Hide password by default when OIDC enabled

normana10 · normana10 · commit fc12496dd638 · 2023-01-16T19:17:37.000-05:00
diff --git a/cli/deployment/config.go b/cli/deployment/config.go
@@ -168,11 +168,6 @@ func newConfig() *codersdk.DeploymentConfig {
 			Flag:   "postgres-url",
 			Secret: true,
 		},
-		PasswordAuthHidden: &codersdk.DeploymentConfigField[bool]{
-			Name:  "Flag to hide password auth",
-			Usage: "When this flag is set to true, the user/password form in the UI will be hidden",
-			Flag:  "password-auth-hidden",
-		},
 		OAuth2: &codersdk.OAuth2Config{
 			Github: &codersdk.OAuth2GithubConfig{
 				ClientID: &codersdk.DeploymentConfigField[string]{
diff --git a/cli/server.go b/cli/server.go
@@ -481,8 +481,6 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
 				options.TLSCertificates = tlsConfig.Certificates
 			}
 
-			options.PasswordAuthHidden = cfg.PasswordAuthHidden.Value
-
 			if cfg.UpdateCheck.Value {
 				options.UpdateCheckOptions = &updatecheck.Options{
 					// Avoid spamming GitHub API checking for updates.
@@ -552,8 +550,8 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
 					EmailDomain:   cfg.OIDC.EmailDomain.Value,
 					AllowSignups:  cfg.OIDC.AllowSignups.Value,
 					UsernameField: cfg.OIDC.UsernameField.Value,
-					SignInText:   cfg.OIDC.SignInText.Value,
-					IconURL:      cfg.OIDC.IconURL.Value,
+					SignInText:    cfg.OIDC.SignInText.Value,
+					IconURL:       cfg.OIDC.IconURL.Value,
 				}
 			}
 
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -97,7 +97,6 @@ type Options struct {
 	Authorizer                     rbac.Authorizer
 	AzureCertificates              x509.VerifyOptions
 	GoogleTokenValidator           *idtoken.Validator
-	PasswordAuthHidden   bool
 	GithubOAuth2Config             *GithubOAuth2Config
 	OIDCConfig                     *OIDCConfig
 	PrometheusRegistry             *prometheus.Registry
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -62,11 +62,8 @@ func (api *API) userAuthMethods(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.AuthMethods{
-		Password: codersdk.PasswordMethod{
-			AuthMethod: codersdk.AuthMethod{Enabled: true},
-			Hidden:     api.PasswordAuthHidden,
-		},
-		Github: codersdk.AuthMethod{Enabled: api.GithubOAuth2Config != nil},
+		Password: codersdk.AuthMethod{Enabled: true},
+		Github:   codersdk.AuthMethod{Enabled: api.GithubOAuth2Config != nil},
 		OIDC: codersdk.OIDCMethod{
 			AuthMethod: codersdk.AuthMethod{Enabled: api.OIDCConfig != nil},
 			SignInText: signInText,
@@ -233,9 +230,9 @@ type OIDCConfig struct {
 	// username.
 	UsernameField string
 	// SignInText is the text to display on the OIDC login button
-	SignInText   string
+	SignInText string
 	// IconURL points to the URL of an icon to display on the OIDC login button
-	IconURL      string
+	IconURL string
 }
 
 // @Summary OpenID Connect Callback
diff --git a/codersdk/users.go b/codersdk/users.go
@@ -105,22 +105,17 @@ type CreateOrganizationRequest struct {
 	Name string `json:"name" validate:"required,username"`
 }
 
-// AuthMethods contains authentication method information like whether they are enabled or not or hidden or not, etc.
+// AuthMethods contains authentication method information like whether they are enabled or not or custom text, etc.
 type AuthMethods struct {
-	Password PasswordMethod `json:"password"`
-	Github   AuthMethod     `json:"github"`
-	OIDC     OIDCMethod     `json:"oidc"`
+	Password AuthMethod `json:"password"`
+	Github   AuthMethod `json:"github"`
+	OIDC     OIDCMethod `json:"oidc"`
 }
 
 type AuthMethod struct {
 	Enabled bool `json:"enabled"`
 }
 
-type PasswordMethod struct {
-	AuthMethod
-	Hidden bool `json:"hidden"`
-}
-
 type OIDCMethod struct {
 	AuthMethod
 	SignInText string `json:"signInText"`
diff --git a/docs/admin/auth.md b/docs/admin/auth.md
@@ -4,18 +4,6 @@ By default, Coder is accessible via password authentication.
 
