fix(auth): guard blank rawCap + short-circuit cap≤0 in computeSignupCapacity

- Blank/whitespace rawCap (e.g. SIGN_CAP="") now treated as uncapped (null)
  instead of coercing to 0 via Number('')
- cap ≤ 0 short-circuits countFn (remaining is deterministically 0, no DB hit)
- Add unit tests: empty string cap, whitespace cap, cap=0 no-count assertion

Author: PierreBrisorgueil

modules/auth/services/auth.signupCapacity.js

@@ -1,14 +1,15 @@
 /**
  * @desc Compute the public beta-capacity view for the auth config endpoint:
  * the configured cap and how many seats remain. Skips the (collection-wide)
- * count entirely when uncapped, so the common case stays a no-op.
- * @param {number|string|null|undefined} rawCap - config.sign.cap (null/undefined/non-numeric = uncapped; 0 = fully closed, 0 seats)
+ * count entirely when uncapped or when cap ≤ 0 (remaining is deterministically 0).
+ * @param {number|string|null|undefined} rawCap - config.sign.cap (null/undefined/non-numeric/blank = uncapped; 0 = fully closed, 0 seats)
  * @param {() => Promise<number>} countFn - async total-account counter (UserService.count)
  * @returns {Promise<{cap: number|null, remaining: number|null}>}
  */
 export const computeSignupCapacity = async (rawCap, countFn) => {
-  const cap = rawCap != null ? Number(rawCap) : null;
+  const cap = rawCap != null && String(rawCap).trim() !== '' ? Number(rawCap) : null;
   if (cap == null || !Number.isFinite(cap)) return { cap: null, remaining: null };
+  if (cap <= 0) return { cap, remaining: 0 };
   const remaining = Math.max(0, cap - (await countFn()));
   return { cap, remaining };
 };

modules/auth/tests/auth.signupCapacity.unit.tests.js

@@ -30,10 +30,22 @@ describe('computeSignupCapacity', () => {
     expect(countFn).not.toHaveBeenCalled();
   });
 
-  test('cap = 0 → fully closed: {cap:0, remaining:0} and count IS called', async () => {
-    const countFn = jest.fn().mockResolvedValue(0);
+  test('empty string cap → treated as uncapped (not coerced to 0)', async () => {
+    const countFn = jest.fn();
+    await expect(computeSignupCapacity('', countFn)).resolves.toEqual({ cap: null, remaining: null });
+    expect(countFn).not.toHaveBeenCalled();
+  });
+
+  test('whitespace-only cap → treated as uncapped (not coerced to 0)', async () => {
+    const countFn = jest.fn();
+    await expect(computeSignupCapacity('   ', countFn)).resolves.toEqual({ cap: null, remaining: null });
+    expect(countFn).not.toHaveBeenCalled();
+  });
+
+  test('cap = 0 → fully closed: {cap:0, remaining:0} and count is NOT called (short-circuit)', async () => {
+    const countFn = jest.fn();
     await expect(computeSignupCapacity(0, countFn)).resolves.toEqual({ cap: 0, remaining: 0 });
-    expect(countFn).toHaveBeenCalled();
+    expect(countFn).not.toHaveBeenCalled();
   });
 
   test('numeric string cap ("42") → coerced: {cap:42, remaining:40}', async () => {