From 9f87207d668fbe0a2039c63803128fbe5916f993 Mon Sep 17 00:00:00 2001 From: kamtschatka Date: Sat, 12 Oct 2024 15:27:21 +0200 Subject: feature: Allow to disable default password login after SSO is configured. Fixes #406 (#502) * [Feature Request] Allow to disable default password log in after SSO is configured #406 changed the flag to also disallow logging in via password The extensions will also no longer be allowed to log in via username/password then * [Feature Request] Allow to disable default password log in after SSO is configured #406 added the error message for OAuth --- packages/trpc/auth.ts | 4 ++++ packages/trpc/routers/apiKeys.ts | 8 ++++++++ packages/trpc/routers/users.ts | 4 ++-- 3 files changed, 14 insertions(+), 2 deletions(-) (limited to 'packages/trpc') diff --git a/packages/trpc/auth.ts b/packages/trpc/auth.ts index 846c07b6..39aebd3b 100644 --- a/packages/trpc/auth.ts +++ b/packages/trpc/auth.ts @@ -3,6 +3,7 @@ import * as bcrypt from "bcryptjs"; import { db } from "@hoarder/db"; import { apiKeys } from "@hoarder/db/schema"; +import serverConfig from "@hoarder/shared/config"; // API Keys @@ -79,6 +80,9 @@ export async function hashPassword(password: string) { } export async function validatePassword(email: string, password: string) { + if (serverConfig.auth.disablePasswordAuth) { + throw new Error("Password authentication is currently disabled"); + } const user = await db.query.users.findFirst({ where: (u, { eq }) => eq(u.email, email), }); diff --git a/packages/trpc/routers/apiKeys.ts b/packages/trpc/routers/apiKeys.ts index 81e3bb2b..b7468dd2 100644 --- a/packages/trpc/routers/apiKeys.ts +++ b/packages/trpc/routers/apiKeys.ts @@ -3,6 +3,7 @@ import { and, eq } from "drizzle-orm"; import { z } from "zod"; import { apiKeys } from "@hoarder/db/schema"; +import serverConfig from "@hoarder/shared/config"; import { authenticateApiKey, generateApiKey, validatePassword } from "../auth"; import { authedProcedure, publicProcedure, router } from "../index"; @@ -74,6 +75,13 @@ export const apiKeysAppRouter = router({ .output(zApiKeySchema) .mutation(async ({ input }) => { let user; + // Special handling as otherwise the extension would show "username or password is wrong" + if (serverConfig.auth.disablePasswordAuth) { + throw new TRPCError({ + message: "Password authentication is currently disabled", + code: "FORBIDDEN", + }); + } try { user = await validatePassword(input.email, input.password); } catch (e) { diff --git a/packages/trpc/routers/users.ts b/packages/trpc/routers/users.ts index 736e7e2f..87d0fa2d 100644 --- a/packages/trpc/routers/users.ts +++ b/packages/trpc/routers/users.ts @@ -31,9 +31,9 @@ export const usersAppRouter = router({ .mutation(async ({ input, ctx }) => { if ( serverConfig.auth.disableSignups || - serverConfig.auth.disablePasswordSignups + serverConfig.auth.disablePasswordAuth ) { - const errorMessage = serverConfig.auth.disablePasswordSignups + const errorMessage = serverConfig.auth.disablePasswordAuth ? "Local Signups are disabled in the server config. Use OAuth instead!" : "Signups are disabled in server config"; throw new TRPCError({ -- cgit v1.2.3-70-g09d2