 The following steps explain how to set up GitHub OAuth or OpenID Connect.
 
-If after configuring another authentication method you'd like to hide password authentication, you can configure that like so:
-
-```console
-CODER_PASSWORD_AUTH_HIDDEN=true
-```
-
-If your external authentication method(s) were to go down, you can un-hide password authentication with the following URL query parameter:
-
-```console
-https://coder.domain.com/login?auth=password
-```
-
 ## GitHub
 
 ### Step 1: Configure the OAuth application in GitHub
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
@@ -96,7 +96,7 @@ export interface AuthMethod {
 
 // From codersdk/users.go
 export interface AuthMethods {
-  readonly password: PasswordMethod
+  readonly password: AuthMethod
   readonly github: AuthMethod
   readonly oidc: OIDCMethod
 }
@@ -538,11 +538,6 @@ export interface ParameterSchema {
   readonly validation_contains?: string[]
 }
 
-// From codersdk/users.go
-export interface PasswordMethod extends AuthMethod {
-  readonly hidden: boolean
-}
-
 // From codersdk/groups.go
 export interface PatchGroupRequest {
   readonly add_users: string[]
diff --git a/site/src/components/SignInForm/SignInForm.stories.tsx b/site/src/components/SignInForm/SignInForm.stories.tsx
@@ -29,7 +29,7 @@ Loading.args = {
   ...SignedOut.args,
   isLoading: true,
   authMethods: {
-    password: { enabled: true, hidden: false },
+    password: { enabled: true },
     github: { enabled: true },
     oidc: { enabled: false, signInText: "", iconUrl: "" },
   },
@@ -100,7 +100,7 @@ export const WithGithub = Template.bind({})
 WithGithub.args = {
   ...SignedOut.args,
   authMethods: {
-    password: { enabled: true, hidden: false },
+    password: { enabled: true },
     github: { enabled: true },
     oidc: { enabled: false, signInText: "", iconUrl: "" },
   },
@@ -110,7 +110,7 @@ export const WithOIDC = Template.bind({})
 WithOIDC.args = {
   ...SignedOut.args,
   authMethods: {
-    password: { enabled: true, hidden: false },
+    password: { enabled: true },
     github: { enabled: false },
     oidc: { enabled: true, signInText: "", iconUrl: "" },
   },
@@ -120,7 +120,7 @@ export const WithGithubAndOIDC = Template.bind({})
 WithGithubAndOIDC.args = {
   ...SignedOut.args,
   authMethods: {
-    password: { enabled: true, hidden: false },
+    password: { enabled: true },
     github: { enabled: true },
     oidc: { enabled: true, signInText: "", iconUrl: "" },
   },
diff --git a/site/src/components/SignInForm/SignInForm.tsx b/site/src/components/SignInForm/SignInForm.tsx
@@ -2,19 +2,19 @@ import Box from "@material-ui/core/Box"
 import Button from "@material-ui/core/Button"
 import Link from "@material-ui/core/Link"
 import { makeStyles } from "@material-ui/core/styles"
+import Typography from "@material-ui/core/Typography"
 import TextField from "@material-ui/core/TextField"
 import GitHubIcon from "@material-ui/icons/GitHub"
 import KeyIcon from "@material-ui/icons/VpnKey"
 import { Stack } from "components/Stack/Stack"
 import { FormikContextType, FormikTouched, useFormik } from "formik"
-import { FC } from "react"
+import { FC, useState } from "react"
 import * as Yup from "yup"
 import { AuthMethods } from "../../api/typesGenerated"
 import { getFormHelpers, onChangeTrimmed } from "../../util/formUtils"
 import { LoadingButton } from "./../LoadingButton/LoadingButton"
 import { AlertBanner } from "components/AlertBanner/AlertBanner"
 import { useTranslation } from "react-i18next"
-import { useSearchParams } from "react-router-dom"
 
