disable pw auth

4 days ago · e6f937711c
6 changed files with 60 additions and 16 deletions
--- a/docs/content/advanced/config/external-authentication.md
+++ b/docs/content/advanced/config/external-authentication.md
@ -33,11 +33,17 @@ If your provider does not support multiple redirect URIs (e.g. GitHub) but allow

 ### Auto Register

-To automatically register users that log in with an OAuth provider, set the env var `OAUTH_AUTO_REGISTER` to `true`.
+To automatically register users that log in with an OAuth provider, set the following environment variable to `true`:

-If a user logs in with an email address that is not yet registered, a new account will be created for them.
+| Env                   | Required | Default | Description              |
+| --------------------- | -------- | ------- | ------------------------ |
+| `OAUTH_AUTO_REGISTER` | ✖️       | `false` | Enable auto-registration |

-If a user logs in with an email address that is already registered, their account will be linked to the OAuth provider (if not already linked), regardless of the value of `OAUTH_AUTO_REGISTER`.
+When enabled:
+
+- If a user logs in with an email address that is not yet registered, a new account will be created for them.
+
+- If a user logs in with an email address that is already registered, their account will be linked to the OAuth provider (if not already linked), regardless of the value of `OAUTH_AUTO_REGISTER`.

 /// warning | Security

@ -49,7 +55,11 @@ Use [Allowed Domains](#allowed-domains) to restrict which users can log in.

 ### Allowed Domains

-To only allow users with an email address from a specific domain to log in, set the env var `OAUTH_ALLOWED_DOMAINS` to the allowed domain.
+To only allow users with an email address from a specific domain to log in, set the following environment variable to the allowed domain.
+
+| Env                     | Required | Default | Description           |
+| ----------------------- | -------- | ------- | --------------------- |
+| `OAUTH_ALLOWED_DOMAINS` | ✖️       | -       | Allowed email domains |

 You can allow multiple domains by separating them with a comma:

@ -134,3 +144,23 @@ docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --
 ### Generic OAuth

 Not currently supported
+
+### Disable Password Authentication
+
+To disable password-based authentication and only allow login via OAuth providers, set the following environment variable to `true`:
+
+| Env                     | Required | Default | Description                     |
+| ----------------------- | -------- | ------- | ------------------------------- |
+| `DISABLE_PASSWORD_AUTH` | ✖️       | `false` | Disable password authentication |
+
+When enabled:
+
+- Users will not be able to log in with a password
+
+/// warning | Access Recovery
+
+Before disabling password authentication, ensure that at least one OAuth provider is configured and that you have successfully linked an administrator account.
+
+If no login method is available, you will not be able to log in to the application and will need to reset the configuration to regain access.
+
+///
--- a/src/app/pages/login.vue
+++ b/src/app/pages/login.vue
@ -24,7 +24,10 @@
        />

        <!-- Divider -->
-        <div v-if="authMethods.oauthEnabled" class="flex items-center gap-2">
+        <div
+          v-if="authMethods.oauthEnabled && !authMethods.passwordDisabled"
+          class="flex items-center gap-2"
+        >
          <div class="h-px flex-1 bg-gray-300 dark:bg-neutral-600"></div>
          <span class="text-xs text-gray-500 dark:text-neutral-400">
            {{ $t('login.or') }}
@ -34,7 +37,11 @@
      </div>

      <!-- Classic Login Form -->
-      <form class="flex flex-col gap-5" @submit.prevent="submit">
+      <form
+        v-if="!authMethods?.passwordDisabled"
+        class="flex flex-col gap-5"
+        @submit.prevent="submit"
+      >
        <BaseInput
          v-model="username"
          type="text"
@ -73,13 +80,8 @@
        </label>

        <button
-          class="rounded py-2 text-sm text-white shadow transition dark:text-white"
-          :class="{
-            'cursor-pointer bg-red-800 hover:bg-red-700 dark:bg-red-800 dark:hover:bg-red-700':
-              password && username,
-            'cursor-not-allowed bg-gray-200 dark:bg-neutral-800':
-              !password || !username,
-          }"
+          class="rounded bg-red-800 py-2 text-sm text-white shadow transition hover:bg-red-700 disabled:cursor-not-allowed disabled:bg-gray-200 dark:bg-red-800 dark:text-white dark:hover:bg-red-700 disabled:dark:bg-neutral-800"
+          :disabled="!password || !username"
        >
          <IconsLoading
            v-if="authenticating"
--- a/src/server/api/auth/methods.get.ts
+++ b/src/server/api/auth/methods.get.ts
@ -12,5 +12,6 @@ export default defineEventHandler(() => {
    ),
    oauthEnabled:
      WG_ENV.OAUTH_PROVIDERS !== undefined && WG_ENV.OAUTH_PROVIDERS.length > 0,
+    passwordDisabled: WG_ENV.DISABLE_PASSWORD_AUTH,
  };
 });
--- a/src/server/api/auth/password.post.ts
+++ b/src/server/api/auth/password.post.ts
@ -1,6 +1,13 @@
 import { UserLoginSchema } from '#db/repositories/user/types';

 export default defineEventHandler(async (event) => {
+  if (WG_ENV.DISABLE_PASSWORD_AUTH) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'Password authentication is disabled',
+    });
+  }
+
  const { username, password, remember, totpCode } = await readValidatedBody(
    event,
    validateZod(UserLoginSchema, event)
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@ -50,13 +50,17 @@ export const WG_ENV = {
  ),
  /** Automatically register users that log in with an OAuth provider */
  OAUTH_AUTO_REGISTER: process.env.OAUTH_AUTO_REGISTER === 'true',
+  /** Disable password authentication */
+  DISABLE_PASSWORD_AUTH: process.env.DISABLE_PASSWORD_AUTH === 'true',
 };

-if (WG_ENV.OAUTH_PROVIDERS && WG_ENV.OAUTH_PROVIDERS.length > 1) {
+if (WG_ENV.OAUTH_PROVIDERS && WG_ENV.OAUTH_PROVIDERS.length > 0) {
  SERVER_DEBUG(`
 Enabled OAuth providers: ${WG_ENV.OAUTH_PROVIDERS.join(', ')}
 Allowed OAuth domains: ${WG_ENV.OAUTH_ALLOWED_DOMAINS?.join(', ') ?? 'All'}
-OAuth auto register: ${WG_ENV.OAUTH_AUTO_REGISTER ? 'Enabled' : 'Disabled'}`);
+OAuth auto register: ${WG_ENV.OAUTH_AUTO_REGISTER ? 'Enabled' : 'Disabled'}
+Password authentication: ${WG_ENV.DISABLE_PASSWORD_AUTH ? 'Disabled' : 'Enabled'}
+`);
 }

 export const WG_INITIAL_ENV = {
--- a/src/server/utils/oauth.ts
+++ b/src/server/utils/oauth.ts
@ -90,7 +90,7 @@ export async function buildOauthConfig(event: H3Event) {

  if (!isEnabledProvider(provider)) {
    throw createError({
-      statusCode: 400,
+      statusCode: 403,
      statusMessage: 'Provider is not enabled',
    });
  }