
     }
+    if (config.emailAndPassword?.disableSignUp) {
+      features.push('Sign-Up Disabled');
+    }
     if (features.length > 0) {
       this.logger.log(`Enabled features: ${features.join(', ')}`);
     }