 /**
  * BuiltInAuthFormValues describes a form using built-in (email/password)
@@ -95,6 +95,12 @@ const useStyles = makeStyles((theme) => ({
     fontSize: 12,
     letterSpacing: 1,
   },
+  showPasswordLink: {
+    cursor: "pointer",
+    fontSize: 12,
+    color: theme.palette.text.secondary,
+    marginTop: 12,
+  }
 }))
 
 export interface SignInFormProps {
@@ -115,8 +121,10 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
   onSubmit,
   initialTouched,
 }) => {
+  const nonPasswordAuthEnabled = authMethods?.github.enabled || authMethods?.oidc.enabled
+
+  const [showPasswordAuth, setShowPasswordAuth] = useState(!nonPasswordAuthEnabled);
   const styles = useStyles()
-  const [searchParams] = useSearchParams()
   const form: FormikContextType<BuiltInAuthFormValues> =
     useFormik<BuiltInAuthFormValues>({
       initialValues: {
@@ -139,17 +147,13 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
   const commonTranslation = useTranslation("common")
   const loginPageTranslation = useTranslation("loginPage")
 
-  const passwordHidden = authMethods?.password.hidden
-  const urlParamOverride = searchParams.get("auth") === "password"
-  const showPasswordLogin = !passwordHidden || urlParamOverride
-
   return (
     <div className={styles.root}>
       <h1 className={styles.title}>
         {loginPageTranslation.t("signInTo")}{" "}
         <strong>{commonTranslation.t("coder")}</strong>
       </h1>
-      {showPasswordLogin && (
+      {showPasswordAuth && (
         <form onSubmit={form.handleSubmit}>
           <Stack>
             {Object.keys(loginErrors).map(
@@ -195,15 +199,15 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
           </Stack>
         </form>
       )}
-      {showPasswordLogin &&
-        (authMethods?.github.enabled || authMethods?.oidc.enabled) && (
+      {showPasswordAuth &&
+        (nonPasswordAuthEnabled) && (
           <div className={styles.divider}>
             <div className={styles.dividerLine} />
             <div className={styles.dividerLabel}>Or</div>
             <div className={styles.dividerLine} />
           </div>
         )}
-      {(authMethods?.github.enabled || authMethods?.oidc.enabled) && (
+      {(nonPasswordAuthEnabled) && (
         <Box display="grid" gridGap="16px">
           {authMethods.github.enabled && (
             <Link
@@ -255,6 +259,11 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
           )}
         </Box>
       )}
+      {!showPasswordAuth &&
+        <Typography className={styles.showPasswordLink} onClick={() => setShowPasswordAuth(true)}>
+          Show password login
+        </Typography>
+      }
     </div>
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -481,8 +481,6 @@ func Server(vip viper.Viper, newAPI func(context.Context, coderd.Options) (*co`
`481`	`481`	`options.TLSCertificates = tlsConfig.Certificates`
`482`	`482`	`}`
`483`	`483`
`484`		`- options.PasswordAuthHidden = cfg.PasswordAuthHidden.Value`
`485`		`-`
`486`	`484`	`if cfg.UpdateCheck.Value {`
`487`	`485`	`options.UpdateCheckOptions = &updatecheck.Options{`
`488`	`486`	`// Avoid spamming GitHub API checking for updates.`
`@@ -552,8 +550,8 @@ func Server(vip viper.Viper, newAPI func(context.Context, coderd.Options) (*co`
`552`	`550`	`EmailDomain: cfg.OIDC.EmailDomain.Value,`
`553`	`551`	`AllowSignups: cfg.OIDC.AllowSignups.Value,`
`554`	`552`	`UsernameField: cfg.OIDC.UsernameField.Value,`
`555`		`- SignInText: cfg.OIDC.SignInText.Value,`
`556`		`- IconURL: cfg.OIDC.IconURL.Value,`
	`553`	`+ SignInText: cfg.OIDC.SignInText.Value,`
	`554`	`+ IconURL: cfg.OIDC.IconURL.Value,`
`557`	`555`	`}`
`558`	`556`	`}`
`559`	`557`