feat: add system setting to disable password-based login (#2039)

* system setting to disable password login * fix linter warning * fix indentation warning * Prohibit disable-password-login if no identity providers are configured * Warnings and explicit confirmation when en-/disabling password-login - Disabling password login now gives a warning and requires a second confirmation which needs to be explicitly typed. - (Re)Enabling password login now also gives a simple warning. - Removing an identity provider while password-login is disabled now also warns about possible problems. * Fix formatting * Fix code-style --------- Co-authored-by: traumweh <5042134-traumweh@users.noreply.gitlab.com>
2025-06-05 22:09:59 +02:00 · 2023-07-30 13:22:02 +00:00
parent 9ef0f8a901
commit c1cbfd5766
11 changed files with 257 additions and 55 deletions
--- a/api/v1/auth.go
+++ b/api/v1/auth.go
@ -37,6 +37,24 @@ func (s *APIV1Service) registerAuthRoutes(g *echo.Group) {
 	g.POST("/auth/signin", func(c echo.Context) error {
 		ctx := c.Request().Context()
 		signin := &SignIn{}
+
+		disablePasswordLoginSystemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+			Name: SystemSettingDisablePasswordLoginName.String(),
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)
+		}
+		if disablePasswordLoginSystemSetting != nil {
+			disablePasswordLogin := false
+			err = json.Unmarshal([]byte(disablePasswordLoginSystemSetting.Value), &disablePasswordLogin)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting").SetInternal(err)
+			}
+			if disablePasswordLogin {
+				return echo.NewHTTPError(http.StatusUnauthorized, "Password login is deactivated")
+			}
+		}
+
 		if err := json.NewDecoder(c.Request().Body).Decode(signin); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signin request").SetInternal(err)
 		}
--- a/api/v1/system.go
+++ b/api/v1/system.go
@ -19,6 +19,8 @@ type SystemStatus struct {
 	// System settings
 	// Allow sign up.
 	AllowSignUp bool `json:"allowSignUp"`
+	// Disable password login.
+	DisablePasswordLogin bool `json:"disablePasswordLogin"`
 	// Disable public memos.
 	DisablePublicMemos bool `json:"disablePublicMemos"`
 	// Max upload size.
@ -48,14 +50,15 @@ func (s *APIV1Service) registerSystemRoutes(g *echo.Group) {
 		ctx := c.Request().Context()

 		systemStatus := SystemStatus{
-			Profile:            *s.Profile,
-			DBSize:             0,
-			AllowSignUp:        false,
-			DisablePublicMemos: false,
-			MaxUploadSizeMiB:   32,
-			AutoBackupInterval: 0,
-			AdditionalStyle:    "",
-			AdditionalScript:   "",
+			Profile:              *s.Profile,
+			DBSize:               0,
+			AllowSignUp:          false,
+			DisablePasswordLogin: false,
+			DisablePublicMemos:   false,
+			MaxUploadSizeMiB:     32,
+			AutoBackupInterval:   0,
+			AdditionalStyle:      "",
+			AdditionalScript:     "",
 			CustomizedProfile: CustomizedProfile{
 				Name:        "memos",
 				LogoURL:     "",
@ -103,6 +106,8 @@ func (s *APIV1Service) registerSystemRoutes(g *echo.Group) {
 			switch systemSetting.Name {
 			case SystemSettingAllowSignUpName.String():
 				systemStatus.AllowSignUp = baseValue.(bool)
+			case SystemSettingDisablePasswordLoginName.String():
+				systemStatus.DisablePasswordLogin = baseValue.(bool)
 			case SystemSettingDisablePublicMemosName.String():
 				systemStatus.DisablePublicMemos = baseValue.(bool)
 			case SystemSettingMaxUploadSizeMiBName.String():
--- a/api/v1/system_setting.go
+++ b/api/v1/system_setting.go
@ -19,6 +19,8 @@ const (
 	SystemSettingSecretSessionName SystemSettingName = "secret-session"
 	// SystemSettingAllowSignUpName is the name of allow signup setting.
 	SystemSettingAllowSignUpName SystemSettingName = "allow-signup"
+	// SystemSettingDisablePasswordLoginName is the name of disable password login setting.
+	SystemSettingDisablePasswordLoginName SystemSettingName = "disable-password-login"
 	// SystemSettingDisablePublicMemosName is the name of disable public memos setting.
 	SystemSettingDisablePublicMemosName SystemSettingName = "disable-public-memos"
 	// SystemSettingMaxUploadSizeMiBName is the name of max upload size setting.
@ -92,6 +94,11 @@ func (upsert UpsertSystemSettingRequest) Validate() error {
 		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
 			return fmt.Errorf(systemSettingUnmarshalError, settingName)
 		}
+	case SystemSettingDisablePasswordLoginName:
+		var value bool
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return fmt.Errorf(systemSettingUnmarshalError, settingName)
+		}
 	case SystemSettingDisablePublicMemosName:
 		var value bool
 		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
@ -201,6 +208,20 @@ func (s *APIV1Service) registerSystemSettingRoutes(g *echo.Group) {
 		if err := systemSettingUpsert.Validate(); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "invalid system setting").SetInternal(err)
 		}
+		if systemSettingUpsert.Name == SystemSettingDisablePasswordLoginName {
+			var disablePasswordLogin bool
+			if err := json.Unmarshal([]byte(systemSettingUpsert.Value), &disablePasswordLogin); err != nil {
+				return echo.NewHTTPError(http.StatusBadRequest, "invalid system setting").SetInternal(err)
+			}
+
+			identityProviderList, err := s.Store.ListIdentityProviders(ctx, &store.FindIdentityProvider{})
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert system setting").SetInternal(err)
+			}
+			if disablePasswordLogin && len(identityProviderList) == 0 {
+				return echo.NewHTTPError(http.StatusForbidden, "Cannot disable passwords if no SSO identity provider is configured.")
+			}
+		}

 		systemSetting, err := s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
 			Name:        systemSettingUpsert.Name.String(),