
Commit 22f0fa7

feat: add login type 'none' to prevent login
Users with this login type must use tokens to authenticate. The tokens must come from some other source, not from a /login with password authentication.
1 parent 2495386 commit 22f0fa7


4 files changed

+36
-13
lines changed


coderd/database/dump.sql

Lines changed: 4 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

coderd/database/models.go

Lines changed: 5 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

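--- a/coderd/users.go
+++ b/coderd/users.go
@@ -351,21 +351,34 @@ func (api *API) postUser(rw http.ResponseWriter, r *http.Request) {
 }
 }
 
-err = userpassword.Validate(req.Password)
-if err != nil {
+if req.DisableLogin && req.Password != "" {
 httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-Message: "Password not strong enough!",
-Validations: []codersdk.ValidationError{{
-Field: "password",
-Detail: err.Error(),
-}},
+Message: "Cannot set password when disabling login.",
 })
 return
 }
 
+var loginType database.LoginType = "unknown"
+if req.DisableLogin {
+loginType = database.LoginTypeNone
+} else {
+err = userpassword.Validate(req.Password)
+if err != nil {
+httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+Message: "Password not strong enough!",
+Validations: []codersdk.ValidationError{{
+Field: "password",
+Detail: err.Error(),
+}},
+})
+return
+}
+loginType = database.LoginTypePassword
+}
+
 user, _, err := api.CreateUser(ctx, api.Database, CreateUserRequest{
 CreateUserRequest: req,
-LoginType: database.LoginTypePassword,
+LoginType: loginType,
 })
 if dbauthz.IsNotAuthorizedError(err) {
 httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{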
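Review bot: The placeholder in `var loginType database.LoginType = "unknown"` is not a fail-closed default: both branches overwrite it today, but a later branch that forgets to assign would pass a value that is neither `LoginTypeNone` nor `LoginTypePassword` to `api.CreateUser`. Starting from the restrictive value and upgrading only after the password validates keeps the default safe: `loginType := database.LoginTypeNone`, then `if !req.DisableLogin { /* validate */ loginType = database.LoginTypePassword }`. Nothing shown in this commit touches a login handler or a test, so the claim that `none` blocks login presumably rests on existing login-type checks elsewhere; a test that creates a user with `disable_login: true` and asserts that password login is refused would pin that. postUser begins and ends outside the hunk.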

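--- a/codersdk/users.go
+++ b/codersdk/users.go
@@ -66,9 +66,12 @@ type CreateFirstUserResponse struct {
 }
 
 type CreateUserRequest struct {
-Email string `json:"email" validate:"required,email" format:"email"`
-Username string `json:"username" validate:"required,username"`
-Password string `json:"password" validate:"required"`
+Email string `json:"email" validate:"required,email" format:"email"`
+Username string `json:"username" validate:"required,username"`
+Password string `json:"password" validate:"required"`
+// DisableLogin sets the user's login type to 'none'. This prevents the user
+// from being able to use a password or any other authentication method to login.
+DisableLogin bool `json:"disable_login"`
 OrganizationID uuid.UUID `json:"organization_id" validate:"" format:"uuid"`
 }
 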
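Review bot: `Password` still carries `validate:"required"`, which conflicts with the new handler check in coderd/users.go that rejects a request setting both `disable_login` and a password. If the request decoder enforces these tags (not visible on this page), a `disable_login: true` request cannot succeed: an empty password fails validation and a non-empty one gets the 400. A conditional tag such as `validate:"required_if=DisableLogin false"` (assuming the validator in use supports it) would make the new path reachable, and the `DisableLogin` comment could state that `Password` must be empty when it is set.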
