From b8f24343a40dd87df90f342e1be98d46d78d56ae Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Thu, 18 Sep 2025 11:30:17 +1000 Subject: [PATCH 1/3] feat: HID is going, so stop new sign-ups. Remove the register link, disable the register path, disable the register form. That should do it. Refs: HID-2438 --- api/controllers/ViewController.js | 26 ++++++++++++ config/routes.js | 5 ++- config/web.js | 1 - templates/login.html | 1 - templates/register.html | 66 +++++++------------------------ 5 files changed, 45 insertions(+), 54 deletions(-) diff --git a/api/controllers/ViewController.js b/api/controllers/ViewController.js index 920db3f2..3f865850 100644 --- a/api/controllers/ViewController.js +++ b/api/controllers/ViewController.js @@ -17,6 +17,9 @@ const config = require('../../config/env'); const { logger } = config; function _getRegisterLink(args) { + // Registrations disabled. No register page link. + return '/'; + const params = HelperService.getOauthParams(args); let registerLink = '/register'; if (params) { @@ -216,6 +219,17 @@ module.exports = { }, register(request, reply) { + + return reply.view('login', { + alert: { + type: 'error', + message: 'No new registrations are accepted.', + }, + query: request.query, + registerLink, + passwordLink, + }); + const requestUrl = _buildRequestUrl(request, 'verify'); return reply.view('register', { title: 'Register a Humanitarian ID account', @@ -228,6 +242,18 @@ module.exports = { }, async registerPost(request, reply) { + + // Early return, no registration allowed. + return reply.view('login', { + alert: { + type: 'error', + message: 'No new registrations are accepted.', + }, + query: request.query, + registerLink, + passwordLink, + }); + // Check recaptcha const recaptcha = new Recaptcha({ siteKey: process.env.RECAPTCHA_PUBLIC_KEY, diff --git a/config/routes.js b/config/routes.js index d6d1b882..49c827bb 100644 --- a/config/routes.js +++ b/config/routes.js 
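Review bot: The early return added at the top of `registerPost` closes only the HTML form path, so new accounts can still be created if account creation is reachable any other way. PATCH 2/3 shows this handler delegated to `UserController.create(request)`, and the series only touches the two `/register` view routes in `config/routes.js`; whether an API route also maps to `UserController.create` is not visible in this diff. If one exists, the block belongs at that layer too, for example a guard at the top of `create` that rejects with a 403 and the same "No new registrations are accepted." message. The body of `registerPost` continues past the end of this hunk.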
@@ -26,7 +26,8 @@ module.exports = [ * Public-facing pages * * None of these routes require a session. Account setup/recovery actions are - * all included here: registration, verify, password reset, API docs, etc. + * all included here: verify, password reset, API docs, etc. + * Registration is disabled - https://humanitarian.atlassian.net/browse/HID-2438 */ { method: 'GET', @@ -46,6 +47,7 @@ module.exports = [ }, }, + /* { method: 'GET', path: '/register', @@ -63,6 +65,7 @@ module.exports = [ auth: false, }, }, + */ { method: 'GET', diff --git a/config/web.js b/config/web.js index 25833f89..09628580 100644 --- a/config/web.js +++ b/config/web.js @@ -130,7 +130,6 @@ const config = { '/', '/login', '/oauth/authorize', - '/register', '/verify', '/password', '/new-password', diff --git a/templates/login.html b/templates/login.html index da2ee2da..c8c3f1eb 100644 --- a/templates/login.html +++ b/templates/login.html @@ -49,7 +49,6 @@
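Review bot: Wrapping the `/register` route objects in `/*` … `*/` leaves dead configuration in `config/routes.js` and makes the handler changes in this series unreachable. With no route registered, a request to `/register` presumably gets the framework's not-found response, so the "No new registrations are accepted." alert in `ViewController.register`/`registerPost` and the decommission notice added to `templates/register.html` are never rendered. Either delete the route objects, the handlers and the template outright (version control keeps the history), or keep the GET route so that old bookmarks and links land on the notice. The comment opens in the second hunk of this file and closes in the third; the route bodies in between are outside both hunks, so it is an inference that it covers both the GET and the POST route.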

Log in

-

Register a new Humanitarian ID Account

Forgot/Reset password

diff --git a/templates/register.html b/templates/register.html index 996ee42a..20141503 100644 --- a/templates/register.html +++ b/templates/register.html @@ -4,61 +4,25 @@
+ <%- include('includes/alert') %>

Register a Humanitarian ID account

- <%- include('includes/alert') %> - -
-
- - -
-
- - -
-
- - -
-
- - - +
+
+ +
+ After careful review, the Humanitarian ID project will be decommissioned as of 31 December 2025. New account registrations are disabled. +
-
- - - -
-
- <%- include('includes/password-requirements') %> -
-
- - - +
+
From ba85d6c0fe4100108e1112851c11e7d4ff9814ae Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Thu, 18 Sep 2025 12:01:43 +1000 Subject: [PATCH 2/3] fix: lint --- api/controllers/ViewController.js | 131 ++---------------------------- 1 file changed, 5 insertions(+), 126 deletions(-) diff --git a/api/controllers/ViewController.js b/api/controllers/ViewController.js index 3f865850..b36091b9 100644 --- a/api/controllers/ViewController.js +++ b/api/controllers/ViewController.js @@ -20,21 +20,23 @@ function _getRegisterLink(args) { // Registrations disabled. No register page link. return '/'; + /* const params = HelperService.getOauthParams(args); let registerLink = '/register'; if (params) { registerLink += `?${params}`; } return registerLink; + */ } function _getPasswordLink(args) { const params = HelperService.getOauthParams(args); - let registerLink = '/password'; + let passwordLink = '/password'; if (params) { - registerLink += `?${params}`; + passwordLink += `?${params}`; } - return registerLink; + return passwordLink; } function _buildRequestUrl(request, url) { @@ -219,25 +221,12 @@ module.exports = { }, register(request, reply) { - return reply.view('login', { alert: { type: 'error', message: 'No new registrations are accepted.', }, query: request.query, - registerLink, - passwordLink, - }); - - const requestUrl = _buildRequestUrl(request, 'verify'); - return reply.view('register', { - title: 'Register a Humanitarian ID account', - formEmail: '', - formGivenName: '', - formFamilyName: '', - requestUrl, - recaptcha_site_key: process.env.RECAPTCHA_PUBLIC_KEY, }); }, 
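Review bot: After this change `register` renders the `login` view with only `alert` and `query`, and `registerPost` does the same in the next hunk. The removed `reply.view('login', …)` calls in `registerPost` all passed `registerLink` and `passwordLink`, and `templates/login.html` still carries the "Forgot/Reset password" link. If the template reads `passwordLink` as a bare variable, rendering fails, and otherwise the link comes out empty; the template markup is not visible here, so this needs checking. Passing it explicitly keeps the page consistent with the other `login` renders, e.g. `passwordLink: _getPasswordLink(request.query),` (the removed POST code used `request.payload`). Both handlers are currently unreachable because PATCH 1/3 comments out their routes, so this only bites if the routes are restored.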
@@ -250,117 +239,7 @@ module.exports = { message: 'No new registrations are accepted.', }, query: request.query, - registerLink, - passwordLink, - }); - - // Check recaptcha - const recaptcha = new Recaptcha({ - siteKey: process.env.RECAPTCHA_PUBLIC_KEY, - secretKey: process.env.RECAPTCHA_PRIVATE_KEY, }); - const registerLink = _getRegisterLink(request.payload); - const passwordLink = _getPasswordLink(request.payload); - let requestUrl = _buildRequestUrl(request, 'verify'); - - // Validate the visitor's response to reCAPTCHA challenge. - try { - await recaptcha.validate(request.payload['g-recaptcha-response']); - } catch (err) { - const errorType = 'RECAPTCHA'; - - logger.warn( - '[ViewController->registerPost] Failure during reCAPTCHA validation.', - { - request, - security: true, - fail: true, - stack_trace: err.stack, - error_type: errorType, - }, - ); - - return reply.view('register', { - alert: { - type: 'error', - message: ` -

Our system detected your registration attempt as spam. We apologize for the inconvenience.

-

For more information on why this problem may be occurring, please see our FAQs

- `, - error_type: errorType, - }, - formEmail: request.payload.email, - formGivenName: request.payload.given_name, - formFamilyName: request.payload.family_name, - query: request.query, - registerLink, - passwordLink, - requestUrl, - recaptcha_site_key: process.env.RECAPTCHA_PUBLIC_KEY, - }); - } - - // reCAPTCHA validation was successful. Proceed. - try { - // Attempt to create a new HID account. - await UserController.create(request); - - // Render login form with success message. - return reply.view('login', { - alert: { - type: 'status', - message: 'Thank you for creating an account. You will soon receive a confirmation email to confirm your account.', - }, - query: request.query, - registerLink, - passwordLink, - }); - } catch (err) { - // Check if we have an error worth telling the user about. - const errorMessage = err.output && err.output.payload && err.output.payload.message; - let userMessage = 'There is an error in your registration. You may have already registered. If so, simply reset your password at https://auth.humanitarian.id/password.'; - - // If the error says the email already exists, we'll redirect to login. - if (errorMessage && errorMessage.indexOf('is already registered') !== -1) { - userMessage = 'That email address is already registered. Please login, or if you\'ve forgotten your password, reset using the link below.'; - - return reply.view('login', { - alert: { - type: 'error', - message: userMessage, - }, - query: request.query, - registerLink, - passwordLink, - }); - } - - // Check the error for a few special cases to provide better user feedback. - // All of these will render the registration form. - if (errorMessage && errorMessage.indexOf('password does not meet') !== -1) { - userMessage = 'Your password was not strong enough. Please check the requirements and try again.'; - } - if (errorMessage && errorMessage.indexOf('fields do not match') !== -1) { - userMessage = 'Your password fields did not match. 
Please try again and carefully confirm the password.'; - } - - // Add a domain from the allow-list. - requestUrl = _buildRequestUrl(request, 'register'); - - // Render registration form. - return reply.view('register', { - alert: { - type: 'warning', - message: userMessage, - }, - query: request.query, - formEmail: request.payload.email, - formGivenName: request.payload.given_name, - formFamilyName: request.payload.family_name, - requestUrl, - recaptcha_site_key: process.env.RECAPTCHA_PUBLIC_KEY, - }); - } }, async verify(request, reply) { From 71b4ab4e81c6afdf238228e29a8807e0d59a1ec3 Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Thu, 18 Sep 2025 12:06:39 +1000 Subject: [PATCH 3/3] fix: more lint --- api/controllers/ViewController.js | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/api/controllers/ViewController.js b/api/controllers/ViewController.js index b36091b9..779a151f 100644 --- a/api/controllers/ViewController.js +++ b/api/controllers/ViewController.js @@ -4,7 +4,6 @@ */ const Boom = require('@hapi/boom'); const Hoek = require('@hapi/hoek'); -const Recaptcha = require('recaptcha2'); const Client = require('../models/Client'); const User = require('../models/User'); const EmailService = require('../services/EmailService'); @@ -18,16 +17,12 @@ const { logger } = config; function _getRegisterLink(args) { // Registrations disabled. No register page link. - return '/'; - - /* const params = HelperService.getOauthParams(args); - let registerLink = '/register'; + let registerLink = '/'; if (params) { registerLink += `?${params}`; } return registerLink; - */ } function _getPasswordLink(args) { @@ -221,6 +216,7 @@ module.exports = { }, register(request, reply) { + // Early return, no registration allowed. return reply.view('login', { alert: { type: 'error', @@ -231,7 +227,6 @@ module.exports = { }, async registerPost(request, reply) { - // Early return, no registration allowed. return reply.view('login', { alert: {
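Review bot: `_getRegisterLink` now returns `/` plus the OAuth query string, but the local is still named `registerLink` and the comment "No register page link." no longer describes the code underneath it. A comment such as `// Registrations are disabled (HID-2438): link to the landing page, keeping any OAuth params.` and a local named `homeLink` would say what the function does. PATCH 1/3 removed the register link from `templates/login.html`, so the helper may have no remaining consumer; its callers are outside this hunk, so check before keeping it.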