From e4488da96ec5fa50e18a426245ea69ff500fdd0e Mon Sep 17 00:00:00 2001 From: Wen Sun Date: Wed, 17 Jan 2024 11:49:22 +0900 Subject: [PATCH] fix: signup is not allowed if password login is disabled (#2776) Signup is not allowed if password login is disabled If password login is disabled in the system configuration, the "signup" link on the "/auth" page is hidden, but a user can still open "/auth/signup" manually and gain access to the system by creating a new account; the API must enforce the setting, not just the UI. --- api/v1/auth.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/api/v1/auth.go b/api/v1/auth.go index 24cbdcd8..93123b3f 100644 --- a/api/v1/auth.go +++ b/api/v1/auth.go @@ -324,6 +324,23 @@ func (s *APIV1Service) SignUp(c echo.Context) error { if !allowSignUpSettingValue { return echo.NewHTTPError(http.StatusUnauthorized, "signup is disabled").SetInternal(err) } + disablePasswordLoginSystemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{ + Name: SystemSettingDisablePasswordLoginName.String(), + }) + if err != nil { + return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err) + } + if disablePasswordLoginSystemSetting != nil { + disablePasswordLogin := false + err = json.Unmarshal([]byte(disablePasswordLoginSystemSetting.Value), &disablePasswordLogin) + if err != nil { + return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting").SetInternal(err) + } + if disablePasswordLogin { + return echo.NewHTTPError(http.StatusUnauthorized, "password login is deactivated") + } + } } passwordHash, err := bcrypt.GenerateFromPassword([]byte(signup.Password), bcrypt.DefaultCost)
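Review bot: The new disable-password-login check is nested inside the same enclosing block as the allow-signup check (the `}` immediately after the added lines closes a block whose opening condition lies outside the hunk), so it is only evaluated when that outer condition holds; any path that bypasses that block — presumably the first/host-user case, but that cannot be confirmed from here — still reaches `bcrypt.GenerateFromPassword` and creates a password user even with password login disabled. If that is intentional, a one-line comment at the `if disablePasswordLoginSystemSetting != nil {` line such as `// Only reached for non-initial signups; the first (host) user is always allowed.` would record it; otherwise move the whole lookup-and-check to just before `passwordHash, err := bcrypt.GenerateFromPassword(...)`, where it guards every path and still avoids spending bcrypt cost on a request that will be refused. Separately, "password login is deactivated" is an authorization decision rather than a missing credential, so `http.StatusForbidden` fits better than `http.StatusUnauthorized`, though the adjacent "signup is disabled" return already uses 401, so aligning both is a separate cleanup. SignUp's body starts and ends outside the hunk.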