zerobyte/app/server/modules/system/system.controller.ts
Parman Mohammadalizadeh 2b70267e01 feat: add option to disable password login
Adds a global admin setting to hide the username/password form on the
login page, useful for deployments that rely solely on SSO/OIDC or
passkeys. The form defaults to enabled so existing deployments are
unaffected.

Changes:
- Add PASSWORD_LOGIN_ENABLED_KEY constant
- Add isPasswordLoginEnabled / setPasswordLoginEnabled to system service
  (defaults to true when no DB record exists)
- Add GET/PUT /api/v1/system/password-login-status endpoints (GET
  auth-gated for admin use; setting is exposed to the login page via
  the existing getLoginOptions server function)
- Extend getLoginOptions to include passwordLoginEnabled
- Conditionally render the password login form in LoginPage
- Add "Enable password login" toggle in the admin System Settings tab,
  next to "Enable new user registrations"
- Add corresponding entries to generated API client files
  (types.gen.ts, sdk.gen.ts, @tanstack/react-query.gen.ts)

Closes #941
2026-06-05 22:49:07 +03:30

118 lines
3.6 KiB
TypeScript

import { Hono } from "hono";
import { validator } from "hono-openapi";
import {
downloadResticPasswordBodySchema,
downloadResticPasswordDto,
getUpdatesDto,
systemInfoDto,
type SystemInfoDto,
type UpdateInfoDto,
setRegistrationStatusDto,
getRegistrationStatusDto,
registrationStatusBody,
type RegistrationStatusDto,
getPasswordLoginStatusDto,
setPasswordLoginStatusDto,
passwordLoginStatusBody,
type PasswordLoginStatusDto,
getDevPanelDto,
type DevPanelDto,
} from "./system.dto";
import { systemService } from "./system.service";
import { requireAdmin, requireAuth, requireOrgAdmin } from "../auth/auth.middleware";
import { db } from "../../db/db";
import { usersTable } from "../../db/schema";
import { eq } from "drizzle-orm";
import { verifyUserPassword } from "../auth/helpers";
import { cryptoUtils } from "../../utils/crypto";
import { getOrganizationId } from "~/server/core/request-context";
export const systemController = new Hono()
.use(requireAuth)
.get("/info", systemInfoDto, async (c) => {
const info = await systemService.getSystemInfo();
return c.json<SystemInfoDto>(info, 200);
})
.get("/updates", getUpdatesDto, async (c) => {
const updates = await systemService.getUpdates();
c.header("Cache-Control", "no-store");
return c.json<UpdateInfoDto>(updates, 200);
})
.get("/registration-status", getRegistrationStatusDto, async (c) => {
const enabled = await systemService.isRegistrationEnabled();
return c.json<RegistrationStatusDto>({ enabled }, 200);
})
.put(
"/registration-status",
requireAdmin,
setRegistrationStatusDto,
validator("json", registrationStatusBody),
async (c) => {
const body = c.req.valid("json");
await systemService.setRegistrationEnabled(body.enabled);
return c.json<RegistrationStatusDto>({ enabled: body.enabled }, 200);
},
)
.post(
"/restic-password",
requireOrgAdmin,
downloadResticPasswordDto,
validator("json", downloadResticPasswordBodySchema),
async (c) => {
const user = c.get("user");
const organizationId = getOrganizationId();
const body = c.req.valid("json");
const isPasswordValid = await verifyUserPassword({ password: body.password, userId: user.id });
if (!isPasswordValid) {
return c.json({ message: "Invalid password" }, 401);
}
try {
const org = await db.query.organization.findFirst({ where: { id: organizationId } });
if (!org?.metadata?.resticPassword) {
return c.json({ message: "Organization Restic password not found" }, 404);
}
const content = await cryptoUtils.resolveSecret(org.metadata.resticPassword);
await db.update(usersTable).set({ hasDownloadedResticPassword: true }).where(eq(usersTable.id, user.id));
c.header("Content-Type", "text/plain");
c.header("Content-Disposition", 'attachment; filename="restic.pass"');
return c.text(content);
} catch (_error) {
return c.json({ message: "Failed to retrieve Restic password" }, 500);
}
},
)
.get("/password-login-status", getPasswordLoginStatusDto, async (c) => {
const enabled = await systemService.isPasswordLoginEnabled();
return c.json<PasswordLoginStatusDto>({ enabled }, 200);
})
.put(
"/password-login-status",
requireAdmin,
setPasswordLoginStatusDto,
validator("json", passwordLoginStatusBody),
async (c) => {
const body = c.req.valid("json");
await systemService.setPasswordLoginEnabled(body.enabled);
return c.json<PasswordLoginStatusDto>({ enabled: body.enabled }, 200);
},
)
.get("/dev-panel", getDevPanelDto, async (c) => {
const enabled = systemService.isDevPanelEnabled();
return c.json<DevPanelDto>({ enabled }, 200);
});