feat: add more security settings

2025-07-04 20:28:00 +00:00 · 2024-08-29 20:13:10 +08:00
parent 6c54732cd1
commit 0ac2554545
15 changed files with 312 additions and 247 deletions
--- a/server/route/api/v1/auth_service.go
+++ b/server/route/api/v1/auth_service.go
@ -21,6 +21,10 @@ import (
 	"github.com/yourselfhosted/slash/store"
 )

+const (
+	unmatchedEmailAndPasswordError = "unmatched email and password"
+)
+
 func (s *APIV1Service) GetAuthStatus(ctx context.Context, _ *v1pb.GetAuthStatusRequest) (*v1pb.User, error) {
 	user, err := getCurrentUser(ctx, s.Store)
 	if err != nil {
@ -40,15 +44,24 @@ func (s *APIV1Service) SignIn(ctx context.Context, request *v1pb.SignInRequest)
 		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to find user by email %s", request.Email))
 	}
 	if user == nil {
-		return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("user not found with email %s", request.Email))
-	} else if user.RowStatus == store.Archived {
+		return nil, status.Errorf(codes.InvalidArgument, unmatchedEmailAndPasswordError)
+	}
+	// Compare the stored hashed password, with the hashed version of the password that was received.
+	if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(request.Password)); err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, unmatchedEmailAndPasswordError)
+	}
+
+	workspaceSecuritySetting, err := s.Store.GetWorkspaceSecuritySetting(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get workspace security setting, err: %s", err))
+	}
+	if workspaceSecuritySetting.DisallowPasswordAuth && user.Role == store.RoleUser {
+		return nil, status.Errorf(codes.PermissionDenied, "password authentication is not allowed")
+	}
+	if user.RowStatus == store.Archived {
 		return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("user has been archived with email %s", request.Email))
 	}

-	// Compare the stored hashed password, with the hashed version of the password that was received.
-	if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(request.Password)); err != nil {
-		return nil, status.Errorf(codes.InvalidArgument, "unmatched email and password")
-	}
 	if err := s.doSignIn(ctx, user, time.Now().Add(AccessTokenDuration)); err != nil {
 		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to sign in, err: %s", err))
 	}
--- a/server/route/api/v1/workspace_service.go
+++ b/server/route/api/v1/workspace_service.go
@ -37,12 +37,6 @@ func (s *APIV1Service) GetWorkspaceProfile(ctx context.Context, _ *v1pb.GetWorks
 	}
 	workspaceProfile.Branding = workspaceGeneralSetting.GetBranding()

-	workspaceSecuritySetting, err := s.Store.GetWorkspaceSecuritySetting(ctx)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to get workspace security setting")
-	}
-	workspaceProfile.EnableSignup = !workspaceSecuritySetting.DisallowUserRegistration
-
 	return workspaceProfile, nil
 }

@ -64,6 +58,7 @@ func (s *APIV1Service) GetWorkspaceSetting(ctx context.Context, _ *v1pb.GetWorks
 		} else if v.Key == storepb.WorkspaceSettingKey_WORKSPACE_SETTING_SECURITY {
 			securitySetting := v.GetSecurity()
 			workspaceSetting.DisallowUserRegistration = securitySetting.GetDisallowUserRegistration()
+			workspaceSetting.DisallowPasswordAuth = securitySetting.GetDisallowPasswordAuth()
 		} else if v.Key == storepb.WorkspaceSettingKey_WORKSPACE_SETTING_SHORTCUT_RELATED {
 			shortcutRelatedSetting := v.GetShortcutRelated()
 			workspaceSetting.DefaultVisibility = v1pb.Visibility(shortcutRelatedSetting.GetDefaultVisibility())
@ -170,6 +165,20 @@ func (s *APIV1Service) UpdateWorkspaceSetting(ctx context.Context, request *v1pb
 			}); err != nil {
 				return nil, status.Errorf(codes.Internal, "failed to update workspace setting: %v", err)
 			}
+		} else if path == "disallow_password_auth" {
+			securitySetting, err := s.Store.GetWorkspaceSecuritySetting(ctx)
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get workspace setting: %v", err)
+			}
+			securitySetting.DisallowPasswordAuth = request.Setting.DisallowPasswordAuth
+			if _, err := s.Store.UpsertWorkspaceSetting(ctx, &storepb.WorkspaceSetting{
+				Key: storepb.WorkspaceSettingKey_WORKSPACE_SETTING_SECURITY,
+				Value: &storepb.WorkspaceSetting_Security{
+					Security: securitySetting,
+				},
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to update workspace setting: %v", err)
+			}
 		} else {
 			return nil, status.Errorf(codes.InvalidArgument, "invalid path: %s", path)
 		}