Bug: Keycloak self-registration bypasses app registration pipeline #151

New issue

Open

opened 2026-03-28 21:26:02 +00:00 by forgejo_admin · 0 comments

forgejo_admin commented 2026-03-28 21:26:02 +00:00

Owner

Copy link

Type

Bug

Lineage

Discovered during spike #150 — parent login flow validation.

Repo

forgejo_admin/westside-landing (fix is Keycloak realm config, not app code)

What Broke

The westside-basketball Keycloak realm has registrationAllowed: true. The Keycloak login form shows a "New user? Register" link that creates a Keycloak account with NO corresponding Parent or Player records in basketball-api. User logs in successfully but sees empty dashboard.

Repro Steps

1. Navigate to /signin and click "Sign In"
2. On Keycloak login form, click "Register"
3. Fill in email, password, first name, last name and submit
4. User is created in Keycloak and logged in
5. Dashboard shows "No players found" — orphaned account

Expected Behavior

Self-registration via Keycloak should be disabled. All registration goes through the app's /register flow which creates Keycloak user + Parent + Player records together.

Environment

• Cluster/namespace: prod
• Service: Keycloak realm westside-basketball

Acceptance Criteria

• Keycloak registrationAllowed set to false on westside-basketball realm
• "Register" link no longer appears on Keycloak login form
• App's /register flow still works
• No orphaned Keycloak accounts created going forward

Related

• project-westside-basketball
• forgejo_admin/westside-landing #150 — parent spike

### Type Bug ### Lineage Discovered during spike #150 — parent login flow validation. ### Repo `forgejo_admin/westside-landing` (fix is Keycloak realm config, not app code) ### What Broke The `westside-basketball` Keycloak realm has `registrationAllowed: true`. The Keycloak login form shows a "New user? Register" link that creates a Keycloak account with NO corresponding Parent or Player records in basketball-api. User logs in successfully but sees empty dashboard. ### Repro Steps 1. Navigate to `/signin` and click "Sign In" 2. On Keycloak login form, click "Register" 3. Fill in email, password, first name, last name and submit 4. User is created in Keycloak and logged in 5. Dashboard shows "No players found" — orphaned account ### Expected Behavior Self-registration via Keycloak should be disabled. All registration goes through the app's `/register` flow which creates Keycloak user + Parent + Player records together. ### Environment - Cluster/namespace: prod - Service: Keycloak realm `westside-basketball` ### Acceptance Criteria - [ ] Keycloak `registrationAllowed` set to `false` on westside-basketball realm - [ ] "Register" link no longer appears on Keycloak login form - [ ] App's `/register` flow still works - [ ] No orphaned Keycloak accounts created going forward ### Related - `project-westside-basketball` - `forgejo_admin/westside-landing #150` — parent spike

forgejo_admin referenced this issue from a commit 2026-03-28 22:35:49 +00:00

fix: disable Keycloak self-registration in example tfvars

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

142-validate-coach-login-and-read-only-roste

139-fix-admin-dashboard-stats-showing-all-ze

129-validate-girls-draft-board-coach-login-a

204-auto-tag-update

deploy-update-image-tag

110-fix-harbor-push-target

No results found.

Labels

Clear labels   

domain:backend

  

domain:devops

  

domain:frontend

No labels

domain:backend

domain:devops

domain:frontend

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo_admin/westside-landing#151

No description provided.