chore: update auth service

server/router/api/v1/auth_service.go

@@ -24,6 +24,10 @@ import (
 	"github.com/usememos/memos/store"
 )
 
+const (
+	unmatchedEmailAndPasswordError = "unmatched email and password"
+)
+
 func (s *APIV1Service) GetAuthStatus(ctx context.Context, _ *v1pb.GetAuthStatusRequest) (*v1pb.User, error) {
 	user, err := s.GetCurrentUser(ctx)
 	if err != nil {
@@ -47,14 +51,23 @@ func (s *APIV1Service) SignIn(ctx context.Context, request *v1pb.SignInRequest)
 		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to find user by username %s", request.Username))
 	}
 	if user == nil {
-		return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("user not found with username %s", request.Username))
-	} else if user.RowStatus == store.Archived {
-		return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("user has been archived with username %s", request.Username))
+		return nil, status.Errorf(codes.InvalidArgument, unmatchedEmailAndPasswordError)
 	}
-
 	// Compare the stored hashed password, with the hashed version of the password that was received.
 	if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(request.Password)); err != nil {
-		return nil, status.Errorf(codes.InvalidArgument, "unmatched email and password")
+		return nil, status.Errorf(codes.InvalidArgument, unmatchedEmailAndPasswordError)
+	}
+
+	workspaceGeneralSetting, err := s.Store.GetWorkspaceGeneralSetting(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get workspace general setting, err: %s", err))
+	}
+	// Check if the password sign in is allowed.
+	if workspaceGeneralSetting.DisallowPasswordSignin && user.Role == store.RoleUser {
+		return nil, status.Errorf(codes.PermissionDenied, "password signin is not allowed")
+	}
+	if user.RowStatus == store.Archived {
+		return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("user has been archived with username %s", request.Username))
 	}
 
 	expireTime := time.Now().Add(AccessTokenDuration)