feature: Allow to disable default password login after SSO is configured. Fixes #406 (#502)

* [Feature Request] Allow to disable default password log in after SSO is configured #406 changed the flag to also disallow logging in via password The extensions will also no longer be allowed to log in via username/password then * [Feature Request] Allow to disable default password log in after SSO is configured #406 added the error message for OAuth
author: kamtschatka <simon.schatka@gmx.at> 2024-10-12 15:27:21 +0200
committer: GitHub <noreply@github.com> 2024-10-12 14:27:21 +0100
commit: 9f87207d668fbe0a2039c63803128fbe5916f993 (patch)
tree: 08e1fff219e204258ebbf1732ddf22bff145714d /packages
parent: 02a5b35a30845268cfaa814bb045d0ec800dc538 (diff)
download: karakeep-9f87207d668fbe0a2039c63803128fbe5916f993.tar.zst
4 files changed, 17 insertions, 5 deletions
diff --git a/packages/shared/config.ts b/packages/shared/config.ts
index 288becab..44b7e26d 100644
--- a/packages/shared/config.ts
+++ b/packages/shared/config.ts
@@ -10,7 +10,7 @@ const stringBool = (defaultValue: string) =>
 const allEnv = z.object({
   API_URL: z.string().url().default("http://localhost:3000"),
   DISABLE_SIGNUPS: stringBool("false"),
-  DISABLE_PASSWORD_SIGNUPS: stringBool("false"),
+  DISABLE_PASSWORD_AUTH: stringBool("false"),
   OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING: stringBool("false"),
   OAUTH_WELLKNOWN_URL: z.string().url().optional(),
   OAUTH_CLIENT_SECRET: z.string().optional(),
@@ -54,7 +54,7 @@ const serverConfigSchema = allEnv.transform((val) => {
     apiUrl: val.API_URL,
     auth: {
       disableSignups: val.DISABLE_SIGNUPS,
-      disablePasswordSignups: val.DISABLE_PASSWORD_SIGNUPS,
+      disablePasswordAuth: val.DISABLE_PASSWORD_AUTH,
       oauth: {
         allowDangerousEmailAccountLinking:
           val.OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING,
@@ -114,7 +114,7 @@ export const clientConfig = {
   demoMode: serverConfig.demoMode,
   auth: {
     disableSignups: serverConfig.auth.disableSignups,
-    disablePasswordSignups: serverConfig.auth.disablePasswordSignups,
+    disablePasswordAuth: serverConfig.auth.disablePasswordAuth,
   },
   inference: {
     inferredTagLang: serverConfig.inference.inferredTagLang,
diff --git a/packages/trpc/auth.ts b/packages/trpc/auth.ts
index 846c07b6..39aebd3b 100644
--- a/packages/trpc/auth.ts
+++ b/packages/trpc/auth.ts
@@ -3,6 +3,7 @@ import * as bcrypt from "bcryptjs";
 
 import { db } from "@hoarder/db";
 import { apiKeys } from "@hoarder/db/schema";
+import serverConfig from "@hoarder/shared/config";
 
 // API Keys
 
@@ -79,6 +80,9 @@ export async function hashPassword(password: string) {
 }
 
 export async function validatePassword(email: string, password: string) {
+  if (serverConfig.auth.disablePasswordAuth) {
+    throw new Error("Password authentication is currently disabled");
+  }
   const user = await db.query.users.findFirst({
     where: (u, { eq }) => eq(u.email, email),
   });
diff --git a/packages/trpc/routers/apiKeys.ts b/packages/trpc/routers/apiKeys.ts
index 81e3bb2b..b7468dd2 100644
--- a/packages/trpc/routers/apiKeys.ts
+++ b/packages/trpc/routers/apiKeys.ts
@@ -3,6 +3,7 @@ import { and, eq } from "drizzle-orm";
 import { z } from "zod";
 
 import { apiKeys } from "@hoarder/db/schema";
+import serverConfig from "@hoarder/shared/config";
 
 import { authenticateApiKey, generateApiKey, validatePassword } from "../auth";
 import { authedProcedure, publicProcedure, router } from "../index";
@@ -74,6 +75,13 @@ export const apiKeysAppRouter = router({
     .output(zApiKeySchema)
     .mutation(async ({ input }) => {
       let user;
+      // Special handling as otherwise the extension would show "username or password is wrong"
+      if (serverConfig.auth.disablePasswordAuth) {
+        throw new TRPCError({
+          message: "Password authentication is currently disabled",
+          code: "FORBIDDEN",
+        });
+      }
       try {
         user = await validatePassword(input.email, input.password);
       } catch (e) {
diff --git a/packages/trpc/routers/users.ts b/packages/trpc/routers/users.ts
index 736e7e2f..87d0fa2d 100644
--- a/packages/trpc/routers/users.ts
+++ b/packages/trpc/routers/users.ts
@@ -31,9 +31,9 @@ export const usersAppRouter = router({
     .mutation(async ({ input, ctx }) => {
       if (
         serverConfig.auth.disableSignups ||
-        serverConfig.auth.disablePasswordSignups
+        serverConfig.auth.disablePasswordAuth
       ) {
-        const errorMessage = serverConfig.auth.disablePasswordSignups
+        const errorMessage = serverConfig.auth.disablePasswordAuth
           ? "Local Signups are disabled in the server config. Use OAuth instead!"
           : "Signups are disabled in server config";
         throw new TRPCError({
author	kamtschatka <simon.schatka@gmx.at>	2024-10-12 15:27:21 +0200
committer	GitHub <noreply@github.com>	2024-10-12 14:27:21 +0100
commit	9f87207d668fbe0a2039c63803128fbe5916f993 (patch)
tree	08e1fff219e204258ebbf1732ddf22bff145714d /packages
parent	02a5b35a30845268cfaa814bb045d0ec800dc538 (diff)
download	karakeep-9f87207d668fbe0a2039c63803128fbe5916f993.tar.zst