feat: allow to disable password authentication

2025-01-22 20:58:14 -05:00 · 2024-12-31 21:22:03 +08:00 · 2024-12-31 21:22:03 +08:00 · 24a17e5824
commit 24a17e5824
parent 3c89d2d08a
5 changed files with 37 additions and 6 deletions
--- a/cmd/dashboard/controller/jwt.go
+++ b/cmd/dashboard/controller/jwt.go
@ -89,6 +89,7 @@ func authenticator() func(c *gin.Context) (interface{}, error) {

 		var user model.User
 		realip := c.GetString(model.CtxKeyRealIPStr)
+
 		if err := singleton.DB.Select("id", "password").Where("username = ?", loginVals.Username).First(&user).Error; err != nil {
 			if err == gorm.ErrRecordNotFound {
 				model.BlockIP(singleton.DB, realip, model.WAFBlockReasonTypeLoginFail, model.BlockIDUnknownUser)
@ -96,6 +97,11 @@ func authenticator() func(c *gin.Context) (interface{}, error) {
 			return nil, jwt.ErrFailedAuthentication
 		}

+		if user.RejectPassword {
+			model.BlockIP(singleton.DB, realip, model.WAFBlockReasonTypeLoginFail, int64(user.ID))
+			return nil, jwt.ErrForbidden
+		}
+
 		if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(loginVals.Password)); err != nil {
 			model.BlockIP(singleton.DB, realip, model.WAFBlockReasonTypeLoginFail, int64(user.ID))
 			return nil, jwt.ErrFailedAuthentication
--- a/cmd/dashboard/controller/oauth2.go
+++ b/cmd/dashboard/controller/oauth2.go
@ -42,7 +42,7 @@ func oauth2redirect(c *gin.Context) (*model.Oauth2LoginResponse, error) {
 		return nil, singleton.Localizer.ErrorT("provider is required")
 	}

-	rTypeInt, err := strconv.Atoi(c.Query("type"))
+	rTypeInt, err := strconv.ParseUint(c.Query("type"), 10, 8)
 	if err != nil {
 		return nil, err
 	}
@ -87,10 +87,23 @@ func unbindOauth2(c *gin.Context) (any, error) {
 		return nil, singleton.Localizer.ErrorT("provider not found")
 	}
 	provider = strings.ToLower(provider)
+
 	u := c.MustGet(model.CtxKeyAuthorizedUser).(*model.User)
-	if err := singleton.DB.Where("provider = ? AND user_id = ?", provider, u.ID).Delete(&model.Oauth2Bind{}).Error; err != nil {
+	query := singleton.DB.Where("provider = ? AND user_id = ?", provider, u.ID)
+
+	var bindCount int64
+	if err := query.Model(&model.Oauth2Bind{}).Count(&bindCount).Error; err != nil {
 		return nil, newGormError("%v", err)
 	}
+
+	if bindCount < 2 && u.RejectPassword {
+		return nil, singleton.Localizer.ErrorT("operation not permitted")
+	}
+
+	if err := query.Delete(&model.Oauth2Bind{}).Error; err != nil {
+		return nil, newGormError("%v", err)
+	}
+
 	return nil, nil
 }

--- a/cmd/dashboard/controller/user.go
+++ b/cmd/dashboard/controller/user.go
@ -73,8 +73,18 @@ func updateProfile(c *gin.Context) (any, error) {
 		return nil, err
 	}

+	var bindCount int64
+	if err := singleton.DB.Where("user_id = ?", auth.(*model.User).ID).Count(&bindCount).Error; err != nil {
+		return nil, newGormError("%v", err)
+	}
+
+	if pf.RejectPassword && bindCount < 1 {
+		return nil, singleton.Localizer.ErrorT("you don't have any oauth2 bindings")
+	}
+
 	user.Username = pf.NewUsername
 	user.Password = string(hash)
+	user.RejectPassword = pf.RejectPassword
 	if err := singleton.DB.Save(&user).Error; err != nil {
 		return nil, newGormError("%v", err)
 	}
--- a/model/user.go
+++ b/model/user.go
@ -19,6 +19,7 @@ type User struct {
 	Password       string `json:"password,omitempty" gorm:"type:char(72)"`
 	Role           uint8  `json:"role,omitempty"`
 	AgentSecret    string `json:"agent_secret,omitempty" gorm:"type:char(32)"`
+	RejectPassword bool   `json:"reject_password,omitempty"`
 }

 type UserInfo struct {
--- a/model/user_api.go
+++ b/model/user_api.go
@ -10,4 +10,5 @@ type ProfileForm struct {
 	OriginalPassword string `json:"original_password,omitempty"`
 	NewUsername      string `json:"new_username,omitempty"`
 	NewPassword      string `json:"new_password,omitempty"`
+	RejectPassword   bool   `json:"reject_password,omitempty"`
 }