From 9f87207d668fbe0a2039c63803128fbe5916f993 Mon Sep 17 00:00:00 2001
From: kamtschatka <simon.schatka@gmx.at>
Date: Sat, 12 Oct 2024 15:27:21 +0200
Subject: feature: Allow to disable default password login after SSO is
 configured. Fixes #406 (#502)

* [Feature Request] Allow to disable default password log in after SSO is configured #406
changed the flag to also disallow logging in via password
The extensions will also no longer be allowed to log in via username/password then

* [Feature Request] Allow to disable default password log in after SSO is configured #406
added the error message for OAuth
---
 packages/trpc/routers/apiKeys.ts | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'packages/trpc/routers/apiKeys.ts')

diff --git a/packages/trpc/routers/apiKeys.ts b/packages/trpc/routers/apiKeys.ts
index 81e3bb2b..b7468dd2 100644
--- a/packages/trpc/routers/apiKeys.ts
+++ b/packages/trpc/routers/apiKeys.ts
@@ -3,6 +3,7 @@ import { and, eq } from "drizzle-orm";
 import { z } from "zod";
 
 import { apiKeys } from "@hoarder/db/schema";
+import serverConfig from "@hoarder/shared/config";
 
 import { authenticateApiKey, generateApiKey, validatePassword } from "../auth";
 import { authedProcedure, publicProcedure, router } from "../index";
@@ -74,6 +75,13 @@ export const apiKeysAppRouter = router({
     .output(zApiKeySchema)
     .mutation(async ({ input }) => {
       let user;
+      // Special handling as otherwise the extension would show "username or password is wrong"
+      if (serverConfig.auth.disablePasswordAuth) {
+        throw new TRPCError({
+          message: "Password authentication is currently disabled",
+          code: "FORBIDDEN",
+        });
+      }
       try {
         user = await validatePassword(input.email, input.password);
       } catch (e) {
-- 
cgit v1.2.3-70-g09d2