authorkamtschatka <simon.schatka@gmx.at>2024-10-12 15:27:21 +0200
committerGitHub <noreply@github.com>2024-10-12 14:27:21 +0100
commit9f87207d668fbe0a2039c63803128fbe5916f993 (patch)
tree08e1fff219e204258ebbf1732ddf22bff145714d /packages/trpc
parent02a5b35a30845268cfaa814bb045d0ec800dc538 (diff)
feature: Allow to disable default password login after SSO is configured. Fixes #406 (#502)
* [Feature Request] Allow to disable default password log in after SSO is configured #406 changed the flag to also disallow logging in via password The extensions will also no longer be allowed to log in via username/password then * [Feature Request] Allow to disable default password log in after SSO is configured #406 added the error message for OAuth
Diffstat (limited to 'packages/trpc')
-rw-r--r--packages/trpc/auth.ts4
-rw-r--r--packages/trpc/routers/apiKeys.ts8
-rw-r--r--packages/trpc/routers/users.ts4
3 files changed, 14 insertions, 2 deletions
diff --git a/packages/trpc/auth.ts b/packages/trpc/auth.ts
index 846c07b6..39aebd3b 100644
--- a/packages/trpc/auth.ts
+++ b/packages/trpc/auth.ts
@@ -3,6 +3,7 @@ import * as bcrypt from "bcryptjs";
import { db } from "@hoarder/db";
import { apiKeys } from "@hoarder/db/schema";
+import serverConfig from "@hoarder/shared/config";
// API Keys
@@ -79,6 +80,9 @@ export async function hashPassword(password: string) {
}
export async function validatePassword(email: string, password: string) {
+ if (serverConfig.auth.disablePasswordAuth) {
+ throw new Error("Password authentication is currently disabled");
+ }
const user = await db.query.users.findFirst({
where: (u, { eq }) => eq(u.email, email),
});
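Review bot: The new guard at the top of `validatePassword` throws a plain `Error`, which a caller that wraps the call in try/catch cannot tell apart from a bad credential; the apiKeys.ts hunk in this commit repeats the config check before its own `try` for that reason. A dedicated error type declared in this file (for example `throw new PasswordAuthDisabledError();`, a name proposed here, not one that exists) would let each caller map the disabled state to FORBIDDEN without duplicating the check. Other callers of `validatePassword` are not visible in this diff, so confirm that none of them turns this throw into an "invalid credentials" response or an unhandled server error. The function body continues outside the hunk.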
diff --git a/packages/trpc/routers/apiKeys.ts b/packages/trpc/routers/apiKeys.ts
index 81e3bb2b..b7468dd2 100644
--- a/packages/trpc/routers/apiKeys.ts
+++ b/packages/trpc/routers/apiKeys.ts
@@ -3,6 +3,7 @@ import { and, eq } from "drizzle-orm";
import { z } from "zod";
import { apiKeys } from "@hoarder/db/schema";
+import serverConfig from "@hoarder/shared/config";
import { authenticateApiKey, generateApiKey, validatePassword } from "../auth";
import { authedProcedure, publicProcedure, router } from "../index";
@@ -74,6 +75,13 @@ export const apiKeysAppRouter = router({
.output(zApiKeySchema)
.mutation(async ({ input }) => {
let user;
+ // Special handling as otherwise the extension would show "username or password is wrong"
+ if (serverConfig.auth.disablePasswordAuth) {
+ throw new TRPCError({
+ message: "Password authentication is currently disabled",
+ code: "FORBIDDEN",
+ });
+ }
try {
user = await validatePassword(input.email, input.password);
} catch (e) {
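Review bot: The comment above the new guard explains the extension's error text but not what the flag leaves untouched: this guard only stops new password-for-key exchanges, and nothing in the visible hunks changes `authenticateApiKey`, so keys minted earlier through this mutation presumably keep working after `disablePasswordAuth` is enabled. I would extend the comment with `// Keys issued earlier via password exchange stay valid; revoke them separately when moving to SSO-only.` so operators do not assume the flag retires password-derived credentials. The mutation's catch body and the rest of the handler lie outside the hunk.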
diff --git a/packages/trpc/routers/users.ts b/packages/trpc/routers/users.ts
index 736e7e2f..87d0fa2d 100644
--- a/packages/trpc/routers/users.ts
+++ b/packages/trpc/routers/users.ts
@@ -31,9 +31,9 @@ export const usersAppRouter = router({
.mutation(async ({ input, ctx }) => {
if (
serverConfig.auth.disableSignups ||
- serverConfig.auth.disablePasswordSignups
+ serverConfig.auth.disablePasswordAuth
) {
- const errorMessage = serverConfig.auth.disablePasswordSignups
+ const errorMessage = serverConfig.auth.disablePasswordAuth
? "Local Signups are disabled in the server config. Use OAuth instead!"
: "Signups are disabled in server config";
throw new TRPCError({
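Review bot: When both `disableSignups` and `disablePasswordAuth` are set, the ternary picks the "Use OAuth instead!" message even though signups are off entirely, which points users at a path that will also be refused. Test the broader flag first: `const errorMessage = serverConfig.auth.disableSignups ? "Signups are disabled in server config" : "Local Signups are disabled in the server config. Use OAuth instead!";`. Separately, the option is renamed from `disablePasswordSignups`; the config mapping is outside this view, so confirm that a deployment still setting the old option does not silently regain password signups after upgrading. The mutation continues past the end of the hunk.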