NotificationsYou must be signed in to change notification settings
Fork1k
Star11.2k

Commit50d0dcb

committed

fix: allow disabling all password auth even if owner

Removes any and all ability to auth with a password.

1 parenta54de60 commit50d0dcbCopy full SHA for 50d0dcb

File tree

3 files changed

+36

-17

lines changed

coderd
- userauth.go
site/src/components/SignInForm
- SignInForm.stories.tsx
- SignInForm.tsx

3 files changed

+36

-17

lines changed

`‎coderd/userauth.go‎`

Lines changed: 4 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,6 @@ import (`
`23`	`23`	`"github.com/coder/coder/coderd/database"`
`24`	`24`	`"github.com/coder/coder/coderd/httpapi"`
`25`	`25`	`"github.com/coder/coder/coderd/httpmw"`
`26`		`-"github.com/coder/coder/coderd/rbac"`
`27`	`26`	`"github.com/coder/coder/coderd/userpassword"`
`28`	`27`	`"github.com/coder/coder/codersdk"`
`29`	`28`	`)`
`@@ -89,19 +88,10 @@ func (api API) postLogin(rw http.ResponseWriter, r http.Request) {`
`89`	`88`	`// If password authentication is disabled and the user does not have the`
`90`	`89`	`// owner role, block the request.`
`91`	`90`	`ifapi.DeploymentConfig.DisablePasswordAuth.Value {`
`92`		`-permitted:=false`
`93`		`-for_,role:=rangeuser.RBACRoles {`
`94`		`-ifrole==rbac.RoleOwner() {`
`95`		`-permitted=true`
`96`		`-break`
`97`		`-}`
`98`		`-}`
`99`		`-if!permitted {`
`100`		`-httpapi.Write(ctx,rw,http.StatusForbidden, codersdk.Response{`
`101`		`-Message:"Password authentication is disabled. Only administrators can sign in with password authentication.",`
`102`		`-})`
`103`		`-return`
`104`		`-}`
	`91`	`+httpapi.Write(ctx,rw,http.StatusForbidden, codersdk.Response{`
	`92`	`+Message:"Password authentication is disabled.",`
	`93`	`+})`
	`94`	`+return`
`105`	`95`	`}`
`106`	`96`
`107`	`97`	`ifuser.LoginType!=database.LoginTypePassword {`

`‎site/src/components/SignInForm/SignInForm.stories.tsx‎`

Lines changed: 20 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -116,6 +116,26 @@ WithOIDC.args = {`
`116`	`116`	`},`
`117`	`117`	`}`
`118`	`118`
	`119`	`+exportconstWithOIDCWithoutPassword=Template.bind({})`
	`120`	`+WithOIDCWithoutPassword.args={`
	`121`	`+ ...SignedOut.args,`
	`122`	`+authMethods:{`
	`123`	`+password:{enabled:false},`
	`124`	`+github:{enabled:false},`
	`125`	`+oidc:{enabled:true,signInText:"",iconUrl:""},`
	`126`	`+},`
	`127`	`+}`
	`128`	`+`
	`129`	`+exportconstWithoutAny=Template.bind({})`
	`130`	`+WithoutAny.args={`
	`131`	`+ ...SignedOut.args,`
	`132`	`+authMethods:{`
	`133`	`+password:{enabled:false},`
	`134`	`+github:{enabled:false},`
	`135`	`+oidc:{enabled:false,signInText:"",iconUrl:""},`
	`136`	`+},`
	`137`	`+}`
	`138`	`+`
`119`	`139`	`exportconstWithGithubAndOIDC=Template.bind({})`
`120`	`140`	`WithGithubAndOIDC.args={`
`121`	`141`	`...SignedOut.args,`

`‎site/src/components/SignInForm/SignInForm.tsx‎`

Lines changed: 12 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ import { OAuthSignInForm } from "./OAuthSignInForm"`
`9`	`9`	`import{BuiltInAuthFormValues}from"./SignInForm.types"`
`10`	`10`	`importButtonfrom"@material-ui/core/Button"`
`11`	`11`	`importEmailIconfrom"@material-ui/icons/EmailOutlined"`
	`12`	`+import{AlertBanner}from"components/AlertBanner/AlertBanner"`
`12`	`13`
`13`	`14`	`exportenumLoginErrors{`
`14`	`15`	`AUTH_ERROR="authError",`
`@@ -94,6 +95,7 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({`
`94`	`95`	`constoAuthEnabled=Boolean(`
`95`	`96`	`authMethods?.github.enabled\|\|authMethods?.oidc.enabled,`
`96`	`97`	`)`
	`98`	`+constpasswordEnabled=authMethods?.password.enabled??true`
`97`	`99`
`98`	`100`	`// Hide password auth by default if any OAuth method is enabled`
`99`	`101`	`const[showPasswordAuth,setShowPasswordAuth]=useState(!oAuthEnabled)`
`@@ -108,15 +110,15 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({`
`108`	`110`	`{loginPageTranslation.t("signInTo")}{" "}`
`109`	`111`	`<strong>{commonTranslation.t("coder")}</strong>`
`110`	`112`	`</h1>`
`111`		`-<Maybecondition={showPasswordAuth}>`
	`113`	`+<Maybecondition={passwordEnabled&&showPasswordAuth}>`
`112`	`114`	`<PasswordSignInForm`
`113`	`115`	`loginErrors={loginErrors}`
`114`	`116`	`onSubmit={onSubmit}`
`115`	`117`	`initialTouched={initialTouched}`
`116`	`118`	`isLoading={isLoading}`
`117`	`119`	`/>`
`118`	`120`	`</Maybe>`
`119`		`-<Maybecondition={showPasswordAuth&&oAuthEnabled}>`
	`121`	`+<Maybecondition={passwordEnabled&&showPasswordAuth&&oAuthEnabled}>`
`120`	`122`	`<divclassName={styles.divider}>`
`121`	`123`	`<divclassName={styles.dividerLine}/>`
`122`	`124`	`<divclassName={styles.dividerLabel}>Or</div>`
`@@ -131,7 +133,14 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({`
`131`	`133`	`/>`
`132`	`134`	`</Maybe>`
`133`	`135`
`134`		`-<Maybecondition={!showPasswordAuth}>`
	`136`	`+<Maybecondition={!passwordEnabled&&!oAuthEnabled}>`
	`137`	`+<AlertBanner`
	`138`	`+severity="error"`
	`139`	`+text="No authentication methods configured!"`
	`140`	`+/>`
	`141`	`+</Maybe>`
	`142`	`+`
	`143`	`+<Maybecondition={passwordEnabled&&!showPasswordAuth}>`
`135`	`144`	`<divclassName={styles.divider}>`
`136`	`145`	`<divclassName={styles.dividerLine}/>`
`137`	`146`	`<divclassName={styles.dividerLabel}>Or</div>`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit50d0dcb

File tree

3 files changed

3 files changed

`‎coderd/userauth.go‎`

`‎site/src/components/SignInForm/SignInForm.stories.tsx‎`

`‎site/src/components/SignInForm/SignInForm.tsx‎`

0 commit comments