Add config to inhibit account registration for SSO provider.
Add config option to inhibit random fallback ID's for SSO registration. Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
Jason Volk
@@ -396,6 +396,10 @@ pub(crate) async fn sso_callback_route(
|
|||||||
|
|
||||||
// Attempt to register a non-existing user.
|
// Attempt to register a non-existing user.
|
||||||
if !services.users.exists(&user_id).await {
|
if !services.users.exists(&user_id).await {
|
||||||
|
if !provider.registration {
|
||||||
|
return Err!(Request(Forbidden("Registration from this provider is disabled")));
|
||||||
|
}
|
||||||
|
|
||||||
register_user(&services, &provider, &session, &userinfo, &user_id).await?;
|
register_user(&services, &provider, &session, &userinfo, &user_id).await?;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -697,6 +701,14 @@ async fn try_user_id(
|
|||||||
debug_warn!(?username, "Username exists.");
|
debug_warn!(?username, "Username exists.");
|
||||||
return None;
|
return None;
|
||||||
}
|
}
|
||||||
|
} else if unique_id && !provider.unique_id_fallbacks {
|
||||||
|
debug_warn!(
|
||||||
|
?username,
|
||||||
|
provider = ?provider.brand,
|
||||||
|
"Unique ID fallbacks disabled.",
|
||||||
|
);
|
||||||
|
|
||||||
|
return None;
|
||||||
}
|
}
|
||||||
|
|
||||||
Some(user_id)
|
Some(user_id)
|
||||||
|
|||||||
@@ -2760,6 +2760,37 @@ pub struct IdentityProvider {
|
|||||||
#[serde(default)]
|
#[serde(default)]
|
||||||
pub trusted: bool,
|
pub trusted: bool,
|
||||||
|
|
||||||
|
/// Setting this option to false will inhibit unique ID's from being
|
||||||
|
/// generated as a last-resort when determining a UserId from a provider's
|
||||||
|
/// claims. In the case of untrusted providers, when all provided claims
|
||||||
|
/// conflict with existing user accounts, a unique fallback ID needs
|
||||||
|
/// to be generated for registration to not be denied with an error.
|
||||||
|
///
|
||||||
|
/// Set this option to false if you operate a private server or a trusted
|
||||||
|
/// identity provider where random UserId's are undesirable; the result of a
|
||||||
|
/// misconfiguration or other issue where an error is warranted.
|
||||||
|
///
|
||||||
|
/// This option should be set to true for public servers or some users may
|
||||||
|
/// never be able to register.
|
||||||
|
///
|
||||||
|
/// default: true
|
||||||
|
#[serde(default = "true_fn")]
|
||||||
|
pub unique_id_fallbacks: bool,
|
||||||
|
|
||||||
|
/// Controls whether new user registration is possible from this provider.
|
||||||
|
/// When this option is set to false, authorizations from this provider
|
||||||
|
/// only affect existing users and will never result in a new registration
|
||||||
|
/// when the claims fail to match any existing user (in the case of trusted
|
||||||
|
/// providers) or an available username is found (in the case of untrusted
|
||||||
|
/// providers).
|
||||||
|
///
|
||||||
|
/// Setting this option to false is generally not useful unless there is
|
||||||
|
/// an explicit reason to do so.
|
||||||
|
///
|
||||||
|
/// default: true
|
||||||
|
#[serde(default = "true_fn")]
|
||||||
|
pub registration: bool,
|
||||||
|
|
||||||
/// Optional extra path components after the issuer_url leading to the
|
/// Optional extra path components after the issuer_url leading to the
|
||||||
/// location of the `.well-known` directory used for discovery. If the path
|
/// location of the `.well-known` directory used for discovery. If the path
|
||||||
/// starts with a slash it will be treated as absolute, meaning overwriting
|
/// starts with a slash it will be treated as absolute, meaning overwriting
|
||||||
|
|||||||
@@ -2360,6 +2360,33 @@
|
|||||||
#
|
#
|
||||||
#trusted = false
|
#trusted = false
|
||||||
|
|
||||||
|
# Setting this option to false will inhibit unique ID's from being
|
||||||
|
# generated as a last-resort when determining a UserId from a provider's
|
||||||
|
# claims. In the case of untrusted providers, when all provided claims
|
||||||
|
# conflict with existing user accounts, a unique fallback ID needs
|
||||||
|
# to be generated for registration to not be denied with an error.
|
||||||
|
#
|
||||||
|
# Set this option to false if you operate a private server or a trusted
|
||||||
|
# identity provider where random UserId's are undesirable; the result of a
|
||||||
|
# misconfiguration or other issue where an error is warranted.
|
||||||
|
#
|
||||||
|
# This option should be set to true for public servers or some users may
|
||||||
|
# never be able to register.
|
||||||
|
#
|
||||||
|
#unique_id_fallbacks = true
|
||||||
|
|
||||||
|
# Controls whether new user registration is possible from this provider.
|
||||||
|
# When this option is set to false, authorizations from this provider
|
||||||
|
# only affect existing users and will never result in a new registration
|
||||||
|
# when the claims fail to match any existing user (in the case of trusted
|
||||||
|
# providers) or an available username is found (in the case of untrusted
|
||||||
|
# providers).
|
||||||
|
#
|
||||||
|
# Setting this option to false is generally not useful unless there is
|
||||||
|
# an explicit reason to do so.
|
||||||
|
#
|
||||||
|
#registration = true
|
||||||
|
|
||||||
# Optional extra path components after the issuer_url leading to the
|
# Optional extra path components after the issuer_url leading to the
|
||||||
# location of the `.well-known` directory used for discovery. If the path
|
# location of the `.well-known` directory used for discovery. If the path
|
||||||
# starts with a slash it will be treated as absolute, meaning overwriting
|
# starts with a slash it will be treated as absolute, meaning overwriting
|
||||||
|
|||||||
Reference in New Issue
Block a user