Disable m.login.token if there are no enabled login methods to use it.

2026-01-04 20:53:09 -06:00 · 2022-05-23 11:37:27 +02:00 · 2022-05-23 11:37:27 +02:00 · c1c2a0448c
parent 43989aa017
commit c1c2a0448c
4 changed files with 42 additions and 3 deletions
--- a/clientapi/auth/login.go
+++ b/clientapi/auth/login.go
@ -62,6 +62,14 @@ func LoginFromJSONReader(ctx context.Context, r io.Reader, useraccountAPI uapi.U
 			Config:               cfg,
 		}
 	case authtypes.LoginTypeToken:
+		if !cfg.Login.LoginTokenEnabled() {
+			err := util.JSONResponse{
+				Code: http.StatusBadRequest,
+				JSON: jsonerror.InvalidArgumentValue("disabled login type: " + header.Type),
+			}
+			return nil, nil, &err
+		}
+
 		typ = &LoginTypeToken{
 			UserAPI: userAPI,
 			Config:  cfg,
--- a/clientapi/auth/login_test.go
+++ b/clientapi/auth/login_test.go
@ -68,6 +68,11 @@ func TestLoginFromJSONReader(t *testing.T) {
 				Matrix: &config.Global{
 					ServerName: serverName,
 				},
+				Login: config.Login{
+					SSO: config.SSO{
+						Enabled: true,
+					},
+				},
 			}
 			login, cleanup, err := LoginFromJSONReader(ctx, strings.NewReader(tst.Body), &userAPI, &userAPI, cfg)
 			if err != nil {
@ -146,6 +151,11 @@ func TestBadLoginFromJSONReader(t *testing.T) {
 				Matrix: &config.Global{
 					ServerName: serverName,
 				},
+				Login: config.Login{
+					SSO: config.SSO{
+						Enabled: true,
+					},
+				},
 			}
 			_, cleanup, errRes := LoginFromJSONReader(ctx, strings.NewReader(tst.Body), &userAPI, &userAPI, cfg)
 			if errRes == nil {
--- a/clientapi/routing/login.go
+++ b/clientapi/routing/login.go
@ -59,6 +59,10 @@ func passwordLogin() []stage {
 }

 func ssoLogin(cfg *config.ClientAPI) []stage {
+	if !cfg.Login.SSO.Enabled {
+		return nil
+	}
+
 	var idps []identityProvider
 	for _, idp := range cfg.Login.SSO.Providers {
 		brand := idp.Brand
@ -87,6 +91,18 @@ func ssoLogin(cfg *config.ClientAPI) []stage {
 	}
 }

+func tokenLogin(cfg *config.ClientAPI) []stage {
+	if !cfg.Login.LoginTokenEnabled() {
+		return nil
+	}
+
+	return []stage{
+		{
+			Type: authtypes.LoginTypeToken,
+		},
+	}
+}
+
 // Login implements GET and POST /login
 func Login(
 	req *http.Request, userAPI userapi.ClientUserAPI,
@ -94,9 +110,8 @@ func Login(
 ) util.JSONResponse {
 	if req.Method == http.MethodGet {
 		allFlows := passwordLogin()
-		if cfg.Login.SSO.Enabled {
-			allFlows = append(allFlows, ssoLogin(cfg)...)
-		}
+		allFlows = append(allFlows, ssoLogin(cfg)...)
+		allFlows = append(allFlows, tokenLogin(cfg)...)
 		return util.JSONResponse{
 			Code: http.StatusOK,
 			JSON: flows{Flows: allFlows},
--- a/setup/config/config_clientapi.go
+++ b/setup/config/config_clientapi.go
@ -103,6 +103,12 @@ type Login struct {
 	SSO SSO `yaml:"sso"`
 }

+// LoginTokenEnabled returns whether any login type uses
+// authtypes.LoginTypeToken.
+func (l *Login) LoginTokenEnabled() bool {
+	return l.SSO.Enabled
+}
+
 func (l *Login) Verify(configErrs *ConfigErrors) {
 	l.SSO.Verify(configErrs)
 }