
Commit 50d0dcb

committed
fix: allow disabling all password auth even if owner
Removes any and all ability to auth with a password.
1 parent a54de60 commit 50d0dcb


3 files changed

+36
-17
lines changed


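--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -23,7 +23,6 @@ import (
 "github.com/coder/coder/coderd/database"
 "github.com/coder/coder/coderd/httpapi"
 "github.com/coder/coder/coderd/httpmw"
-"github.com/coder/coder/coderd/rbac"
 "github.com/coder/coder/coderd/userpassword"
 "github.com/coder/coder/codersdk"
 )
@@ -89,19 +88,10 @@ func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {
 // If password authentication is disabled and the user does not have the
 // owner role, block the request.
 if api.DeploymentConfig.DisablePasswordAuth.Value {
-permitted := false
-for _, role := range user.RBACRoles {
-if role == rbac.RoleOwner() {
-permitted = true
-break
-}
-}
-if !permitted {
-httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
-Message: "Password authentication is disabled. Only administrators can sign in with password authentication.",
-})
-return
-}
+httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+Message: "Password authentication is disabled.",
+})
+return
 }
 
 if user.LoginType != database.LoginTypePassword {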
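Review bot: The comment kept at the top of the second hunk, `// If password authentication is disabled and the user does not have the owner role, block the request.`, no longer matches the new code, which rejects every password login once `DisablePasswordAuth` is set. Suggest `// If password authentication is disabled, block the request regardless of the user's roles.` so the next reader does not go looking for an owner exemption that the commit removed. Since the check no longer reads `user`, it could presumably also be hoisted above the user lookup and password comparison that precede it, so a disabled deployment does no credential work at all before refusing; worth confirming against the rest of postLogin, whose start and end lie outside the hunk.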

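--- a/site/src/components/SignInForm/SignInForm.stories.tsx
+++ b/site/src/components/SignInForm/SignInForm.stories.tsx
@@ -116,6 +116,26 @@ WithOIDC.args = {
 },
 }
 
+export const WithOIDCWithoutPassword = Template.bind({})
+WithOIDCWithoutPassword.args = {
+...SignedOut.args,
+authMethods: {
+password: { enabled: false },
+github: { enabled: false },
+oidc: { enabled: true, signInText: "", iconUrl: "" },
+},
+}
+
+export const WithoutAny = Template.bind({})
+WithoutAny.args = {
+...SignedOut.args,
+authMethods: {
+password: { enabled: false },
+github: { enabled: false },
+oidc: { enabled: false, signInText: "", iconUrl: "" },
+},
+}
+
 export const WithGithubAndOIDC = Template.bind({})
 WithGithubAndOIDC.args = {
 ...SignedOut.args,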

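--- a/site/src/components/SignInForm/SignInForm.tsx
+++ b/site/src/components/SignInForm/SignInForm.tsx
@@ -9,6 +9,7 @@ import { OAuthSignInForm } from "./OAuthSignInForm"
 import { BuiltInAuthFormValues } from "./SignInForm.types"
 import Button from "@material-ui/core/Button"
 import EmailIcon from "@material-ui/icons/EmailOutlined"
+import { AlertBanner } from "components/AlertBanner/AlertBanner"
 
 export enum LoginErrors {
 AUTH_ERROR = "authError",
@@ -94,6 +95,7 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
 const oAuthEnabled = Boolean(
 authMethods?.github.enabled || authMethods?.oidc.enabled,
 )
+const passwordEnabled = authMethods?.password.enabled ?? true
 
 // Hide password auth by default if any OAuth method is enabled
 const [showPasswordAuth, setShowPasswordAuth] = useState(!oAuthEnabled)
@@ -108,15 +110,15 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
 {loginPageTranslation.t("signInTo")}{" "}
 <strong>{commonTranslation.t("coder")}</strong>
 </h1>
-<Maybe condition={showPasswordAuth}>
+<Maybe condition={passwordEnabled && showPasswordAuth}>
 <PasswordSignInForm
 loginErrors={loginErrors}
 onSubmit={onSubmit}
 initialTouched={initialTouched}
 isLoading={isLoading}
 />
 </Maybe>
-<Maybe condition={showPasswordAuth && oAuthEnabled}>
+<Maybe condition={passwordEnabled && showPasswordAuth && oAuthEnabled}>
 <div className={styles.divider}>
 <div className={styles.dividerLine} />
 <div className={styles.dividerLabel}>Or</div>
@@ -131,7 +133,14 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
 />
 </Maybe>
 
-<Maybe condition={!showPasswordAuth}>
+<Maybe condition={!passwordEnabled && !oAuthEnabled}>
+<AlertBanner
+severity="error"
+text="No authentication methods configured!"
+/>
+</Maybe>
+
+<Maybe condition={passwordEnabled && !showPasswordAuth}>
 <div className={styles.divider}>
 <div className={styles.dividerLine} />
 <div className={styles.dividerLabel}>Or</div>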
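Review bot: The banner text `"No authentication methods configured!"` in the last hunk is a hard-coded English string, while the heading a few lines above goes through `loginPageTranslation.t("signInTo")`; routing it through the same hook (a key such as `noAuthMethods`, name illustrative, with a matching entry in the translation file) would keep the form consistently localisable. The `?? true` fallback in `const passwordEnabled = authMethods?.password.enabled ?? true` also deserves a comment, since it is what keeps the password form visible and the error banner hidden while `authMethods` is still undefined — presumably before the auth methods have loaded — e.g. `// Until authMethods arrives, keep the existing behaviour of showing the password form`. This is a display gate only; the server-side rejection in coderd/userauth.go in the same commit is what enforces the policy, so a stale or missing `authMethods` here cannot re-enable password login. The SignInForm component starts and ends outside the hunks shown.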
