Adds a global admin setting to hide the username/password form on the login page, useful for deployments that rely solely on SSO/OIDC or passkeys. The form defaults to enabled so existing deployments are unaffected. Changes: - Add PASSWORD_LOGIN_ENABLED_KEY constant - Add isPasswordLoginEnabled / setPasswordLoginEnabled to system service (defaults to true when no DB record exists) - Add GET/PUT /api/v1/system/password-login-status endpoints (GET auth-gated for admin use; setting is exposed to the login page via the existing getLoginOptions server function) - Extend getLoginOptions to include passwordLoginEnabled - Conditionally render the password login form in LoginPage - Add "Enable password login" toggle in the admin System Settings tab, next to "Enable new user registrations" - Add corresponding entries to generated API client files (types.gen.ts, sdk.gen.ts, @tanstack/react-query.gen.ts) Closes #941
118 lines
3.6 KiB
TypeScript
118 lines
3.6 KiB
TypeScript
import { Hono } from "hono";
|
|
import { validator } from "hono-openapi";
|
|
import {
|
|
downloadResticPasswordBodySchema,
|
|
downloadResticPasswordDto,
|
|
getUpdatesDto,
|
|
systemInfoDto,
|
|
type SystemInfoDto,
|
|
type UpdateInfoDto,
|
|
setRegistrationStatusDto,
|
|
getRegistrationStatusDto,
|
|
registrationStatusBody,
|
|
type RegistrationStatusDto,
|
|
getPasswordLoginStatusDto,
|
|
setPasswordLoginStatusDto,
|
|
passwordLoginStatusBody,
|
|
type PasswordLoginStatusDto,
|
|
getDevPanelDto,
|
|
type DevPanelDto,
|
|
} from "./system.dto";
|
|
import { systemService } from "./system.service";
|
|
import { requireAdmin, requireAuth, requireOrgAdmin } from "../auth/auth.middleware";
|
|
import { db } from "../../db/db";
|
|
import { usersTable } from "../../db/schema";
|
|
import { eq } from "drizzle-orm";
|
|
import { verifyUserPassword } from "../auth/helpers";
|
|
import { cryptoUtils } from "../../utils/crypto";
|
|
import { getOrganizationId } from "~/server/core/request-context";
|
|
|
|
export const systemController = new Hono()
|
|
.use(requireAuth)
|
|
.get("/info", systemInfoDto, async (c) => {
|
|
const info = await systemService.getSystemInfo();
|
|
|
|
return c.json<SystemInfoDto>(info, 200);
|
|
})
|
|
.get("/updates", getUpdatesDto, async (c) => {
|
|
const updates = await systemService.getUpdates();
|
|
c.header("Cache-Control", "no-store");
|
|
|
|
return c.json<UpdateInfoDto>(updates, 200);
|
|
})
|
|
.get("/registration-status", getRegistrationStatusDto, async (c) => {
|
|
const enabled = await systemService.isRegistrationEnabled();
|
|
|
|
return c.json<RegistrationStatusDto>({ enabled }, 200);
|
|
})
|
|
.put(
|
|
"/registration-status",
|
|
requireAdmin,
|
|
setRegistrationStatusDto,
|
|
validator("json", registrationStatusBody),
|
|
async (c) => {
|
|
const body = c.req.valid("json");
|
|
|
|
await systemService.setRegistrationEnabled(body.enabled);
|
|
|
|
return c.json<RegistrationStatusDto>({ enabled: body.enabled }, 200);
|
|
},
|
|
)
|
|
.post(
|
|
"/restic-password",
|
|
requireOrgAdmin,
|
|
downloadResticPasswordDto,
|
|
validator("json", downloadResticPasswordBodySchema),
|
|
async (c) => {
|
|
const user = c.get("user");
|
|
const organizationId = getOrganizationId();
|
|
const body = c.req.valid("json");
|
|
|
|
const isPasswordValid = await verifyUserPassword({ password: body.password, userId: user.id });
|
|
if (!isPasswordValid) {
|
|
return c.json({ message: "Invalid password" }, 401);
|
|
}
|
|
|
|
try {
|
|
const org = await db.query.organization.findFirst({ where: { id: organizationId } });
|
|
|
|
if (!org?.metadata?.resticPassword) {
|
|
return c.json({ message: "Organization Restic password not found" }, 404);
|
|
}
|
|
|
|
const content = await cryptoUtils.resolveSecret(org.metadata.resticPassword);
|
|
|
|
await db.update(usersTable).set({ hasDownloadedResticPassword: true }).where(eq(usersTable.id, user.id));
|
|
|
|
c.header("Content-Type", "text/plain");
|
|
c.header("Content-Disposition", 'attachment; filename="restic.pass"');
|
|
|
|
return c.text(content);
|
|
} catch (_error) {
|
|
return c.json({ message: "Failed to retrieve Restic password" }, 500);
|
|
}
|
|
},
|
|
)
|
|
.get("/password-login-status", getPasswordLoginStatusDto, async (c) => {
|
|
const enabled = await systemService.isPasswordLoginEnabled();
|
|
|
|
return c.json<PasswordLoginStatusDto>({ enabled }, 200);
|
|
})
|
|
.put(
|
|
"/password-login-status",
|
|
requireAdmin,
|
|
setPasswordLoginStatusDto,
|
|
validator("json", passwordLoginStatusBody),
|
|
async (c) => {
|
|
const body = c.req.valid("json");
|
|
|
|
await systemService.setPasswordLoginEnabled(body.enabled);
|
|
|
|
return c.json<PasswordLoginStatusDto>({ enabled: body.enabled }, 200);
|
|
},
|
|
)
|
|
.get("/dev-panel", getDevPanelDto, async (c) => {
|
|
const enabled = systemService.isDevPanelEnabled();
|
|
|
|
return c.json<DevPanelDto>({ enabled }, 200);
|
|
});
|